This walkthrough covers several topics relevant to cybersecurity: brute-force attacks, hash cracking, and privilege escalation. Working through it requires familiarity with a handful of tools, namely Nmap, Gobuster, Hydra, and John the Ripper.
To access the Brute It room and embark on this learning journey, kindly follow this link: TryHackMe | Brute It
Let's get started!
Task-1: Deploy the machine.
Task-2: Reconnaissance.
In this instance, the box lives at 10.10.186.229. Let's get things started with a quick Nmap scan:
nmap -A -sV -sC -Pn 10.10.186.229
Before attacking, let's gather information about the target.
Answer the questions below
Search for open ports using nmap.
Question-1: How many ports are open?
Answer-1: 2
Question-2: What version of SSH is running?
Answer-2: OpenSSH 7.6p1
Question-3: What version of Apache is running?
Answer-3: 2.4.29
Question-4: Which Linux distribution is running?
Answer-4: ubuntu
Search for hidden directories on the web server.
Question-5: What is the hidden directory?
Answer-5: /admin
Task-3: Getting a Shell.
After visiting the /admin directory we find a form, requiring a username and a password:
Let’s check the page source for more information about the web page.
We have a username, admin; now we need the password. With the username known, we can brute-force the password with Hydra, telling it the form fields to fill and the string the page returns on a failed login:
Command: hydra -l admin -P rockyou.txt <IP Machine> http-post-form "/admin/:user=^USER^&pass=^PASS^&login=Login:Username or password invalid"
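From the server side, a Hydra run like the one above is a burst of POST requests to the login form from a single source. The following Python detector is an added example (not part of the original walkthrough) that reads Apache combined-format access-log lines and flags any source IP that POSTs to the form path at least a threshold number of times inside a sliding window; the log lines, IP addresses, timestamps and thresholds are constructed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def detect_form_bruteforce(lines, path="/admin/", threshold=10, window_s=60):
    """Return {ip: timestamp} for sources that POSTed to `path` at least
    `threshold` times within any `window_s`-second window (first crossing only)."""
    recent = defaultdict(deque)   # per-IP timestamps of POSTs still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:   # drop old entries
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["ts"]
    return alerts


def _line(ip, second, method, path, status, size):
    # Constructed sample line (hypothetical addresses and times, not real traffic).
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("10.0.0.5", 0, "GET", "/admin/", 200, 812)]
    + [_line("10.0.0.5", 1 + i // 5, "POST", "/admin/", 200, 1004) for i in range(25)]  # burst
    + [_line("10.0.0.9", 10 + 20 * i, "POST", "/admin/", 200, 1004) for i in range(3)]   # a few retries
)

if __name__ == "__main__":
    for ip, ts in detect_form_bruteforce(SAMPLE_LOG).items():
        print(f"possible form brute force from {ip} at {ts.isoformat()}")
```

With the defaults only 10.0.0.5 is reported; the three spaced-out attempts from 10.0.0.9 stay under the threshold.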
Find a form to get a shell on SSH.
Answer the questions below
Question-1: What is the user:password of the admin panel?
Answer-1: admin:xavier
Once you click the RSA private key link, which is itching to be clicked, you get the RSA key; copy it to your local machine.
ssh2john is used to convert the RSA key into a hash format that John the Ripper can work with.
Command: ssh2john id_rsa > hash
With the help of John the Ripper we can brute-force the passphrase of the RSA key using the wordlist rockyou.txt.
Command: john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH hash
Crack the RSA key you found.
Question-2: What is John's RSA Private Key passphrase?
Answer-2: rockinroll
Using the RSA key and the passphrase we can try connecting to the SSH server.
Command: ssh -i id_rsa john@Machine_IP
We have the passphrase! Before using the key, we need to restrict its file permissions, since SSH rejects a private key that is readable by other users.
Command: chmod 600 id_rsa
We got a shell over SSH as the user John, and with it the user flag.
Question-3: User.txt
Answer-3: THM{a_password_is_not_a_barrier}
Question-4: Web flag
Answer-4: THM{brut3_f0rce_is_e4sy}
Task-4: Privilege Escalation.
Now, we need to escalate our privileges.
Let's enumerate what sudo allows this user to run:
Command: sudo -l
Here we got the password hash of the root user, and with the help of the cat command we also got the root flag.
Command: sudo cat /root/root.txt
Copy the root password hash and use John to crack it.
Command: john --wordlist=/usr/share/wordlists/rockyou.txt file
Here we got the password for the root user: "football".
We have successfully obtained root.
Thank you!!!