TryHackMe — Brute It

Brute It is a box designed to practice brute forcing passwords, cracking hashes, and escalating privileges. It is a fairly easy box, however there are still many commands one must use to gain root and some them can be tricky. The good news is there’s no IDS/IPS or WAF to worry about, so stealth is not a concern we will take into account with this hack. We will be using aggressive scans and Gobuster. Here’s a high level overview of the the hack:

• Service enumeration
• Brute forcing
• Hash cracking
• Privilege Escalation

All in all, it can be completed in less than an hour. We will show you how.

Brute It was the first box I hacked on TryHackMe. I was assisted in this hack by my partner in crime tacosandpie, a notorious hackerman himself and an all around cool guy.

Obviously

First of all, we logged on to TryHackMe via openvpn and received a target IP address of 10.10.117.244. We created a folder to store files and screenshots related to the hack. This will help us stay organized throughout the hack.

The first step in any successful hack is always reconnaissance. We needed to scan the open ports to find out what kind of attack surface we had available. We used nmap -A 10.10.117.244 to run an aggressive scan and noticed two open ports: port 22 and port 80. We also made note of OpenSSH 7.6p1 and Apache httpd 2.4.29 running on these ports. Last, we noted the OS was Ubuntu Linux. On to enumeration!

Aggressively scanning your ports

Based on our experience with previous hacks, we thought it wise to search for hidden folders and enumerate URIs using Gobuster. We ran gobuster -w /usr/share/dirb/wordlists/big.txt dir -u 10.10.117.244 and found /admin. Bingo.

Gobuster strikes again!

We pulled up 10.10.117.244/admin in the browser and saw a login screen. Hmm… what’s going on here? Let’s take a look under the hood.

Most importantly, how can we break this? 🔨

The first step in finding out was viewing the source code of the page. What do you know? We found a note left by devs in plain sight where anyone on the web could find it. Not good. This revealed the username was admin and also gave us the name john for future reference. A critical bit of info to leave out in the open. We would make them pay for this mistake.

Thanks for helping us “remember!” 😜

Next, we used inspect element to see the parameters passed during a failed login attempt. To do this we looked under the Network tab and selected the Post command. On the right is the option to edit & resend which shows the parameters being passed in the request body of the login. This revealed the username and password fields were being passed as user and pass, respectively. Good to know. With that, we had what we needed to brute force entry. Time to work some of that old hackerman magic!

Your secrets can’t hide from us! 👀

Now that we had a username and parameters to pass, the next step was trying brute force with Hydra. Since it was passwords we were brute forcing, we used the rockyou.txt wordlist. We also used http-post-form to pass the parameters and -V to show login and pass for each attempt. The full command we used was hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.117.244 http-post-form “/admin/:user=^USER^&pass=^PASS^:Username or password invalid” -V.

Brute forcing your passwords verbosely

After 531 attempts, Hydra was successful in brute forcing the password xavier. Perfect. Now we had a username and password combo we could exploit. Let’s see what trouble we could cause with it.

Quite a lot it turns out

We logged into the admin page with the username and password combo and found the web flag THM{brut3_f0rce_is_e4sy} as well as a link to John’s RSA private key. Obviously we wanted to get our hands on that.

It’s almost *too* easy…

We right clicked the link to download the file on our Kali boxes, then ran a cat id_rsa to see the RSA private key. With the passphrase to use this id_rsa file, we should be able to SSH into John’s account without even needing to know his password. That would give us access to the Brute It box itself, and put us one step closer to root. All we needed to do was crack it.

AES-128-CBC encryption? Child’s play! 🤣

I suggest you picture these next few steps in the form of a training montage with some rockin music in the background. Trust me, that’s how it felt to us.

We had the power!

We ran sudo python /usr/share/john/ssh2john.py id_rsa > rsa_hash to create a hash file we could use with John the Ripper.

Can you hear it? 🎵

We cracked the resulting hash with the command sudo john — wordlist=/usr/share/wordlists/rockyou.txt rsa_hash and found the RSA Private Key passphrase was rockinroll.

Rock and roll! 🎸

Now that we had the passphrase, we could use John’s RSA Private Key to SSH in without needing to know his actual password. Cool, huh? All we needed to do was SSH and supply the id_rsa file.

First, we needed to updat permissions on the id_rsa file, which we did with chmod 600 id_rsa. That way the it would be accepted during SSH. Now we had both the passphrase and our id_rsa file was ready for SSH login.

We used ssh -i id_rsa john@10.10.117.244 and entered the passphrase when prompted. Boom. We were in! Rock and roll indeed!

I know you hear it! 🤘😝🤘

Once inside the box, we did some basic exploration and found a user.txt which we pulled up with cat user.txt and saw the password listed inside: THM{a_password_is_not_a_barrier}.

No barriers can stop hackerman

We appeared to be running a TTY shell so our next concern was privilege escalation. There are many ways to escalate to root. We typically like checking sudo privileges on our existing user first, which we did with sudo -l.

😹😹😹

Would you look at that? John can run cat commands with root access. No password required. Talk about letting the cat out of the bag! We quickly did what any hackerman would do and checked the shadow file.

We used sudo cat /etc/shadow > shadow.txt to copy the full shadow file into a txt file we could crack. That included the password hash for root. If we could crack that, we had the box. Game on!

So close!

Unfortunately John the Ripper was not installed on the Brute It box. That left a few options, but we decided to transfer the file to our Kali box before cracking it. We used SimpleHTTPServer to serve the file on the target box with python -m SimpleHTTPServer 4444. Then we used wget 10.10.117.244:4444/shadow.txt to download the file on our Kali box.

I’m in your servers exfiltrating your shadow 👥

Then we used John the Ripper to crack the hash. We used the command sudo john — wordlist=/usr/share/wordlists/rockyou.txt shadow.txt and found the root password is football.

Touchdown! 🏈

With that we used su root to log in as root. Boom. Root. We did it!

Live footage of us gaining root

Finally, we navigated to /root and found the root.txt file. We used cat root.txt to find the last flag: THM{pr1v1l3g3_3sc4l4t10n}.

Mic drop 🎤

Overall this was a fairly easy box, but that allowed us to focus on analyzing each step and thinking logically through our hack. It helps when you have a definite strategy, and this activity definitely helped me think through why we were taking certain steps. I enjoyed the experience, and it was a great opportunity to practice my skills.

Until next time, remember you don’t find hackerman… hackerman finds you!

He’ll find you 🤓

Here’s a listing of some of the tools and commands I used in this hack:

• nmap
• gobuster
• view page source
• inspect element
• hydra
• ssh2john
• john
• ssh
• python
• SimpleHttpServer
• wget