Tryhackme Walkthrough : Brute It

Welcome back for another hit on the TryHackMe lab Brute It, designed by Reddyz. So, without wasting too much time, let's go.

Level : Easy

Attacking Strategy

  • Enumeration
    • Rustscan
    • Content Discovery
  • Exploitation
    • Password cracking
    • John the Ripper
    • Hash cracking
  • Privilege Escalation
    • sudoers

Enumeration

As always we start the war with the rustscan scanner to check out all the open services on the target system. In this lab we find that two ports are open: 22 and 80.

rustscan --ulimit 5001 10.10.228.13 -- -sC -sV -oA nmap
[Image: Rustscan output showing ports 22 and 80 open]

On port 80 we have Apache running, so we pick this path and continue enumerating to find pages. By firing up Dirb we find that there is an admin page on the web server.

dirb http://10.10.228.13
[Image: Dirb scan results]

Now we need credentials to log in to the portal, which we don't have right now, but never lose hope: after checking the page source we find the username, and we perform a brute force against the login portal using hydra.

Tip: Never use Burp to brute force when it comes to using long wordlists.

Now that we know the likely username, it's time to brute it.

hydra -l admin -P ../../rockyou.txt 10.10.228.13 http-post-form "/admin/:user=^USER^&pass=^PASS^:Username or password invalid"
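From the defender's side, a hydra run like the one above leaves a very recognisable trail in the web server's access log: many POST requests to the same login path from one source address in a short time. The failure condition hydra is given here is a string in the page body, which means the failed logins most likely come back with HTTP 200, so a detector keyed only on 401/403 status codes would miss them. The following script is an added example, not part of the original walkthrough: it parses Apache combined-format log lines (the sample lines are constructed, not taken from the lab) and flags any source IP that issues more than a threshold of POSTs to the login path inside a sliding time window, regardless of the status code returned.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip, second, method, agent):
    """Build one constructed log line (all 200 OK, as a body-matched login failure would be)."""
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"{method} /admin/ HTTP/1.1" 200 512 "-" "{agent}"')


# Constructed sample log: 12 POSTs from one address within 12 seconds (the brute-force pattern),
# plus a normal browse-and-login from a second address.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", s, "POST", "Mozilla/4.0 (Hydra)") for s in range(12)]
    + [_line("10.0.0.9", 30, "GET", "Mozilla/5.0"),
       _line("10.0.0.9", 45, "POST", "Mozilla/5.0")]
)


def find_login_bruteforce(log_text, login_path="/admin/", window_seconds=60, threshold=10):
    """Return {ip: max POSTs to login_path seen inside any window_seconds window}
    for every ip whose maximum reaches threshold."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts[m["ip"]].append(ts)

    alerts = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        best = 0
        # Two-pointer sliding window over the sorted timestamps.
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, count in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {ip} made {count} login POSTs inside one 60s window")
```

On a real server the same function can be fed the contents of the Apache access log; the window and threshold are assumptions to tune per site, and a rate limit or account lockout on the login handler is the corresponding mitigation.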

After logging in we find a new user, "john", and his private key, which we are going to use to log in to the remote system. The problem is that the key is passphrase protected, so we have to crack that too, and here we use our favorite tool, "John the Ripper". To do this we first convert the key to a hash and then crack that hash.

[Image: Admin account page]
sudo python /usr/share/john/ssh2john.py key >key_hash
john --wordlist=../../rockyou.txt key_hash
[Image: Hash cracking output]

Here we get the passphrase of the key, and after changing the permissions of the key we log in to the server as the john user.

chmod 600 key
ssh -i key [email protected] 
[Image: SSH login]

Privilege Escalation

It's time to move to the victory point, meaning getting root powers, so we start our initial enumeration by checking file permissions, SUID files, etc., and we find a sudoers entry: here we see the cat command has some power, and with it we can read the shadow file. If you work on Linux you already know that the shadow file contains the password hashes.

[Image: sudoers file]
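The lesson for an administrator is that letting a user run any program that reads arbitrary files as root is equivalent to handing over /etc/shadow and every private key on the box. The following audit script is an added example and not part of the original walkthrough or the lab: it parses sudoers-style user specifications (the sample entries are constructed, not the lab's real file) and reports every entry that grants ALL or a file-reading program, noting whether NOPASSWD is set. The list of file-reading programs is an assumption to extend for your environment.

```python
import os
import re

# Programs that read whatever path they are given; root-privileged use exposes /etc/shadow, keys, etc.
FILE_READERS = {"cat", "tac", "less", "more", "head", "tail", "nl",
                "sed", "awk", "vi", "vim", "nano", "find", "cp", "tar"}

# user  host = (runas) [TAG:] cmd, [TAG:] cmd ...
SPEC_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)

# Constructed sample sudoers (not the lab's actual file).
SAMPLE_SUDOERS = """\
Defaults        env_reset
# Members of the admin group may gain root privileges
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(root) /usr/bin/systemctl restart apache2
john    ALL=(ALL) NOPASSWD: /bin/cat
"""


def audit_sudoers(text):
    """Return a list of dicts describing user specs that grant ALL or a file-reading program."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = (m["runas"] or "root").split(":")[0].strip() or "root"
        for cmd in m["cmds"].split(","):
            tokens = cmd.split()
            # Tags look like NOPASSWD: / PASSWD: / SETENV: and precede the command.
            tags = {t[:-1] for t in tokens if t.endswith(":") and t[:-1].isupper()}
            words = [t for t in tokens if not (t.endswith(":") and t[:-1].isupper())]
            if not words:
                continue
            prog = os.path.basename(words[0])
            if words[0] == "ALL" or prog in FILE_READERS:
                findings.append({
                    "user": m["user"],
                    "runas": runas,
                    "command": " ".join(words),
                    "nopasswd": "NOPASSWD" in tags,
                    "reason": "ALL commands" if words[0] == "ALL" else f"{prog} reads arbitrary files",
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        pw = "without a password" if f["nopasswd"] else "with a password"
        print(f'{f["user"]} may run "{f["command"]}" as {f["runas"]} {pw}: {f["reason"]}')
```

Run it against the output of `sudo cat /etc/sudoers` (and the files under /etc/sudoers.d) on a host you administer; a flagged entry should be replaced with a wrapper script or a tightly scoped command rather than a general file reader.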

Let's read the flag first by exploiting the cat command.

[Image: root flag]

Now let's get root power by cracking the hash with the help of hashcat.

hashcat -m 1800 root_hash ../../rockyou.txt
[Image: hashcat output]

And finally we have the password and can easily become root by switching to the root user.


Thank you
