Welcome back for another hit on Tryhackme lab Brute-it design by Reddyz . So without wasting too much time lets go .
Level : Easy
Attacking Strategy
- Enumeration
- Rustscan
- Content Discovery
- Exploitation
- Password cracking
- John the Ripper
- Hash cracking
- Privilege Escalation
- sudoers
Enumeration
As always we start the war with rustscan scanner to check out all the open service on the target system . In this lab we find out the there are Two ports are open 22,80.
rustscan --ulimit 5001 10.10.228.13 -- -sC -sV -oA nmap


On port 80 we have a Apache running so we pick this path and start more enumeration and try to find out the pages and by firing the Dirb we find out that there is admin page on webserver
dirb http://10.10.228.13

now here we need some credentials to login in the portal which we don’t have right now but never loss the hope, after checking the view source we find the user name and we perform the brute force on login portal using hydra .
Tips : Never use burp to brute force when it’s come to use long wordlists .


Now we know the possible username so now it time to brute it .
hydra -l admin -P ../../rockyou.txt 10.10.228.13 http-post-form "/admin/:user=^USER^&pass=^PASS^:Username or password invalid"

After login we find out the new user “john” and his private key which we are going to use to login in the remote system but here is the problem that key is password protected and we have to crack that thing also and here we are using our favorite tool “John the Ripper” . To do this first we have to convert that key to hash and then crack that hash value .

sudo python /usr/share/john/ssh2john.py key >key_hash
john --wordlist=../../rockyou.txt key_hash

Here we get the password of the key and by changing the premission of the key make a login to the server with the john user .
chmod 600 key
ssh -i key [email protected]

Privilege Escalation
Its time to move to victory point means to get root powers so we start our inital enumeration way by checking out the file permission , SUID file ,etc and we get the suderos entry , here we see cat command have some power and we can read the shadow file . If you work on Linux so you already know that shadow file contains the password hashes .

Let’s read the flag first by exploiting the cat command .

Now let get the root power by cracking the hash with the help of hashcat .
hashcat -m 1800 root_hash ../../rockyou.txt


and finally we have the password and we can easily go to root by switching to root user

References
Contact : [email protected] or DM us on twitter.
Thankyou