TryHackMe — Brute It — Write-up

By Frederick Pellerin

https://tryhackme.com/room/bruteit

In this writeup, we’ll dive into a skill-check room that tests our proficiency with fundamental tools and procedures in the world of cybersecurity. Our mission is to conquer this room by answering questions related to brute-forcing, hash cracking, and privilege escalation. If you find yourself stuck at any point, don’t worry — you can always seek out the necessary information and return later to continue our journey.

Together, we’ll unravel the mysteries of this room, step by step. I’ll walk you through my approach and the challenges I encountered during the process. Keep in mind that while I’ll share my methodology, there are countless alternative solutions out there, each as valid as the next. Let’s embark on this adventure together and explore the many paths to success.

Section 1: Preparation

Starting the Machine

My note-taking app — Obsidian

As we embark on this journey, it’s crucial not to waste any time, especially when the target machine is booting. When I fire up a new machine, my first step is to create a new note file in my trusty note-taking application, Obsidian. Of course, you’re free to use any note-taking tool that suits your preferences, even a simple text editor will suffice. The key is to develop the habit of taking notes and meticulously documenting your actions, which is essential for effective penetration testing.

Organizing Your Workspace

Before diving into the more exciting aspects of this challenge, I like to keep my workspace well-organized. To do this, I create a “Brute-It” folder on my local directory and within it, a “nmap” sub-folder. This setup helps me maintain a structured approach to storing room-related files and ensures that I can easily access the resources I need during our adventure.

Preparing the Environment

Once we obtain the target machine’s IP address, it’s time to configure our environment for smooth interaction. I fire up a terminal and add the target IP along with “bruteit.thm” to the /etc/hosts file. This step simplifies our access to the target machine and avoids any potential DNS resolution issues during the penetration testing process.

sudo nano/etc/hosts

Section 2: Enumeration

Discovering Open Ports

Our journey into this challenge starts with uncovering the open ports on our target machine. To accomplish this, we’ll rely on a trusted tool: nmap. Let's launch it to see what the target machine reveals.

What do we know now?

The results of our nmap scan are in, and it's time to take stock of our findings. Here's what we've discovered:

1. Port 22: SSH — A familiar sight, as SSH is open on Port 22. With valid credentials, this is an entry point into our target.
2. Port 80: HTTP — Another standard port, with HTTP services running. This provides us with a web interface to investigate.

Section 3: Exploitation

Exploring HTTP on Port 80

Our journey takes an exciting turn as we dive into the realm of exploitation. We start with Port 80, where we find an Apache httpd 2.4.29 server running at http://bruteit.thm. Our initial visit to this URL reveals nothing out of the ordinary, just the standard Apache2 Web Server Default Page.

Unveiling Hidden Files and Directories

But the beauty of penetration testing lies in uncovering what’s hidden. Our next step involves searching for concealed files and directories on the HTTP server. To achieve this, I turn to the trusty tool called dirsearch. It's perfect for quick, initial scans. The command we use is dirsearch -u http://bruteit.thm.

dirsearch -u bruteit.thm

Now, the intrigue deepens as we explore the /admin directory. Our visit reveals a login page, but there's more to this story. When we inspect the source code of the web page, we stumble upon a hidden comment on line #26. This comment wasn't meant for us; it was intended for a mysterious figure named "john."

Login page

Commentary inserted in the file source

Valuable Discoveries

This revelation unveils two critical pieces of information:

1. The username admin appears to be valid.
2. Someone named john is associated with the admin account. However, keep in mind that "john" could be a potential username as well.

___

Brute-Forcing the Password

With a potentially valid username in hand, our next task is to find the corresponding password. For this mission, we enlist the help of Hydra, a formidable brute-forcing tool. It’s known for its speed, ease of use, and well-documented capabilities. The process is straightforward: Hydra will attempt to log in using the known admin username and a wordlist. In our case, the trusty rockyou.txt serves as the password dictionary. The result? We strike gold with the following credentials:

• User: admin
• Pass: XZXZX

___

Let’s go back to the login web page to enter our new credentials.

Right-Click_ and save the `id_rsa` link to your machine.

Cracking the Hash

Now equipped with these credentials, we return to the login web page. While there, we right-click and save the id_rsa link to our local machine. This file is a private key, a valuable credential for SSH services. However, the password is encrypted within it. To unlock its secrets, we employ the services of "JohnTheRipper."

Our first step is to create a hash file from id_rsa using a Python script named ssh2john.py. With the hash file ready, we set John to work on cracking it. The moment of truth arrives, and we emerge victorious with the password: rockn-roll.

We got a match! The **password** is: `XZXZXZXZXZXZX`

Taking Ownership

To put this newfound knowledge to use, we must ensure we have ownership of the id_rsa key. Changing the file permissions to make it read-only and owned by a single user (you) is the key.

We can check with `ls -la` that `id_rsa` is now read-only and owned by a single user, me.

Connecting via SSH

The time has come to put all our gathered intel into action. We connect to the target using the username john on the SSH server we discovered earlier.

And the magic happens — we gain access as “john.” With our newfound privileges, we quickly explore the target system to locate the coveted user.txt file.

We are in! As john. Check around quickly to find the file user.txt

Section 4: Achieving Root Access

The Final Step: Root Access

Our adventure nears its climax as we set our sights on obtaining root access. To begin, we must determine what privileges “john” holds when it comes to running commands as root using sudo. A quick check reveals that "john" can execute cat as the root user. This knowledge opens the door to the ultimate goal: accessing the root.txt flag.

Revealing the Root Flag

We use the power of sudo to read the root.txt flag by executing: sudo cat /root/root.txt

But there’s one final task remaining — we must uncover the root password.

sudo cat /root/root.txt

There is one last task left to do. Discover the root password.

Cracking the Root Password

To do this, we employ the cat command once again, but this time to retrieve the /etc/passwd and /etc/shadow files on our machine. This is the foundation for our next step - cracking the password using "JohnTheRipper."

First, we create a file named pass.txt with the password hashes by using the unshadow command: unshadow passwd.txt shadow.txt > pass.txt

unshadow passwd.txt shadow.txt > pass.txt

Then, we call upon “John” to do what he does best — crack passwords using the rockyou.txt wordlist: john --wordlist=/usr/share/wordlist/rockyou.txt pass.txt

And the moment of revelation arrives. The root password emerges from the depths of the hashes: root:xzxzxzxzxzxz:0:0:root:/root:/bin/bash

john — wordlist=/usr/share/wordlist/rockyou.txt pass.txt

john — show pass.txt
root:xzxzxzxzxzxz:0:0:root:/root:/bin/bash

There it is! The **root password** is `football`

Mission Complete!

With this final revelation, we’ve successfully reached the pinnacle of this adventure. The room is conquered, and the journey is complete.

My-Writeups/Brute It.md at main · TheRealFREDP3D/My-Writeups