TryHackMe — Brute It — Write-up
In this writeup, we’ll dive into a skill-check room that tests our proficiency with fundamental tools and procedures in the world of cybersecurity. Our mission is to conquer this room by answering questions related to brute-forcing, hash cracking, and privilege escalation. If you find yourself stuck at any point, don’t worry — you can always seek out the necessary information and return later to continue our journey.
Together, we’ll unravel the mysteries of this room, step by step. I’ll walk you through my approach and the challenges I encountered during the process. Keep in mind that while I’ll share my methodology, there are countless alternative solutions out there, each as valid as the next. Let’s embark on this adventure together and explore the many paths to success.
Section 1: Preparation
Starting the Machine
As we embark on this journey, it’s crucial not to waste any time, especially when the target machine is booting. When I fire up a new machine, my first step is to create a new note file in my trusty note-taking application, Obsidian. Of course, you’re free to use any note-taking tool that suits your preferences, even a simple text editor will suffice. The key is to develop the habit of taking notes and meticulously documenting your actions, which is essential for effective penetration testing.
Organizing Your Workspace
Before diving into the more exciting aspects of this challenge, I like to keep my workspace well-organized. To do this, I create a “Brute-It” folder on my local directory and within it, a “nmap” sub-folder. This setup helps me maintain a structured approach to storing room-related files and ensures that I can easily access the resources I need during our adventure.
Preparing the Environment
Once we obtain the target machine’s IP address, it’s time to configure our environment for smooth interaction. I fire up a terminal and add the target IP along with “bruteit.thm” to the /etc/hosts
file. This step simplifies our access to the target machine and avoids any potential DNS resolution issues during the penetration testing process.
Section 2: Enumeration
Discovering Open Ports
Our journey into this challenge starts with uncovering the open ports on our target machine. To accomplish this, we’ll rely on a trusted tool: nmap
. Let's launch it to see what the target machine reveals.
What do we know now?
The results of our nmap
scan are in, and it's time to take stock of our findings. Here's what we've discovered:
- Port 22: SSH — A familiar sight, as SSH is open on Port 22. With valid credentials, this is an entry point into our target.
- Port 80: HTTP — Another standard port, with HTTP services running. This provides us with a web interface to investigate.
Section 3: Exploitation
Exploring HTTP on Port 80
Our journey takes an exciting turn as we dive into the realm of exploitation. We start with Port 80, where we find an Apache httpd 2.4.29 server running at http://bruteit.thm
. Our initial visit to this URL reveals nothing out of the ordinary, just the standard Apache2 Web Server Default Page.
Unveiling Hidden Files and Directories
But the beauty of penetration testing lies in uncovering what’s hidden. Our next step involves searching for concealed files and directories on the HTTP server. To achieve this, I turn to the trusty tool called dirsearch
. It's perfect for quick, initial scans. The command we use is dirsearch -u http://bruteit.thm
.
Now, the intrigue deepens as we explore the /admin
directory. Our visit reveals a login page, but there's more to this story. When we inspect the source code of the web page, we stumble upon a hidden comment on line #26. This comment wasn't meant for us; it was intended for a mysterious figure named "john."
Valuable Discoveries
This revelation unveils two critical pieces of information:
- The username
admin
appears to be valid. - Someone named
john
is associated with theadmin
account. However, keep in mind that "john" could be a potential username as well.
___
Brute-Forcing the Password
With a potentially valid username in hand, our next task is to find the corresponding password. For this mission, we enlist the help of Hydra, a formidable brute-forcing tool. It’s known for its speed, ease of use, and well-documented capabilities. The process is straightforward: Hydra will attempt to log in using the known admin
username and a wordlist. In our case, the trusty rockyou.txt
serves as the password dictionary. The result? We strike gold with the following credentials:
- User: admin
- Pass: XZXZX
___
Let’s go back to the login web page to enter our new credentials.
Right-Click_ and save the `id_rsa` link to your machine.
Cracking the Hash
Now equipped with these credentials, we return to the login web page. While there, we right-click and save the id_rsa
link to our local machine. This file is a private key, a valuable credential for SSH services. However, the password is encrypted within it. To unlock its secrets, we employ the services of "JohnTheRipper."
Our first step is to create a hash file from id_rsa
using a Python script named ssh2john.py
. With the hash file ready, we set John to work on cracking it. The moment of truth arrives, and we emerge victorious with the password: rockn-roll
.
We got a match! The **password** is: `XZXZXZXZXZXZX`
Taking Ownership
To put this newfound knowledge to use, we must ensure we have ownership of the id_rsa
key. Changing the file permissions to make it read-only and owned by a single user (you) is the key.
We can check with `ls -la` that `id_rsa` is now read-only and owned by a single user, me.
Connecting via SSH
The time has come to put all our gathered intel into action. We connect to the target using the username john
on the SSH server we discovered earlier.
And the magic happens — we gain access as “john.” With our newfound privileges, we quickly explore the target system to locate the coveted user.txt
file.
Section 4: Achieving Root Access
The Final Step: Root Access
Our adventure nears its climax as we set our sights on obtaining root access. To begin, we must determine what privileges “john” holds when it comes to running commands as root using sudo
. A quick check reveals that "john" can execute cat
as the root user. This knowledge opens the door to the ultimate goal: accessing the root.txt
flag.
Revealing the Root Flag
We use the power of sudo
to read the root.txt
flag by executing: sudo cat /root/root.txt
But there’s one final task remaining — we must uncover the root password.
sudo cat /root/root.txt
There is one last task left to do. Discover the root password.
Cracking the Root Password
To do this, we employ the cat
command once again, but this time to retrieve the /etc/passwd
and /etc/shadow
files on our machine. This is the foundation for our next step - cracking the password using "JohnTheRipper."
First, we create a file named pass.txt
with the password hashes by using the unshadow
command: unshadow passwd.txt shadow.txt > pass.txt
unshadow passwd.txt shadow.txt > pass.txt
Then, we call upon “John” to do what he does best — crack passwords using the rockyou.txt
wordlist: john --wordlist=/usr/share/wordlist/rockyou.txt pass.txt
And the moment of revelation arrives. The root password emerges from the depths of the hashes: root:xzxzxzxzxzxz:0:0:root:/root:/bin/bash
john — wordlist=/usr/share/wordlist/rockyou.txt pass.txt
john — show pass.txt
root:xzxzxzxzxzxz:0:0:root:/root:/bin/bash
There it is! The **root password** is `football`
Mission Complete!
With this final revelation, we’ve successfully reached the pinnacle of this adventure. The room is conquered, and the journey is complete.