Nov. 14, 2020

Post Cover Gif animation

Brute It - THM Room

Welcome to another writeup, this time we’ll be trying to hack a newly released room on TryHackMe called Brute It created by ReddyyZ!

Getting initial access

Let’s run a rustcan to start things off:

Right away, from rustscan results we get the answers to the first part of the room, specifically these questions:

How many ports are open? What version of SSH is running? Which Linux distributions is running?

Now let’s see if we can answer the following one:

What is the hidden directory?

Running GoBuster

Let’s fire up gobuster and see if we can find that hidden directory:

Very quickly we get the hidden directory.

If we open the machine in our browser (I use Burp’s suite integrated browser just in case I need Burp later) and navigate to the directory we found using gobuster, we see a login form.

If we open the dev tools we see there are two users mentioned: john and admin. Let’s kpep those in mind.

Brute-forcing the login form

Let’s see if we can bruteforce this form. First, we need to check how it responds when we attempt to login:

From that attempt we get all we need to try to brute-force our way in.

Let’s ready our hydra command:

hydra -l <username> -P <wordlist> http-post-form "/admin/:user=^USER^&pass=^PASS^:F=Username or password invalid" -V

NOTE: we could also do -L and provide a list of usernames with both admin and john. As for the wordlist I’ll try with rockyou.txt.

Once ready we launch the command:

This might take a while but we’ll get the password. In hydra we trust 😂

Let’s log in with the credentials we now have:

We get the web flag for the room and a link to a RSA private key:

Cracking the RSA key

Now we need to crack that key so we can hopefully get the initial access to this machine.

We need to grab that plain text key and save it into a file so we can use john to try and crack it. Before that we need to use ssh2john to generate a file that can be cracked by john.

Now we can run john:

and we get the hash cracked.

Now let’s try to connect as john with that key we’ve got:

NOTE: Remember we need proper permissions set for the key to work, so do chmod 600 id_rsa before tryin to log in with the key.

Ok we managed to get the initial access. Off to get the flags now.

Getting the user.txt flag

For this flag we just need to list the files in the directory, and then cat the user.txt file:

That’s the user flag.

Getting the root.txt flag

Now we need to find a way to scalate privileges to root so we can get the last flag. Let’s fire up a python HTTP local server in a folder where we get the ready. Then from the target machine we’ll wget that file so we can do some enumeration.

NOTE: Remmeber to run chmod +x before running it.

Right away we see the user john seems to have permissions to run as sudo, let’s check that out:

If we run sudo -l we can see which commands we can run as sudo:

It seems we can run cat as sudo, we can probably just try to cat the root.txt flag if it is in the usual location /root/root.txt:

That’s it, we got the flag. However, we are not done yet. We need to find the password for the root account. So let’s see how we can get root from cat by searching in GTFObins page:

So let’s try to get the /etc/shadow file so we can potentially get the root password:

Ok we have the password hashes, let’s try to crack them now:

It seems the password are using SHA512crypt. But instead of trying to crack that we can leverage the cat command again and get the /etc/passwd file two, so we can then use the ushadow tool to get the password:

Now having both files we can just use unshadow to get the password:

Now we need to run john again on that passwords file and we should be golden:

That’s it we got the last answer to fully solve this room!

I hope you enjoy the room, props to ReddyyZ for creating it!

Happy hacking!

comments powered by Disqus