Created by potrace 1.14, written by Peter Selinger 2001-2017 Utkarsh's Blog

Brute It - TryHackMe

 
  • Dec 06, 2020

Room Link

Task 1 : About this box

yeah lets start the box.

Task 2 : Reconnaissance

Let us run a nmap scan

/assets/images/posts/bruteit/Untitled.png

How many ports are open?

2

What version of SSH is running?

openssh 7.6p1

What version of Apache is running?

2.4.29

Which Linux distribution is running?

ubuntu

Although it says no exact os matches, we can see that the ssh service is running on ubuntu

What is the hidden directory?

admin

We will do a gobuster scan to for the http server

/assets/images/posts/bruteit/Untitled%201.png

Task 3 : Getting a shell

What is the user:password of the admin panel?

We get a form at <ip>:80\admin

/assets/images/posts/bruteit/Untitled%202.png

we can use hydra to bruteforce it

looking at the source code for the page, there is some useful info for hydra command

/assets/images/posts/bruteit/Untitled%203.png

/assets/images/posts/bruteit/Untitled%204.png

What is John’s RSA Private Key passphrase?

rockinroll

on logging in with the obtained password, we get the following page

/assets/images/posts/bruteit/Untitled%205.png

this is the RSA private key obtained -

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,E32C44CDC29375458A02E94F94B280EA

JCPsentybdCSx8QMOcWKnIAsnIRETjZjz6ALJkX3nKSI4t40y8WfWfkBiDqvxLIm
UrFu3+/UCmXwceW6uJ7Z5CpqMFpUQN8oGUxcmOdPA88bpEBmUH/vD2K/Z+Kg0vY0
BvbTz3VEcpXJygto9WRg3M9XSVsmsxpaAEl4XBN8EmlKAkR+FLj21qbzPzN8Y7bK
HYQ0L43jIulNKOEq9jbI8O1c5YUwowtVlPBNSlzRMuEhceJ1bYDWyUQk3zpVLaXy
+Z3mZtMq5NkAjidlol1ZtwMxvwDy478DjxNQZ7eR/coQmq2jj3tBeKH9AXOZlDQw
UHfmEmBwXHNK82Tp/2eW/Sk8psLngEsvAVPLexeS5QArs+wGPZp1cpV1iSc3AnVB
VOxaB4uzzTXUjP2H8Z68a34B8tMdej0MLHC1KUcWqgyi/Mdq6l8HeolBMUbcFzqA
vbVm8+6DhZPvc4F00bzlDvW23b2pI4RraI8fnEXHty6rfkJuHNVR+N8ZdaYZBODd
/n0a0fTQ1N361KFGr5EF7LX4qKJz2cP2m7qxSPmtZAgzGavUR1JDvCXzyjbPecWR
y0cuCmp8BC+Pd4s3y3b6tqNuharJfZSZ6B0eN99926J5ne7G1BmyPvPj7wb5KuW1
yKGn32DL/Bn+a4oReWngHMLDo/4xmxeJrpmtovwmJOXo5o+UeEU3ywr+sUBJc3W8
oUOXNfQwjdNXMkgVspf8w7bGecucFdmI0sDiYGNk5uvmwUjukfVLT9JPMN8hOns7
onw+9H+FYFUbEeWOu7QpqGRTZYoKJrXSrzII3YFmxE9u3UHLOqqDUIsHjHccmnqx
zRDSfkBkA6ItIqx55+cE0f0sdofXtvzvCRWBa5GFaBtNJhF940Lx9xfbdwOEZzBD
wYZvFv3c1VePTT0wvWybvo0qJTfauB1yRGM1l7ocB2wiHgZBTxPVDjb4qfVT8FNP
f17Dz/BjRDUIKoMu7gTifpnB+iw449cW2y538U+OmOqJE5myq+U0IkY9yydgDB6u
uGrfkAYp6NDvPF71PgiAhcrzggGuDq2jizoeH1Oq9yvt4pn3Q8d8EvuCs32464l5
O+2w+T2AeiPl74+xzkhGa1EcPJavpjogio0E5VAEavh6Yea/riHOHeMiQdQlM+tN
C6YOrVDEUicDGZGVoRROZ2gDbjh6xEZexqKc9Dmt9JbJfYobBG702VC7EpxiHGeJ
mJZ/cDXFDhJ1lBnkF8qhmTQtziEoEyB3D8yiUvW8xRaZGlOQnZWikyKGtJRIrGZv
OcD6BKQSzYoo36vNPK4U7QAVLRyNDHyeYTo8LzNsx0aDbu1rUC+83DyJwUIxOCmd
6WPCj80p/mnnjcF42wwgOVtXduekQBXZ5KpwvmXjb+yoyPCgJbiVwwUtmgZcUN8B
zQ8oFwPXTszUYgNjg5RFgj/MBYTraL6VYDAepn4YowdaAlv3M8ICRKQ3GbQEV6ZC
miDKAMx3K3VJpsY4aV52au5x43do6e3xyTSR7E2bfsUblzj2b+mZXrmxst+XDU6u
x1a9TrlunTcJJZJWKrMTEL4LRWPwR0tsb25tOuUr6DP/Hr52MLaLg1yIGR81cR+W
-----END RSA PRIVATE KEY-----

we can use john to decrypt it but first we need to extract the hash from it using ssh2john.py

/assets/images/posts/bruteit/Untitled%206.png

user.txt

use the rsa key and passphrase obtained to ssh login. we know the username is john from the admin login page

/assets/images/posts/bruteit/Untitled%207.png

Web flag

obtained after logging in the admin form

Task 4 : Privilege Escalation

cat has sudo permission so we can get the root flag directly

/assets/images/posts/bruteit/Untitled%208.png

Also this cat will help us find root password, whose hash is stored in /etc/shadow

use john to crack it

/assets/images/posts/bruteit/Untitled%209.png

Search