TryHackMe : Brute It CTF Writeup


Brute It CTF

Introduction

Brute It is a beginner-friendly challenge from TryHackMe. It is divided into three tasks: Reconnaissance, Cover, and Privilege Escalation, with questions along the way to guide you through each task. The challenge requires you to brute force a login, crack hashes, and escalate privileges to root.

Enumeration

As usual, we start with initial enumeration by running an nmap port scan, looking for open ports and the services running on the target.

nmap -sV -vv <IP>

We find some open ports.


Use Gobuster

We’ll use Gobuster to find any hidden directories. We can start with the common.txt wordlist and move on to a larger one if we don’t find anything. We’ll use the following command:

gobuster dir -u <IP> -w /usr/share/wordlists/dirb/common.txt

We get a short list of results. One of them is interesting and deserves further scrutiny.

Getting a shell

If we navigate to the hidden directory we found, we come across a login portal.


The page source contains a comment that gives us a person’s name and the username to log in with.


Use Hydra

We will use Hydra to brute force the password. First, let’s see what a login request looks like in Burp Suite: start FoxyProxy and Burp Suite, then submit a login attempt so the request is captured.


Now that we have the login request, we also need to see what a failed attempt looks like, so that Hydra can tell a failure from a success and doesn’t report a false positive.


This allows us to create a Hydra command to brute force the page.

We will use the following command:

hydra -l admin -P /usr/share/wordlists/rockyou.txt MACHINE_IP http-post-form "/admin/:user=^USER^&pass=^PASS^:Username or password invalid"

We almost immediately get the password.
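Both the Gobuster run and the Hydra run above leave an obvious trail in the web server’s access log: a burst of 404s from one client, followed by a burst of POSTs to /admin/ that all return the same “invalid” page. The following Python script is an added example written for this write-up (it is not part of the original post or of the TryHackMe room) that parses Apache/nginx combined-format log lines and flags a client for either pattern. The log lines, the IP addresses and the thresholds are constructed for the demonstration; the 60-second window and the thresholds are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Regex for the Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def max_in_window(timestamps, window):
    """Largest number of events that fall inside any span of `window` seconds.
    `timestamps` must be sorted ascending."""
    best = j = 0
    for i, t in enumerate(timestamps):
        while (t - timestamps[j]).total_seconds() > window:
            j += 1
        best = max(best, i - j + 1)
    return best

def detect(lines, window=60, dir_threshold=20, login_threshold=10, login_path="/admin/"):
    """Return {ip: set of alert names} for clients whose requests look like
    Gobuster-style directory enumeration (a burst of 404s) or Hydra-style
    password guessing (a burst of POSTs to the login page)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        kinds = set()
        not_found = [r["ts"] for r in recs if r["status"] == 404]
        if max_in_window(not_found, window) >= dir_threshold:
            kinds.add("directory-bruteforce")
        logins = [r["ts"] for r in recs if r["method"] == "POST" and r["path"] == login_path]
        if max_in_window(logins, window) >= login_threshold:
            kinds.add("login-bruteforce")
        if kinds:
            alerts[ip] = kinds
    return alerts

def make_sample_log():
    """Constructed sample log: one noisy client (10.0.0.5) and one normal visitor (10.0.0.9)."""
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status, size):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size}'

    # 25 wordlist guesses in 25 seconds, then 12 password guesses in 12 seconds.
    lines = [line("10.0.0.5", i, "GET", f"/guess{i}/", 404, 196) for i in range(25)]
    lines += [line("10.0.0.5", 30 + i, "POST", "/admin/", 200, 1120) for i in range(12)]
    # A normal visitor: browse, open the login page, log in once.
    lines += [line("10.0.0.9", 5, "GET", "/", 200, 2310),
              line("10.0.0.9", 40, "GET", "/admin/", 200, 1120),
              line("10.0.0.9", 55, "POST", "/admin/", 302, 0)]
    return lines

if __name__ == "__main__":
    for ip, kinds in detect(make_sample_log()).items():
        print(ip, ", ".join(sorted(kinds)))
```

Run against a real log with detect(open("access.log").read().splitlines()). Note that the “Username or password invalid” string Hydra keys on lives in the response body, which the access log does not record; the equivalent log-side signal is that every failed POST returns 200 with an identical response size, whereas a successful login typically redirects.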


John’s RSA Private Key

When we log in to the web page, we see a flag and a link to a private key.


The RSA key is passphrase-protected, so we cannot use it for SSH yet. Let’s copy and paste it into a file called “privkey” so we can crack the passphrase with John the Ripper.

We’ll use the following command to convert the key to something John can read:

python ssh2john.py privkey > keyhash

Now we can use John to crack the key hash file using the following command:

john --wordlist=/usr/share/wordlists/rockyou.txt keyhash

We get the passphrase for the RSA key.
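The root cause on this box is not the weak passphrase alone but the fact that a private key was sitting under the web root in the first place; the passphrase only slows an offline attack like the ssh2john/john run above. As an added example (not from the original post or the room), here is a small Python check a defender can run over a web root to find files that begin with private-key headers and report whether the header advertises passphrase protection. The demo web root, its file names and the key contents are constructed placeholders, not real keys.

```python
import os
import tempfile

# PEM/OpenSSH headers that mark private key material.
KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)

def is_pem_encrypted(head):
    """True if the key header advertises passphrase protection (legacy PEM
    'Proc-Type: 4,ENCRYPTED' line or PKCS#8 'ENCRYPTED PRIVATE KEY').
    OpenSSH-format keys give no such hint in the header, so they return False
    here and need a separate check."""
    return b"Proc-Type: 4,ENCRYPTED" in head or b"BEGIN ENCRYPTED PRIVATE KEY" in head

def find_exposed_keys(webroot, max_head=4096):
    """Walk a web root and return sorted (relative path, header says encrypted)
    pairs for every file whose first bytes look like a private key."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_head)
            except OSError:
                continue
            if any(marker in head for marker in KEY_MARKERS):
                rel = os.path.relpath(path, webroot).replace(os.sep, "/")
                findings.append((rel, is_pem_encrypted(head)))
    return sorted(findings)

def make_demo_webroot():
    """Build a throwaway web root with constructed files: ordinary pages plus two
    planted, non-functional placeholder key files. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    files = {
        "index.html": b"<html><body>hello</body></html>\n",
        "admin/index.php": b"<?php // login form ?>\n",
        # Legacy PEM key with a passphrase: the header says so explicitly.
        "admin/id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                         b"Proc-Type: 4,ENCRYPTED\n"
                         b"DEK-Info: AES-128-CBC,PLACEHOLDERIV\n\n"
                         b"PLACEHOLDER_BASE64_NOT_A_REAL_KEY\n"
                         b"-----END RSA PRIVATE KEY-----\n"),
        # OpenSSH-format key: the header does not say whether it is encrypted.
        "backup/key.pem": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                           b"PLACEHOLDER_BASE64_NOT_A_REAL_KEY\n"
                           b"-----END OPENSSH PRIVATE KEY-----\n"),
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, enc in find_exposed_keys(make_demo_webroot()):
        status = "passphrase-protected PEM" if enc else "unprotected or OpenSSH format"
        print(f"{rel}: private key ({status})")
```

Point find_exposed_keys at a real document root (for example /var/www/html) from a cron job or a CI step; any hit is a finding regardless of whether the key is encrypted, because the passphrase can be attacked offline exactly as this write-up shows.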


Getting the user flag

Let’s restrict the permissions on privkey so SSH will accept it as a key (SSH refuses to use a private key that is readable by other users). We’ll use the following command to do this:

chmod 600 privkey

Then we will log into the target via SSH using the following command:

ssh john@<IP> -i privkey

When prompted for the key’s passphrase, we enter the one we cracked with John.



Privilege Escalation

If we list our sudo permissions with sudo -l, we’ll see that we can run cat as root without a password.


To get the root password, we can use John on the root password hash from /etc/shadow. Since we can run cat as root, we can read the shadow file. We copy the contents of /etc/passwd and /etc/shadow into files called passwd and shadow on our own machine, then run unshadow on them and save the result into a file called shdo.


We can then use John to crack passwords using the following command:

john --wordlist=/usr/share/wordlists/rockyou.txt shdo

We get the root password almost instantly.
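The misconfiguration that makes this step possible is a sudoers rule granting a file-reading program as root, with NOPASSWD on top. As an added example (not from the original post or the room), the following Python script parses sudoers-style user specifications and reports rules that hand out a full root shell or let a user run a known file reader as root, so an administrator can audit a host before an attacker finds the rule with sudo -l. The sample sudoers text is constructed, and the FILE_READERS list is an illustrative starting set rather than a complete catalogue.

```python
import re

# Programs that read arbitrary files when run as root; illustrative, not exhaustive.
FILE_READERS = {"cat", "tac", "head", "tail", "less", "more", "nl", "grep", "awk",
                "sed", "strings", "base64", "cp", "dd", "tar", "vi", "vim", "nano"}

# user_or_%group  host=(runas[:group])  [TAG:] command[, command...]
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Parse user-specification lines from sudoers-style text into dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(ALL:ALL)" -> "ALL", "(root)" -> "root", no parenthesis -> root by default
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "who": m.group("who"),
            "runas": runas,
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
        })
    return rules

def audit(rules):
    """Return (who, command, nopasswd, reason) for rules that grant a full root
    shell or root-level use of a file-reading program."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue                                  # cannot reach root via this rule
        for cmd in r["cmds"]:
            if cmd == "ALL":
                findings.append((r["who"], cmd, r["nopasswd"], "any command as root"))
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]  # strip arguments and directory
            if prog in FILE_READERS:
                findings.append((r["who"], cmd, r["nopasswd"],
                                 f"{prog} as root can read /etc/shadow and other protected files"))
    return findings

# Constructed sample, not a real host's sudoers.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
john    ALL=(root) NOPASSWD: /bin/cat
alice   ALL=(root) /usr/bin/systemctl restart nginx
bob     ALL=(www-data) NOPASSWD: /bin/cat
"""

if __name__ == "__main__":
    for who, cmd, nopw, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who:8} {cmd:40} {'NOPASSWD' if nopw else 'password':9} {reason}")
```

On a real host, feed it the output of visudo -c -f or the contents of /etc/sudoers and /etc/sudoers.d/*. The john rule is the one this room relies on: a single file reader as root, no password required, and the shadow file is one command away.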


Getting the root flag

Now that we have the root password, we can switch to the root user and read the flag.



We’ve completed the room!
We’ve gone from an nmap scan to root using Gobuster, Burp Suite, Hydra, and John the Ripper. I hope this article was helpful in completing the room!

