
TryHackMe: Brute It

Brute It is a beginner-friendly challenge by TryHackMe. It is separated into three tasks, reconnaissance, getting a shell, and privilege escalation, with questions along the way to guide you through the engagement. It is a bit more hand-holding than most rooms but was a fun challenge nonetheless. This box requires you to brute force a login, crack hashes, and escalate privileges to root.

Task 2 – Reconnaissance

The reconnaissance phase of this challenge is the equivalent of information gathering on an assessment. Details such as how many ports are open, what services they run, and what operating system the host uses determine how to approach the system. Other than discovering the web server’s hidden directories, most of this information can be gathered with Nmap.

Task 2

To start the reconnaissance phase, we run Nmap against all ports, 1-65535. Nmap, short for Network Mapper, “is used to discover hosts and services on a computer network by sending packets and analyzing the responses.”

Nmap results

The highlighted sections of the scan are used to answer the questions. This Ubuntu Linux machine has two open ports: port 22 is running OpenSSH 7.6p1, and port 80 is running the Apache HTTP server, version 2.4.29.

All that is left to do is find the hidden directory on the server’s website.

gobuster results

Tools like Gobuster and DirBuster use wordlists to enumerate directories and files. The /admin directory returns a status code of 301 (Moved Permanently), which redirects us to /admin/, the same path with a trailing slash. As one might guess, that page greets us with an admin login panel.

Task 2 Solutions

Task 3 – Getting a shell

Now that the necessary information has been gathered, it is time to get a shell on this system. To start, we need to brute force the username and password of the admin panel and then crack the passphrase of John’s RSA private key. Finally, we enumerate the system for the challenge’s web and user.txt flags.

Task 3

When going to the /admin/ directory, there is a login form that requires a username and password.

admin panel

Using a tool like Hydra, we can brute force the login credentials of the admin account. The browser’s built-in developer tools show the traffic sent to and from the server: every login attempt sends a POST request to /admin/index.php with the user and pass parameters in the body. We add the failure message, Username or password invalid, to the end of the Hydra command so it can tell a failed attempt apart from a successful login.

admin panel credentials

After going through thousands of common passwords, we can see that the admin account uses the password xavier. The /admin/panel directory holds the web flag THM{brut3_f0rce_is_e4sy} as well as a link to John’s RSA private key.
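From the defender’s side, the login brute force described above leaves an obvious trace: one client sending many POST requests to /admin/index.php in a short time. The following script, added here as an example and not part of the original post or the room, parses Apache combined-format access log lines and flags any source IP that hits the login endpoint more than a threshold number of times inside a sliding time window. The log lines are constructed for the demo; the path, window and threshold are parameters you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_login_bursts(lines, path="/admin/index.php", window_s=60, threshold=10):
    """Return {ip: total_posts} for every client that POSTed to `path` at least
    `threshold` times inside some `window_s`-second sliding window."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans at most window_s seconds.
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def _line(ip, second, method, path, ua):
    # Builds one constructed log line; every value here is made up for the demo.
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 1322 "-" "{ua}"')


# Constructed sample: one ordinary visitor (two login attempts), one line that is
# not in combined format, and one client sending twelve POSTs in eleven seconds.
SAMPLE_LOG = (
    [_line("10.0.0.5", 1, "GET", "/admin/", "Mozilla/5.0"),
     _line("10.0.0.5", 5, "POST", "/admin/index.php", "Mozilla/5.0"),
     _line("10.0.0.5", 9, "POST", "/admin/index.php", "Mozilla/5.0"),
     "this line is not in combined format and is skipped"]
    + [_line("10.0.0.9", 20 + i, "POST", "/admin/index.php", "python-requests/2.31")
       for i in range(12)]
)

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to /admin/index.php within the window")
```

The access log alone cannot say whether an attempt failed; the application should log that itself, which is also where a lockout or rate limit on the form belongs. Feeding real log lines in through `find_login_bursts(open(path).read().splitlines())` is enough to try it on a live server.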

Web flag and RSA Private Key

The admin of this system has set up SSH key-based authentication. Key-based authentication “uses cryptography to ensure secure connections… The private key should be kept secret and is used to connect to machines that have the matching public key.” By cracking the private key’s passphrase, we will be able to SSH into the system as John.

RSA passphrase cracked

ssh2john.py converts the id_rsa file into a hash format that John the Ripper can crack. With a wordlist like rockyou.txt, which contains millions of common passwords, a dictionary attack against the id_rsa.hash file recovers the passphrase. The passphrase protecting the SSH private key is rockinroll.

user.txt

After changing the id_rsa file’s permissions to 600, we can use SSH’s identity option (-i) to log in as John. In John’s home directory is the user.txt file containing the flag THM{a_password_is_not_a_barrier}.
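The key that was cracked here was protected by a passphrase, but a dictionary attack still worked because the passphrase was weak and, for keys in the legacy PEM format, the passphrase-to-key derivation is a single MD5 pass that is very cheap to guess against. The script below, added as an example and not code from the original post, inspects a private key file from the owner’s side: it reads only the unencrypted header to report the format, cipher, KDF and bcrypt round count, checks that the file is owner-only (mode 600, as the walkthrough sets it), and turns those facts into findings. The key headers it parses are constructed with a helper and contain no real key material.

```python
import base64
import os
import stat
import struct
import tempfile

MAGIC = b"openssh-key-v1\x00"   # header of the current OpenSSH private-key format


def _read_str(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at `off`."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _pack_str(b):
    return struct.pack(">I", len(b)) + b


def inspect_private_key(text):
    """Describe how a private key file is protected, reading only its
    unencrypted header; no passphrase is needed and no secret is decoded."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        cipher, off = _read_str(blob, off)
        kdf, off = _read_str(blob, off)
        kdfopts, off = _read_str(blob, off)
        info = {"format": "openssh-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none", "rounds": None}
        if kdf == b"bcrypt":
            _salt, o = _read_str(kdfopts, 0)      # kdfoptions = string salt, uint32 rounds
            (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
        return info
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM (e.g. "BEGIN RSA PRIVATE KEY"): encryption is signalled by headers.
        encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        dek = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("DEK-Info:")), None)
        return {"format": "pem", "cipher": dek.split(",")[0] if dek else "none",
                "kdf": "md5-evp" if encrypted else "none", "encrypted": encrypted, "rounds": None}
    raise ValueError("unrecognised private key format")


def assess(info):
    """Turn the header facts into findings the key owner should act on."""
    findings = []
    if not info["encrypted"]:
        findings.append("key is stored without a passphrase")
    elif info["format"] == "pem":
        findings.append("legacy PEM encryption derives the key with a single MD5 pass, so guessing is cheap")
    elif info["kdf"] == "bcrypt" and info["rounds"] < 16:
        findings.append(f"bcrypt rounds={info['rounds']} is below ssh-keygen's default of 16")
    return findings


def key_file_mode_ok(path):
    """True when the file is readable by its owner only (what ssh requires)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def build_demo_header(cipher, kdf, rounds=16):
    """Construct a syntactically valid openssh-key-v1 header with dummy key
    sections. This is NOT a usable key; it exists only to exercise the parser."""
    kdfopts = _pack_str(b"\x01" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    blob = (MAGIC + _pack_str(cipher.encode()) + _pack_str(kdf.encode()) + _pack_str(kdfopts)
            + struct.pack(">I", 1) + _pack_str(b"dummy-public-key") + _pack_str(b"\x00" * 32))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-format sample (arbitrary base64 body, not real key material).
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""


def demo_permission_check():
    """Create a throw-away file and check it at mode 0644, then at 0600."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = key_file_mode_ok(path)
        os.chmod(path, 0o600)
        after = key_file_mode_ok(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for label, key in [("bcrypt/16", build_demo_header("aes256-ctr", "bcrypt")),
                       ("no passphrase", build_demo_header("none", "none")),
                       ("legacy PEM", LEGACY_PEM)]:
        print(label, assess(inspect_private_key(key)) or ["ok"])
    print("mode 0644 ok?, mode 0600 ok?:", demo_permission_check())
```

The useful lesson for key owners is that the format and KDF matter as much as the passphrase: a key written by a current ssh-keygen (openssh-key-v1, bcrypt KDF, 16 or more rounds) makes each guess far more expensive than the legacy PEM encryption does, and a long passphrase is what keeps a wordlist like rockyou.txt from succeeding at all.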

Task 3 Solutions

Task 4 – Privilege Escalation

The last thing to do on this system is escalate our privileges to root. As root, we have effectively taken over and owned the system.

Task 4

sudo -l lists the commands John can run with root privileges without being root. The cat command reads data from files, but because John can run it as root, “it may be used to do privileged reads or disclose files outside a restricted file system”.

root.txt

This means that our user John can read the root.txt flag. All we need to do is point cat at the file in the root directory. The root.txt flag is THM{pr1v1l3g3_3sc4l4t10n}.
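The sudo rule John benefits from is the kind of thing a sudoers review should catch before an attacker does. The script below is an added example, not code from the original post: it parses sudoers-style user specifications, and flags rules that let a non-root user run, as root, a command that either reads arbitrary files or can start other programs. The key sudoers detail it encodes is that a command listed without arguments matches any arguments, so a bare /bin/cat grants every file root can read, while /bin/cat /var/log/app.log grants exactly one. The sample sudoers text and the lists of risky binaries are constructed for the demo.

```python
import re
import posixpath

# One sudoers user specification:  user  host = (runas) [TAG:]... command[, command]...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Binaries that, run as root, read arbitrary files or can start other programs.
# Illustrative lists for the demo, not an exhaustive catalogue.
READS_ANY_FILE = {"cat", "tac", "head", "tail", "less", "more", "base64", "xxd"}
RUNS_OTHER_PROGRAMS = {"bash", "sh", "env", "find", "vi", "vim", "nano", "python3", "perl", "awk"}


def parse_sudoers(text):
    """Parse user specifications from sudoers-style text into one dict per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m["tags"].split() if t}
        runas = m["runas"] or "root"          # sudo defaults to root when no runas list is given
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            parts = cmd.split()
            rules.append({"user": m["user"], "runas": runas.split(":")[0],
                          "nopasswd": "NOPASSWD" in tags,
                          "command": parts[0], "args": parts[1:]})
    return rules


def audit(rules):
    """Flag rules that let a non-root user run a dangerous command as root."""
    findings = []
    for r in rules:
        if r["user"] == "root" or r["runas"] not in ("root", "ALL"):
            continue
        name = posixpath.basename(r["command"])
        why = None
        if r["command"] == "ALL":
            why = "may run any command as root"
        elif name in RUNS_OTHER_PROGRAMS:
            why = f"{name} can spawn other programs, which yields a root shell"
        elif name in READS_ANY_FILE and not r["args"]:
            why = f"{name} with unrestricted arguments can read any file root can read"
        if why:
            findings.append({"user": r["user"], "rule": " ".join([r["command"], *r["args"]]),
                             "nopasswd": r["nopasswd"], "why": why})
    return findings


# Constructed sample sudoers content for the demo (not the room's real file).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
john    ALL=(root) NOPASSWD: /bin/cat
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /bin/cat /var/log/app.log
alice   ALL=(ALL) /usr/bin/vim
"""

if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['user']}: {tag}{f['rule']} -> {f['why']}")
```

On a real host, the same check can be run over /etc/sudoers and the files under /etc/sudoers.d; the fix for a rule like John’s is to restrict the arguments to the specific file the user needs, or to grant a purpose-built script instead of a general-purpose binary.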

Reading any file on the system is nice, but it does not mean we have owned the system entirely. I collected the /etc/passwd and /etc/shadow files off the system to get root’s password. These files hold the system’s local accounts and their password hashes, which the operating system uses to authenticate logins.

/etc/passwd and /etc/shadow files

Before we use John the Ripper to find out root’s password, we need to put the hashes into a format that john will understand. To do this we use the unshadow command:

unshadow passwd.txt shadow.txt > pass.txt

root password

After letting John the Ripper work its magic for a couple of minutes, we can see that root’s password is football. We can then switch users and become root.
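The unshadow step simply joins /etc/passwd and /etc/shadow on the username so that john sees each account with its hash. The same join is useful to an administrator looking for accounts that would fall to a wordlist quickly. The script below is an added example and not code from the original post: it parses both files, classifies each shadow hash by its prefix, and reports accounts that have an empty password together with a login shell or that use a fast legacy hash such as md5crypt. The passwd and shadow content is constructed with placeholder hashes and contains no real credentials.

```python
# Hash prefix to algorithm; only the last few are what a current distro should emit.
ALGORITHMS = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
              "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt",
              "$y$": "yescrypt", "$gy$": "gost-yescrypt"}
WEAK = {"md5crypt", "descrypt"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def classify_hash(field):
    """Map the password field of a shadow entry to what it means."""
    if field is None:
        return "missing"                   # user has no shadow entry at all
    if field == "":
        return "empty"                     # login succeeds with no password
    if field.startswith(("!", "*")):
        return "locked"                    # password login disabled
    for prefix, name in ALGORITHMS.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and not field.startswith("$"):
        return "descrypt"                  # traditional DES crypt, 8-character limit
    return "unknown"


def parse_passwd(text):
    """username -> {uid, shell} from passwd-format lines."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            out[f[0]] = {"uid": int(f[2]), "shell": f[6]}
    return out


def parse_shadow(text):
    """username -> password field from shadow-format lines."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 2:
            out[f[0]] = f[1]
    return out


def audit_accounts(passwd_text, shadow_text):
    """Join passwd and shadow on the username (the join unshadow performs) and
    report accounts whose password protection is missing or weak."""
    users, hashes = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, acct in users.items():
        kind = classify_hash(hashes.get(name))
        can_login = acct["shell"] not in NOLOGIN_SHELLS
        if kind == "empty" and can_login:
            findings.append({"user": name, "severity": "critical",
                             "issue": "empty password with a login shell"})
        elif kind in WEAK:
            findings.append({"user": name, "severity": "high",
                             "issue": f"password hashed with {kind}, fast to crack offline"})
        elif kind in ("unknown", "missing"):
            findings.append({"user": name, "severity": "info",
                             "issue": f"shadow entry {kind}"})
    return sorted(findings, key=lambda f: f["user"])


# Constructed sample files (placeholder hashes, no real credentials).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000::/home/john:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
john:$1$PLACEHOL$PLACEHOLDERHASH:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"[{f['severity']}] {f['user']}: {f['issue']}")
```

The hash algorithm only changes how many guesses per second an attacker gets; a password like football is in every wordlist and falls under any algorithm within minutes, which is why the room’s root account was lost despite sha512crypt being the Ubuntu default. The check is still worth running: it finds the empty and legacy entries that make cracking unnecessary in the first place.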

root

Task 4 Solutions

Conclusion

In conclusion, this is a nice follow-up to the Brooklyn Nine Nine room. This box required several kinds of brute force attacks: the admin panel credentials, the RSA key passphrase, and the root password all had to be brute forced to complete the challenge. It just goes to show that passwords are not the end-all and be-all of security.
