Subscribe

Brute It TryHackMe room

Brute It TryHackMe room
Photo by Theo Crazzolara / Unsplash

It's been a while since I have tackled some of these rooms in THM but I am going to try and do this regularly again. I hope that this helps someone in trying to learn some of the basic concepts.

The first thing I like to do is an nmap scan of the machine to see what ports are open. The specific command I run right away is namp -T4 -p- 10.10.211.196. In this case this will come back with ports 80 and 22. After this initial scan I will do a more detailed scan of the specific ports. nmap -sV -sC -p 80,22 10.10.211.196 | tee ports.txt. This will give more more detailed information that can be used to answer the questions for the room.

Now that I have figured out the ports that are open then next step is to see what's available on the web server. The main page is just the default install page for the web server and I am going to assume there is something else there. The program that I am going to use to enumerate the other pages on the web server is gobuster and the specific syntax that I will need to use is: gobuster dir -u http://10.10.211.196 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt

Looking at the results that are shown on the page I can see there is a status code of 301. That means that there is a temporary redirect to another page on this machine, so I can assume that this is the page that I want to navigate to. Let's go there and take a look at the page and some source code to see if there are any other clues to this puzzle.

I see this is a simple login page and the source code reveals another clue. You can use CTRL+U, typically, to view the source code of a website. <!– Hey john, if you don't remember, the username is admin --> This tidbit of information can help use try to use a tool to brute force the password on this login form. I know that I want to use Hydra to brute force this login form.

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.211.196 http-post-form '/admin/:user=^USER^&pass=^PASS^&LOGIN=Login:Username or password invalid'

This will take a little time but I eventually have a password to login to this site. Let's login and take a look around to see what we can do next.

On this page I can see a flag for the room and a link to a private key used for ssh. I want to download that key to my computer and in order to do that I want to open a terminal and then change the directory to my working one. cd /PATH/TO/DIRECTORY Once I am in the correct directory I am going to use wget to pull down that key file in order to work with it. wget http://10.10.211.196/admin/panel/id_rsa

Once the key is downloaded to my computer I want to change the permissions on the file in order to use it to try to login. chmod 400 id_rsa is the command that I will run to change the permissions to be read only for the current user and no one else. The next step I want to do is to try and use this to login to the machine. ssh -i id_rsa john@10.10.211.196 The -i tells ssh that I want to use an identity (private) key to authenticate the user john onto the machine. This doesn't work because the key is protected with a password, that I don't know.

In order to try and brute force the password I need to use John the Ripper (JtR). JtR needs to have the key in a specific format that the program can read. JtR will not be able to read the key in it's current format. So, I need to find a program that will convert the private key to the format JtR needs.

python3 /usr/share/john/ssh2john.py id_rsa > id.hash Since, ssh2john.py is a python file I have to use python3 to run the file. This program will convert the key to the format that is needed for JtR and will save the file as id.hash.

In order to brute force the key, I have the file in the format I need now I can use JtR to brute force the password and this is done with this command. john --wordlist=/usr/share/wordlists/rockyou.txt id.hash

After a few minutes the password for the key will be displayed on the screen. Now that I have the password let's try the ssh command again to logon to the machine. And this works perfectly and I can see that I am a low privilege user on this machine 'john'. We have to get the user file on the machine and that is in the current directory and in order to read the file I will use the cat command. cat user.txt

There are some more questions that I need to answer and they are related to the root user. That means that I need to privilege escalate to the root user. There are many ways to do this but I always like to start with sudo -l to see what permissions this user can run as an admin.

I can see that john can run /bin/cat as an admin. This will prove to be good because I have to figure out the root user's password. With this command I can read any files on this machine and I am after 2 specific ones. /etc/passwd and /etc/shadow The passwd file will contain the users on the machine and the shadow file will contain the hashed passwords for the users. There are two different ways that I can brute the passwords, using JtR or Hashcat. JtR will need both files combined into 1 file that JtR can use. Hashcat will just need the hash of the password for the root user. I will show how to both ways here.

Let's start with JtR, using the sudo /bin/cat /etc/shadow command I will display the contents of the file in the terminal window and then copy that to a text file on my machine called shadow.txt and sudo /bin/cat /etc/passwd I will do the same as above except I will save this file as passwd.txt.

In order to combine the files into a format for JtR I will use unshadow passwd.txt shadow.txt > brute to combine the files. Now to use JtR, john --wordlist=/usr/share/wordlists/rockyou.txt brute and after a few minutes of running this program the password for root will be displayed.

Using Hashcat this will be similar to run. I need to use the sudo /bin/cat /etc/shadow command to read the contents of the shadow file. I want to copy the hash for the root user and paste it to a text document. The hash will look like $6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL. Now using Hashcat and a word list use the following command to break the password. hashcat -a 0 -m 1800 hash.txt rockyou.txt Depending upon the speed of the machine and the size of the word list the password will be displayed on the machine.

Be aware that if you are running this in a virtual machine you will want to use JtR since that program uses the processor to brute force the password. If you have access to a physical machine or have the graphics card passed to the virtual machine you can use Hashcat to break the password since Hashcat requires that you have a GPU of some sort to run.

Using the password that is brute forced using either method above I can now switch the user to root and read the root.txt file in order to finish the room. You can use su root to switch to the root user and use the password. Once you are the root user on the machine you can then use cat root.txt and get the final flag for this room.

If you have questions please let me know at feedback@markschindel.com. Have a great day.