TryHackMe - Brute It
Learn how to brute force, crack hashes and escalate privileges in this box!
TRYHACKME
6/21/2024, 5 min read
Here's another "easy" and FREE session from TryHackMe for us to try out.
Let's kick off by starting up the target machine and connecting to TryHackMe via openvpn. Our target IP is 10.10.233.208.
Reconnaissance
How many ports are open?
Open a new terminal and run our usual starter nmap command: sudo nmap -T4 -sC -sV -Pn -oN ~/Documents/nmap/initial 10.10.233.208.
We find 2 open ports on the target machine.
What version of SSH is running?
From the nmap output we can see that the target machine is running OpenSSH 7.6p1.
What version of Apache is running?
Again, our nmap output shows the Apache version is 2.4.29.
Which Linux distribution is running?
Nice easy one here, Ubuntu shows up all over the nmap output :)
What is the hidden directory?
Here we know that the target machine has a web server, so let's get GoBuster cranking to see what we can find.
Run the command gobuster dir -u http://10.10.233.208 -w /usr/share/wordlists/dirb/common.txt and we find an /admin page. Browsing to this page gives us a username and password login prompt.
Getting a shell
What is the user:password of the admin panel?
FYI, the target machine's IP address has changed from here on as I accidentally let it expire :(
The hint here says to use Hydra to brute force the login form. We know the username is potentially "admin" due to the note left in the web page source code, so we'll go with that.
From a browser, let's again browse to http://10.10.229.93/admin and open the page inspector. Next, let's enter admin as the username on the form and a random password, then click the login button. In the inspector, select the Network tab and we can see the POST request. This means we will be using http-post-form with Hydra.
Now let's look at the raw request to see what we must use to submit the form in Hydra. Our example is user=admin&pass=testing.
So now let's open a terminal and use the command sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.229.93 http-post-form '/admin/:user=^USER^&pass=^PASS^:Username or password invalid'
And there we have it, the form login details: admin:xavier
To confirm this we use those credentials on the website form and we're in and presented with the following page.
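From the defender's side, a Hydra run like the one above leaves an obvious trace in the Apache access log: one client POSTing to /admin/ far faster than any human. The following is an added example (not part of the original post) that parses Apache combined-format log lines and flags clients exceeding a POST rate to the login path; the log lines are constructed sample data, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one Apache combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d

def detect_form_bruteforce(lines, path="/admin/", window=60, threshold=20):
    """Return {ip: peak count} for clients that sent at least `threshold` POSTs
    to `path` within any `window`-second span. The status code is ignored on
    purpose: a form that answers a bad login with HTTP 200 plus an error string
    (the case Hydra's failure-string option exists for) never produces a 401."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

# Constructed sample log: one ordinary visitor (10.0.0.5) and one client
# (10.0.0.9) firing 25 POSTs at /admin/ in 25 seconds. Not taken from the box.
def sample_log():
    lines = ['10.0.0.5 - - [21/Jun/2024:10:15:00 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
    for i in range(25):
        lines.append(f'10.0.0.9 - - [21/Jun/2024:10:15:{i:02d} +0000] "POST /admin/ HTTP/1.1" 200 480 "-" "Mozilla/5.0"')
    lines.append('10.0.0.5 - - [21/Jun/2024:10:15:30 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    print(detect_form_bruteforce(sample_log()))
```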
What is John's RSA Private Key passphrase?
For this one the hint says to use John the Ripper. Finding out a private key passphrase isn't something I've done to date, so I had to do a quick Google on using JTR to crack an RSA private key passphrase.
After we logged into the website there was a link for John's RSA private key. Click on that and we are presented with the encrypted private key.
Let's download the private key to our computer with the command wget http://10.10.229.93/admin/panel/id_rsa (the address was found when we clicked on the RSA link earlier).
Now we need to convert this file to a format that JTR can brute force. Let's first download ssh2john.py using the command wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
Now let's convert the file using the command python ssh2john.py id_rsa > id_rsa.hash
Cracking time. Run the command john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash and we get our passphrase.
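Why does JTR get through rockyou so quickly here? A legacy PEM-format key ("BEGIN RSA PRIVATE KEY") derives its cipher key from the passphrase with a single MD5 round, so each guess is nearly free; the newer openssh-key-v1 format records a KDF and, with bcrypt, a round count that makes every guess expensive. The added example below (mine, not from the post) reads just enough of either format to report which case a key is in; the key blobs it checks are constructed headers with no real key material.

```python
import base64
import struct

LEGACY_HDR = "-----BEGIN RSA PRIVATE KEY-----"
NEW_HDR = "-----BEGIN OPENSSH PRIVATE KEY-----"
NEW_FTR = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def assess_private_key(text):
    """Report how a key's passphrase is stretched: legacy PEM = one MD5 round
    (what ssh2john converts and john races through); openssh-key-v1 names its
    KDF and, for bcrypt, the round count."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == LEGACY_HDR:
        enc = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        return {"format": "legacy-pem", "encrypted": enc,
                "kdf": "md5-1round" if enc else "none", "rounds": 1 if enc else 0}
    if lines[0] != NEW_HDR:
        return {"format": "unknown", "encrypted": False, "kdf": "?", "rounds": 0}
    body = base64.b64decode("".join(l for l in lines[1:] if l != NEW_FTR))
    if not body.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read_string(body, len(MAGIC))
    kdf, off = _read_string(body, off)
    kdfopts, off = _read_string(body, off)
    rounds = 0
    if kdf == b"bcrypt":               # kdfoptions = string salt, uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {"format": "openssh-v1", "encrypted": cipher != b"none",
            "kdf": kdf.decode(), "rounds": rounds}

def sample_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=100):
    """Constructed: header fields only of an openssh-key-v1 blob (no key
    material), roughly what ssh-keygen -o -a 100 writes for a protected key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    opts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = MAGIC + s(cipher) + s(kdf) + s(opts) + struct.pack(">I", 1)
    return "\n".join([NEW_HDR, base64.b64encode(blob).decode(), NEW_FTR])

# Constructed legacy-format header; "QUJD" stands in for the key body.
SAMPLE_LEGACY_KEY = "\n".join([LEGACY_HDR, "Proc-Type: 4,ENCRYPTED",
                               "DEK-Info: AES-128-CBC,00000000000000000000000000000000",
                               "", "QUJD", "-----END RSA PRIVATE KEY-----"])
```

Keys that come back as legacy-pem or openssh-v1 with a low round count are the ones worth regenerating with a bcrypt round count and a longer passphrase.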
user.txt
Using the command ssh -i id_rsa john@10.10.229.93 we try to connect to the target machine over SSH using the private RSA key and passphrase.
We get the following error, indicating that the permissions on the key are too open and the private key will be ignored.
Let's change the private key's permissions by running the command chmod 400 id_rsa and try to log in over SSH again.
That's better! Now we are prompted for the passphrase; we enter the one we cracked earlier and boom, we are in.
Let's do an ls in the directory we land in and we find user.txt. Run the command cat user.txt and we find the answer THM{a_password_is_not_a_barrier}.
Web flag
This one's easy, as it was on the web page after we logged in earlier as admin.
THM{brut3_f0rce_is_e4sy}
Privilege Escalation
Find a form to escalate your privileges. What is the root's password?
First we will run sudo -l to see what this user is permitted to run with sudo. Looks like this user has root access to /bin/cat.
Then we'll check out GTFOBins to see what we can use to maybe escalate privileges using cat.
We can use the following to read files that we don't have access to. I had to do a bit of snooping on what to do next, as I wasn't aware that the /etc/shadow file contains information about the system's users and can help us with this question.
We use the following commands to read the /etc/shadow file:
LFILE=/etc/shadow
then
sudo cat "$LFILE"
In this file we see the root user and its password hash. We could try JTR to have a crack at finding out this password.
We create a file hash.txt and paste in the root line as we see it in the shadow file.
Using JTR we run the command john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt and in a couple of seconds we have the password football.
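The root of this escalation is a sudo rule that lets an unprivileged user run a GTFOBins file-read binary as root with no argument restriction. As an added example (my code, not from the post), the following audits sudoers-style rules for exactly that pattern and for blanket ALL grants; the sample rules are constructed, and the john line stands in for the /bin/cat rule found on the box with a NOPASSWD tag that is my assumption.

```python
import os
import re

# Small subset of the GTFOBins "file read" list: run as root with no fixed
# arguments, any of these reads /etc/shadow just like the page's sudo cat step.
FILE_READ_BINS = {"cat", "tac", "head", "tail", "less", "more", "nl", "xxd", "base64", "strings"}

RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@")

def parse_sudoers(text):
    """Yield (who, runas_user, nopasswd, [commands]) per plain rule line;
    Defaults, aliases, includes and comments are skipped (no alias expansion)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m["runas"] or "root").split(":")[0]
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        yield m["who"], runas, "NOPASSWD" in m["tags"], cmds

def audit_sudoers(text):
    """Return (who, command, reason) for rules granting full root or a root
    file read. A command listed with explicit arguments is left alone, since
    sudo then permits exactly that argument list and nothing else."""
    findings = []
    for who, runas, nopasswd, cmds in parse_sudoers(text):
        if runas not in ("root", "ALL") or who == "root":
            continue
        for cmd in cmds:
            words = cmd.split()
            tag = " (NOPASSWD)" if nopasswd else ""
            if cmd == "ALL":
                findings.append((who, cmd, "full root" + tag))
            elif len(words) == 1 and os.path.basename(words[0]) in FILE_READ_BINS:
                findings.append((who, cmd, "arbitrary file read as root" + tag))
    return findings

# Constructed sample; only the john line reflects the rule found on the box.
SAMPLE_SUDOERS = """\
Defaults        env_reset
%sudo   ALL=(ALL:ALL) ALL
john    ALL=(root) NOPASSWD: /bin/cat    # GTFOBins file-read primitive
deploy  ALL=(root) /usr/bin/systemctl restart app.service
backup  ALL=(root) NOPASSWD: /usr/bin/tail /var/log/syslog
"""
```

The fix on the box side is the usual one: pin the arguments (or drop the rule), since /bin/cat as root with free arguments is equivalent to handing over /etc/shadow.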
root.txt
Now that we have the root password we can either log in as the root user or, using the previous GTFOBins sudo trick, view the file /root/root.txt.