TryHackMe: Brute It
Instance:
https://tryhackme.com/room/bruteit
Task 1: About this box
This room covers the following:
Brute Force: a method of cracking passwords or login credentials by trying many candidates until one works.
Hash Cracking: a technique for recovering plaintext passwords from their hashed forms.
Privilege Escalation: exploiting a misconfiguration or vulnerability to gain permissions beyond those initially granted on a system.
Reconnaissance: the information-gathering stage of ethical hacking, where you collect data about the target system.
SSH: a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.
Task 2: Reconnaissance
This task covers the following tools and flags:
Nmap (Network Mapper): used for vulnerability checking, port scanning and, of course, network mapping.
Gobuster: a brute-force scanner that can discover hidden directories, subdomains, and virtual hosts.
-sV: attempts to determine the version of the service running on each open port (Nmap).
-sS: TCP SYN port scan (Nmap's default scan type).
--wordlist: read words from FILE (Gobuster).
1. Connect to the OpenVPN network and deploy the machine.
2. Through a Nmap scan, we can identify the open ports.
3. nmap -sC -sV 10.10.127.17
4. This Ubuntu Linux machine has 2 open ports: port 22 is running OpenSSH 7.6p1 and port 80 is running the Apache web server version 2.4.29.
5. Since one of the open ports is the HTTP port, let's look into it.
6. To identify hidden directories, we can use the Gobuster tool.
7. gobuster dir -u 10.10.127.17 --wordlist /usr/share/wordlists/dirb/common.txt
8. Let's open the hidden directory. It looks like a login form.
Task 3: Getting a shell
This task covers the following tools and flags:
hydra: used to crack the passwords of network services.
ssh2john.py: converts the RSA private key into a hash format that John the Ripper can crack.
john the ripper: used to crack the RSA key passphrase using the wordlist rockyou.txt.
wget: downloads the RSA key to our local system.
-l: single username to try (Hydra).
-P: file containing the password list (Hydra).
ssh: used to log in to and perform operations on remote computers.
1. We can brute force the HTTP post form using Hydra.
2. hydra -l admin -P /home/kali/Desktop/rockyou.txt 10.10.169.53 http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:Username or password invalid" -V
3. As we got the password to the login form, let's open it.
4. It looks like an RSA private key, and we have the web flag.
5. Crack the RSA key (John's RSA private key passphrase).
6. wget 10.10.169.53/admin/panel/id_rsa
7. /usr/share/john/ssh2john.py id_rsa > idrsa2.txt
8. john idrsa2.txt --wordlist=/usr/share/wordlists/rockyou.txt (this will give the RSA private key passphrase).
9. Using the RSA key and the passphrase, we can try connecting to the SSH server.
10. ssh john@10.10.17.170 -i id_rsa
11. We got a shell over SSH as user john. Take the user flag.
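As a defender-side complement to the Hydra step above, here is an added example that is not part of the original writeup: a small Python detector that reads Apache access-log lines and flags clients that POST to the /admin/index.php login form at brute-force rates. The log lines, client IPs, window and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Apache combined-log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_login_bursts(lines, path="/admin/index.php", window_s=60, threshold=10):
    """Return {ip: peak POSTs to `path` inside any window_s-second window} for clients
    reaching `threshold`. The form answers 200 to good and bad guesses alike (Hydra
    matched on the body text), so the signal is request rate, not status codes."""
    recent = defaultdict(deque)   # ip -> timestamps of recent POSTs, oldest first
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop POSTs that fell out of the window
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks

def constructed_sample_log():
    """Constructed sample (not captured from the room): 15 POSTs in three seconds
    from one client, and a GET plus a single POST from a normal visitor."""
    fmt = ('{ip} - - [10/Jan/2024:12:00:{s:02d} +0000] "{m} /admin/index.php HTTP/1.1" '
           '200 1040 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="10.9.0.5", s=i // 5, m="POST") for i in range(15)]
    lines += [fmt.format(ip="10.9.0.7", s=1, m="GET"),
              fmt.format(ip="10.9.0.7", s=20, m="POST")]
    return lines

if __name__ == "__main__":
    for ip, n in find_login_bursts(constructed_sample_log()).items():
        print(f"possible login brute force from {ip}: {n} POSTs within 60s")
```

On a real server, feed it /var/log/apache2/access.log and tune window and threshold to the site's normal login rate.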
Task 4: Privilege Escalation
1. Now, we need to escalate our privileges.
2. Using sudo -l we can check the user's sudo privileges. We find that user john can run the command /bin/cat as root.
3. Following the steps given in GTFOBins, we can read /etc/shadow, which contains the system users and their password hashes.
4. Make a file named hashes, copy the content of the shadow file into it, and use john to crack the hashes with rockyou.txt. This gives us the password of root.
5. john hashes --wordlist=/usr/share/wordlists/rockyou.txt