Brute it - TryHackMe

Room based on Brute-forcing, Hash cracking and Privilege escalation. Find the room here.

Recon

Given the IP address to the machine, we ought to do an nmap scan to find services running on it.

nmap -sS -sV -p- <IP>

We find 2 services open, ssh running on port 22 and a web server running on port 80.

Visiting the web application using the IP on a browser gives us the default Apache2 page. We then try directory brute-forcing using dirsearch, a directory brute-forcing tool.

python3 dirsearch.py -u <IP>

We find an admin directory; visiting it greets us with a login page. Viewing the page source reveals a comment left by the developer that helps us log in: it discloses the username.

Exploitation

If the valid password is a weak one, we should be able to get it by doing a dictionary attack against the login page using hydra.

hydra -l admin -P <wordlist> <IP/domain> http-post-form "/admin/:user=admin&pass=^PASS^:F=Username or password invalid"
  • -l sets the single username to use, here ‘admin’.
  • -P sets the wordlist of candidate passwords. Here we use rockyou.
  • <IP/domain> is the IP address or URL to attack.
  • http-post-form specifies the method the page is using (we’re ‘posting’ data to the web server). Note: if the web server was running on port 443, we’d use “https”.
  • /admin/ specifies the path to attack.
  • user=admin&pass=^PASS^ specifies the username and password form fields. They are found by viewing the page source and noting the names of the username and password inputs. Since we already know the username, we hard-code it in the request. If we were trying to brute-force the username too, we would have ^USER^ in place of “admin”.
  • F=Username or password invalid specifies the error message returned after a failed login attempt. Hydra uses it as a marker: when that message is not returned, the credentials may have been found. The error message is obtained by submitting random credentials on the login page.
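Seen from the defender's side, as an added example that is not part of the original write-up: because the failure string matched by F= lives in the response body, failed and successful logins can both be logged with status 200, so this detector counts POSTs to the login path per client in a sliding window instead of relying on status codes. The log lines, IP addresses, threshold and window below are constructed assumptions, and the log is assumed to be in Apache common/combined format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_login_bruteforce(lines, login_path="/admin/", threshold=10,
                          window=timedelta(seconds=60)):
    """Return {ip: peak POST count} for clients that send more than
    `threshold` POSTs to `login_path` inside any sliding `window`.

    Status codes are ignored on purpose: a form that reports failure with
    an error string in the page body can answer 200 either way.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest window population seen
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

def constructed_log():
    """Constructed sample: one noisy client and one ordinary user."""
    lines = [f'203.0.113.7 - - [10/Mar/2024:12:00:{i // 2:02d} +0000] '
             f'"POST /admin/ HTTP/1.1" 200 671' for i in range(40)]
    lines += [
        '198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /admin/ HTTP/1.1" 200 671',
        '198.51.100.4 - - [10/Mar/2024:12:00:09 +0000] "POST /admin/ HTTP/1.1" 200 671',
        '198.51.100.4 - - [10/Mar/2024:12:00:31 +0000] "POST /admin/ HTTP/1.1" 302 0',
    ]
    return lines

if __name__ == "__main__":
    for ip, n in find_login_bruteforce(constructed_log()).items():
        print(f"{ip}: {n} POSTs to /admin/ within 60s")
```

Pairing an alert like this with account lockout or rate limiting on the login form is what stops a dictionary attack from completing.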

Getting a shell

After running the dictionary attack, we get a valid password. Logging in gives us a private RSA key, which we download with wget:

wget http://<IP>/admin/panel/id_rsa

We then set permissions so that only the current user (on the attacking machine) can read and write the SSH key; ssh refuses to use a private key with looser permissions.

chmod 600 id_rsa

We then try to log in using the key:

ssh -i id_rsa john@IP

We are prompted for a passphrase, which means the key is encrypted and we have to crack its passphrase. For this, we use ssh2john to convert the RSA key to a format JohnTheRipper can understand, then crack it.

ssh2john.py id_rsa > idhash
john --wordlist=rockyou.txt idhash

This gives us the passphrase, which we use to log in to the remote machine via ssh.

ssh -i id_rsa john@IP

Privilege Escalation

We try to see whether there are any binaries that we can run as root without needing the root password.

sudo -l

We find that we are able to run the binary “cat”.

We then search for the binary in GTFOBins:

LFILE=file_to_read
sudo cat "$LFILE"

Here we can set the variable ‘LFILE’ to any file in the system and then read it using the second command.

For the purposes of privilege escalation here, we use this method to read the root password hash stored in /etc/shadow, a file that is only readable by root, and then crack it using hashcat.

We therefore set LFILE to /etc/shadow:

LFILE=/etc/shadow

Then read the contents:

sudo cat "$LFILE"

We save the root hash to a file (roothash here) and determine its type using hashid.

hashid roothash

We find that it is a SHA-512 crypt hash, so we crack it using hashcat. We look up the hashcat mode for sha512crypt on this website.

hashcat -m 1800 roothash rockyou.txt

This then gives us the root password.

Happy Hacking!