TryHackMe write-up: Brute It

m0ndzon3
3 min readJun 24, 2021

--

Introduction

This is my write-up for TryHackMe’s Brute It Room.

Enumeration

Using nmap, I found that this box had 2 ports open.

Checking port 80, I see the default Apache web page.

I then used gobuster to search for any folders.

The new folder leads to a login page.

Exploitation

Looking at the source code, I found a username.

So the username is in the source’s comments. Now, all I needed to do was to find the password. This was accomplished by using hydra.

After finding the password, I was able to login. Here, I found the first flag.

There was also a link to download the SSH private key.

Trying to login via SSH using the private key proved futile at the moment. To be able to use the key, I needed to know the key’s password. To do so, I had to use both ssh2john to convert the key and then run john to crack the hash.

Once the key’s password was cracked, I was able to successfully login.

Privilege Escalation

Checking for sudo privileges, it turns out I could run the cat command as root. I then proceeded to check /etc/shadow to get the root hash.

Running john again to get the root password, I was able to su as root.

--

--

m0ndzon3
m0ndzon3

No responses yet