This is my write-up for TryHackMe’s Brute It Room.
Using nmap, I found that this box had 2 ports open.
Checking port 80, I see the default Apache web page.
I then used gobuster to search for any folders.
The new folder leads to a login page.
Looking at the source code, I found a username.
So the username is in the source’s comments. Now, all I needed to do was to find the password. This was accomplished by using hydra.
After finding the password, I was able to login. Here, I found the first flag.
There was also a link to download the SSH private key.
Trying to login via SSH using the private key proved futile at the moment. To be able to use the key, I needed to know the key’s password. To do so, I had to use both ssh2john to convert the key and then run john to crack the hash.
Once the key’s password was cracked, I was able to successfully login.
Checking for sudo privileges, it turns out I could run the cat command as root. I then proceeded to check /etc/shadow to get the root hash.
Running john again to get the root password, I was able to su as root.