TryHackMe BruteIt writeup (Beginner Friendly)

Cursemagic · 4 min read · Nov 10, 2020

Hi, this is the writeup for the Brute It room on TryHackMe. This room is meant for beginners and is suitable for those who are new to hacking. It was created by ReddyyZ. Without further ado, let's get started.

Brute It TryHackMe room link: https://tryhackme.com/room/bruteit

Task 1 About This Box

Just deploy the machine and we are done.

Task 2 Reconnaissance

Before we attack the machine, we must first gather information about it. So, run nmap -sV -sC -T4 <machine-IP>.

The nmap results show that 2 ports are open: port 22 and port 80.

And we get the answer to our question:

Ans: 2

Ans: OpenSSH 7.6p1

Ans: 2.4.29

Ans: Ubuntu

For the hidden directory, we can use gobuster to find it.

gobuster dir -u <machine-IP> -w <wordlist>

So, we get the directory and we move on to the next task.

Task 3 Getting a Shell

Let's go to port 80. Opening the IP with the directory we found in the previous task shows this page.

Go to View Page Source, and we can see there is a comment:

Hey john, if you don't remember, the username is admin

So we know that the username for this login page is admin. Now we can use Hydra to brute force the password.

Bingo, we get it and now we can log in.
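Seen from the defending side, a Hydra run like the one above leaves a very recognisable trail in Apache's access log: a burst of POSTs to the login form from one source, often carrying Hydra's default User-Agent string. The following Python is added here as an example and is not part of the original writeup; it uses a placeholder path for the directory found with gobuster and runs over constructed log lines, flagging sources by a sliding-window count and by that User-Agent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/hidden-dir/"  # placeholder for the directory found with gobuster
# Apache 2.4.29 on port 80 writes combined-format access logs by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_login_bruteforce(lines, login_path=LOGIN_PATH, threshold=10,
                            window=timedelta(seconds=60)):
    """Return {ip: total_posts} for sources exceeding `threshold` login POSTs in any sliding `window`, or sending Hydra's default User-Agent."""
    posts, flagged = defaultdict(list), set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        posts[rec["ip"]].append(rec["ts"])
        if "Mozilla/4.0 (Hydra)" in rec["ua"]:  # Hydra's default UA string
            flagged.add(rec["ip"])
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window start
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return {ip: len(posts[ip]) for ip in sorted(flagged)}

def sample_log():
    """Constructed lines (not from the box): 15 POSTs in 15 seconds from one
    source, as a Hydra run produces, plus one normal login from another."""
    base = datetime(2020, 11, 10, 14, 2, 0, tzinfo=timezone.utc)
    lines = [f'10.10.14.5 - - [{(base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")}] '
             f'"POST {LOGIN_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"' for i in range(15)]
    lines.append(f'10.10.14.9 - - [10/Nov/2020:14:03:00 +0000] "POST {LOGIN_PATH} HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines
```

Running detect_login_bruteforce(sample_log()) flags only 10.10.14.5 with its 15 attempts; the single legitimate login from 10.10.14.9 stays below the threshold.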

After logging in, we can see one flag at the bottom of the page and a link to an RSA private key.

After clicking the RSA private key link, we can see:

Copy the key and save it to a text file. Now we can crack the passphrase protecting this RSA key. First, we need to run ssh2john to turn the key into a hash that john can work with.

Run chmod 600 on the RSA.txt file containing the private key we got from the link to fix its permissions. After that, run john on the hash.

Great, we get the password.

Run ssh -i <rsa-FILE> john@<Machine-IP> and use the password we cracked just now. And now we are in.

List the files and use the cat command to show the content of user.txt.

Next, run sudo -l to see what john is allowed to run with sudo.

/bin/cat can be run with sudo. So, go to GTFOBins and look up cat.

Set LFILE=file_to_read to the path of root.txt and run sudo cat "$LFILE".

And we get the flag in root.txt.

For root’s password, we can do the same trick.

After getting the hash, save it to a text file and run hashcat:

hashcat -a 0 -m 1800 </path-of-hash.txt> </your-dictionary>

AND YES, WE ARE DONE WITH THIS ROOM!

Thank you for reading this writeup. Thank you THM for providing such a good place for us to learn to hack.

You can check my other writeups and leave comments if there is anything I need to improve.
