Brute It CTF (THM)
BRUTE IT
——————————————————————————————————————————————————————
SCANNING AND ENUMERATION
——————————————————————————————————————————————————————
NMAP SCAN

This machine has a ssh server running on port 22 and a web server running at port 80
——————————————————————————————————————————————————————
GOBUSTER SCAN
——————————————————————————————————————————————————————
I found a hidden directory with name ‘’admin’’

——————————————————————————————————————————————————————
Enumerating the website
——————————————————————————————————————————————————————


Looking at the source code we found out that the username is ‘’admin’’
——————————————————————————————————————————————————————
EXPLOITATION
——————————————————————————————————————————————————————
——————————————————————————————————————————————————————
BRUTE-FORCING INTO ADMIN
——————————————————————————————————————————————————————
——————————————————————————————————————————————————————
USING HYDRA
Using the following command I found the password for user ‘’admin’’ on the admin page

——————————————————————————————————————————————————————
LOGGING IN AS ADMIN
Using the username and password I logged in into the website and found a private key

——————————————————————————————————————————————————————
USING PRIVATE KEY TO LOG INTO SSH
I needed to change the privileges of the key and got the passphrase using ssh to John

——————————————————————————————————————————————————————

——————————————————————————————————————————————————————
I logged in into SSH using the private key and found out the user flag.

——————————————————————————————————————————————————————
PRIVESC
——————————————————————————————————————————————————————
I ran ‘’sudo -l’’ command I found out that I can run ‘’cat’’ command as a superuser.
Therefore, I used ‘cat’ to get the /etc/shadow/ file with the password hash for root.

——————————————————————————————————————————————————————
Using John I cracker the password hash and finally switched to root user

——————————————————————————————————————————————————————

——————————————————————————————————————————————————————
——————————————————————————————————————————————————————
Was this helpful?