Brute It CTF (THM)

BRUTE IT

——————————————————————————————————————————————————————

SCANNING AND ENUMERATION

——————————————————————————————————————————————————————

NMAP SCAN

This machine has an SSH server running on port 22 and a web server running on port 80.

——————————————————————————————————————————————————————

GOBUSTER SCAN

——————————————————————————————————————————————————————

I found a hidden directory named ‘admin’.

——————————————————————————————————————————————————————

Enumerating the website

——————————————————————————————————————————————————————

Looking at the source code, we found out that the username is ‘admin’.

——————————————————————————————————————————————————————

EXPLOITATION

——————————————————————————————————————————————————————

BRUTE-FORCING INTO ADMIN

——————————————————————————————————————————————————————

USING HYDRA

Using the following command, I found the password for user ‘admin’ on the admin page.

——————————————————————————————————————————————————————

LOGGING IN AS ADMIN

Using the username and password, I logged in to the website and found a private key.

——————————————————————————————————————————————————————

USING PRIVATE KEY TO LOG INTO SSH

I needed to change the privileges of the key, and I got the passphrase using ssh2john.

——————————————————————————————————————————————————————

I logged in to SSH using the private key and found the user flag.

——————————————————————————————————————————————————————

PRIVESC

——————————————————————————————————————————————————————

I ran the ‘sudo -l’ command and found out that I can run the ‘cat’ command as a superuser.

Therefore, I used ‘cat’ to get the /etc/shadow file with the password hash for root.
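
Seen from the defending side, the finding above is a sudoers rule that lets an unprivileged account run a file-reading binary as root. The following audit sketch is an added example, not part of the original write-up; it handles a simplified one-line rule syntax, and the account names, rules and list of binaries are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Assumed, non-exhaustive set of binaries that print file contents.
FILE_READERS = {"cat", "tac", "less", "more", "head", "tail", "nl", "od", "xxd", "base64"}
# Simplified rule shape: user host=(runas) [TAG:] cmd[, cmd ...]
# (no aliases, line continuations or escaped commas).
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")

def audit_sudoers(text):
    """Return (line_no, user, command, nopasswd, reason) for risky rules."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in m[1]:
            continue
        user, runas, commands = m[1], m[2], m[3]
        # With no (runas) list, sudo runs the command as root.
        runas_users = runas.split(":")[0].replace(",", " ").split() if runas else ["root"]
        if user == "root" or not {"root", "ALL"} & set(runas_users):
            continue
        nopasswd = False
        for spec in commands.split(","):
            tags, cmd = TAGS.match(spec.strip()).groups()
            if "NOPASSWD:" in tags:
                nopasswd = True
            elif "PASSWD:" in tags:
                nopasswd = False
            parts = cmd.split()
            if not parts or parts[0].startswith("!"):
                continue
            name, args = PurePosixPath(parts[0]).name, parts[1:]
            if parts[0] == "ALL":
                reason = "any command as root"
            elif name not in FILE_READERS:
                continue
            elif not args:
                reason = "no argument restriction: any file is readable"
            elif any("*" in a or "?" in a for a in args):
                reason = "wildcard arguments match extra paths"
            else:
                continue  # fixed arguments, including "" (no arguments allowed)
            findings.append((line_no, user, cmd, nopasswd, reason))
    return findings

# Constructed sudoers entries for illustration only.
SAMPLE = ("Defaults env_reset\nroot ALL=(ALL:ALL) ALL\nwebuser ALL=(root) NOPASSWD: /bin/cat\n"
          "backup ALL=(root) /usr/bin/tail /var/log/app.log\n"
          "deploy ALL=(root) NOPASSWD: /usr/bin/less /var/log/*\nops ALL=(appsvc) /bin/cat\n")
```

Only the rule with fixed arguments and the rule that runs as a non-root account pass; a reader binary with no argument list accepts any path, which is what makes /etc/shadow reachable.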

——————————————————————————————————————————————————————

Using John, I cracked the password hash and finally switched to the root user.

——————————————————————————————————————————————————————
