Created by SMN666
Link for this room : https://tryhackme.com/room/bruteit
First , deployed this machine and scanned with nmap.
#sudo nmap -sS -sV {ip }
We found 2 ports are opening.
SSH version is OpenSSH 7.6p1.
Version of Apache on this machine is 2.4.29.
Linux distribution running on this machine is Ubuntu.
We can find hidden directory on this machine with gobuster.
#gobuster dir -u {ip} -w /usr/share/wordlists/rockyou.txt
Hidden directory on web server is admin.
We can brute-force admin login panel with Hydra.
#hydra -l “admin” -P /usr/share/wordlists/rockyou.txt {IP} http-post-form “/admin/:user=^USER^&pass=^PASS^:Username or password invalid”.
We found admin login password and download RSA key on it.
We can use john the ripper to crack the RSA Private Key file.
Login to john’s account via SSH.
We got the user’s flag.
And find #sudo -l
#sudo /bin/cat /root/root.txt
We finally found the root’s flag. We can easy to find Web flag to login admin account.
We can find root’s password with hashcat.
Thanks for reading.
