[{"data":1,"prerenderedAt":600},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-bruteit-writeup":3,"surround-\u002F2025\u002Ftryhackme-bruteit-writeup":591},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":14,"draft":6,"readingTime":15,"body":20,"_type":584,"_id":585,"_source":586,"_file":587,"_stem":588,"_extension":589,"_original_dir":590},"\u002F2025\u002Ftryhackme-bruteit-writeup","2025",false,"","TryHackMe - Brute It","In this article, we take a step-by-step look at the solution to TryHackMe's \"Brute It\" room. We gain full access using brute force attacks against the web login form with Hydra, and against the SSH key password and root password hash with John the Ripper.","2025-08-26T13:49:07.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002Fthumbnail.jpg",[13],"CTF",true,{"text":16,"minutes":17,"time":18,"words":19},"3 min read",2.16,129600,432,{"type":21,"children":22,"toc":578},"root",[23,29,45,52,56,60,84,88,109,113,119,132,191,266,293,297,316,320,324,329,333,344,348,361,365,371,389,393,414,418,436,498,511,515,536,540,551,555,568,572],{"type":24,"tag":25,"props":26,"children":28},"element","pic",{"src":27},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F1.jpg",[],{"type":24,"tag":30,"props":31,"children":32},"p",{},[33,36],{"type":34,"value":35},"text","Target IP: ",{"type":24,"tag":37,"props":38,"children":42},"a",{"href":39,"rel":40},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fbruteit",[41],"nofollow",[43],{"type":34,"value":44},"10.10.175.21",{"type":24,"tag":46,"props":47,"children":49},"h2",{"id":48},"reconnaissance",[50],{"type":34,"value":51},"Reconnaissance",{"type":24,"tag":25,"props":53,"children":55},{"src":54},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F2.jpg",[],{"type":24,"tag":25,"props":57,"children":59},{"src":58},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F3.jpg",[],{"type":24,"tag":30,"props":61,"children":62},{},[63,65,75,77,82],{"type":34,"value":64},"While performing manual checks, I accessed the ",{"type":24,"tag":66,"props":67,"children":72},"code",{"className":68,"id":70,"style":71},[69],"example-info","just-like-this","color: #4DFFBE",[73],{"type":34,"value":74},"\u002Fadmin",{"type":34,"value":76}," directory. (Tools such as Gobuster or Dirbuster were running in the background. And they couldn't find anything other than the ",{"type":24,"tag":66,"props":78,"children":80},{"className":79},[],[81],{"type":34,"value":74},{"type":34,"value":83}," directory.)",{"type":24,"tag":25,"props":85,"children":87},{"src":86},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F4.jpg",[],{"type":24,"tag":30,"props":89,"children":90},{},[91,93,99,101,107],{"type":34,"value":92},"When we check the source code, we learn that a message has been left for ",{"type":24,"tag":66,"props":94,"children":96},{"className":95,"id":70,"style":71},[69],[97],{"type":34,"value":98},"john",{"type":34,"value":100}," and that the username is ",{"type":24,"tag":66,"props":102,"children":104},{"className":103,"id":70,"style":71},[69],[105],{"type":34,"value":106},"admin",{"type":34,"value":108},".",{"type":24,"tag":25,"props":110,"children":112},{"src":111},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F5.jpg",[],{"type":24,"tag":46,"props":114,"children":116},{"id":115},"initial-access",[117],{"type":34,"value":118},"Initial Access",{"type":24,"tag":30,"props":120,"children":121},{},[122,124,130],{"type":34,"value":123},"We have no information other than the username. In this case, let's try brute-forcing the password for this login page. For this, we will use the ",{"type":24,"tag":66,"props":125,"children":127},{"className":126},[],[128],{"type":34,"value":129},"hydra",{"type":34,"value":131}," tool.",{"type":24,"tag":133,"props":134,"children":138},"pre",{"className":135,"code":136,"language":137,"meta":7,"style":7},"language-bash shiki shiki-themes catppuccin-latte one-dark-pro","hydra -l admin -P \u002Fusr\u002Fshare\u002Fwordlist\u002Frockyou.txt 10.10.175.21 http-post-form \"\u002Fadmin\u002F:user=^USER^&pass=^PASS^:F=invalid\"\n","bash",[139],{"type":24,"tag":66,"props":140,"children":141},{"__ignoreMap":7},[142],{"type":24,"tag":143,"props":144,"children":147},"span",{"class":145,"line":146},"line",1,[148,153,159,165,170,175,181,186],{"type":24,"tag":143,"props":149,"children":151},{"style":150},"--shiki-default:#1E66F5;--shiki-default-font-style:italic;--shiki-dark:#61AFEF;--shiki-dark-font-style:inherit",[152],{"type":34,"value":129},{"type":24,"tag":143,"props":154,"children":156},{"style":155},"--shiki-default:#40A02B;--shiki-dark:#D19A66",[157],{"type":34,"value":158}," -l",{"type":24,"tag":143,"props":160,"children":162},{"style":161},"--shiki-default:#40A02B;--shiki-dark:#98C379",[163],{"type":34,"value":164}," admin",{"type":24,"tag":143,"props":166,"children":167},{"style":155},[168],{"type":34,"value":169}," -P",{"type":24,"tag":143,"props":171,"children":172},{"style":161},[173],{"type":34,"value":174}," \u002Fusr\u002Fshare\u002Fwordlist\u002Frockyou.txt",{"type":24,"tag":143,"props":176,"children":178},{"style":177},"--shiki-default:#FE640B;--shiki-dark:#D19A66",[179],{"type":34,"value":180}," 10.10.175.21",{"type":24,"tag":143,"props":182,"children":183},{"style":161},[184],{"type":34,"value":185}," http-post-form",{"type":24,"tag":143,"props":187,"children":188},{"style":161},[189],{"type":34,"value":190}," \"\u002Fadmin\u002F:user=^USER^&pass=^PASS^:F=invalid\"\n",{"type":24,"tag":192,"props":193,"children":194},"ul",{},[195,208,219,244,255],{"type":24,"tag":196,"props":197,"children":198},"li",{},[199,206],{"type":24,"tag":66,"props":200,"children":203},{"className":201,"id":70,"style":202},[69],"color: #77BEF0",[204],{"type":34,"value":205},"http-post-form",{"type":34,"value":207},": We specify that we will send a POST request.",{"type":24,"tag":196,"props":209,"children":210},{},[211,217],{"type":24,"tag":66,"props":212,"children":214},{"className":213,"id":70,"style":202},[69],[215],{"type":34,"value":216},"\u002Fadmin\u002F",{"type":34,"value":218}," directory containing the entry form.",{"type":24,"tag":196,"props":220,"children":221},{},[222,228,230],{"type":24,"tag":66,"props":223,"children":225},{"className":224,"id":70,"style":202},[69],[226],{"type":34,"value":227},"user=^USER^&pass^PASS^",{"type":34,"value":229}," specifies how the form should be filled in.\n",{"type":24,"tag":192,"props":231,"children":232},{},[233],{"type":24,"tag":196,"props":234,"children":235},{},[236,242],{"type":24,"tag":66,"props":237,"children":239},{"className":238,"id":70,"style":202},[69],[240],{"type":34,"value":241},"user=^USER^",{"type":34,"value":243},": This tells Hydra that the name of the username field in the HTML form is 'user' and that it should put the admin username specified with -l here.",{"type":24,"tag":196,"props":245,"children":246},{},[247,253],{"type":24,"tag":66,"props":248,"children":250},{"className":249,"id":70,"style":202},[69],[251],{"type":34,"value":252},"pass=^PASS^",{"type":34,"value":254},": This specifies that the name of the password field is 'pass' and that Hydra should put the password it is trying from the rockyou.txt list (^PASS^) here.",{"type":24,"tag":196,"props":256,"children":257},{},[258,264],{"type":24,"tag":66,"props":259,"children":261},{"className":260,"id":70,"style":202},[69],[262],{"type":34,"value":263},"F=invalid",{"type":34,"value":265},": Specifies the failure condition. If the response from the server contains the word \"invalid\" when an incorrect password is tried, Hydra understands that the password is incorrect and moves on to the next one.",{"type":24,"tag":267,"props":268,"children":270},"alert",{"type":269},"info",[271,280,285,289],{"type":24,"tag":272,"props":273,"children":274},"template",{"v-slot:title":7},[275],{"type":24,"tag":30,"props":276,"children":277},{},[278],{"type":34,"value":279},"Enter the correct values",{"type":24,"tag":30,"props":281,"children":282},{},[283],{"type":34,"value":284},"We can find these values when we examine the site. For example, when we send a random request, we can see what the request load is like or what error message will be returned in the event of an error.",{"type":24,"tag":25,"props":286,"children":288},{"src":287},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F6.jpg",[],{"type":24,"tag":25,"props":290,"children":292},{"src":291},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F7.jpg",[],{"type":24,"tag":25,"props":294,"children":296},{"src":295},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F8.jpg",[],{"type":24,"tag":30,"props":298,"children":299},{},[300,302,308,310,315],{"type":34,"value":301},"And we obtained the pair ",{"type":24,"tag":66,"props":303,"children":305},{"className":304,"id":70,"style":71},[69],[306],{"type":34,"value":307},"admin:xavier",{"type":34,"value":309},". When we log in with this information, we find an RSA private key for ",{"type":24,"tag":66,"props":311,"children":313},{"className":312,"id":70,"style":71},[69],[314],{"type":34,"value":98},{"type":34,"value":108},{"type":24,"tag":25,"props":317,"children":319},{"src":318},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F9.jpg",[],{"type":24,"tag":25,"props":321,"children":323},{"src":322},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F10.jpg",[],{"type":24,"tag":30,"props":325,"children":326},{},[327],{"type":34,"value":328},"When we try to log in with SSH, we see that there is a password for the key.",{"type":24,"tag":25,"props":330,"children":332},{"src":331},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F11.jpg",[],{"type":24,"tag":30,"props":334,"children":335},{},[336,338,343],{"type":34,"value":337},"If the password is simple, we can crack it using ",{"type":24,"tag":66,"props":339,"children":341},{"className":340},[],[342],{"type":34,"value":98},{"type":34,"value":108},{"type":24,"tag":25,"props":345,"children":347},{"src":346},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F12.jpg",[],{"type":24,"tag":30,"props":349,"children":350},{},[351,353,359],{"type":34,"value":352},"And we get the pair ",{"type":24,"tag":66,"props":354,"children":356},{"className":355,"id":70,"style":71},[69],[357],{"type":34,"value":358},"john:rockinroll",{"type":34,"value":360},". Now let's log in via SSH with this information.",{"type":24,"tag":25,"props":362,"children":364},{"src":363},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F13.jpg",[],{"type":24,"tag":46,"props":366,"children":368},{"id":367},"privilege-escalation",[369],{"type":34,"value":370},"Privilege Escalation",{"type":24,"tag":30,"props":372,"children":373},{},[374,376,387],{"type":34,"value":375},"Now we need to elevate privileges, so I will download the ",{"type":24,"tag":37,"props":377,"children":380},{"href":378,"rel":379},"https:\u002F\u002Fgithub.com\u002Fpeass-ng\u002FPEASS-ng\u002Ftree\u002Fmaster\u002FlinPEAS",[41],[381],{"type":24,"tag":66,"props":382,"children":384},{"className":383},[],[385],{"type":34,"value":386},"linpeas.sh",{"type":34,"value":388}," script from my Apache server to the target system and perform a scan on the system.",{"type":24,"tag":25,"props":390,"children":392},{"src":391},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F14.jpg",[],{"type":24,"tag":30,"props":394,"children":395},{},[396,398,403,405,412],{"type":34,"value":397},"And we saw that the ",{"type":24,"tag":66,"props":399,"children":401},{"className":400},[],[402],{"type":34,"value":98},{"type":34,"value":404}," user could run the ",{"type":24,"tag":66,"props":406,"children":409},{"className":407,"id":70,"style":408},[69],"color: #EA5B6F",[410],{"type":34,"value":411},"\u002Fbin\u002Fcat",{"type":34,"value":413}," binary with sudo privileges without needing a password.",{"type":24,"tag":25,"props":415,"children":417},{"src":416},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F15.jpg",[],{"type":24,"tag":30,"props":419,"children":420},{},[421,423,434],{"type":34,"value":422},"We performed a search via ",{"type":24,"tag":37,"props":424,"children":427},{"href":425,"rel":426},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fcat\u002F",[41],[428],{"type":24,"tag":66,"props":429,"children":431},{"className":430},[],[432],{"type":34,"value":433},"GTFObins",{"type":34,"value":435}," and can read the desired file using the following commands.",{"type":24,"tag":133,"props":437,"children":439},{"className":135,"code":438,"language":137,"meta":7,"style":7},"LFILE=file_to_read # We must enter the path of the file we want here.\nsudo cat \"$LFILE\"\n",[440],{"type":24,"tag":66,"props":441,"children":442},{"__ignoreMap":7},[443,469],{"type":24,"tag":143,"props":444,"children":445},{"class":145,"line":146},[446,452,458,463],{"type":24,"tag":143,"props":447,"children":449},{"style":448},"--shiki-default:#4C4F69;--shiki-dark:#E06C75",[450],{"type":34,"value":451},"LFILE",{"type":24,"tag":143,"props":453,"children":455},{"style":454},"--shiki-default:#179299;--shiki-dark:#56B6C2",[456],{"type":34,"value":457},"=",{"type":24,"tag":143,"props":459,"children":460},{"style":161},[461],{"type":34,"value":462},"file_to_read",{"type":24,"tag":143,"props":464,"children":466},{"style":465},"--shiki-default:#9CA0B0;--shiki-default-font-style:italic;--shiki-dark:#7F848E;--shiki-dark-font-style:italic",[467],{"type":34,"value":468}," # We must enter the path of the file we want here.\n",{"type":24,"tag":143,"props":470,"children":472},{"class":145,"line":471},2,[473,478,483,488,493],{"type":24,"tag":143,"props":474,"children":475},{"style":150},[476],{"type":34,"value":477},"sudo",{"type":24,"tag":143,"props":479,"children":480},{"style":161},[481],{"type":34,"value":482}," cat",{"type":24,"tag":143,"props":484,"children":485},{"style":161},[486],{"type":34,"value":487}," \"",{"type":24,"tag":143,"props":489,"children":490},{"style":448},[491],{"type":34,"value":492},"$LFILE",{"type":24,"tag":143,"props":494,"children":495},{"style":161},[496],{"type":34,"value":497},"\"\n",{"type":24,"tag":30,"props":499,"children":500},{},[501,503,509],{"type":34,"value":502},"We want to gain root privileges. Therefore, we can retrieve the hashes of the passwords for users on our system from the ",{"type":24,"tag":66,"props":504,"children":506},{"className":505,"id":70,"style":71},[69],[507],{"type":34,"value":508},"\u002Fetc\u002Fshadow",{"type":34,"value":510}," file.",{"type":24,"tag":25,"props":512,"children":514},{"src":513},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F16.jpg",[],{"type":24,"tag":30,"props":516,"children":517},{},[518,520,525,527,534],{"type":34,"value":519},"From here, we take the hash of ",{"type":24,"tag":66,"props":521,"children":523},{"className":522},[],[524],{"type":34,"value":21},{"type":34,"value":526}," and place it into a file on our own device. (Note that you should take it in the format ",{"type":24,"tag":66,"props":528,"children":531},{"className":529,"id":70,"style":530},[69],"color: #efb11d",[532],{"type":34,"value":533},"root:hashhashhash",{"type":34,"value":535},".)",{"type":24,"tag":25,"props":537,"children":539},{"src":538},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F17.jpg",[],{"type":24,"tag":30,"props":541,"children":542},{},[543,545,550],{"type":34,"value":544},"We can crack this hash using the ",{"type":24,"tag":66,"props":546,"children":548},{"className":547},[],[549],{"type":34,"value":98},{"type":34,"value":131},{"type":24,"tag":25,"props":552,"children":554},{"src":553},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F18.jpg",[],{"type":24,"tag":30,"props":556,"children":557},{},[558,560,566],{"type":34,"value":559},"Let's log in as root with this ",{"type":24,"tag":66,"props":561,"children":563},{"className":562,"id":70,"style":71},[69],[564],{"type":34,"value":565},"root:football",{"type":34,"value":567}," information.",{"type":24,"tag":25,"props":569,"children":571},{"src":570},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-bruteit-writeup\u002F19.jpg",[],{"type":24,"tag":573,"props":574,"children":575},"style",{},[576],{"type":34,"value":577},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":579,"depth":579,"links":580},4,[581,582,583],{"id":48,"depth":471,"text":51},{"id":115,"depth":471,"text":118},{"id":367,"depth":471,"text":370},"markdown","content:posts:2025:tryhackme-bruteit-writeup.md","content","posts\u002F2025\u002Ftryhackme-bruteit-writeup.md","posts\u002F2025\u002Ftryhackme-bruteit-writeup","md","\u002Fposts",[592,596],{"_path":593,"title":594,"date":595},"\u002F2025\u002Ftryhackme-tomghost-writeup","TryHackMe - Tomghost","2025-08-26T07:21:07.000Z",{"_path":597,"title":598,"date":599},"\u002F2025\u002Ftryhackme-wgelctf-writeup","TryHackMe - Wgel CTF","2025-08-27T11:42:45.000Z",1777022957129]