{"id":313,"date":"2020-11-10T12:31:52","date_gmt":"2020-11-10T11:31:52","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=313"},"modified":"2021-07-28T17:22:20","modified_gmt":"2021-07-28T15:22:20","slug":"tryhackme-brute-it","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/tryhackme-brute-it\/","title":{"rendered":"[TryHackMe] \u2013 Brute It"},"content":{"rendered":"<\/span> 4<\/span> min read<\/span><\/span>

Views: 785<\/p>\n

<\/div>\n\n\n\n
\"brute<\/figure><\/div>\n\n\n\n

Lien : https:\/\/tryhackme.com\/room\/bruteit<\/a><\/strong><\/p>\n\n\n\n

La room brute it<\/strong> est de niveau facile<\/span>.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\n\n\n\n

[Task 2]<\/h2>\n\n\n\n
<\/div>\n\n\n\n

Dans un premier, nous allons effectuer un scan avec nmap<\/span><\/strong> :<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Ce dernier permet donc de r\u00e9pondre aux 4 premi\u00e8res questions<\/strong> :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

2<\/span><\/strong><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

OpenSSH 7.6p1<\/span><\/strong><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

2.4.29<\/span><\/strong><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Ubuntu<\/span><\/strong><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

\/admin<\/span><\/strong><\/p>\n\n\n\n

\n\n\n\n

Pour la derni\u00e8re question de cette partie, nous allons utiliser gobuster<\/span><\/strong> :<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n

[Task 3]<\/h2>\n\n\n\n
<\/div>\n\n\n\n

Le dossier admin<\/span><\/strong> trouv\u00e9 plus haut cache en r\u00e9alit\u00e9 un panel admin<\/strong> prot\u00e9g\u00e9 par un formulaire de connexion<\/strong>.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

L’utilisateur<\/strong> n’est pas bien difficile \u00e0 trouver :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

Pour r\u00e9cup\u00e9rer le mot de passe admin<\/strong>, nous allons utiliser Hydra<\/span><\/strong> :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Pour mieux comprendre cette commande : https:\/\/mikadmin.fr\/blog\/?p=33<\/a><\/em><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

La r\u00e9ponse est donc : admin:xavier<\/strong><\/p>\n\n\n\n

<\/div>\n\n\n\n

Nous avons \u00e0 pr\u00e9sent acc\u00e8s au panel admin :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Nous obtenons donc le flag pour la r\u00e9ponse n\u00b04 mais aussi une cl\u00e9 priv\u00e9e !<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

Pour cette t\u00e2che, nous faisons appel \u00e0 John<\/span><\/strong> :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Le mot de passe est donc : rockinroll<\/strong><\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

Nous pouvons donc \u00e0 pr\u00e9sent nous connecter \u00e0 la machine<\/strong> et r\u00e9cup\u00e9rer le flag user<\/strong> !<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n

[Task 4]<\/h2>\n\n\n\n

C’est le moment de la privesc !<\/em><\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

Il semblerait que nous ayons les droits de lancer la commande cat<\/strong> en tant que root<\/strong> :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Ce qui nous permet donc de pouvoir lire les fichiers en tant que root<\/strong>, ici afin de r\u00e9cup\u00e9rer le flag root<\/span><\/strong> nous pouvons simplement :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n

Cependant il nous reste une \u00e9tape qui est de trouver le mot de passe<\/strong> root<\/span><\/strong> !<\/p>\n\n\n\n

<\/div>\n\n\n\n

Dans ce cas l\u00e0, nous pouvons donc gr\u00e2ce \u00e0 cat<\/strong> lire le contenu du fichier \/etc\/passwd<\/span><\/strong> & \/etc\/shadow<\/span><\/strong> et tenter de r\u00e9cup\u00e9rer le mot de passe gr\u00e2ce \u00e0 John<\/span><\/strong>.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Nous copions donc sur notre machine ces derniers dans le fichier passwd<\/span><\/strong> et shadow<\/span><\/strong>.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Le mot de passe est donc : football<\/strong><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n","protected":false},"excerpt":{"rendered":"

<\/span> 4<\/span> min read<\/span><\/span>Learn how to brute, hash cracking and escalate privileges in this box! Continuer la lecture →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":45,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4],"tags":[7,21,6,24,23,22,63],"class_list":["post-313","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","tag-bruteforce","tag-ctf","tag-hydra","tag-john","tag-privesc","tag-tryhackme","tag-writeup"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=313"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/313\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/45"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}