1 00:00:00,170 --> 00:00:06,230 In this video, we are going to solve the Brute It room from TryHackMe, which is focused on brute forcing with
2 00:00:06,230 --> 00:00:06,680 John.
3 00:00:12,680 --> 00:00:16,250 So open the Brute It room on TryHackMe and join the room.
4 00:00:20,220 --> 00:00:21,360 Now start your machine.
5 00:00:24,580 --> 00:00:26,230 Go back on your machine.
6 00:00:27,900 --> 00:00:32,520 Connect with the TryHackMe OpenVPN profile using the sudo openvpn command.
7 00:00:39,000 --> 00:00:44,040 And you can check your connectivity with ifconfig, and we get a new interface
8 00:00:44,040 --> 00:00:45,300 named tun0.
9 00:00:49,210 --> 00:00:50,050 Once your machine
10 00:00:50,050 --> 00:00:50,650 is started,
11 00:00:50,650 --> 00:00:53,050 copy the IP address of the target machine.
12 00:00:54,580 --> 00:00:55,300 And ping it.
13 00:00:57,460 --> 00:00:59,830 Now let's just scan the target with Nmap.
14 00:00:59,860 --> 00:01:01,990 Use the command as shown on the screen.
15 00:01:07,160 --> 00:01:08,830 -sS is for stealth scan.
16 00:01:09,010 --> 00:01:13,180 -sV is for version enumeration and -O is for OS enumeration.
17 00:01:15,220 --> 00:01:16,840 And we get only one port.
18 00:01:17,350 --> 00:01:19,330 I think we need to slow down the scan.
19 00:01:25,780 --> 00:01:29,710 Repeat the scan but slow it down by replacing -T5 with -T3.
20 00:01:35,430 --> 00:01:38,820 Then we get another port on the machine, which is port 80.
21 00:01:41,600 --> 00:01:42,530 On TryHackMe,
22 00:01:42,530 --> 00:01:44,990 the first question is how many ports are open?
23 00:01:45,050 --> 00:01:45,770 Which are two.
24 00:01:47,400 --> 00:01:50,940 The next question is the version of SSH that is running.
25 00:01:51,630 --> 00:01:55,410 You can copy the version from the Kali machine and paste it on TryHackMe.
26 00:01:58,610 --> 00:02:01,490 The next question is for the Apache version.
27 00:02:03,490 --> 00:02:05,170 Just copy it from the scan.
28 00:02:13,580 --> 00:02:17,780 And the third question is which Linux distribution is running, which is Ubuntu.
29 00:02:22,750 --> 00:02:25,600 Now we need to find the hidden directory on the web server.
30 00:02:27,870 --> 00:02:29,040 So open a new tab.
31 00:02:29,990 --> 00:02:32,630 And fire it up as shown on the screen.
32 00:02:33,530 --> 00:02:36,710 And we are using ffuf to brute force the directories.
33 00:02:39,390 --> 00:02:42,030 While it is running, let's browse to the website.
34 00:02:42,920 --> 00:02:43,700 On the home page
35 00:02:43,700 --> 00:02:44,900 there is only
36 00:02:46,040 --> 00:02:47,660 the Apache2 default page.
37 00:02:49,400 --> 00:02:52,910 So ffuf has found an additional directory called admin.
38 00:02:54,200 --> 00:02:55,670 Just browse the admin page.
39 00:03:02,790 --> 00:03:03,840 And first of all,
40 00:03:04,710 --> 00:03:06,090 inspect the source code.
41 00:03:07,620 --> 00:03:10,500 But we do find a username, which is admin.
42 00:03:12,620 --> 00:03:15,290 Let's just try some simple SQL injection.
43 00:03:18,450 --> 00:03:20,010 And we did not get anything.
44 00:03:23,080 --> 00:03:27,150 So the hidden directory is admin, and answer the question on TryHackMe.
45 00:03:31,270 --> 00:03:33,340 So we have got the admin panel.
46 00:03:33,370 --> 00:03:35,230 Now we need to brute force the password.
47 00:03:43,030 --> 00:03:46,060 First of all, right-click on the page and open the Inspect tab.
48 00:03:48,650 --> 00:03:50,120 Now go to the Network tab.
49 00:03:53,650 --> 00:03:55,390 Then initiate a login request.
50 00:04:03,360 --> 00:04:05,010 Now click on the request method.
51 00:04:05,870 --> 00:04:07,940 And you will get the request parameters.
52 00:04:13,890 --> 00:04:16,050 We need these parameters to use in Hydra.
53 00:04:20,370 --> 00:04:24,570 Now open Hydra and use the command as shown on the screen.
54 00:04:25,430 --> 00:04:27,080 The -V is for verbosity.
55 00:04:27,110 --> 00:04:29,210 -I is to ignore any errors.
56 00:04:29,240 --> 00:04:31,460 And -t 4 is for four threads.
57 00:04:33,960 --> 00:04:36,960 And in a few minutes, Hydra will brute force our password,
58 00:04:36,990 --> 00:04:37,830 which is Xavier.
59 00:04:44,690 --> 00:04:51,530 Then log in on the admin panel with the username and password, and you get an RSA private key and a flag.
60 00:04:55,600 --> 00:04:55,840 Now
61 00:04:55,840 --> 00:04:57,670 answer the questions on TryHackMe.
62 00:05:02,160 --> 00:05:04,290 You know the admin username and password.
63 00:05:11,160 --> 00:05:13,020 We also have the flag from the web.
64 00:05:14,580 --> 00:05:17,160 So paste it in the question about the web flag.
65 00:05:27,000 --> 00:05:31,170 Then open the downloaded key, and you will see that it's encrypted.
66 00:05:32,110 --> 00:05:34,510 Now we can crack the key with John.
67 00:05:37,750 --> 00:05:37,930 Then
68 00:05:37,930 --> 00:05:40,480 copy this key into a new file.
69 00:05:49,520 --> 00:05:54,410 Now use ssh2john to convert the key into a John-acceptable format.
70 00:05:57,490 --> 00:05:59,260 So we have got the hash.txt file.
71 00:06:01,160 --> 00:06:03,470 Now, let's just use John to crack it.
72 00:06:04,690 --> 00:06:06,670 Use the command as shown on the screen.
73 00:06:07,680 --> 00:06:09,840 And use the default wordlist of John.
74 00:06:17,500 --> 00:06:18,790 I think it has failed.
75 00:06:21,490 --> 00:06:24,250 Use the --show flag to view the cracked passwords.
76 00:06:27,160 --> 00:06:29,110 Looks like we do not have any cracked password.
77 00:06:29,900 --> 00:06:32,260 Let's just change the wordlist now.
78 00:06:32,270 --> 00:06:34,610 Use rockyou.txt to crack it.
79 00:06:34,940 --> 00:06:37,940 And we do get the password, which is rock and roll.
80 00:06:40,980 --> 00:06:41,670 Just paste it on
81 00:06:41,670 --> 00:06:42,570 TryHackMe.
82 00:06:49,110 --> 00:06:52,010 Now let's just connect to our target machine with SSH.
83 00:06:59,470 --> 00:07:01,840 First copy the key file into another file.
84 00:07:07,120 --> 00:07:08,470 And make it executable.
85 00:07:14,540 --> 00:07:16,700 Now use SSH to connect to the machine.
86 00:07:18,940 --> 00:07:20,710 I think the username is admin.
87 00:07:25,300 --> 00:07:29,410 Just provide the key file and the username and try connecting.
88 00:07:33,310 --> 00:07:34,780 It says our passphrase is wrong.
89 00:07:37,740 --> 00:07:39,450 We need to guess the username.
90 00:07:41,670 --> 00:07:45,150 So the username may be john, which is indicated on the web panel.
91 00:07:46,580 --> 00:07:49,790 So change the username and try connecting again.
92 00:07:57,920 --> 00:07:59,090 And we get the terminal.
93 00:08:01,960 --> 00:08:03,490 Then cat out the user flag.
94 00:08:06,300 --> 00:08:08,250 And paste it on TryHackMe.
95 00:08:13,900 --> 00:08:15,760 Let's escalate our privileges.
96 00:08:19,810 --> 00:08:21,390 Use the command sudo -l.
97 00:08:23,040 --> 00:08:26,220 And we can see that we can run a command with sudo.
98 00:08:30,080 --> 00:08:33,710 Let's just check GTFOBins for how we can escalate our privileges.
99 00:08:36,390 --> 00:08:42,480 So it says if we can read data from a file, it may be used to do privileged reads or disclose files
100 00:08:42,480 --> 00:08:44,370 outside a restricted file system.
101 00:08:45,930 --> 00:08:51,000 So what we can do, we can read the passwd and the shadow file and try cracking it.
102 00:08:58,010 --> 00:08:59,540 Cat out the passwd file.
103 00:09:06,530 --> 00:09:08,480 Copy the content into a new file.
104 00:09:16,750 --> 00:09:17,680 And save it.
105 00:09:19,280 --> 00:09:20,870 Cat out the shadow file.
106 00:09:23,410 --> 00:09:25,960 Open a new file and save its contents.
107 00:09:33,850 --> 00:09:40,510 Then use the unshadow command on the passwd and shadow files and save the hash in a new file.
108 00:09:45,150 --> 00:09:46,800 I'm using John to crack it.
109 00:09:52,480 --> 00:09:55,300 And it has successfully cracked the password, which is football.
110 00:10:02,450 --> 00:10:05,090 Now switch to root with the command.
111 00:10:13,620 --> 00:10:15,990 And cat out the flag from the root directory.
112 00:10:22,410 --> 00:10:26,370 So we have successfully completed the Brute It room from TryHackMe.