TryHackMe: Brute
Brute-force the MySQL credentials, use them to log in to the web application, use log poisoning to gain a shell, then escalate privileges to another user and to root.

Reconnaissance
The Nmap scan shows 4 open ports.
I tried to log in to FTP using anonymous credentials, but it failed. Then I opened the website and was immediately presented with a login form.
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/9c713986fdc8cf1e8c79031540681f7104570b0a-375x272.png)
It will be very difficult if we don't have the username. Since the MySQL database is reachable from our network, I will brute-force it first using the default username, which is root.
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/8be3f2722a16c4caad8dd1823d5ac7dcdd79cb69-888x252.png)
Cracked! Let's use it to access MySQL.
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/98c2cbbb800774ce94e3023e84a1d64a67aa2880-1042x595.png)
Let's grab the hashed password and crack it using john.
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/c0c63d3d9b7b747528cefe6ba07e3f4c77aa9724-909x205.png)
Got it. Then let's use it to log in on the web.
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/05c7f3792756a21a271a1a511b3b6a57822e7cbe-1109x300.png)
Log Poisoning
Log? I clicked the Log button and nothing happened. I think it's the log from FTP? Then I tried to log in to FTP, came back to the web, and got the log.
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/0cac37ddee7236233b2b30364228c82935f4d3f2-1709x309.png)
Look at the log: the username we used to log in with FTP is reflected on the web. I think we can inject it with a PHP script. I found a good reading for FTP poisoning here.
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/b669f9a6d4e04c6b5d3eb094ad9f4d67b111629b-601x204.png)
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/e934ad09713d85b589f739c458c512ddc31d3ec0-1711x411.png)
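From the defender's side, the same reflected-username behaviour can be caught in the FTP log and neutralised in the viewer. The sketch below is an added example, not code from the room or from this write-up; the vsftpd-style line format, the username allowlist and the sample log lines are assumptions constructed for illustration.

```python
import html
import re

# Assumed vsftpd-style line: <timestamp> [pid N] [user] OK|FAIL LOGIN: Client "ip"
LOGIN_RE = re.compile(
    r'^(?P<ts>.+?) \[pid (?P<pid>\d+)\] \[(?P<user>.*)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]*)"$'
)
# Assumed allowlist for what a legitimate account name looks like.
SAFE_USER_RE = re.compile(r'^[A-Za-z0-9._-]{1,32}$')
# Markers of server-side script or markup smuggled into the username field.
CODE_MARKERS = ("<?", "?>", "<%", "<script")

def inspect_line(line):
    """Return a finding dict for a login line, or None for any other line."""
    m = LOGIN_RE.match(line.rstrip("\n"))
    if not m:
        return None
    user = m.group("user")
    reasons = []
    if any(marker in user.lower() for marker in CODE_MARKERS):
        reasons.append("code-marker")
    if not SAFE_USER_RE.match(user):
        reasons.append("outside-allowlist")
    return {"client": m.group("client"), "result": m.group("result"),
            "user": user, "reasons": reasons}

def suspicious(lines):
    """Login attempts whose username field looks like injected content."""
    found = [inspect_line(line) for line in lines]
    return [f for f in found if f and f["reasons"]]

def render_log(lines):
    """Viewer side: treat the log as data and escape it; never include/eval it."""
    return "<pre>" + html.escape("\n".join(l.rstrip("\n") for l in lines)) + "</pre>"

SAMPLE_LOG = [  # constructed sample lines, not taken from the target
    'Tue Oct 19 12:00:01 2021 [pid 1201] CONNECT: Client "10.0.0.5"',
    'Tue Oct 19 12:00:03 2021 [pid 1200] [alice] OK LOGIN: Client "10.0.0.5"',
    'Tue Oct 19 12:01:10 2021 [pid 1304] [<?php /* placeholder */ ?>] FAIL LOGIN: Client "10.0.0.9"',
    'Tue Oct 19 12:02:44 2021 [pid 1310] [bob smith] FAIL LOGIN: Client "10.0.0.7"',
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f["client"], f["reasons"], repr(f["user"]))
    print(render_log(SAMPLE_LOG))
```

The detection half is an alerting aid; the fix that removes the issue is the viewer reading the log file as plain data and escaping it on output.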
Shell as www-data
Set up a netcat listener, and using the payload below we can get a reverse shell.
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/a00a3ca70045fe399786f465d0c90de345b9d3f1-617x205.png)
Then I navigated to home and found the Adrian directory. Inside the Adrian directory there is a file named .reminder, and I think it's a hint for us.
Shell as Adrian
Rules? best64? I think we should create a word list from the word "ettubrute" + exclamation mark, so it will be "ettubrute!". Let's try it.
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/27f2d63442415e5ed3977a439b68f541c8619545-688x94.png)
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/249d9f95c0027a4c229e2470dd45817479b66b82-905x293.png)
Shell as Root
In the Adrian home directory there is an interesting file called punch_in.sh.
The script basically writes 'Punched in at hours:min' to a file named punch_in.
Then from here I ran pspy and found this:
![[Image has no description]](https://cdn.sanity.io/images/7blsog1k/production/8188dc3a5c1ecd9ab9c37e742f572cc92632bfab-901x894.png)
The UID is 0, which means root is running this command, and I think it reads the file punch_in and uses it as in the image above. Since we have permission to write to the file punch_in, let's try to get a reverse shell from it.
Don't forget to set up the netcat listener.