TryHackMe: Brute It
Having fun with TryHackMe again. So, here is the write-up and guide to pass the Brute It challenge.
Room: https://tryhackme.com/room/bruteit
Level: Easy
Task: Learn how to brute, hash cracking and escalate privileges in this box!
Let's get started
As usual, open the IP in the browser first. There is nothing hidden here.
Brute-force the available directories then:
# gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.98.X -t 60
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/admin (Status: 301)
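Seen from the server side, a wordlist scan like the one above shows up in the access log as one client hitting many different paths in a few seconds, almost all answered with 403/404. The Python below is an added example, not part of the original write-up: it flags that pattern in Common Log Format lines and reports which paths the client actually found. The log lines, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format prefix: ip - - [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
MISS = (403, 404)  # responses a wordlist scan mostly collects

def parse(line):
    """Return (ip, time, path, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path.split("?", 1)[0], int(status)

def find_enumeration(lines, window=timedelta(seconds=10), min_paths=20, min_miss=0.8):
    """Flag clients probing many distinct paths, mostly 403/404, inside one window.
    Thresholds are assumptions to tune against real traffic."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[0]].append(rec[1:])
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            misses = sum(1 for _, _, s in chunk if s in MISS)
            if len({p for _, p, _ in chunk}) >= min_paths and misses / len(chunk) >= min_miss:
                # Paths that did NOT miss are what the scanner learned about the site.
                alerts[ip] = {
                    "paths_probed": len({p for _, p, _ in events}),
                    "found": sorted({p for _, p, s in events if s not in MISS}),
                }
                break
    return alerts

def sample_log():
    """Constructed log lines: one scanner (203.0.113.5), one ordinary visitor."""
    words = [f"word{i}" for i in range(30)] + [".htpasswd", ".htaccess", "admin"]
    fmt = '{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] "GET /{p} HTTP/1.1" {st} 0'
    lines = [fmt.format(ip="203.0.113.5", sec=i // 10, p=w,
                        st=301 if w == "admin" else 403 if w.startswith(".ht") else 404)
             for i, w in enumerate(words)]
    lines += [fmt.format(ip="198.51.100.7", sec=5 + i, p=p, st=200)
              for i, p in enumerate(["", "index.html", "admin/"])]
    return lines
```

Calling `find_enumeration(sample_log())` flags only the scanning client and lists `/admin` as the path it discovered, which is the place to look next for repeated login attempts.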
OK, found the admin path, so go to the page…
OK, now there is an admin page with a login. Inspect the webpage first.
There is a message there saying the username is “admin”. Before using hydra, I need to capture the error message first, and it's “Username or password invalid”. So using hydra, brute the password using rockyou.txt dictionary with…