Brute It TryHackMe Walkthrough — Hydra Brute Force to Root
Difficulty: Easy · OS: Linux · Skills: Web enumeration, online brute forcing, hash cracking, Linux privilege escalation
Brute It is an easy, beginner-friendly Linux room on TryHackMe that does exactly what the name says — it teaches brute forcing. We enumerate a hidden admin panel, brute-force its login with Hydra, recover an SSH private key, crack its passphrase with John, log in, and finish with a textbook sudo misconfiguration privilege escalation to root.
This writeup keeps it short and practical so you can follow the logic, not just copy commands. Flags and passwords are intentionally redacted — go earn your own.
Attack Chain at a Glance
- Recon → Only ports 22 (SSH) and 80 (HTTP) are open.
- Web enumeration → Gobuster reveals a hidden /admin login page; its page source leaks a username.
- Initial access → Hydra brute-forces the admin password. The panel hands out an SSH private key (id_rsa).
- Key cracking → ssh2john + John recover the key's passphrase → SSH in as john.
- Privilege escalation → john can run /bin/cat as root via sudo. Read /etc/shadow, crack root's hash, become root.
1. Enumeration
Port Scan
Start with a default-script and version scan.
Result — a small, classic footprint:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
What this tells us: with only SSH and a web server, the website is the entry point and SSH is likely the second step once we find credentials or a key.
Web Directory Brute-Force
The homepage is plain, so enumerate hidden directories with Gobuster.
Key hit:
/admin (Status: 301)
Read the page source — free hints
Open http://<TARGET_IP>/admin/ and you'll see a simple login form. Always view the HTML source of login pages on easy boxes — developers leave comments behind. Here, the source contains a comment revealing the username (admin). That single hint turns a slow two-field brute force into a fast one-field password attack.
Tip: Ctrl+U (view source) is one of the cheapest, highest-value habits in web pentesting.
2. Initial Access — Brute Forcing with Hydra
We have a username (admin) and a login form. Now we throw a wordlist at the password field with Hydra.
First, identify the form's behaviour: it's a POST request with user and pass fields, and a failed login returns a recognisable error string. Hydra needs that failure string to know which attempts are wrong.
Breaking down the http-post-form argument:
| Part | Meaning |
|---|---|
| /admin/ | the path the form posts to |
| user=^USER^&pass=^PASS^ | the POST body; Hydra swaps in each candidate |
| F=Username or password invalid | the failure marker; anything without this string is a hit |
Hydra quickly returns a valid password. Log in to the panel, and it exposes an SSH private key (id_rsa) plus a web flag.
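From the defender's side, the same brute force is loud in the Apache access log. The script below is an added example, not part of the original writeup: it parses constructed combined-format log lines and flags any source that POSTs to /admin/ ten or more times inside a sliding 60-second window. It deliberately ignores status codes, because this form answers a failed login with HTTP 200 plus an error string, so a 401-based rule would see nothing. The log lines, IPs and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line, e.g.
# 10.0.0.5 - - [10/Oct/2023:13:55:00 +0000] "POST /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"), int(m.group("status")))

def detect_bruteforce(lines, path="/admin/", threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs that POST to `path` at least `threshold` times inside any
    sliding `window`. Status codes are ignored on purpose: the Brute It form
    answers a failed login with HTTP 200 and an error string. Returns {ip: total POSTs}."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == path:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # shrink the window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def sample_log():
    """Constructed log: one host hitting /admin/ every 3 s, one normal user."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="10.0.0.5", ts=(base + timedelta(seconds=3 * i)).strftime(TS_FMT),
                        m="POST", p="/admin/", s=200) for i in range(12)]
    lines.append(fmt.format(ip="192.168.1.20", ts=base.strftime(TS_FMT), m="GET", p="/admin/", s=200))
    lines.append(fmt.format(ip="192.168.1.20", ts=(base + timedelta(minutes=5)).strftime(TS_FMT),
                            m="POST", p="/admin/", s=302))
    return lines

if __name__ == "__main__":
    print(detect_bruteforce(sample_log()))   # {'10.0.0.5': 12}
```

The same volume-based rule is what a lockout or rate limit on the panel would enforce before the attacker gets a hit.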
Download the key and lock down its permissions (SSH refuses world-readable keys):
3. Cracking the SSH Key Passphrase
The private key is encrypted with a passphrase, so we can't use it yet. Convert it to a crackable hash with ssh2john, then attack it with John and rockyou:
John recovers the passphrase in seconds. Now use the key to SSH in as john (you'll be prompted for the passphrase you just cracked):
Grab the user flag:
Why this matters: a private key is not a password-less skeleton key when it's passphrase-protected — but a weak passphrase undoes that protection entirely. Treat key passphrases like passwords.
4. Privilege Escalation — Misconfigured sudo (cat)
First thing after any foothold: check what we can run as root.
Output reveals that john can run /bin/cat as root, without a password:
(root) NOPASSWD: /bin/cat
Exploiting with GTFOBins
cat doesn't give a shell, but it lets us read any file as root — including the password database. GTFOBins confirms cat is abusable for file reads under sudo. We read /etc/shadow, which normally only root can see:
Copy out root's hash (the $6$... SHA-512 entry) into a file, then crack it with John:
John recovers root's password. Switch user and you're done:
Rooted. ✅
Key Takeaways
- Brute-forceable logins are a critical risk. No rate limiting, lockout, CAPTCHA, or MFA means Hydra walks straight in. Add account lockouts and MFA to admin panels.
- Never expose private keys through a web app. The id_rsa download was the whole ballgame — secrets don't belong in web-served directories.
- Passphrase-protect keys and use strong passphrases. A weak one (cracked from rockyou) offers no real protection.
- Audit sudo rules. NOPASSWD on a file-reading binary like cat is effectively root access. Follow least privilege and check entries against GTFOBins.
- Hash everything safely and rotate credentials. A readable /etc/shadow plus a weak root password = instant full compromise.
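One way to act on the sudo-audit takeaway, as an added example that is not part of the room or this writeup: a small sudoers parser that flags rules granting a file-reading binary as root, reporting whether NOPASSWD is set. The sample sudoers text is constructed and modelled on the john rule above; the binary list is an illustrative subset, not the full GTFOBins catalogue.

```python
import re

# Illustrative subset of binaries GTFOBins documents as able to read arbitrary
# files when run under sudo (constructed list, not the full catalogue).
FILE_READ_BINS = {"cat", "tac", "less", "more", "head", "tail", "nl", "sed", "awk", "vim", "vi", "base64"}

# Matches "user HOST=(runas) [TAG:] cmd1, cmd2". Comments, Defaults and aliases are skipped.
RULE_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\))?\s*'
                     r'(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$')
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias", "@include")

SAMPLE_SUDOERS = """\
# constructed sample sudoers, modelled on the Brute It finding
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
john    ALL=(root) NOPASSWD: /bin/cat
backup  ALL=(root) /usr/bin/rsync, /bin/tar
alice   ALL=(root) /usr/bin/less
"""

def parse_sudoers(text):
    """Return a list of (user, runas_user, nopasswd, command) tuples, one per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(ALL:ALL)" -> runas user ALL; a missing runas clause defaults to root
        runas = ((m.group("runas") or "root").split(":")[0].strip()) or "root"
        tags = {t.strip().upper() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("user"), runas, "NOPASSWD" in tags, cmd.strip()))
    return rules

def risky_rules(text):
    """Flag rules whose command is a file-reading binary run as root (or ALL).
    NOPASSWD makes it worse, but even a password-gated cat-as-root reads /etc/shadow."""
    findings = []
    for user, runas, nopasswd, cmd in parse_sudoers(text):
        name = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if runas in ("root", "ALL") and name in FILE_READ_BINS:
            findings.append({"user": user, "command": cmd, "nopasswd": nopasswd})
    return findings

if __name__ == "__main__":
    for f in risky_rules(SAMPLE_SUDOERS):
        print(f)
```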
FAQ
What does the Brute It room teach? Online password brute forcing (Hydra), SSH private-key passphrase cracking (ssh2john + John), and Linux privilege escalation through a misconfigured sudo rule.
How do I write the Hydra command for the admin login?
Use http-post-form with the path, the POST body containing ^USER^/^PASS^ placeholders, and the page's failure string after F=, e.g. "/admin/:user=^USER^&pass=^PASS^:F=Username or password invalid".
Where do I find the username for the brute force?
View the HTML source of the /admin login page — it's left in a comment.
How do I crack an encrypted id_rsa?
Run ssh2john id_rsa > hash, then john --wordlist=rockyou.txt hash to recover the passphrase.
How does the privilege escalation work?
User john can run /bin/cat as root with NOPASSWD. That allows reading /etc/shadow; crack root's hash with John and su root.
Tools Used
nmap · gobuster · hydra · ssh2john · john · ssh · GTFOBins (reference)
Educational walkthrough for the Brute It room on TryHackMe. Practise responsibly — only test systems you're authorised to attack.