Lookup


Test your enumeration skills on this boot-to-root machine.

Challenge Description

Lookup offers a treasure trove of learning opportunities for aspiring hackers. This intriguing machine showcases various real-world vulnerabilities, ranging from web application weaknesses to privilege escalation techniques. By exploring and exploiting these vulnerabilities, hackers can sharpen their skills and gain invaluable experience in ethical hacking. Through "Lookup," hackers can master the art of reconnaissance, scanning, and enumeration to uncover hidden services and subdomains. They will learn how to exploit web application vulnerabilities, such as command injection, and understand the significance of secure coding practices. The machine also challenges hackers to automate tasks, demonstrating the power of scripting in penetration testing.

  • IP Address: 10.10.57.212

Reconnaissance

As usual, let's start with an nmap scan of the target system:

sudo nmap -sV -sC -vv -T5 -oA Lookup.nmap 10.10.57.212


The scan shows the following two ports open on the target system:

  • Port 22
  • Port 80

Web Application

Let's first get to know the web application on this target. Start by editing the /etc/hosts file:

sudo nano /etc/hosts

Add the following line:

10.10.57.212 lookup.thm

Now browse to the application at http://lookup.thm

Further analysis of the web application discloses nothing else of interest. Let's fuzz for other files, folders and vhosts using ffuf:

  • Files
  • Folders
  • VHosts

None of these scans gives us anything useful, so we are left with the login page.

Login Page

After trying several username and password combinations, as well as some basic SQL injection payloads and queries, the application shows nothing other than the redirection message.

Now let's intercept the login request with Burp Suite and send it to Repeater for further analysis.

In Repeater, we see a different content size (and a different message) depending on the username. For a made-up user such as abcd we get one response, but for the admin user we get another, which confirms that the admin username exists in the database. We can now fuzz for that user's password using ffuf:

ffuf -w ~/Pranava__Rao/Tools/Fuzzing\ List/SecLists/Passwords/2020-200_most_used_passwords.txt -u http://lookup.thm/login.php -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -fw 8


Now, when we try to log in with this password, we get a different error.

This error message is actually confirming the password for some other user, which is strange, since ffuf identified it for the admin user. So let's now fuzz for the username using the password we found:

ffuf -w ~/Pranava__Rao/Tools/Fuzzing\ List/SecLists/Usernames/xato-net-10-million-usernames.txt -u http://lookup.thm/login.php -X POST -d "username=FUZZ&password=<Password Here>" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -fw 10

And we get another user: jose!
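One way to spot this kind of login fuzzing from the server side, as an added example that is not part of the original write-up: the detection below parses constructed Apache-style access log lines (not logs from this box), flags any client that sends a burst of POSTs to /login.php, and lists the response sizes that deviate from the usual failure page, since those are exactly the hits a fuzzer's word-count or size filter is looking for. The log format, thresholds and sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Apache "combined" log format; only the fields the detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_login_bursts(lines, path="/login.php", window=60, min_requests=20):
    """Return {ip: (post_count, outlier_sizes)} for clients hammering the login form."""
    # A fuzzing run leaves a burst of POSTs whose response sizes are almost all the
    # same (the generic failure page). The few responses with a different size are
    # exactly what the fuzzer was filtering for, so they are reported separately.
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(reqs)):  # sliding window over the sorted timestamps
            while (reqs[end]["ts"] - reqs[start]["ts"]).total_seconds() > window:
                start += 1
            if end - start + 1 >= min_requests:
                sizes = Counter(r["size"] for r in reqs)
                modal = sizes.most_common(1)[0][0]
                flagged[ip] = (len(reqs), sorted(s for s in sizes if s != modal))
                break
    return flagged

# Constructed sample, not real traffic: 25 POSTs from one client within three
# seconds, one of which gets a different-size response, plus one ordinary login.
SAMPLE = [
    f'10.0.0.5 - - [26/Nov/2024:15:04:{10 + i // 10:02d} +0000] "POST /login.php HTTP/1.1" '
    f'200 {1302 if i == 17 else 1234} "-" "-"'
    for i in range(25)
] + ['10.0.0.9 - - [26/Nov/2024:15:09:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "-"']
```

Running find_login_bursts(SAMPLE) flags only 10.0.0.5, with the single 1302-byte response singled out as the one worth investigating.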

Now, when we log in as jose with that password, the web page tries to redirect us to another host, files.lookup.thm.

So, let's add that hostname to our /etc/hosts file as well:

10.10.56.101 lookup.thm files.lookup.thm


elFinder

Here we find an elFinder instance in front of us.

After a bit of looking around, we find that this version of elFinder is vulnerable.

Version 2.1.47

We can also see this vulnerability being discussed on the project's GitHub page.

This exploit requires Python 2.7 and access to connector.minimal.php in order to upload files. In this case, connector.minimal.php was accessible without having to log in again.

The vulnerability lies in the handling of the uploaded filename, which allows commands to be injected. The exploit uploads an arbitrary image and uses the injection to drop a PHP web shell into the upload directory.

So, for this exploit, let's download any image and name it SecSignal.jpg, and also download the exploit from its Exploit Database page.

Now, let's run the script:

python2.7 CVE-201909194-ExploitDatabase.py http://files.lookup.thm/elFinder/


THAT WAS JUST MAGIC!!!!!!!!!!!!!!!!

Now you can upgrade the web shell to a reverse shell using netcat and a payload from Revshells.
For this box I tried several shells, but the one that worked was the nc mkfifo one. Also, make sure that you URL-encode the payload.

And here we get the shell!

Let's upgrade the shell to something more usable than what we have right now, which we can do with Python.

First, run the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

This spawns /bin/bash through Python's pty module, giving the shell a proper pseudo-terminal connected to our standard I/O.

Then, once you have the shell, press Ctrl + Z to background it, fix the local terminal line settings with stty, and bring the remote shell back to the foreground:

stty raw -echo && fg


Shell

Now that we have a shell, looking around the system we find the user.txt flag in the think user's home directory, but we cannot read it. We also notice a .passwords file in the same directory.

Let's enumerate the filesystem further, looking for SUID binaries:

find / -perm /4000 2>/dev/null

And here we see a very uncommon binary on the system:

/usr/sbin/pwm

This tool looks up the current user id and then prints the contents of that user's .passwords file. We get no output, which is expected, since our user has no home directory containing a .passwords file. But the think user has one!

We can create a fake id script in /tmp that reports the think user's identity, and have the tool pick it up instead of the real id:

echo 'echo "uid=1000(think) gid=1000(think) groups=1000(think)"' > id


Make the file executable:

chmod +x id

Now, put /tmp at the front of the PATH:

export PATH=/tmp:$PATH


Now, running the tool gives us the list of passwords!
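As an added example (not the box's pwm, whose source the write-up does not show): assuming, as the PATH trick above implies, that the tool resolves id through the caller's PATH, this Python model reproduces that flaw beside two fixes, a fixed search path and asking the kernel for the uid directly instead of parsing a child process. SAFE_PATH and the demo's fake id script are assumptions.

```python
import os
import subprocess
import tempfile

SAFE_PATH = "/usr/bin:/bin"  # assumption: where the real id(1) lives

def uid_via_path(env):
    """Models the flaw: `id` is resolved through the caller's PATH, so whoever
    controls PATH controls the identity a privileged program then acts on."""
    out = subprocess.run(["id", "-u"], env=env, capture_output=True, text=True, check=True)
    return out.stdout.strip()

def uid_hardened(env):
    """Same lookup, but the caller's PATH is discarded before the child runs."""
    clean = dict(env, PATH=SAFE_PATH)
    out = subprocess.run(["id", "-u"], env=clean, capture_output=True, text=True, check=True)
    return out.stdout.strip()

def uid_from_kernel():
    """Best option: no child process at all, just the real uid from the kernel."""
    return str(os.getuid())

def demo():
    """Plant a fake `id` first in PATH, as the write-up does, and compare results."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "id")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho 1000\n")  # constructed: claims uid 1000 (think on the box)
        os.chmod(fake, 0o755)
        env = dict(os.environ, PATH=tmp + os.pathsep + os.environ.get("PATH", SAFE_PATH))
        return uid_via_path(env), uid_hardened(env), uid_from_kernel()

if __name__ == "__main__":
    via_path, hardened, kernel = demo()
    print(f"via PATH: {via_path}  fixed PATH: {hardened}  kernel: {kernel}")
```

The first value comes from the planted script, the other two agree with each other regardless of what PATH contains.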


Now let's copy these passwords to our local machine into a file called password.txt and use hydra to find the think user's SSH password:

hydra -l think -P password.txt lookup.thm ssh


Now we can log in over SSH as think with the password we found!

Running sudo -l shows which commands we are allowed to run as root.

Now let's read the root.txt file using the look command:

sudo look '' /root/root.txt


That is it!!!!!!!!!