TryHackMe CTF
Hello guys,
TryHackMe offers another great beginner-friendly challenge room.
Ok, let's jump right in.
Lookup offers a treasure trove of learning opportunities for aspiring hackers. This intriguing machine showcases various real-world vulnerabilities, ranging from web application weaknesses to privilege escalation techniques. By exploring and exploiting these vulnerabilities, hackers can sharpen their skills and gain invaluable experience in ethical hacking. Through "Lookup," hackers can master the art of reconnaissance, scanning, and enumeration to uncover hidden services and subdomains. They will learn how to exploit web application vulnerabilities, such as command injection, and understand the significance of secure coding practices. The machine also challenges hackers to automate tasks, demonstrating the power of scripting in penetration testing.
Based on the information given in the room, it hints at the existence of subdomains and hidden services.
As always, I ran an Nmap scan on the target IP, and the results indicated that only two ports are open: 22 and 80.
Port 80 is serving a website with a login page. I tried to brute-force the credentials using Burp Suite and tried basic SQL injections, but neither worked.
After being unsuccessful there, I tried to enumerate subdomains using GoBuster and FFUF, but that did not yield any results either.
I decided to check the login page again. This time I noticed that I get slightly different error messages when I use "admin" as the username.
I can use this to enumerate usernames. I decided to use FFUF to enumerate the usernames, and it revealed another username.
Now that I have two valid usernames, I can use them to brute-force the passwords. I used FFUF to brute-force the password.
First I tried "admin", but it was not successful. Then I used the other username, and FFUF was able to brute-force the password.
I used the username and password to log in to the portal, but it seems like it's redirecting us to a different subdomain upon successful login.
And, it looks like a file storage.
The content of some files was very interesting, especially the "credentials.txt" file. This file revealed a username and password combination,
but I was unable to use the credentials to log in via SSH or anywhere else.
After some looking around, I was able to find the name and the version number of the file manager software. Using this information, I was able to find an existing CVE in ExploitDB which leads to a command injection vulnerability.
I then checked whether the Metasploit Framework has an exploit for the CVE, and yes, it does!
I was able to get a meterpreter shell on the target as "www-data".
After some enumeration, I found out there is another user called "think", and the user flag (user.txt) is in that user's home directory. "www-data" does not have
the necessary permissions to read the file, so we will have to escalate privileges to read the user flag.
Furthermore, there is a ".passwords" file which "www-data" does not have access to read.
To escalate privileges, I decided to search for SUID or SGID files and one file "/usr/sbin/pwm" caught my attention.
Note:- To run the following commands, you need to switch your meterpreter session to a shell by executing the "shell" command. If this command does not work and throws an error,
you need to update your "metasploit-framework".
find / -type f -perm -04000 -ls 2>/dev/null
After looking around, I decided to run the file because user "www-data" had permission to execute it. The output suggested that it executes the "id" command and returns the content of the ".passwords" file for the current user. If we can trick the "pwm" command into thinking the current user is "think", we should be able to get the contents of think's ".passwords" file.
We can create our own "id" executable and make it run every time the "id" command is invoked. As the first step, we have to prepend our executable's directory to the $PATH variable.
export PATH=/tmp:$PATH
echo $PATH
As the second step, we have to create the "id" executable in the "/tmp" directory. Because we want to be identified as "think", it has to output the text that "think" would see when they run the "id" command.
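What makes pwm exploitable here is the classic SUID pattern of shelling out to a bare command name that the caller-controlled PATH resolves. The C below is an added example, not the room's binary or the author's code: it puts that shell-out pattern beside a hardened lookup that asks the kernel via getuid()/getpwuid() and spawns nothing, plus a small PATH audit that flags entries a privileged program must never trust. The "id -un" command string and the scratch-directory list are my assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern (simplified stand-in for what the writeup infers pwm does):
 * "id" is given as a bare name, so the shell resolves it through PATH. Whoever
 * controls PATH controls which user this program believes is running it. */
int user_via_id_command(char *out, size_t n) {
    FILE *p = popen("id -un", "r");          /* assumed command; PATH lookup */
    if (!p) return -1;
    int got = fgets(out, (int)n, p) != NULL;
    pclose(p);
    if (!got) return -1;
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

/* Hardened form: getuid() comes from the kernel and cannot be influenced by the
 * environment, and no subprocess is created at all. */
int user_via_getuid(char *out, size_t n) {
    struct passwd *pw = getpwuid(getuid());
    if (!pw) return -1;
    snprintf(out, n, "%s", pw->pw_name);
    return 0;
}

/* Audit helper: index of the first PATH entry a SUID program should refuse to
 * trust (empty entry = current directory, a relative entry, or a world-writable
 * scratch directory from an assumed list), or -1 if every entry looks sane. */
int first_untrusted_path_entry(const char *path) {
    static const char *scratch[] = { "/tmp", "/var/tmp", "/dev/shm", NULL };
    int idx = 0;
    for (const char *p = path;; idx++) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/') return idx;           /* cwd or relative */
        for (int i = 0; scratch[i]; i++)
            if (strlen(scratch[i]) == len && strncmp(p, scratch[i], len) == 0)
                return idx;
        if (!end) return -1;
        p = end + 1;
    }
}

int main(void) {
    char who[64];
    if (user_via_getuid(who, sizeof who) == 0) printf("kernel says: %s\n", who);
    const char *path = getenv("PATH") ? getenv("PATH") : "";
    printf("first untrusted PATH entry: %d\n", first_untrusted_path_entry(path));
    return 0;
}
```

Run against the PATH from the writeup ("/tmp:..."), the audit flags entry 0, which is exactly the entry the fake "id" is placed in.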
We can use the list of passwords returned to brute-force the SSH password for user "think" using Hydra.
The user flag is located in the home directory in the "user.txt" file. Once we get the user flag, I ran "sudo -l" to see which commands user "think" is allowed to run with sudo.
Interestingly, user "think" is allowed to run the "look" command with sudo. When I checked GTFOBins, it suggested that I can use this command to read any file as root.
This is interesting!!
Based on the location and file name of the "user.txt", the root flag should be in "/root/root.txt".
With the root user's "id_rsa" file, you can login to target machine as the root user via SSH and capture the root flag.
I hope you liked the writeup and enjoyed the room. BIG thanks to TryHackMe and the creators of the
"Lookup (Test your enumeration skills on this boot-to-root machine.)" challenge. Let's meet through another writeup in the future.
Happy Hacking..! :)