LookUp (THM)

Test your enumeration skills on this boot-to-root machine.

Intro.

Hi My Hackers fellos today we have a fresh THM mchaine look intresting let's ge right into it

Enumeration.

Port scanning.

22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMc4hLykriw3nBOsKHJK1Y6eauB8OllfLLlztbB4tu4c9cO8qyOXSfZaCcb92uq/Y3u02PPHWq2yXOLPler1AFGVhuSfIpokEnT2jgQzKL63uJMZtoFzL3RW8DAzunrHhi/nQqo8sw7wDCiIN9s4PDrAXmP6YXQ5ekK30om9kd5jHG6xJ+/gIThU4ODr/pHAqr28bSpuHQdgphSjmeShDMg8wu8Kk/B0bL2oEvVxaNNWYWc1qHzdgjV5HPtq6z3MEsLYzSiwxcjDJ+EnL564tJqej6R69mjII1uHStkrmewzpiYTBRdgi9A3Yb+x8NxervECFhUR2MoR1zD+0UJbRA2v1LQaGg9oYnYXNq3Lc5c4aXz638wAUtLtw2SwTvPxDrlCmDVtUhQFDhyFOu9bSmPY0oGH5To8niazWcTsCZlx2tpQLhF/gS3jP/fVw+H6Eyz/yge3RYeyTv3ehV6vXHAGuQLvkqhT6QS21PLzvM7bCqmo1YIqHfT2DLi7jZxdk=
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJNL/iO8JI5DrcvPDFlmqtX/lzemir7W+WegC7hpoYpkPES6q+0/p4B2CgDD0Xr1AgUmLkUhe2+mIJ9odtlWW30=
|   256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/Wi4PUTjReEdk2K4aFMi8WzesipJ0bp0iI0FM8AfE
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login Page
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

Classic HTTP , SSH let's see the web page.

Enumerate HTTP.

So after some fuzzing i notice something intresting.

If the username and the password are wrong we get this error message.

so i test the admin user and it indded exist.

Notice the Error message says the password is wrong not both as the first try.

And after some fuzzing i foudn a common password.

and when i try to login i got this.

and then i decide to use this password to enumerate other users.

and after i test this creds i got this.

another subdomain i do not know i enumerate subdomains but i did not find it from some reason anyway let's continue.

To add this subdomain just modify '/etc/hosts'

once we login we gonna be here which looks that its shows a files.

Getting Shell.

So after some enumeration i found that this system is as shown below.

elfinder is an open source file manager on the web.

https://github.com/Studio-42/elFinder

and as we can see the version by simple looking we can find that its vulnerable to command injection.

And also we can find a metasploit, exploit for this vulnerablity.

LOL do not do my mistake i forgot to change the lhost.

Getting Shell as think.

So after i got shell on the www-data user i start searching for a way to trying to get shell as think as he the only user in the system.

After a bit i searched for the suid binaries.

suid binaries are just executable application that has been given the right to be executed as the create of the file by any user in the system.

www-data@lookup:/home/think$ find / -perm /4000 2>/dev/null
find / -perm /4000 2>/dev/null
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/core20/1950/usr/bin/chfn
/snap/core20/1950/usr/bin/chsh
/snap/core20/1950/usr/bin/gpasswd
/snap/core20/1950/usr/bin/mount
/snap/core20/1950/usr/bin/newgrp
/snap/core20/1950/usr/bin/passwd
/snap/core20/1950/usr/bin/su
/snap/core20/1950/usr/bin/sudo
/snap/core20/1950/usr/bin/umount
/snap/core20/1950/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1950/usr/lib/openssh/ssh-keysign
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pwm !!!!!!!!!!
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount

and the most important on was 'pwm' which i have not seen before after a bit of search i found this.

PWM is an open source password self-service application for LDAP directories.

so i test the application and i saw this.

i also looked at the think home directory and i found '.passwords' file

i wanted to reverse engineer the file so that i know how does he access the 'id' command if he uses relative path this would make it easier to manipulate with the PATH env variable.

relative paths is when you type 'ls' command you do not specify the full path the to 'ls' command so the OS will look at env variable called PATH and search in all the directories there in order to find it.

I think you could tell now where am i going with this. Before i reverse engineer i decided i want to test to put malicious id file to echo the think info instead of www-data, and modify the PATH env variable.

and the final id file will look like this.

#!/bin/bash
echo "uid=1000(think) gid=1000(think) groups=1000(think)"

and as you can see we did it. now he thinks that we are think and did reveal all the passwords in the .password file of the user think. now i will try to brute force ssh login using these passwords.

and as you can see now we indded find the password.

Root.

Reading the root.txt file.

so after i login i checked the sudo -l command and i found this.

a very simple search we can find a way to read the /root/root.txt file.

Getting shell on the Root user.

using the same look command we can find the ssh key of the root user.

and we just copy it into our machine change its permission into 600 and login via ssh key.

Conclusion.

PreviousService (THM)NextCVE-2024-27198

Last updated 4 months ago