search

LookUp (THM)

Test your enumeration skills on this boot-to-root machine.

hashtag
Intro.

Hi My Hackers fellos today we have a fresh THM mchaine look intresting let's ge right into it

hashtag
Enumeration.

hashtag
Port scanning.

22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMc4hLykriw3nBOsKHJK1Y6eauB8OllfLLlztbB4tu4c9cO8qyOXSfZaCcb92uq/Y3u02PPHWq2yXOLPler1AFGVhuSfIpokEnT2jgQzKL63uJMZtoFzL3RW8DAzunrHhi/nQqo8sw7wDCiIN9s4PDrAXmP6YXQ5ekK30om9kd5jHG6xJ+/gIThU4ODr/pHAqr28bSpuHQdgphSjmeShDMg8wu8Kk/B0bL2oEvVxaNNWYWc1qHzdgjV5HPtq6z3MEsLYzSiwxcjDJ+EnL564tJqej6R69mjII1uHStkrmewzpiYTBRdgi9A3Yb+x8NxervECFhUR2MoR1zD+0UJbRA2v1LQaGg9oYnYXNq3Lc5c4aXz638wAUtLtw2SwTvPxDrlCmDVtUhQFDhyFOu9bSmPY0oGH5To8niazWcTsCZlx2tpQLhF/gS3jP/fVw+H6Eyz/yge3RYeyTv3ehV6vXHAGuQLvkqhT6QS21PLzvM7bCqmo1YIqHfT2DLi7jZxdk=
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJNL/iO8JI5DrcvPDFlmqtX/lzemir7W+WegC7hpoYpkPES6q+0/p4B2CgDD0Xr1AgUmLkUhe2+mIJ9odtlWW30=
|   256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/Wi4PUTjReEdk2K4aFMi8WzesipJ0bp0iI0FM8AfE
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login Page
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

  • Classic HTTP , SSH let's see the web page.

hashtag
Enumerate HTTP.

  • So after some fuzzing i notice something intresting.

If the username and the password are wrong we get this error message.

so i test the admin user and it indded exist.

Notice the Error message says the password is wrong not both as the first try.

And after some fuzzing i foudn a common password.

and when i try to login i got this.

and then i decide to use this password to enumerate other users.

and after i test this creds i got this.

another subdomain i do not know i enumerate subdomains but i did not find it from some reason anyway let's continue.

circle-info

To add this subdomain just modify '/etc/hosts'

once we login we gonna be here which looks that its shows a files.

hashtag
Getting Shell.

So after some enumeration i found that this system is as shown below.

elfinder is an open source file manager on the web.

https://github.com/Studio-42/elFinderarrow-up-right

and as we can see the version by simple looking we can find that its vulnerable to command injection.

And also we can find a metasploit, exploit for this vulnerablity.

Logometasploit-framework/documentation/modules/exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.md at master · rapid7/metasploit-frameworkGitHubchevron-right

circle-info

LOL do not do my mistake i forgot to change the lhost.

hashtag
Getting Shell as think.

So after i got shell on the www-data user i start searching for a way to trying to get shell as think as he the only user in the system.

After a bit i searched for the suid binaries.

circle-info

suid binaries are just executable application that has been given the right to be executed as the create of the file by any user in the system.

and the most important on was 'pwm' which i have not seen before after a bit of search i found this.

LogoGitHub - pwm-project/pwm: pwmGitHubchevron-right
circle-info

PWM is an open source password self-service application for LDAP directories.

so i test the application and i saw this.

circle-info

i also looked at the think home directory and i found '.passwords' file

So ok it uses the id command so it be able to identify the user weird 🤔.

i wanted to reverse engineer the file so that i know how does he access the 'id' command if he uses relative path this would make it easier to manipulate with the PATH env variable.

circle-info

relative paths is when you type 'ls' command you do not specify the full path the to 'ls' command so the OS will look at env variable called PATH and search in all the directories there in order to find it.

I think you could tell now where am i going with this. Before i reverse engineer i decided i want to test to put malicious id file to echo the think info instead of www-data, and modify the PATH env variable.

and the final id file will look like this.

and as you can see we did it. now he thinks that we are think and did reveal all the passwords in the .password file of the user think. now i will try to brute force ssh login using these passwords.

and as you can see now we indded find the password.

hashtag
Root.

hashtag
Reading the root.txt file.

so after i login i checked the sudo -l command and i found this.

a very simple search we can find a way to read the /root/root.txt file.

Logolook | GTFOBinsgtfobins.github.iochevron-right

hashtag
Getting shell on the Root user.

using the same look command we can find the ssh key of the root user.

and we just copy it into our machine change its permission into 600 and login via ssh key.

hashtag
Conclusion.

in the end this machine was quite fun and help you to understand the way of relatives and absolute files path and how this could effect you system security. also to be aware of the current version u use in your software. ⚱️

PreviousService (THM)NextCVE-2024-27198

Last updated