LookUp (THM)

Test your enumeration skills on this boot-to-root machine.

Intro.

Hi my hacker fellows, today we have a fresh THM machine that looks interesting, so let's get right into it.

Enumeration.

Port scanning.

22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJNL/iO8JI5DrcvPDFlmqtX/lzemir7W+WegC7hpoYpkPES6q+0/p4B2CgDD0Xr1AgUmLkUhe2+mIJ9odtlWW30=
|   256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/Wi4PUTjReEdk2K4aFMi8WzesipJ0bp0iI0FM8AfE
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login Page
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

  • Classic HTTP and SSH; let's see the web page.

Enumerate HTTP.

  • So after some fuzzing I noticed something interesting.

If both the username and the password are wrong, we get this error message.

So I tested the admin user and it does indeed exist.

Notice that the error message now says only the password is wrong, not both as in the first try. That difference between the two messages is what lets us confirm which usernames exist.

And after some fuzzing I found a common password.

And when I tried to log in I got this.

Then I decided to use this password to enumerate other users.

After testing these creds I got this.

Another subdomain. I don't know why, but I enumerated subdomains and for some reason did not find it; anyway, let's continue.

To resolve this subdomain, just add it to '/etc/hosts'.

Once we log in we land here, which looks like it shows files.

Getting Shell.

So after some enumeration I found that this system is the one shown below.

elFinder is an open-source web file manager.

https://github.com/Studio-42/elFinder

And as we can see, simply looking up the version shows that it is vulnerable to command injection.

There is also a Metasploit exploit for this vulnerability.

LOL, don't make my mistake: I forgot to change the LHOST.

Getting Shell as think.

So after I got a shell as the www-data user, I started searching for a way to get a shell as think, since he is the only user on the system.

After a bit I searched for SUID binaries.

SUID binaries are just executables that have been given the right to run with the privileges of the file's owner, no matter which user on the system executes them.

www-data@lookup:/home/think$ find / -perm /4000 2>/dev/null
find / -perm /4000 2>/dev/null
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/core20/1950/usr/bin/chfn
/snap/core20/1950/usr/bin/chsh
/snap/core20/1950/usr/bin/gpasswd
/snap/core20/1950/usr/bin/mount
/snap/core20/1950/usr/bin/newgrp
/snap/core20/1950/usr/bin/passwd
/snap/core20/1950/usr/bin/su
/snap/core20/1950/usr/bin/sudo
/snap/core20/1950/usr/bin/umount
/snap/core20/1950/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1950/usr/lib/openssh/ssh-keysign
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pwm !!!!!!!!!!
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount

The most important one was 'pwm', which I had not seen before. After a bit of searching I found this.

PWM is an open source password self-service application for LDAP directories.

So I tested the application and saw this.

I also looked at think's home directory and found a '.passwords' file.

So OK, it uses the id command to identify the user. Weird 🤔.

I wanted to reverse engineer the file to learn how it invokes the 'id' command: if it uses a relative path, that makes it easy to manipulate through the PATH environment variable.

A relative path is when you type the 'ls' command without specifying its full path, so the OS looks at the environment variable called PATH and searches the directories listed there, in order, to find it.
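As an added example of mine (not code from the LookUp box or the pwm binary), here is that PATH walk written out, a PATH allow-list check a setuid program could apply before trusting its environment, and the hardened option of asking the kernel with getuid() instead of spawning 'id' at all. The allow-listed directories are my assumption.

```c
/* Added example: PATH resolution of a relative command, a defensive PATH
 * check, and a fix that avoids spawning "id". Not from the LookUp machine. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Emulate what system("id") / execvp("id", ...) do: return the 0-based index
 * of the first PATH entry that holds an executable named cmd, or -1.
 * An empty entry ("::", leading or trailing ':') means the current directory,
 * so whoever controls an earlier entry controls which "id" gets run. */
int resolve_index(const char *cmd, const char *path) {
    char full[4096];
    const char *p = path;
    for (int idx = 0;; idx++) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        snprintf(full, sizeof full, "%.*s/%s", len ? (int)len : 1, len ? p : ".", cmd);
        if (access(full, X_OK) == 0) return idx;
        if (!end) return -1;
        p = end + 1;
    }
}

/* Defensive check: only accept a PATH whose every entry is an absolute,
 * root-controlled system directory (allow-list assumed). Empty entries,
 * ".", /tmp or a user's home would let the caller plant a fake "id". */
int path_is_trusted(const char *path) {
    static const char *allow[] = {"/usr/sbin", "/usr/bin", "/sbin", "/bin"};
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int ok = 0;
        for (size_t i = 0; i < sizeof allow / sizeof *allow; i++)
            if (len == strlen(allow[i]) && strncmp(p, allow[i], len) == 0) ok = 1;
        if (!ok) return 0;
        if (!end) return 1;
        p = end + 1;
    }
}

/* Hardened alternative: in a setuid program getuid() is the real caller's id,
 * so the kernel already answers the question "id" was asked; no PATH lookup,
 * no shell, no child process that the caller's environment can redirect. */
const char *caller_name(void) {
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : NULL;
}
```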

I think you can tell by now where I am going with this. Before reverse engineering it, I decided to test putting a malicious id file that echoes think's info instead of www-data's, and modifying the PATH environment variable.

The final id file looks like this.

#!/bin/bash
echo "uid=1000(think) gid=1000(think) groups=1000(think)"

And as you can see, we did it. Now it thinks that we are think and reveals all the passwords in the .passwords file of the user think. Now I will try to brute-force the SSH login using these passwords.

And as you can see, we did indeed find the password.

Root.

Reading the root.txt file.

So after I logged in I checked sudo -l and found this.

With a very simple search we can find a way to read the /root/root.txt file.

Getting shell on the Root user.

Using the same look command we can find the SSH key of the root user.

We just copy it to our machine, change its permissions to 600, and log in via the SSH key.

Conclusion.

In the end this machine was quite fun and helps you understand relative and absolute file paths and how they can affect your system's security, and also reminds you to be aware of the versions of the software you use. ⚱️
