In this post we work through the TryHackMe boot-to-root machine named Lookup. We follow the typical steps, starting with Nmap scanning and enumeration, and find a login form. We write a Python script to find valid usernames, then use Hydra to find the password. After authenticating, we reach a file manager hosted on a subdomain whose version is vulnerable to a PHP command injection. The exploit can be run through Metasploit to obtain an initial foothold as www-data. We first move laterally to another user by exploiting a misconfigured SUID binary, then use GTFOBins to obtain root.

1. Initial Scanning

  • The presenter starts with an Nmap scan to identify open ports and services on the target machine. The scan reveals:
    • Port 22: SSH
    • Port 80: HTTP
  • Aggressive scan timing is used because this is a lab environment; against production targets the same settings could trigger firewall or IDS alerts.

2. Web Application Enumeration

  • Accessing the web service on port 80 reveals a login form. The domain it redirects to is added to the local hosts file so the site resolves.
  • Attempts are made to log in using default credentials (admin:admin), but they fail.
  • Using Burp Suite, the presenter intercepts HTTP requests and identifies differences in server responses for valid and invalid usernames and passwords.

3. Brute Force Attack

  • A Python script is created to enumerate valid usernames based on the differing server responses observed in Burp Suite.
  • The script identifies two valid usernames: admin and Jose.
  • Hydra is used to brute-force the password for the user Jose, resulting in the discovery of the password: password123.
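The username enumeration in this step works only because the login form answers differently depending on whether the account exists. The following added example (not the room's code or the presenter's script) shows a minimal login handler with that defect next to a hardened version that returns one generic message and always performs the password hash, plus a check a developer can keep in a test suite to catch the leak. The user store, salts and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_ADMIN = b"constructed-salt-admin"
_SALT_JOSE = b"constructed-salt-jose"
USERS = {
    "admin": (_SALT_ADMIN, _hash("example-admin-passphrase", _SALT_ADMIN)),
    "jose": (_SALT_JOSE, _hash("password123", _SALT_JOSE)),
}


def login_vulnerable(username: str, password: str) -> str:
    """Leaky handler: the error text tells the caller whether the account exists."""
    rec = USERS.get(username)
    if rec is None:
        return "Wrong username"      # reveals that no such account exists
    salt, stored = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Wrong password"      # reveals that the account does exist
    return "OK"


# Dummy record used for unknown users so the hardened path does the same work
# (one PBKDF2 computation) whether or not the account exists.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password"


def login_hardened(username: str, password: str) -> str:
    """Same outcome for a bad username and a bad password, in message and in work done."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if password_ok and username in USERS:
        return "OK"
    return GENERIC_ERROR


def leaks_user_existence(handler, known_user: str, unknown_user: str,
                         bad_password: str = "definitely-not-the-password") -> bool:
    """Regression check: True if a wrong password yields different responses
    for an existing and a non-existing account."""
    return handler(known_user, bad_password) != handler(unknown_user, bad_password)


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_user_existence(login_vulnerable, "jose", "nobody"))
    print("hardened leaks:  ", leaks_user_existence(login_hardened, "jose", "nobody"))
```

The same check can be extended to response codes, headers and timing; the hardened handler's dummy hash is what keeps the timing side equal, the generic message is what keeps the body equal.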

4. Exploitation of the Web Application

  • After logging in as Jose, the interface displays a file manager with various files.
  • The presenter identifies a file named credentials, containing a username (think) but no password.
  • The file manager's version information (Linder) shows it is a version with a publicly known exploit.
  • Using SearchSploit, the presenter finds an exploit matching the application’s version and uses it to gain a reverse shell on the machine.

5. Privilege Escalation

  • The initial shell runs as the www-data user. The goal is to escalate to think and then root.
  • Exploring the system reveals a SUID binary named pwm. Because it is SUID, it runs with its owner's privileges rather than those of the user who invokes it, and it calls the external id command to decide which user it is serving.
  • By creating a fake id command that pwm picks up instead of the real one, the presenter tricks pwm into believing it is running as think. This grants access to think's home directory and a file named passwords.
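The weakness in pwm is that a privileged program trusts the output of an external command found on the PATH. The added example below (not the room's binary, which is not shown on the page) reproduces that mistake in Python next to the correct approach, which asks the kernel for the real user id instead of spawning anything. The demo function builds a throwaway directory containing a fake id script, as a constructed lab setup, so the two approaches can be compared side by side.

```python
import os
import pwd
import stat
import subprocess
import tempfile
from pathlib import Path


def current_user_vulnerable() -> str:
    """pwm-style mistake: whoever controls PATH controls the answer."""
    out = subprocess.run(["id", "-un"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def current_user_hardened() -> str:
    """Ask the kernel directly. In a set-uid program use the *real* uid (getuid),
    not the effective uid, to learn who actually invoked the program."""
    uid = os.getuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # no passwd entry (possible in minimal containers)


def demo_path_hijack(spoofed_name: str = "think"):
    """Constructed lab: prepend a directory holding a fake `id` to PATH and
    return (vulnerable_answer, hardened_answer, real_user)."""
    real_user = current_user_hardened()
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "id"
        fake.write_text(f"#!/bin/sh\necho {spoofed_name}\n")
        fake.chmod(fake.stat().st_mode | stat.S_IXUSR)
        old_path = os.environ.get("PATH", "")
        os.environ["PATH"] = d + os.pathsep + old_path
        try:
            vulnerable = current_user_vulnerable()   # follows the attacker's PATH
            hardened = current_user_hardened()       # unaffected by PATH
        finally:
            os.environ["PATH"] = old_path
    return vulnerable, hardened, real_user


if __name__ == "__main__":
    v, h, real = demo_path_hijack()
    print(f"real user: {real}; vulnerable says: {v}; hardened says: {h}")
```

The defensive lessons carry over to C and other languages: set-uid code should not call system() or exec a program by bare name, should reset PATH to a fixed value if it must run anything, and should derive identity from getuid()/getpwuid() rather than from parsed command output.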

6. Further Enumeration and Root Escalation

  • Using the discovered passwords file as a wordlist, Hydra brute-forces think's SSH password.
  • Logging in as think, enumeration reveals the user can execute a binary (look) as root.
  • Run as root, the binary can read files the user otherwise cannot, including the root user's private SSH key.
  • Using the key, the presenter logs in as root and retrieves both user and root flags.

Key Techniques Demonstrated

  • Reconnaissance: Utilizing Nmap and Burp Suite for initial scans and enumeration.
  • Brute Forcing: Using custom scripts and tools like Hydra to discover credentials.
  • Exploitation: Identifying and exploiting vulnerabilities using tools like SearchSploit.
  • Privilege Escalation: Abusing a SUID binary that trusts the PATH and a sudo-permitted binary that reads arbitrary files to reach root.

TryHackMe Lookup | Room Answers

What is the user flag?
38375fb4dd8baa2b2039ac03d92b820e

What is the root flag?
5a285a9f257e45c68bb6c9f9f57d18e8

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.