The "Lookup" room on TryHackMe immediately caught my attention with its catchy name, and I couldn’t resist the urge to lookup. This is a basic CTF-style room that involves scanning, enumeration, and a bit of creativity. Let’s go through how I exploited this room step by step.
Step 1: Initial Target Ping
The first thing I did was check if the target VPN was active. Using a simple ping, I verified that it was online and ready for scanning.
![Ping Target IP](https://static.wixstatic.com/media/0c3e24_3f2ce436161e49cfa6dd92eb2a62e94c~mv2.jpg/v1/fill/w_509,h_132,al_c,q_80,enc_auto/0c3e24_3f2ce436161e49cfa6dd92eb2a62e94c~mv2.jpg)
Step 2: Nmap Scan
After confirming the target was active, I ran a basic Nmap scan to discover open ports. The scan revealed just two open ports:
Port 22 (SSH)
Port 80 (HTTP)
Nmap scan output
This was a pretty basic CTF setup, with just two services running. Since I didn’t have any credentials yet, I decided to investigate port 80 and see if there was anything useful.
Step 3: Adding the Domain to /etc/hosts
When I tried accessing the web page in my browser, I saw a login portal, but the domain was not resolving. I added lookup.thm to my /etc/hosts file to ensure the domain resolved properly.
![oops! a login portal](https://static.wixstatic.com/media/0c3e24_5c3d3914e3d54eff88e8e84fa6abe2ec~mv2.png/v1/fill/w_980,h_413,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/0c3e24_5c3d3914e3d54eff88e8e84fa6abe2ec~mv2.png)
Step 4: Investigating the Login Portal
Upon accessing the page, I found a login portal. I first tried the usual suspects for usernames and passwords like admin and root, but nothing worked. Next, I checked the page source, but there were no useful hints.
![nothing to see here, keep searching](https://static.wixstatic.com/media/0c3e24_a3f08046f55744ca9d25c2c4d54912f9~mv2.png/v1/fill/w_615,h_471,al_c,q_85,enc_auto/0c3e24_a3f08046f55744ca9d25c2c4d54912f9~mv2.png)
![dirsearch found just the login page](https://static.wixstatic.com/media/0c3e24_3e58410f89ec45dd96f5f0c1f4af19e0~mv2.png/v1/fill/w_765,h_296,al_c,q_85,enc_auto/0c3e24_3e58410f89ec45dd96f5f0c1f4af19e0~mv2.png)
Step 5: Attempting SQL Injection
I then tried SQL injection on the login form, but I wasn’t successful in gaining access.
![SQL was unsuccessful](https://static.wixstatic.com/media/0c3e24_a860804e9ef940e48e719fcb540aa8c5~mv2.png/v1/fill/w_795,h_359,al_c,q_85,enc_auto/0c3e24_a860804e9ef940e48e719fcb540aa8c5~mv2.png)
Step 6: Crafting a Username Enumeration Script
Not giving up, I turned to GPT for help to craft a username enumeration script using the SecLists username wordlist. The script was successful, and I discovered two usernames: admin and jose.
![thank you chatGPT](https://static.wixstatic.com/media/0c3e24_72b3c29e46764add84af9236fba733bc~mv2.png/v1/fill/w_378,h_86,al_c,q_85,enc_auto/0c3e24_72b3c29e46764add84af9236fba733bc~mv2.png)
Step 7: Brute-Forcing Passwords
With the usernames in hand, I proceeded to brute-force the passwords. Using Hydra and the popular rockyou.txt wordlist, I managed to crack a weak password for the admin account: password123.
![Hydra in action](https://static.wixstatic.com/media/0c3e24_416b7cd0596b45bab4fae120324e9f0d~mv2.png/v1/fill/w_980,h_35,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/0c3e24_416b7cd0596b45bab4fae120324e9f0d~mv2.png)
![thank you Hydra](https://static.wixstatic.com/media/0c3e24_51f142c9bc7842e4ac702d3df507f03f~mv2.png/v1/fill/w_864,h_68,al_c,q_85,enc_auto/0c3e24_51f142c9bc7842e4ac702d3df507f03f~mv2.png)
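From the defender's side, the activity in Steps 6 and 7 leaves a recognisable trail in the application's login log. The sketch below is an added example, not part of the original walkthrough: the log format, thresholds, IP addresses and event data are all assumptions constructed for illustration, and events are assumed to arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login events (time, source IP, username, outcome); not from the room.
GUESSES = ["root", "test", "admin", "jose", "guest", "oracle"]
SAMPLE_LOG = "\n".join(
    [f"2025-01-10T10:00:{i:02d} 10.10.14.7 {u} FAIL" for i, u in enumerate(GUESSES)]
    + [f"2025-01-10T10:02:{i:02d} 10.10.14.7 admin FAIL" for i in range(6)]
    + ["2025-01-10T10:02:07 10.10.14.7 admin OK",
       "2025-01-10T10:03:00 10.10.20.5 jose FAIL",   # a single typo, then success
       "2025-01-10T10:03:09 10.10.20.5 jose OK"]
)

WINDOW = timedelta(minutes=5)
ENUM_THRESHOLD = 5    # distinct usernames failed by one source within WINDOW
BRUTE_THRESHOLD = 5   # failures for one username from one source within WINDOW

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        ts, ip, user, outcome = parts
        yield datetime.fromisoformat(ts), ip, user, outcome

def detect(log):
    failures = defaultdict(deque)  # source IP -> (time, username) failures in window
    alerts = set()
    for ts, ip, user, outcome in parse(log):
        if outcome == "OK":
            # A success for an account that was being guessed is the event to escalate.
            if ("password-bruteforce", ip, user) in alerts:
                alerts.add(("login-after-bruteforce", ip, user))
            continue
        window = failures[ip]
        window.append((ts, user))
        while ts - window[0][0] > WINDOW:
            window.popleft()  # drop failures that fell out of the window
        names = [u for _, u in window]
        if len(set(names)) >= ENUM_THRESHOLD:
            alerts.add(("username-enumeration", ip, "*"))
        if names.count(user) >= BRUTE_THRESHOLD:
            alerts.add(("password-bruteforce", ip, user))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The single failed login from 10.10.20.5 raises nothing, while the source that walks a username list and then hammers one account produces all three alerts.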
Step 8: Discovering a Subdomain
While navigating to the jose account, I stumbled upon a subdomain: files.lookup.thm. I added this to my /etc/hosts file for easy access.
![/etc/hosts](https://static.wixstatic.com/media/0c3e24_2fbc03a7dda2454eb6471859d48c2543~mv2.jpg/v1/fill/w_485,h_42,al_c,q_80,enc_auto/0c3e24_2fbc03a7dda2454eb6471859d48c2543~mv2.jpg)
Step 9: Accessing the jose Account
Using the credentials for the jose account, I logged in and found a ton of files that appeared to be related to passwords. After investigating further, I found some interesting information.
![i wish hacking was this easy](https://static.wixstatic.com/media/0c3e24_47196a7f6ca9414c97f09fd1836cf06e~mv2.png/v1/fill/w_980,h_183,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/0c3e24_47196a7f6ca9414c97f09fd1836cf06e~mv2.png)
Step 10: Investigating the Software Version
One thing that caught my eye was the "About This Software" section on the dashboard. Here, I found the version number of the software, which I quickly used to search for possible exploits in Metasploit.
Metasploit had about 5 modules for this version, so I decided to try my luck.
![elfinder v2.1.47](https://static.wixstatic.com/media/0c3e24_e24856ddcf5849909420bc9528c1bfc5~mv2.png/v1/fill/w_523,h_212,al_c,q_85,enc_auto/0c3e24_e24856ddcf5849909420bc9528c1bfc5~mv2.png)
![info 4](https://static.wixstatic.com/media/0c3e24_938eef6d84bf4da48777bd730ab1974c~mv2.png/v1/fill/w_980,h_149,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/0c3e24_938eef6d84bf4da48777bd730ab1974c~mv2.png)
![matches our version number](https://static.wixstatic.com/media/0c3e24_8d68b68b582241648fbb6cbe280444e5~mv2.png/v1/fill/w_602,h_212,al_c,q_85,enc_auto/0c3e24_8d68b68b582241648fbb6cbe280444e5~mv2.png)
![setting the required options](https://static.wixstatic.com/media/0c3e24_66a485e0b7e0414d844eebfb04e60a6d~mv2.png/v1/fill/w_824,h_106,al_c,q_85,enc_auto/0c3e24_66a485e0b7e0414d844eebfb04e60a6d~mv2.png)
Step 11: Getting a Meterpreter Shell
I successfully used a Metasploit module to gain a Meterpreter shell on the system. After doing a small victory dance, I started enumerating the system further and found another user: think. What a name!
![think? really??](https://static.wixstatic.com/media/0c3e24_17221a85a9e84329acaad946fcd3e932~mv2.png/v1/fill/w_814,h_305,al_c,q_85,enc_auto/0c3e24_17221a85a9e84329acaad946fcd3e932~mv2.png)
Step 12: Investigating the think User
While exploring the files in the jose account’s directory on elFinder, I came across a file named credential.txt. This file contained the username think, but when I tried logging in with this password on SSH, I was denied access.
![i didn't add that i bruteforced the think user with all the words in these files too but was unsuccessful](https://static.wixstatic.com/media/0c3e24_1b2ce3dbd40d488ea3b17049c5f754d6~mv2.png/v1/fill/w_980,h_142,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/0c3e24_1b2ce3dbd40d488ea3b17049c5f754d6~mv2.png)
Step 13: Privilege Escalation Attempts
I wasn’t about to give up just yet. I started looking for privilege escalation vectors and stumbled upon a strange path: /usr/sbin/pwm. I remembered from TCM’s privilege escalation videos that there’s a technique called PATH hijacking. I decided to give it a try.
![/usr/sbin/pwn](https://static.wixstatic.com/media/0c3e24_31f5a9b48ef741ac8827bd5732527f5f~mv2.png/v1/fill/w_980,h_424,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/0c3e24_31f5a9b48ef741ac8827bd5732527f5f~mv2.png)
Step 14: Successful Path Hijacking
Using the PATH hijacking method, I was able to run the file and find potential passwords. I saved these to a file and used Hydra again to brute-force SSH login for the think user. Success! I now had the password and was able to log into the think account.
![$PATH](https://static.wixstatic.com/media/0c3e24_9bb03282ae1a40beb5289ac9b37fbfc2~mv2.png/v1/fill/w_980,h_115,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/0c3e24_9bb03282ae1a40beb5289ac9b37fbfc2~mv2.png)
![potential password](https://static.wixstatic.com/media/0c3e24_b4cebe80c3b04876828f72981e9e936a~mv2.png/v1/fill/w_504,h_639,al_c,q_85,enc_auto/0c3e24_b4cebe80c3b04876828f72981e9e936a~mv2.png)
![I can't thank you enough Hydra](https://static.wixstatic.com/media/0c3e24_0e903f3eb134478e910010c066cc6f96~mv2.png/v1/fill/w_953,h_256,al_c,q_85,enc_auto/0c3e24_0e903f3eb134478e910010c066cc6f96~mv2.png)
Step 15: Accessing the User Flag
Once logged in as think, I found and retrieved the user flag. But I wasn’t done yet; it was time to escalate further.
![user.txt](https://static.wixstatic.com/media/0c3e24_d4811b0b82d44fe3a46978a41816799c~mv2.png/v1/fill/w_445,h_150,al_c,q_85,enc_auto/0c3e24_d4811b0b82d44fe3a46978a41816799c~mv2.png)
Step 16: Abusing Sudo Permissions
I checked for any binaries that could be abused with sudo -l and found a binary named look. I quickly searched gtfobins.io to see if there were any exploits for it, and sure enough, I found one.
![sudo -l](https://static.wixstatic.com/media/0c3e24_3fad8e7985814379b8f1fbd365fb751c~mv2.png/v1/fill/w_950,h_116,al_c,q_85,enc_auto/0c3e24_3fad8e7985814379b8f1fbd365fb751c~mv2.png)
![gtfobins to the rescue](https://static.wixstatic.com/media/0c3e24_e3d0cf1a7fe4483cb0f6fd1f9370db56~mv2.png/v1/fill/w_829,h_170,al_c,q_85,enc_auto/0c3e24_e3d0cf1a7fe4483cb0f6fd1f9370db56~mv2.png)
Step 17: Rooting the System
I used the exploit to gain access to the id_rsa file for the root user. After changing the necessary permissions, I gained root access to the system.
![extracted the id_rsa file for r00t](https://static.wixstatic.com/media/0c3e24_59947db37f7e4e2bae1dd986212be56e~mv2.png/v1/fill/w_573,h_115,al_c,q_85,enc_auto/0c3e24_59947db37f7e4e2bae1dd986212be56e~mv2.png)
![root.txt](https://static.wixstatic.com/media/0c3e24_7a3031cf78be426c8b835106579360e7~mv2.png/v1/fill/w_604,h_372,al_c,q_85,enc_auto/0c3e24_7a3031cf78be426c8b835106579360e7~mv2.png)
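The sudo rule behind Steps 16 and 17 is the kind of entry an administrator can catch in review. The audit below is an added example, not part of the original walkthrough: it parses `sudo -l` output and flags commands that GTFOBins documents as able to read files. The sample output, the `backup` entry, the script path and the short `RISKY` list are constructed assumptions.

```python
import os
import re

# Short, non-exhaustive subset of binaries GTFOBins lists as able to read
# arbitrary files (or spawn a shell) when allowed through sudo.
RISKY = {"look", "cat", "less", "more", "head", "tail", "base64",
         "dd", "cp", "tar", "find", "awk", "vi", "vim"}

# Constructed `sudo -l` output; host name and the second entry are illustrative.
SAMPLE = """\
User think may run the following commands on lookup:
    (ALL) /usr/bin/look
    (backup) NOPASSWD: /usr/local/bin/rotate-logs /var/log/app, /usr/bin/tar
"""

# "(runas) [TAG: ...] command[, command ...]"
ENTRY = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit(sudo_l_output):
    findings = []
    for line in sudo_l_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines and Defaults are not rule entries
        runas = m["runas"].strip()
        users = [u.strip() for u in runas.split(":")[0].split(",")]
        target = "root" if {"ALL", "root"} & set(users) else runas
        for cmd in filter(None, (c.strip() for c in m["cmds"].split(","))):
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((runas, cmd, f"any command as {target}"))
            elif binary in RISKY:
                findings.append((runas, cmd, f"{binary} can expose files as {target}"))
    return findings

if __name__ == "__main__":
    for runas, cmd, reason in audit(SAMPLE):
        print(f"({runas}) {cmd}: {reason}")
```

A flagged rule is best removed or replaced with a narrowly scoped wrapper script that takes no file argument from the caller.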
Conclusion
The Lookup room was a great learning experience, combining scanning, enumeration, basic brute-forcing, and privilege escalation techniques. The challenge was a reminder of how useful persistence and creative problem-solving can be in penetration testing.
Final Thoughts
This room was a solid exercise in exploiting vulnerabilities and escalating privileges. The tools and techniques I used (such as Hydra, Metasploit, GTFOBins, and PATH hijacking) are essential skills for penetration testers. If you haven’t tried this room yet, I highly recommend giving it a shot!
Key Takeaways:
Persistence pays off when brute-forcing passwords.
Using tools like Metasploit and GTFOBins can help you find specific vulnerabilities and exploits.
Enumeration is key to finding hidden clues, like usernames and software versions.
Feel free to ask any questions if you’re stuck on a particular step or need more details. Happy hacking! 007