https://tryhackme.com/room/lookup

Keyword: Privilege Escalation (SUID, Sudo), elFinder, SUID

Thank you very much https://medium.com/@The_Hiker/lookup-tryhackme-walkthrough-thehiker-9276508b7d84!

Machine’s IP address: 10.10.2??.???

Attacker’s IP address: 10.4.126.108 (OpenVPN to local)

0. RTFM

1. Recon and bruteforce credentials

As always, I use nmap to scan for open ports and, where possible, the services running on them. The full command is sudo nmap -sS -p- -T4 -v -sC -sV -oA scan 10.10.210.252 . Actually, this shorter command is enough: nmap -sC -sV 10.10.210.252


We discovered two ports: 22, which will be used later on, and 80, which provides… a password to access SSH, maybe?
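The -oA scan flag above also writes a grepable scan.gnmap file, which is the easiest form to check against an expected-exposure baseline (for example, "only 22 should be listening" on a box you administer). The parser below is an added example and not part of the original walkthrough; the SAMPLE_GNMAP text is constructed to mirror the two ports found here, with the service/version fields left empty because the real scan output is not reproduced on this page.

```python
"""Parse nmap grepable output (the scan.gnmap file that -oA scan writes) and
compare the open ports against an expected baseline. Added example, not part
of the original walkthrough; the scan text below is constructed, with
service/version fields left empty because the original output is not shown."""
import re

# Each "Host:" line that carries a "Ports:" field lists one host's scanned ports.
HOST_PORTS_RE = re.compile(
    r"^Host: (?P<ip>\S+) \((?P<hostname>[^)]*)\)\tPorts: (?P<ports>.*?)"
    r"(?:\tIgnored State: .*)?$"
)

# Constructed sample in nmap's grepable format (not real scan output).
SAMPLE_GNMAP = "\n".join([
    "# Nmap scan initiated (constructed sample)",
    "Host: 10.10.210.252 (lookup.thm)\tStatus: Up",
    "Host: 10.10.210.252 (lookup.thm)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///\tIgnored State: closed (998)",
    "# Nmap done (constructed sample)",
])

def parse_gnmap(text):
    """Return {ip: [port records]} from grepable output.
    Each port entry is port/state/protocol/owner/service/rpc_info/version/."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_PORTS_RE.match(line)
        if not m:
            continue
        records = []
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip it rather than crash
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            records.append({
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service,
                "version": version,
            })
        hosts[m.group("ip")] = records
    return hosts

def open_ports(hosts, ip):
    """Sorted list of open port numbers for one host ([] if the host is absent)."""
    return sorted(r["port"] for r in hosts.get(ip, []) if r["state"] == "open")

def unexpected_ports(hosts, ip, allowed):
    """Open ports not in the allow-list: what an exposure review would flag.
    `allowed` is the expected baseline for that host."""
    return [p for p in open_ports(hosts, ip) if p not in allowed]

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("open:", open_ports(scan, "10.10.210.252"))
    print("unexpected vs {22}:", unexpected_ports(scan, "10.10.210.252", {22}))
```

Run it as-is to see the two open ports and, against a baseline of only SSH, port 80 flagged as unexpected; point parse_gnmap at a real scan.gnmap to do the same for your own hosts.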

Navigating to http://10.10.210.252, it seems we can’t reach the server, because lookup.thm doesn’t resolve to an IP address. So we will do that by hand. Open /etc/hosts and add this line at the end of the file:

10.10.210.252   lookup.thm

Save, go back, and we see a login page with NOTHING?


Okay, but first, since we saw an input form, what vulnerabilities can we test? SQL injection, XSS; no cookies or hidden fields, so there isn’t CSRF; default credentials; CVEs didn’t work out (because we don’t know what to attack in Apache),…

until… we meet our sponsor today, TheHiker… Just kidding; thank you, TheHiker, for helping me solve this difficult part. His solution is… brute-forcing the username and password. So which username and password lists will we use? I will use the Usernames list from SecLists (available on Kali Linux) for usernames and rockyou.txt (under wordlists) for passwords. So let’s get started! (Of course, use Burp Suite Intruder to brute-force, hehe)
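A wordlist attack like the one described above leaves a very recognisable trace on the server side: hundreds of POSTs to the login endpoint from one source in a short window. The script below is an added example (not from the original walkthrough or from TheHiker) showing how that pattern is detected from Apache access logs with a sliding window. The log lines are constructed, and /login.php is an assumed path for the form, since the room’s real endpoint is not stated in the text above.

```python
"""Flag login brute-force bursts in Apache access logs. Added example, not
part of the original walkthrough: the log lines are constructed, and the
login form is assumed to POST to /login.php (the room's real path is not
stated on the page)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip - - [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_bruteforce(lines, login_path="/login.php", threshold=10,
                      window=timedelta(minutes=1)):
    """Return {ip: peak} for sources whose login POSTs exceed `threshold`
    inside any sliding window of length `window`. Every POST is counted,
    not only failures, because the status code a failed login returns
    differs between applications (200 with an error page, 302 back to the
    form, ...) and a wordlist run is dominated by failures anyway."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[ip] = peak
    return alerts

def sample_log():
    """Constructed log: a 30-request burst from one source within 30 seconds,
    three spaced-out logins from a normal user, one page load, one junk line."""
    base = datetime(2024, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    line = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
    def fmt(ip, offset, m, p, s):
        ts = (base + offset).strftime(TS_FMT)
        return line.format(ip=ip, ts=ts, m=m, p=p, s=s)
    log = [fmt("10.4.126.108", timedelta(seconds=i), "POST", "/login.php", 200)
           for i in range(30)]                      # the burst (page's attacker IP)
    log += [fmt("10.10.10.5", timedelta(minutes=5 * i), "POST", "/login.php", 302)
            for i in range(3)]                      # constructed normal user
    log.append(fmt("10.10.10.5", timedelta(seconds=3), "GET", "/login.php", 200))
    log.append("not an access log line")           # must be ignored, not crash
    return log

if __name__ == "__main__":
    print(detect_bruteforce(sample_log()))   # {'10.4.126.108': 30}
```

The threshold and window are the knobs to tune per site: a form that real users rarely submit more than a few times a minute can use a low threshold, while the sliding window keeps a slow, spread-out attempt from being hidden by fixed per-minute bucketing. The same count per source is also the input a rate limiter or account lockout policy would act on.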