TryHackMe Lookup Boot to Root Walkthrough 🔍

In this video we are doing tryhackme's new boot to root machine - Lookup made by - [ https://tryhackme.com/r/p/josemlwdf ]. Here we have a basic login page based on the server response on trying to login we can brute force both username and password based on different error indicators upon loggin in with wrong credentials and We see how to brute force using both BurpSuite Intruder and hydra. After getting the correct creds, we got a redirection to a different subdomain where we found a command injection vulnerability in the elFinder 'Php Connector' and gain our initial foothold on the box. After our initial enumeration after getting www-data user shell, we found a custom suid binary that we can use to get a password wordlist for another user on the box. At last using our sudo perms for look command we can grab the id_rsa for root and get our last flag. Hope you'll learn something new. 🙏🚀❤️

Please leave a comment!
[ tryhackme - https://tryhackme.com/r/room/lookup ]

⭐️ Video Contents ⭐
⌨️ 0:00 ⏩ Intro
⌨️ 0:42 ⏩ Initial Enumeration on the webpage
⌨️ 12:27 ⏩ Logging in with found creds
⌨️ 17:25 ⏩ Getting initial foothold on the box using command injection exploit in elFinder 'Php Connector'
⌨️ 19:45 ⏩ Privesc to another user using the found password wordlist
⌨️ 26:54 ⏩ Getting root id_rsa
⌨️ 29:33 ⏩ Final thoughts

Follow me on social media:
● https://twitter.com/hoodietramp

Writeups:
● https://blog.h00dy.me
● https://h00dy.gitbook.io

Github:
● https://github.com/hoodietramp

Mastodon:
● https://defcon.social/@h00dy
● https://infosec.exchange/@h00dy

Support This Tramp!
Donations are not required but are greatly appreciated!
💸Ko-Fi: https://ko-fi.com/h00dy

#tryhackme #ctf #boot2root #redteam #walkthrough #pentesting