Walkthrough of Looz from Vulnhub - Writeup

Walkthrough of Looz from Vulnhub – Writeup

Looz is an easy machine that requires a bruteforcing password for a user. I personally am not a fan of machines that incorporate this technique. Because for me, in a real-world scenario, these are limited by some firewalls. However, I am going to provide a tip at the end of this blog post. So, make sure to check till the end. Also, I have tested this machine in VirtualBox. Let’s begin “Walkthrough of Looz from Vulnhub – Writeup”.

Link to the machine: https://www.vulnhub.com/entry/looz-1,732/

Identify the target

As usual, we have to start by finding out the IP address of the target machine.

sudo netdiscover -r
The IP address of the target is

Scan open ports

Next, we have to identify the exposed services on the target. We can do this by scanning for the open ports.

sudo nmap -v -T4 -p- -A -oN nmap.log
Nmap scan results show two webservers

From the screenshot above, we can see that there are two webservers on the target. One is an nginx and another being apache. Similarly, there are other ports too. However, we don’t need them for the purpose of getting root.

Check the web server at port 80

At the end of the source of the page, we see an HTML comment. That comment reveals the username and the password of a user of a wordpress website.

Comment of the main page

Thus, we have to find out the wordpress site. Next, I checked the directory that would give me a login page of wordpress in server 80. However, that gave me a 404 page.

404 page for wp-admin in port 80

Luckily, it worked for port 8081. Interestingly, it redirected to a different URL with a hostname.

Redirected to a different host

Next, we have to add the host to our hosts file as follows.

sudo vim /etc/hosts
Added wp.looz.com to the hosts file

After we add the host, we can refresh the login page. Next, we can log into the dashboard using the credentials we found earlier.

Logged in as john into wordpress

Now, here comes the bruteforcing part once again. Also, we don’t have to try getting reverse shell for this. However, if we had to, it isn’t easy in this machine. I will explain it later. Anyway, the user john is an administrator of the site. Therefore, we can see all users. Aside from john, there is another user gandalf who is also an administrator.

The list of users shows another user gandalf as an administrator

Next, we have to do the bruteforcing in the SSH port for this user. This takes a lot of time.

Bruteforcing user password

I use hydra most of the time to do the password bruteforcing.

hydra -l gandalf -P /home/kali/rockyou.txt ssh
Successfully cracked the password of the user gandalf

Since I have the password for a user, I logged into the SSH server.

ssh gandalf@
Logged in as gandalf

Root privilege escalation

Finally, we come to the part where we have to get the shell of the root user. When we check the SUID binaries, we find one that gives us the shell.

find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
An SUID binary that would give us the root shell

We find an SUID binary that has executable access to all users. When I executed the binary, I got the root shell.

Root shell

In this way, we can get the root shell in this target.

Check my different machine’s walkthrough: Shenron 3 Walkthrough – Vulnhub – Writeup

Deep dive in the target

Let’s understand the target now. It is using multiple docker containers. Port 80 is the nginx webserver and port 8081 is the apache webserver. When we look at the configuration, nginx is also used as a reverse proxy for the wordpress website running at port 8081.

Configuration of wordpress site

Let’s check the containers on the target.

Containers on the target

Here, we can see that there are two containers wpcontainer and wordpressdb. Port 8081 of the host is mapped to port 80 of the wpcontainer container. Likewise, port 3306 of the host is mapped to port 3306 of the wordpressdb container. So, even if we get the reverse shell from the wordpress website, we end up inside a container. Even further if we have database access, that would also be another container.

Getting reverse shell is difficult

Frustratingly, it’s difficult to get a reverse shell on the target. It restricts updating the theme php files and we cannot inject our reverse shell easily.

Error while trying to update the theme’s 404 page

Since this is an *nix target, we can try Metasploit framework. If you don’t know this, the Metasploit framework gives us a shell by creating a plugin and executing it on the target.

The reverse shell using Metasploit framework is aborted

Unlike the error response, we see that the file is actually uploaded in wordpress.

Plugin created by the Metasploit framework

In such cases, we can start a handler in the Metasploit console and try manually executing the script. However, I won’t be doing this.

In an installation of a WordPress site, we have the plugin “Hello Dolly” by default. Similarly, we also know the URL path of the plugin. I am listening on port 9001 and using the pentestmonkey reverse shell.

Update the plugin with the reverse shell
Invoke the shell by visiting the path of hello dolly

In this way, we can get a shell. Then, I checked the environment variables in the container.

Environment variables in the container

As we know, we can access the database server since it is mapped to port 3306 of the host and is also exposed.

mysql -h -uroot -p
Logged into the mysql server

When I get access to a database server, I check many files and also try writing files using it.

SELECT LOAD_FILE('/etc/passwd');
/etc/passwd file of the wordpressdb container

To write the files, we can do the following. Of course there is no use here because we don’t have a webserver on the wordpressdb container. But I will try writing it to ‘/tmp’ directory.

Write a file into the /tmp directory
Read the file that was written in the /tmp directory

Concluding, if we have access to a database server, we can trying reading and writing files. However, this is not always permitted but is worth trying.

0 0 votes
Article Rating
Notify of
Newest Most Voted
Inline Feedbacks
View all comments