Lookup TryHackMe Motion Graphics Writeup || Detailed Walkthrough || Beginner Friendly || SuNnY

Sunny Singh Verma [ SuNnY ]
Published in System Weakness
9 min read · Nov 24, 2024

A Motion Graphics Writeup for New Room → Lookup on TryHackMe

Kudos to The Creator(s) of this Room →

ROOM DIFFICULTY

Difficulty → Easy
[ Name : Lookup ]
This is a Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

ROOM OBJECTIVES →

  • User Flag
  • Root Flag

Let’s begin by adding the IP address to the hosts file and giving it a domain name → lookup.thm

echo "IP-ADDRESS-OF-YOUR-MACHINE lookup.thm" | sudo tee -a /etc/hosts

Other way:

** You can use any text editor for this (vim, subl, etc.) →

nano /etc/hosts
IP-ADDRESS-OF-YOUR-MACHINE     lookup.thm
( Control + X and Y for saving the file )
Don’t forget to put your machine’s IP address in place of “IP-ADDRESS-OF-YOUR-MACHINE”.

INITIAL ENUMERATION

→ Nmap Scan

nmap -sVC -A lookup.thm -oN nmap.txt

Open Ports and Services from the nmap scan :

22/tcp: SSH service is open, running OpenSSH version 8.2p1 on Ubuntu Linux. The SSH protocol used is version 2.0. Host keys are shown for RSA, ECDSA, and ED25519.

80/tcp: HTTP service is open, running Apache HTTP server version 2.4.41 on Ubuntu. The HTTP server header and title reveal it’s a Login Page.

Operating System Detected from nmap scan :

The system runs a Linux-based OS. Nmap could not identify the exact OS version but hints that it is based on the Linux kernel.

A Login Page is Detected on Port 80 →

Web Server Version Detected On Wappalyzer Plugin in Firefox

Web Server Found → Apache HTTP Server 2.4.41

We have to find credentials for the login page on port 80.

We can do this in a couple of ways: with Burp Suite, or with Hydra for a brute-force attack.

We will choose the Hydra way since this is a beginner-friendly room.

Let’s First try using the default credentials like →
admin:admin OR admin:password

Default credentials don’t work! But an error message is returned →

Wrong password. Please try again.
Redirecting in 3 seconds.

The Form action uses login.php

Let’s use the above information to run a brute-force attack
with the tool → Hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:Wrong password. Please try again."

hydra:

  • The main tool for conducting brute-force attacks against login services.

-l admin:

  • Specifies the username to test.
    In this case, the username is fixed as admin.

-P /usr/share/wordlists/rockyou.txt:

  • Specifies the password list to use.
    Here, the wordlist is the popular rockyou.txt,
    commonly used in brute-force attempts.

lookup.thm:

  • The target server’s domain or IP address.
    Here it is the hosts entry we added earlier; replace it with the actual address of your target.

http-post-form:

  • Specifies the service/module to attack.
    In this case, it’s a web form using the HTTP POST method.

"/login.php:username=^USER^&password=^PASS^:Wrong password. Please try again.":

  • /login.php: The login form's URL endpoint.
  • username=^USER^&password=^PASS^:
    The POST parameters sent to the server.
  • ^USER^: Placeholder for the username being tested
    (replaced by -l admin).
  • ^PASS^: Placeholder for the password being tested
    (taken from rockyou.txt).

Wrong password. Please try again.: The failure message from the server. Hydra uses this text to identify incorrect login attempts, so it must match the text the page actually returns.

Hydra sends HTTP POST requests to /login.php, replacing ^USER^ with admin and ^PASS^ with each password from the rockyou.txt wordlist.

If the response does not contain “Wrong password. Please try again.”, Hydra assumes the credentials are valid.
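From the defender’s side, the Hydra run described above leaves a very recognisable trace in the web server log. The following is an added example, not part of the original writeup: a small Python check over constructed Apache access-log lines that flags any client POSTing to /login.php more than ten times inside a minute and notes whether Hydra’s default User-Agent string was used. The log lines, client IPs and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format; only the fields the check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
HYDRA_DEFAULT_UA = "Mozilla/5.0 (Hydra)"  # Hydra's default; an attacker can change it

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry

def find_bruteforce(lines, path="/login.php", threshold=10, window=timedelta(seconds=60)):
    """Clients that POST to `path` more than `threshold` times inside any sliding
    `window`. A failed login here is a 200 ("Wrong password" page), so status alone won't show it."""
    posts, agents = defaultdict(list), defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] == path:
            posts[e["ip"]].append(e["ts"])
            agents[e["ip"]].add(e["ua"])
    hits = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                hits[ip] = {"posts": len(times), "hydra_ua": HYDRA_DEFAULT_UA in agents[ip]}
                break
    return hits

def sample_log():
    """Constructed lines: 25 guesses in 25 s from 10.10.14.5, two slow normal logins."""
    t0 = datetime.strptime("24/Nov/2024:10:00:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "POST /login.php HTTP/1.1" 200 247 "http://lookup.thm/" "{ua}"'
    hydra = [fmt.format(ip="10.10.14.5", ts=(t0 + timedelta(seconds=i)).strftime(TS_FMT),
                        ua=HYDRA_DEFAULT_UA) for i in range(25)]
    human = [fmt.format(ip="10.10.14.9", ts=(t0 + timedelta(minutes=i)).strftime(TS_FMT),
                        ua="Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Firefox/131.0") for i in range(2)]
    return hydra + human
```

Running `find_bruteforce(sample_log())` flags only 10.10.14.5; the two legitimate logins from 10.10.14.9 stay below the threshold.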

Valid Credentials that were found →

admin:password123

Let’s Try to login using the just Found Credentials →

After trying to log in with the credentials found above, we still could not get into the page, which could mean we need to find another username for the login page.

Now we will use the password → password123 to find another username for the login page.

hydra -L /usr/share/seclists/Usernames/Names/names.txt -p password123 lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:F=try again"

Found Credentials with Hydra →

jose:password123

Let’s now try logging in with these credentials → jose:password123

After logging in with the credentials → jose:password123,
we are redirected to a new URL → files.lookup.thm

Let’s add an entry of → files.lookup.thm to → /etc/hosts

nano /etc/hosts

You can ping files.lookup.thm to check connectivity

After refreshing the page we find a listing with 20 items.
18 of the files have a padlock icon, which could indicate restricted access.
2 of the files have no padlock icon, which could mean they can be read.

Let’s First check the 2 Files without padlock

Under the file credentials we found → think:nopassword

Can this be the Credentials for SSH login ?

Just Fell down the Rabbit Hole !!

But hey! At least we know the user is potentially → think

Hackers Joke incoming →

Let’s Quickly :wq! outta this one 🤐

Let’s try to find other Clues within the files page→

We see that the web file manager is running → elFinder Version 2.1.47

Let’s find the vulnerability for this elFinder version using searchsploit on the CLI

Let’s Use the Metasploit exiftran Command Injection Exploit

Starting Metasploit Framework

To properly initiate the Metasploit Framework let’s use this command →

msfdb init && msfconsole

Now Let’s Search for elFinder 2.1.48 within the Metasploit Framework

After selecting the correct module (use 0), let’s set the module options

After Setting the options Parameter on Metasploit Framework ,
Let’s run the attack

Let’s Get the shell of the Meterpreter

We got the www-data Shell from the Metasploit exploit

Privilege Escalation To User Account →

Remember the think credentials we found?
Now we need to get the password for the user think.

Let’s Now check for SUID Binaries →

find / -perm /4000 2>/dev/null
/usr/sbin/pwm

/usr/sbin/pwm looks interesting

Let’s check the file permissions for /usr/sbin/pwm

Let’s try running /usr/sbin/pwm

On execution this binary prints the output of the id command and then tries to read the file → /home/www-data/.passwords

We have to get to the .passwords file

The binary builds that path from the user name reported by the id command, and it calls id without an absolute path, so the command is looked up through PATH. If we can manipulate PATH so that a directory we control (such as /tmp, which everyone can write to) is searched first, we can place a script there named id that impersonates the user think.

Let’s change directory to /tmp and create the script that impersonates the user think.

Let’s create a file named id →

echo -e '#!/bin/bash\n echo "uid=33(think) gid=33(think) groups=33(think)"' > id

For those who are confused by the echo command →
you need to wrap the script in single quotes instead of double quotes, so that the inner double quotes and the \n are written to the file as-is.

Don’t forget to chmod +x the id file.

Now let’s run → /usr/sbin/pwm again. It picks up our fake id, believes it is running as think, and prints that user’s passwords file.
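The weakness in pwm is that it asks the id command who is running it and trusts the answer. The following is an added example, not the room’s binary, written in Python: weak_user mirrors that lookup through PATH, safe_user shows the fix (ask the kernel for the real uid and read the passwd database, with no child process at all), and hardened_env pins PATH and drops loader variables before anything is spawned. The fake id script, its output and the pinned PATH value are constructed for this example.

```python
import os
import pwd
import subprocess
import tempfile

# Constructed to mirror the writeup's fake `id` script output.
FAKE_ID_OUTPUT = "uid=33(think) gid=33(think) groups=33(think)"

def weak_user(env):
    """How a helper like pwm learns the caller: run `id` and take the name inside the
    first parentheses. `id` is resolved through env["PATH"], so whoever controls
    PATH controls the answer."""
    out = subprocess.run(["id"], capture_output=True, text=True, env=env, check=True).stdout
    return out.split("(", 1)[1].split(")", 1)[0]

def safe_user():
    """Ask the kernel for the real uid and map it through the passwd database:
    no child process, no PATH lookup, no text to parse."""
    return pwd.getpwuid(os.getuid()).pw_name

def hardened_env():
    """Pin PATH and drop loader variables before spawning anything at all.
    (The exact PATH value is an assumption for this example.)"""
    env = {k: v for k, v in os.environ.items() if not k.startswith("LD_")}
    env["PATH"] = "/usr/bin:/bin"
    return env

def demo(tmpdir=None):
    """Plant an `id` script first in PATH and compare the three answers."""
    if tmpdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    fake = os.path.join(tmpdir, "id")
    with open(fake, "w") as f:
        f.write(f"#!/bin/sh\necho '{FAKE_ID_OUTPUT}'\n")
    os.chmod(fake, 0o755)
    poisoned = dict(os.environ, PATH=tmpdir + ":" + os.environ.get("PATH", "/usr/bin:/bin"))
    return {
        "weak_poisoned": weak_user(poisoned),        # "think", whoever really runs this
        "weak_hardened": weak_user(hardened_env()),  # the real `id` from a pinned PATH
        "safe": safe_user(),                         # PATH is not involved at all
    }

if __name__ == "__main__":
    print(demo())
```

The weak lookup gives a different answer depending only on the environment it was started with; the two hardened variants agree with each other regardless.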

We found a bunch of passwords , which we are going to save to a File locally

Now let’s perform an SSH brute-force with the passwords file, using the Hydra tool.

hydra -l think -P /pathtoyourpasswordfile ssh://lookup.thm

The above command runs a brute-force attack against port 22 with the passwords file for the user → think

We found the password. Let’s log in as the user think over SSH with the newly discovered password.

We Have found the → User Flag

Priv Esc To Root

While logged in as user → think,
let’s check its sudo privileges

Let’s Find the look exploit on → GTFOBins

LFILE=/root/.ssh/id_rsa

sudo look '' "$LFILE"

We can now use the above command to read root’s id_rsa key and log in as root directly →

Usually id_rsa is stored under the .ssh folder →

sudo /usr/bin/look '' /root/.ssh/id_rsa

This returns the id_rsa key for the root superuser →

Now that we have the id_rsa key, we need to save it to a file locally and set its permissions with → chmod 600 id_rsa

We have the id_rsa for root account

Let’s Login to root via SSH

ssh -i id_rsa root@lookup.thm

Room Objectives are now achieved ! Congratulations

Congratulations !! You have successfully solved this Room

If you want the latest TryHackMe writeups delivered, go ahead and follow me on Medium and also hit the notify-via-email button.

Let’s connect on LinkedIn → https://linkedin.com/in/sunnysinghverma

You can also give me Respect on Hack The Box if you want; I would really appreciate it :)

https://app.hackthebox.com/users/1585635

My TryHackMe Profile Page →

https://tryhackme.com/p/SuNnY

Hope you enjoyed solving this room as much as I did. If you did, you can add a clap to this article to let me know, and if you loved it you can click the clap icon up to 50 times; that would make my day 🤗
You can also follow me on Medium to get more articles about CTFs and cybersecurity in the near future, but don’t forget to hit the email notification icon right next to the follow button.

Thank you !
SuNnY
