Tryhackme- ‘Lazy Admin’ walkthrough

Binamra Pandey, published in Techiepedia, Jun 24, 2021

Hello people, in this write-up I have covered a walkthrough for the TryHackMe box called Lazy Admin. So let's get started.

1. Information Gathering

We start gathering information by scanning for open ports on the system. I used rustscan and forwarded the result to Nmap:

rustscan -a $IP -b 1000 -r 0-65535 -t 5000 -- -A

Open $IP:22
Open $IP:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")


PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
| 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

After the command finishes we get the result above. Two ports are open: 22 (SSH) and 80 (HTTP).

Now that we know a website is running on the system, let's take a look.

The default Apache page was being served, so I started brute-forcing directories with gobuster:

gobuster dir -u $IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

I found a directory called /content. So let’s check it.

It was running the SweetRice CMS.

2. Scanning And Enumeration

Now let's run gobuster again against this endpoint to see what else we can find.

$ gobuster dir -u $IP/content/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.135.254/content/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/24 13:49:53 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 323] [--> http://10.10.135.254/content/images/]
/js (Status: 301) [Size: 319] [--> http://10.10.135.254/content/js/]
/inc (Status: 301) [Size: 320] [--> http://10.10.135.254/content/inc/]
/as (Status: 301) [Size: 319] [--> http://10.10.135.254/content/as/]
/_themes (Status: 301) [Size: 324] [--> http://10.10.135.254/content/_themes/]
/attachment (Status: 301) [Size: 327] [--> http://10.10.135.254/content/attachment/]

Gobuster found the directories above. One of them, /inc, had directory listing enabled and exposed the website's files and folders.

Inside /inc there was another interesting directory called "mysql_backup", so let's visit it. It contained a ".sql" file, so let's download that. After you download and open the file, you can see a username and a hashed password.

Now copy the hashed password, go to CrackStation and look it up to recover the plaintext.

Since we got this username and password from an SQL database dump, there must be a login panel somewhere. So let's go back to the gobuster output and see whether it found one.

There was one directory in the gobuster output, "/content/as", and when we visit it we find the login panel.

Now enter the username and password we got and we are logged in. Since it is the SweetRice CMS, let's look for its version number.

After login, the version number was shown in the top left corner: version 1.5.1.

3. Exploitation

Now that we know the version number, let's google for the vulnerabilities it has. After some research, I found that it is affected by multiple vulnerabilities, but one caught my attention: Arbitrary File Download.

Download the exploit from exploit-db.
Link: https://www.exploit-db.com/exploits/40698

So now we need a PHP reverse shell.
Link: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Now change the IP and port in the PHP reverse shell and run the exploit from Exploit-DB.

When you run the exploit, it asks you to enter the target URL, username, password and reverse shell file; after you enter them it gives you the URL that triggers the reverse shell.

Now start a Netcat listener. Remember to use the same port number you set in the reverse shell.

When you visit that URL, the payload runs and gives us a reverse connection.

With a little exploration of the machine you can easily get the first flag.

4. Privilege Escalation

Now let's check the sudo permissions with "sudo -l". You can see that the file backup.pl can be run as sudo, and that file calls /etc/copy.sh.

Open /etc/copy.sh: it contains reverse shell code and is writable, so just change the IP to your machine, start a Netcat listener, and then run backup.pl with sudo.

You now have root access to the machine. Explore a little and submit the second flag.
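The root cause of this escalation is a sudo-permitted script that calls a file any user can edit. The following audit script is an added example (not part of the original walkthrough) that, given such a script, lists every absolute path it references and flags any that is group- or world-writable; it runs against a constructed copy of the backup.pl / copy.sh layout under a temporary directory, never against real system files.

```shell
#!/bin/sh
# Added defensive check, not part of the original walkthrough. Given a script that a
# sudoers rule lets a user run as root, pull out every absolute path the script
# references and flag any that is group- or world-writable: an unprivileged user
# could edit that file and have root execute it, which is exactly the backup.pl ->
# /etc/copy.sh chain the box relies on. Returns 1 if anything is flagged, else 0.
audit_sudo_script() {
    script="$1"
    rc=0
    for ref in $(grep -oE '/[A-Za-z0-9_./-]+' "$script" | sort -u); do
        [ -f "$ref" ] || continue
        # Mode string from ls -ld, e.g. -rwxrwxrwx: char 6 is group write, char 9 is other write.
        mode=$(ls -ld "$ref" | cut -c1-10)
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            printf 'WRITABLE %s %s\n' "$mode" "$ref"
            rc=1
        else
            printf 'OK       %s %s\n' "$mode" "$ref"
        fi
    done
    return $rc
}

# Constructed fixture that mirrors the box: a root-run backup.pl that calls a
# world-writable copy.sh. Everything lives under a temp dir; prints that dir.
make_fixture() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\ntar czf /tmp/backup.tgz /var/www 2>/dev/null\n' > "$dir/copy.sh"
    chmod 777 "$dir/copy.sh"                      # the misconfiguration
    printf '#!/usr/bin/perl\nsystem("sh %s");\n' "$dir/copy.sh" > "$dir/backup.pl"
    chmod 755 "$dir/backup.pl"
    printf '%s\n' "$dir"
}

# Demo run on the fixture; the fix is chmod 755 (and root ownership) on copy.sh.
demo=$(make_fixture)
audit_sudo_script "$demo/backup.pl" || echo "finding(s) above need fixing"
rm -rf "$demo"
```

On a real host you would point audit_sudo_script at each script listed by sudo -l and then tighten the permissions and ownership of anything reported as WRITABLE.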

Thank You
