[Vulnhub] LazySysAdmin Write-Up

Amir Gholizadeh
5 min read · Feb 1, 2022

This article is a write-up of the "LazySysAdmin" machine, plus a look at how to secure it a bit more, and it has a little more fun than usual.

This machine is available to download for free from the VulnHub website.

just an image from the lazysysadmin website!

Enumeration

First things first, I need the IP address of this machine. I connected the Kali machine and this machine together using a custom vmnet in VMware. I already know the MAC address of this machine, but not the IP.

Naughty Script

I thought of a faster way to get the IP, so I created this little naughty Python script:

a naughty script

What it does is send ARP requests to only one MAC address, the MAC address of the victim machine. That way I can get the IP faster than sending an ARP request to every device on the network. The result was:

victim IP

NMAP

Now that I have the IP address, it's time to run nmap:

After running it I found some open ports; one of them was HTTP and another was SMB.

HTTP Enumeration

Enumerating the HTTP website with whatweb:

whatweb

Nothing really exploitable!

Then I ran gobuster:

gobuster 1

I found WordPress, then tried to use gobuster on it:

gobuster 2

Of course it has wp-admin! But the default credentials don't work!

SMB Enumeration

I tried listing shares:

listing shares

There is this sumshare that seems interesting:

connecting to sumshare

I could connect to it. Then I listed the files in it and found several, including a wordpress folder. The interesting and useful file was deets.txt, and the useful file in the wordpress folder was wp-config.php.

deets.txt
wp-config.php

Back to HTTP Enumeration

I tried the first password, but it didn't work on WordPress; then I tried the second, and it worked like a charm!

Exploitation

Then I went into Appearance > Editor > Theme Footer and pasted a PHP reverse shell in there:

And I got a shell using this:

And I tried to spawn a TTY for myself, to handle things more easily:

Then I listed the /home folder to see the users, and there was this togie user!

I used the password 12345 on this user, and it worked:

Post Exploitation

Time for post-exploitation stuff!

Getting Root

Using sudo -l, it says that this user can run everything as root, so I took the challenge:

rooted!

Having Some More Fun

I created a new user on the system to keep my access persistent:

And then I tried to log in to it via SSH:

But uh-oh! It is being monitored, and they are not lying, because my actions are right there in the log file!

But I have root access, and I can easily remove it.

But where does this annoying banner come from? The answer is in the SSH config:

So it uses the /etc/banner file!

I tried changing it, just for fun!

I changed the root password to root as well, so that I can navigate around more easily. I then SSHed into it again to check the banner:

Enough fun for now..

Securing it

But as ethical hackers we should try to secure systems and not only break them, so I tried to secure it a bit more.

Securing SMB

As we know, SMB had a share that allowed guests to log in and access sumshare! But how do we deny them this? By looking at and changing the SMB configuration!

The SMB configuration, which lives at /etc/samba/smb.conf, has this at the very end:

The share name is share$, which we used; the comment is sumshare; the path is /var/www/html; and it has guest ok = yes, which is bad, very bad!

We can either remove it completely:

Or deny guest access:

Now it's a bit more secure, since the attacker can't access SMB to get hold of the passwords..
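To make the "remove it or deny guests" step checkable rather than eyeballed, here is a small audit script, an added example that is not part of the original post and not Samba's own tooling. It parses smb.conf text the way Samba does (option names are case-insensitive and whitespace-insensitive, and `public` is a synonym for `guest ok`) and reports every share that guests can reach. The `[share$]` section mirrors what the write-up reports (name share$, comment sumshare, path /var/www/html, guest ok = yes); the `[global]` options and the hardened variant, including the choice of `togie` as the only valid user, are constructed for the example.

```python
"""Audit a Samba smb.conf for shares that allow guest (anonymous) access.

Added example for this write-up, not code from the original post or from
the Samba project.  The [share$] block below is reconstructed from the
write-up; [global] and the hardened variant are constructed assumptions.
"""
import re

# Constructed: the weak configuration, as the write-up describes it.
WEAK_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = Samba Server %v
    map to guest = Bad User

[share$]
    comment = Sumshare
    path = /var/www/html
    browseable = yes
    writable = no
    guest ok = yes
"""

# Constructed: the same share with guest access denied and restricted to one
# named account (togie is the user from the write-up; pick your own in practice).
HARDENED_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = Samba Server %v
    map to guest = Never

[share$]
    comment = Sumshare
    path = /var/www/html
    browseable = no
    writable = no
    guest ok = no
    valid users = togie
"""

# Samba treats these as synonyms; either one set to yes opens the share to guests.
GUEST_KEYS = ("guest ok", "public")
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {option: value}}.

    Option names are lowercased and internal whitespace is collapsed so that
    'Guest  OK' and 'guest ok' compare equal, matching how Samba reads them.
    Blank lines and lines starting with '#' or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # option before any section, or a malformed line
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def find_guest_shares(text):
    """Return [(share, path)] for each non-global share reachable by guests."""
    findings = []
    for name, opts in parse_smb_conf(text).items():
        if name.lower() == "global":
            continue
        if any(opts.get(k, "no").lower() in TRUE_VALUES for k in GUEST_KEYS):
            findings.append((name, opts.get("path", "")))
    return findings


def map_to_guest_setting(text):
    """Return the global 'map to guest' value ('Never' is Samba's default)."""
    return parse_smb_conf(text).get("global", {}).get("map to guest", "Never")


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label}: map to guest = {map_to_guest_setting(conf)}")
        for share, path in find_guest_shares(conf):
            print(f"  guest-accessible share [{share}] -> {path}")
```

Run against the weak configuration it flags `[share$] -> /var/www/html`; against the hardened one it reports nothing. The `map to guest` check is reported alongside because `Bad User` turns failed logins into guest sessions, so a share with `guest ok = yes` is reachable even when the client supplies a wrong password. Note that the share exports the web root, so a fix that only tightens Samba still leaves wp-config.php readable by whoever can reach the share; removing the share entirely is the safer of the two options the write-up gives.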

And that's it for me. Hope you enjoyed this write-up! Happy hacking.
