TryHackMe — LazyAdmin Walkthrough

Trevor Murphy - SudoBear
5 min read · Mar 17, 2024


TryHackMe | LazyAdmin

This is an “easy” difficulty box on TryHackMe. It describes itself as a box for practicing Linux privilege escalation.

Enumeration

First, I ran a full Nmap scan of all ports on the target provided.

While the scan was running, I navigated to the HTTP website and identified a default Apache webpage.

Based on this default page, and with Wappalyzer, we can see the Apache version and that the host is running Ubuntu. Additionally, I checked /robots.txt for any breadcrumbs of information that an “administrator” may have left behind; this is a common occurrence in CTF-type challenges. Nothing to report there.

Directory Busting

There are a ton of options to use for directory busting — GoBuster, Dirb, Dirbuster, and Ffuf to name a few. I am going to go with Ffuf for its speed. One drawback is that it won’t recurse into subdirectories by default, so that’s something I will have to keep in mind if further enumeration is needed.

Here is the Ffuf command:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.10.94.28/FUZZ

Results:

Navigating to the /content directory, we can see a default notice. It looks like there is a CMS here called Basic CMS SweetRice.

I don’t see much else on this page that we can enumerate. I checked the page source and it was just mostly default, no extra comments. The next two steps for me are to research possible exploits for SweetRice and to look for further sub-directories under /content. I will put researching exploits on hold for now, because we do not have a version number.

I ran Ffuf again, this time against /content/FUZZ, and found these additional directories.

Two of these directories were of immediate interest to me. One was a logon portal at /content/as:

I also found a backup of a SQL database in the /inc directory:

My best guess so far is there could be credentials in this backup file that we can use to log into this SweetRice portal.

Gaining System Access

I was able to download the backup SQL file and just use the cat command to view its contents. I noticed what is potentially a password hash for the admin user.

42f749ade7f9e195bf475f37a44cafcb

Luckily enough, CrackStation showed that this hash is just Password123.
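Why a CrackStation lookup works here, and what would have stopped it, as an added example that is not part of the original walkthrough: the hash in the backup is an unsalted MD5 digest, so it is a single dictionary lookup in a precomputed table. The same password stored with a per-user salt and a slow KDF produces a different digest for every account, so no shared table can map it back. The wordlist below is constructed for the demonstration; only the leaked hash value comes from the page.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Hash found in the SweetRice backup above (unsalted MD5 of the admin password).
LEAKED_MD5 = "42f749ade7f9e195bf475f37a44cafcb"

# Constructed mini wordlist; CrackStation's tables are the same idea at enormous scale.
WORDLIST = ["letmein", "Welcome1", "Password123", "summer2024", "admin"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once; any unsalted MD5 hash is then a dict lookup."""
    return {md5_hex(w): w for w in words}


def lookup(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the plaintext for an unsalted hash if it is in the table."""
    return table.get(digest.strip().lower())


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """How the password should have been stored: per-user random salt plus a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_password(candidate: str, salt: bytes, stored_hex: str,
                    iterations: int = 600_000) -> bool:
    """Constant-time comparison of a login attempt against the stored salted digest."""
    return hmac.compare_digest(salted_pbkdf2(candidate, salt, iterations), stored_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("leaked hash ->", lookup(LEAKED_MD5, table))
    # Same password, two different salts: the digests differ, so one table cannot cover both.
    for user in ("manager", "admin"):
        salt = os.urandom(16)
        print(user, salted_pbkdf2("Password123", salt, 1000))
```

The lookup table is keyed only by the digest, which is exactly why an unsalted hash leaked from a backup is as good as the plaintext; the salted variant forces every account to be guessed separately, at the cost of the KDF's iteration count per guess.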

Now let’s try it with either manager or admin and attempt to log into that portal.

Success (with manager/Password123):

While trying to find an option to upload a file, I spotted this in Media Center. My goal here is to upload a PHP shell and get access to the machine via a reverse shell. I am uploading a file called shell.php, which contains code I copied from this GitHub page: https://github.com/pentestmonkey/php-reverse-shell

It looked like nothing was happening when I tried to upload this file; my hunch is that something is blocking PHP files from being uploaded. Web servers are usually set up to block certain file types from being uploaded. In this case, I decided to try another PHP file extension, as sometimes the rule does not block every variant (see this source for more PHP extensions: https://www.studyhost.net/support/knowledgebase/53/What-are-valid-file-extensions-I-can-use-for-PHP-scripts.html). This uploaded successfully.
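The upload filter fails here because it is a blocklist: it names the one extension it wants to refuse and accepts everything else. The defensive fix is an allowlist of the few types the Media Center actually needs, checked against the file's content rather than just its name, with a server-chosen filename so the user's name is never reused on disk. Added example in Python, not the CMS's own code; the blocklist function is a constructed stand-in for the behaviour observed on the box.

```python
import os
import secrets
from typing import Optional

# Blocklist stand-in for the behaviour observed above: only names ending in ".php" are refused.
BLOCKED_EXTENSIONS = {".php"}

# Allowlist: extension -> leading magic bytes the content must start with.
ALLOWED_IMAGE_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def blocklist_accepts(filename: str) -> bool:
    """Weak check: any extension other than exactly '.php' passes."""
    ext = os.path.splitext(filename)[1]
    return ext not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename: str, content: bytes) -> bool:
    """Strong check: the (case-folded) extension must be allowed AND the bytes must match it."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED_IMAGE_TYPES.get(ext)
    if magic is None:
        return False
    return content.startswith(magic)


def stored_name(filename: str, content: bytes) -> Optional[str]:
    """Name to save under: random token plus the validated extension; None if rejected."""
    if not allowlist_accepts(filename, content):
        return None
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # constructed minimal PNG header
    for name, body in (("photo.PNG", png), ("shell.php", b"<?php"), ("shell.phtml", b"<?php")):
        print(name, "blocklist:", blocklist_accepts(name),
              "allowlist:", allowlist_accepts(name, body), "stored as:", stored_name(name, body))
```

Pairing the extension with magic bytes matters because a PHP file renamed to .png would otherwise pass an extension-only allowlist; the upload directory should also be served without any script handler so that even a mistake in validation does not become code execution.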

Next, I started a Netcat listener on my Kali Linux machine and navigated to this file on the website to make the connection.

I am now connected as the user www-data. From here I navigated to /home to see which users are on the box, then went into the only user’s folder, “itguy”, and captured the user flag for the first TryHackMe question.

Privilege Escalation

Now the goal is to find a way to get root privileges on this machine. The best idea would be to fully enumerate with a tool like LinPEAS or LinEnum.sh, but I always like to check for any overly permissive sudo rules first, and in this case I noticed a Perl script that can be run as root.

Navigate to /home/itguy/backup.pl and see what this script does:

It looks like it’s calling a .sh script; let’s see what that does. I navigated to /etc/copy and here it is:

This looks like a reverse shell script (interesting). Let’s try to insert my Kali Linux machine’s IP into it and just echo a replacement over the file.
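The root cause here is not the sudo rule by itself but the fact that a script run as root invokes a second file that ordinary users can overwrite. As an added, defender-side example (not part of the original walkthrough), the Python audit below takes a script that sudo permits, extracts the absolute paths it references, and flags the script or any referenced file that is group- or world-writable. The file names mirror the box (a backup.pl that runs a copy.sh) but are constructed in a temporary directory with a placeholder body.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Absolute paths mentioned in the script text (inside system(...), exec, backticks, etc.).
ABS_PATH_RE = re.compile(r"(/(?:[\w.\-]+/)*[\w.\-]+)")


def loosely_writable(path: str) -> bool:
    """True if group or others have write permission on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def referenced_paths(script_path: str) -> List[str]:
    """Absolute paths referenced by the script text that exist as regular files."""
    with open(script_path, "r", errors="replace") as fh:
        text = fh.read()
    found: List[str] = []
    for p in ABS_PATH_RE.findall(text):
        if os.path.isfile(p) and p not in found:
            found.append(p)
    return found


def audit_sudo_script(script_path: str) -> List[Tuple[str, str]]:
    """(path, reason) findings for a script that a sudo rule lets a user run as root."""
    findings: List[Tuple[str, str]] = []
    if loosely_writable(script_path):
        findings.append((script_path, "sudo target is group/world writable"))
    for dep in referenced_paths(script_path):
        if loosely_writable(dep):
            findings.append((dep, "file invoked by sudo target is group/world writable"))
    return findings


def build_demo_tree() -> str:
    """Constructed stand-in for the box: backup.pl (0755) runs copy.sh, and copy.sh is 0777."""
    root = tempfile.mkdtemp()
    copy_sh = os.path.join(root, "copy.sh")
    backup_pl = os.path.join(root, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write("#!/bin/sh\necho 'placeholder body'\n")
    os.chmod(copy_sh, 0o777)
    with open(backup_pl, "w") as fh:
        fh.write(f'#!/usr/bin/perl\nsystem("sh", "{copy_sh}");\n')
    os.chmod(backup_pl, 0o755)
    return backup_pl


if __name__ == "__main__":
    for path, reason in audit_sudo_script(build_demo_tree()):
        print(f"{path}: {reason}")
```

In a real audit you would feed `audit_sudo_script` every command path listed in `sudo -l` output (or in /etc/sudoers and /etc/sudoers.d); the fix for a finding is to make the invoked file root-owned and 0755 or, better, to remove the sudo rule for anything that calls out to other files.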

Success! First I started a new Netcat listener on port 5555, then tried running this Perl script with sudo.

I had a hard time working out why I couldn’t run this. It worked once I typed out the full file path (see above). Don’t forget to start another Netcat listener on port 5554 (see below) to make the connection.

After running that Perl script with sudo permissions I got a root shell and was able to capture the root flag for this challenge.
