TryHackMe: LazyAdmin

Cybertrinchera · Published in CodeX · Dec 18, 2022

LazyAdmin is an easy machine on the TryHackMe platform. In it, we will exploit an arbitrary file upload vulnerability and a credential leak to obtain a shell on the system. Later, we will take advantage of a script that our user can modify and that can also be run as root through sudo to escalate privileges.

As usual in TryHackMe, we must connect to the VPN or use the AttackBox. I will choose the VPN. We press the Start Machine button and, a minute later, we are shown the IP address. Now we proceed with the initial reconnaissance using Nmap:

nmap -p- -sV -Pn $IP

The -p- parameter (a hyphen with no port list) scans all 65535 TCP ports, -sV probes the open ports to fingerprint the service versions, and -Pn skips host discovery so the machine is scanned even if it does not respond to ping.

We can see that the machine exposes only two services, SSH and a web server. Let's dig into the web server.

Web server enumeration

Fuzzing directories, we find a couple of interesting entries:

We find an installation of the basic CMS SweetRice.

A quick Google search shows some CVEs and an Exploit-DB exploit affecting version 1.5.1 and older.

Fuzzing inside the content folder, we find several interesting endpoints, among them the CMS login panel in the as directory and the inc directory, which has directory listing enabled.

Inside the inc directory, we find the CMS version in the latest.txt file (it happens to be 1.5.1, which has an authenticated arbitrary file upload vulnerability). We also find a folder containing a MySQL backup. Let's look through this backup for credentials.

Indeed, the dump contains the credentials of the manager user, which has administrator privileges. The password is stored as a hash, so we have to crack it before we can log in.

Once the hash is cracked, we can log in to the CMS with the credentials we just obtained.
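The cracking step above is a plain dictionary attack. The following is an added example, not code from the page or from SweetRice: it pulls every 32-hex token out of a dump-shaped text and tries a wordlist against them. It assumes the password is stored as an unsalted MD5 hash (an assumption stated here for the example); the dump fragment and the wordlist are constructed for illustration, and the hashes in it are md5("password") and md5("123456"), not the machine's real values.

```python
import hashlib
import re

# Constructed sample shaped like a MySQL dump (illustrative layout only; not a
# copy of the machine's backup). Hashes: md5("password"), md5("123456").
SAMPLE_DUMP = """\
INSERT INTO `users` VALUES (1,'manager','5f4dcc3b5aa765d61d8327deb882cf99','admin');
INSERT INTO `users` VALUES (2,'guest','e10adc3949ba59abbe56e057f20f883e','user');
"""

# Constructed wordlist standing in for rockyou.txt or similar.
SAMPLE_WORDLIST = ["letmein", "qwerty", "password", "Password123", "admin"]

# A 32-character lowercase hex token is what an MD5 digest looks like in a dump.
HEX32 = re.compile(r"\b[0-9a-f]{32}\b")


def find_hashes(dump):
    """Return {hash: line} for every MD5-looking token in the dump text."""
    found = {}
    for line in dump.splitlines():
        for h in HEX32.findall(line):
            found[h] = line.strip()
    return found


def crack_md5(hashes, wordlist):
    """Dictionary attack assuming unsalted MD5 (assumption for this example).

    Returns {hash: plaintext} for every hash that a wordlist entry matches.
    """
    targets = {h.lower() for h in hashes}
    cracked = {}
    for word in wordlist:
        word = word.rstrip("\r\n")
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in targets:
            cracked[digest] = word
            targets.discard(digest)
        if not targets:
            break
    return cracked


def crack_dump(dump, wordlist):
    """Convenience wrapper: extract hashes from a dump and crack them."""
    return crack_md5(find_hashes(dump), wordlist)


if __name__ == "__main__":
    for digest, line in find_hashes(SAMPLE_DUMP).items():
        print(digest, "<-", line)
    print("cracked:", crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST))
```

On the constructed input only the manager hash is recovered, because "123456" is not in the sample wordlist; in practice you would hand the hash to hashcat (-m 0) or john (--format=raw-md5) with a real wordlist rather than loop in Python.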

It's time to see if we can reproduce the arbitrary file upload from the exploit. Reading the Exploit-DB exploit, we see that the vulnerable upload form is located at /as/?type=media_center, relative to the CMS root (which on this machine is under /content).

Testing it, we see that the form applies some extension filtering: files ending in .php are rejected and never stored. The filter is a denylist, so we can bypass it with an alternative extension such as .php5, which the web server still hands to the PHP interpreter. Once we know how to bypass it, we upload a PHP reverse shell, request it in the browser and get a shell on the system as the web server user.
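Why the .php5 trick works, and what a correct check looks like, is easier to see side by side. The following is an added example, not SweetRice's code: the "vulnerable" function reconstructs only the behaviour observed above (a denylist that rejects .php alone), and the PHP_HANDLER pattern is an approximation of the FilesMatch rule Debian/Ubuntu-style mod_php configurations use, stated here as an assumption. The hardened version uses an allowlist, refuses double extensions, checks magic bytes and lets the server choose the stored name.

```python
import os
import re
import secrets

# --- Vulnerable: a denylist that only rejects ".php" ------------------------
# Illustrative reconstruction of the observed behaviour, not SweetRice's code.
DENYLIST = {".php"}


def vulnerable_is_allowed(filename):
    """Denylist check: anything not literally ending in .php gets through."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


# Extensions that Debian/Ubuntu-style mod_php configs hand to the interpreter
# (approximation of their FilesMatch pattern; assumption for this example).
PHP_HANDLER = re.compile(r"\.ph(p[3-7]?|t|tml|ar)$", re.IGNORECASE)


def server_executes(filename):
    """Would the web server run this file as PHP?"""
    return bool(PHP_HANDLER.search(filename))


def bypass_candidates(basename="shell"):
    """Names that pass the denylist AND are still executed: the .php5 trick."""
    exts = ["php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"]
    names = [f"{basename}.{e}" for e in exts]
    return [n for n in names if vulnerable_is_allowed(n) and server_executes(n)]


# --- Hardened: allowlist + single extension + magic bytes + server-chosen name
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def hardened_is_allowed(filename, head):
    """Accept only allowlisted, single-extension files whose content matches."""
    base = os.path.basename(filename)
    if base.count(".") != 1:          # no shell.php.png style double extensions
        return False
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:            # allowlist, never a denylist
        return False
    return any(head.startswith(magic) for magic in ALLOWED[ext])


def stored_name(filename):
    """Server-chosen on-disk name: the client never controls the path or stem."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print("bypasses:", bypass_candidates())
    print("hardened accepts shell.php5:", hardened_is_allowed("shell.php5", b"<?php"))
    print("hardened accepts photo.png:",
          hardened_is_allowed("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00"))
```

Even with the hardened check, store uploads outside the web root (or in a directory where script execution is disabled) so that a mistake in the validator cannot be turned into code execution.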

Privilege Escalation

With some basic enumeration, we find interesting files in the itguy home folder:

The MySQL credentials, although they work, seem to lead to a dead end. On the other hand, checking sudo -l, we see that the backup script seen earlier can be executed as root by our user.

Let’s take a closer look at what this script does.

The backup script simply runs /etc/copy.sh, which, as it turns out, has already been modified (presumably by a previous player) to launch a reverse shell, and which our user can write to. Let's modify it ourselves so that it connects back to our listener, then run the backup script through sudo to get a shell as root.

And finally, we get our shell as root:

PWNed!

I hope you enjoyed my article and found my content useful. See you in the next article.


Also known as srbleu on many platforms. I'm here to share some knowledge.