TryHackMe CTF: LazyAdmin
Today, I will be writing on the easy-rated TryHackMe CTF box, "LazyAdmin." This was a very fun machine and would recommend you give this a shot, especially if you're a beginner such as myself.
*Disclaimer: These walkthroughs are for education purposes only. Please don't use this information to do any unlawful activity*
First things first, I always like to add the machines IP to my hosts file, so lets go ahead and do that.
Next, I went ahead to grab an Nmap scan of the machine to see what we're working with here. I like to be as organized as possible so I create a folder for each box, with a folder for Enumeration, Exploitation, and Post-Exploitation within. So I had this output to a text file within the enumeration folder. I also chose to only scan ports 1-5000 as I figured with an easy machine, there was a lower chance of there being an odd ball port open.
Here were my results:
We only have 2 open ports here. SSH and a web server. Since we have no username, and (a given) no password, we can't do anything with SSH at this point, so let's go enumerate the web server. Here is what I was presented with once giving the web page a visit:
Okay, out of 85,000 possible directories, we only got a hit on one; /content
Let's head there to see what we find.
We are greeted with a message stating the website is currently being built and to come back later. But now we have something to go off here! We can see that this is the Basic-CMS SweetRice application, and there is a link that takes you to a "Tips for a basic install" page. I went to the page and read through the article, and I noticed under the second tip that it mentioned a directory called "Inc.' Unfortunately, heading to http://lazyadmin/Inc presented an HTTP 404 error, so I thought this was a dead end.
Well, still not a ton to go off of. We know it's a SweetRice install, but we don't have a version number to go off of to search for any vulnerabilities. A quick google search for "CMS SweetRice Vulnerabilities" showed there were quite a bit, but there were a ton of different versions that were vulnerable to different things. I didn't feel like blindly guessing, so I decided to enumerate some more.
I decided at this point to run a wFuzz scan for any sub-directories of "/content." I again just used the SecLists "2.3-small" word list for this scan.
Here were the results:
Hey! We have quite a few sub-directories here. /js, /inc, /as, /_themes, and /attachment. The /js sub-directory didn't provide much information, so let's head to the /inc directory.
A quick google search for "CMS SweetRice 1.5.1" and voila, we have a version! Let's see what kind of vulnerabilities are out there for this. Well, there seems to be quite a few. It looks like the biggest one was an Arbitrary File Upload, and there seemed to be a script to exploit it. I gave this a shot but was unsuccessful. Okay, back to enumerating.
Going back to our /Inc sub-directory, I decided to take a look into the "mysql_backup/" folder.
Alrighty, we have SQL file here so let's go ahead and download that to see if we can get any information out from it. Once I downloaded it, I went ahead and ran a "cat" to print the contents of the backup SQL file. Most of the contents weren't useful, except for one particular part:
And would you look at that! It looks like we have found us a username, and a password hash! Let's write this down.
Let's identify this hash, and see if we can't crack it. Given the length of the hash, I presumed it to be an MD5 but because I'm fairly new (I know, I know I have to learn to identify them. I'm working on it haha,) I wanted to see if I could verify that. I used a website called tunnelsup.com as they have a hash analyzer. I ran this hash to see if I'd get a hit, and sure enough it was an MD5 hash as I had thought.
Okay, so we know this is an MD5 hash. I decided to try and run it against an online hash database to see if I could easily crack it before using any tools. I used a website called hashes.com, and sure enough it was able to be cracked right then and there. Easy.
So now, we have a user and a password. My first thought was to try and login via SSH with those credentials. No good. Let's go back to enumerating and see if we can find anywhere to use the credentials. I couldn't find anything more on the /Inc sub-directory so I went back to my wFuzz results and went on to the next sub-directory, /as.
Perfect!! A login page! Let's try the newly discovered credentials. SUCCESS!!
Alright, we're logged into the web-console as an Admin, let's see what we can do here. After browsing all the pages seen on the left above, I found that there were 3 where we could upload files (Attachment, Plugin list and Theme) and one where we could add some code (Ads.) I went back to google to see if I could find any vulnerabilities for any of these pages. I kept seeing the same script from before regarding the Arbitrary File Upload vulnerability, so now that I was logged in I tried it again with a PHP Reverse shell script to see if I could get it uploaded to the site. Still no luck.
Back to researching. I ended up finding a script that someone had wrote regarding a Code Execution vulnerability via the use of a CSRF flaw.
Reading through the script, you see that it mentions that SweetRice allows an admin to upload PHP codes through the Ads page. AHH! Let's give that a shot and try to upload a PHP reverse shell script! *Notice the end of the script where it says you can access your code at*
Great, it was uploaded! Let's head over to /Content/Inc/Ads to see if we can see this there.
Yep, there it is! Let's go ahead and set up a Netcat listener and see if we can execute this page to get that reverse shell.
Bingo! We have our initial foothold onto the machine! Let's spawn a better looking shell here.
Ahhhh, much better! Heading for the home folder, we notice a user named "itguy." We change into that directory and boom, we have our user.txt file!
Okay, we are half way there! Let's do some post-exploitation enumeration now. I always try the "Sudo -l" command first off to see if we can run anything with sudo permissions and sure enough, we do!
It looks like we are able to run the Perl binary, and a file called "backup.pl" on the itguy's home directory. Sweet! I wasn't 100% sure what the .pl extension was, so a quick google search later and realized it's a Perl script. If I can run it as sudo, let's see if we can output the content of the file.
Sure can! It looks like it's executing a shell called "copy.sh" in the /etc directory, so let's head there and see if we can read what's inside that.
Oh even better! We can, and we see that the backup.pl script ultimately is spawning a reverse shell back to what I would assume would be the actual admin as a "backdoor" to the application. I wonder if we can edit the one-liner and replace their machine with our machines IP.
Oh, perfect! Let's set up another Netcat listener, and head to the /usr/bin folder and try and run this Perl script.
It worked!!! Let's go ahead and head to /root and get the root.txt flag.
And there we have it! We have successfully rooted this machine, and we can put this one behind us as we move on to more challenges ahead! Again, with being fairly new to penetration testing, this box taught me a lot, and I would highly recommend it for any beginner!
*PS.... There did seem to be a rabbit hole and I went down it, though I won't spoil what it is 😁
Thank you so much for taking the time to read my walkthrough of this very fun box, and I hope it brings help to those that need it!