{"id":211,"date":"2023-03-02T04:40:16","date_gmt":"2023-03-02T04:40:16","guid":{"rendered":"https:\/\/infosecjake.net\/?p=211"},"modified":"2023-03-02T04:40:17","modified_gmt":"2023-03-02T04:40:17","slug":"tryhackme-lazyadmin-walkthrough","status":"publish","type":"post","link":"https:\/\/infosecjake.net\/?p=211","title":{"rendered":"Tryhackme – LazyAdmin Walkthrough"},"content":{"rendered":"\n

Up next is another machine on Tryhackme. This one is called LazyAdmin.<\/p>\n\n\n\n

First, we need to start up our Kali linux VM and then connect to the VPN for Tryhackme. If you haven\u2019t done this before, they have pretty good instructions on how to do this on the Tryhackme site.

After connecting to VPN, lets join the LazyAdmin room and start the victim machine.

As always, we need to start off with some scanning to figure out what ports are open and what other information we can gather to help us build our attack strategy.<\/p>\n\n\n\n

\"nmap<\/figure>\n\n\n\n

So, we have SSH open and an HTTP service on port 80. We will start off by taking a look at the http service.<\/p>\n\n\n\n

\"Apache2\"<\/figure>\n\n\n\n

Default Apache2 page. Nothing much here. Let\u2019s check through Dirb, or another similar tool, to see if there are any directories of interest.

<\/p>\n\n\n\n

\"mysql<\/figure>\n\n\n\n

After googling a hash identifier, I was able to identify that this is MD5. Lets try to crack it\u2026<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Well, that didn\u2019t take long. Now, we need to see if our Dirb has finished and see where we can use these credentials at on the site. Perusing some of the other discovered directories, I see that \/as appears to be an admin login page.

<\/p>\n\n\n\n

\"login<\/figure>\n\n\n\n

Lets see if we can login now\u2026<\/p>\n\n\n\n

Got it! Slight correction here, the username wasn\u2019t admin, it was manager. We are in though.<\/p>\n\n\n\n

\"admin<\/figure>\n\n\n\n

After some research on Google, I\u2019m seeing that SweetRice 1.5.1 is vulnerable to a Local File Inclusion and Arbitrary File Upload. The latter has gotten my attention, however. If I can upload a file, then I can potentially create a reverse shell, if the machine will execute the file (or script in this case).

So, lets grab a reverse shell script from Pentestmonkey here: https:\/\/pentestmonkey.net\/cheat-sheet\/shells\/reverse-shell-cheat-sheet<\/a>, we are going to use PHP.

After a bit of searching, it looks like you can run this on the Ads section below, so lets put\u00a0 our script in there with our IP and run it.<\/p>\n\n\n\n

Lets start our listener up first..<\/p>\n\n\n\n

\"listener\"<\/figure>\n\n\n\n

Now, to run the script, after editing it.<\/p>\n\n\n\n

\"script\"<\/figure>\n\n\n\n

Note that it now gives us this URL:

<\/p>\n\n\n\n

\"url\"<\/figure>\n\n\n\n

Lets navigate to it to see if it executes\u2026<\/p>\n\n\n\n

Nope, nothing there\u2026.maybe it uploaded the file into the browsable directory we looked at earlier and we can click it there?<\/p>\n\n\n\n

\"File<\/figure>\n\n\n\n

There it is! Now, we click it\u2026<\/p>\n\n\n\n

Welp, that didn\u2019t work\u2026seems our PHP reverse shell script isn\u2019t working. Lets find another one\u2026<\/p>\n\n\n\n

This time, I used https:\/\/raw.githubusercontent.com\/pentestmonkey\/php-reverse-shell\/master\/php-reverse-shell.php<\/a><\/p>\n\n\n\n

Modified the file to include my IP address to connect back to and left the default 1234 port.

Restarted my listener on port 1234 and now uploading the file, I just copy\/pasted the entire thing in\u2026<\/p>\n\n\n\n

\"file<\/figure>\n\n\n\n

Let\u2019s try clicking it again\u2026<\/p>\n\n\n\n

\"Shell<\/figure>\n\n\n\n

There we go! A shell!<\/p>\n\n\n\n

Now that we are in, just some simple searching and we found the user flag.<\/p>\n\n\n\n

\"user<\/figure>\n\n\n\n

While we are in the itguy\u2019s directory, lets look around for more stuff. This mysql_login.txt file looks interesting.<\/p>\n\n\n\n

\"mysql<\/figure>\n\n\n\n

Some credentials, but we need to find a way to escalate our privileges to root. So, lets keep looking\u2026
There\u2019s a backup file here\u2026lets look at it..<\/p>\n\n\n\n

\"backup<\/figure>\n\n\n\n

Ok, so lets look at the copy.sh file\u2026<\/p>\n\n\n\n

\"copy<\/figure>\n\n\n\n

So\u2026it\u2019s running a listener. Well, since we\u2019re not connected with a suitable terminal interface, this is going to be harder than it appears. Trying to run vi on the file won\u2019t work.

So\u2026maybe we can just do an echo and pipe the output of that into the file? I\u2019m sure there\u2019s an easier way, but this is what I have at the moment.<\/p>\n\n\n\n

\"edited<\/figure>\n\n\n\n

Well, that worked. Now we start a listener on that port. Yes, I know, I know. It\u2019s corny to use 1337.<\/p>\n\n\n\n

Now, we run the backup script and see what happens.<\/p>\n\n\n\n

\"running<\/figure>\n\n\n\n

Connection came in. Look who we are!<\/p>\n\n\n\n

\"root<\/figure>\n\n\n\n

From here, we just find the root flag and put it in, it was easy to find so I won\u2019t put a screenshot. Machine is now done.<\/p>\n\n\n\n


What I learned:<\/p>\n\n\n\n

    \n
  1. There may be useful scripts on the system that run with elevated privileges that we can use to escalate our privileges.<\/li>\n\n\n\n
  2. Not every PHP reverse shell is going to work the first time. If the first one fails, try again.<\/li>\n\n\n\n
  3. Browsable directories can hold some very interesting files that can become very useful for a threat actor. In this case, a database file held some credentials we could use on our attack.<\/li>\n\n\n\n
  4. Persistence is important. I got a bit frustrated with the file upload section because it wasn\u2019t working for me at first. This was mainly because the reverse shell I was attempting to use was not working. I wasn\u2019t sure the larger file that I ended up using would work, but it indeed did.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"

    Up next is another machine on Tryhackme. This one is called LazyAdmin. First, we need to start up our Kali<\/p>\n

    Continue readingTryhackme – LazyAdmin Walkthrough<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":218,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[31],"tags":[33,32,34],"class_list":["post-211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-challenge-walkthroughs","tag-ctf","tag-tryhackme","tag-walkthrough"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/03\/image-6.png","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=211"}],"version-history":[{"count":1,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/211\/revisions"}],"predecessor-version":[{"id":232,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/211\/revisions\/232"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/media\/218"}],"wp:attachment":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}