TryHackMe | LazyAdmin Writeup

Omer Gunesacar
3 min read, Jul 16, 2023


LazyAdmin CTF: https://tryhackme.com/room/lazyadmin by MrSeth6797

Hi, we are going to solve the LazyAdmin CTF on TryHackMe.

Let’s use nmap to discover open ports on the target:

Ports 22 and 80 are open, and the target runs Linux.
We could brute force SSH, but we’ll come back to that only if we cannot find another way in.

Let’s enumerate the web server running on port 80.

We can see that an Apache web server runs on the target. Let’s find directories using gobuster and dirb.

Gobuster:

Dirb:

There are interesting directories such as ‘inc’ and ‘as’, which are subdirectories of the ‘content’ directory.

/content directory:

/content/as directory:

/content/inc directory:

We can see that the web server is running SweetRice CMS as its website management system. At /content/as there is a login page that we could brute force, but first we can look for interesting files under /content/inc.

When we look at the mysql_backup file, we find a password hash for the user ‘manager’.

The manager’s password hash can be cracked with local tools or online cracking sites:

Let’s log in to the login page with the credentials we found.

We cannot SSH into the machine with these credentials.

We can get a reverse shell by editing the theme files.

We can execute that PHP reverse shell by browsing to the location where it was uploaded.

Here is the reverse shell:

The user flag is located at /home/itguy/user.txt.

Let’s spawn a TTY shell and export TERM so the ‘clear’ command works, cuz I like my terminal clean.

export TERM=xterm
python -c 'import pty; pty.spawn("/bin/bash")'

There are interesting files in the user’s home directory:

The Backup.pl file is written in Perl and it runs the ‘copy.sh’ script located in the /etc directory, and we can execute Backup.pl with root privileges:

Now let’s look at the /etc/copy.sh file. We have read, write and execute privileges on it, so anything we put in there will run as root when Backup.pl runs.

We can also see that the nc tool is installed on the target. We can use it to get a reverse shell with root privileges.

We have a reverse shell with elevated privileges.
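The root cause of this privilege escalation is a script that runs as root calling a helper script that any user can edit. As an added example (not part of the original writeup), here is a small POSIX shell audit helper that flags exactly that misconfiguration; the wrapper and helper it builds in a temp directory are constructed stand-ins for Backup.pl and /etc/copy.sh.

```shell
#!/bin/sh
# Added example, not from the writeup: flag helper scripts that a root-run
# wrapper calls but that group or other users are allowed to modify.

# Print every absolute path mentioned in $1 that is a regular file and has the
# group-write or other-write bit set (someone besides the owner can change it).
find_writable_helpers() {
    wrapper="$1"
    # Pull absolute paths such as /etc/copy.sh out of the wrapper's text.
    grep -oE '(/[A-Za-z0-9._-]+)+' "$wrapper" | sort -u | while read -r p; do
        [ -f "$p" ] || continue
        # ls -l mode string: char 6 is group write, char 9 is other write.
        mode=$(ls -ld "$p" | cut -c1-10)
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "$p"
        fi
    done
}

# Return 0 when the wrapper calls no writable helper, 1 otherwise.
audit_wrapper() {
    [ -z "$(find_writable_helpers "$1")" ]
}

# Constructed replica of the room's setup, built in a temp dir.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "backing up"\n' > "$demo_dir/copy.sh"
printf '#!/usr/bin/perl\nsystem("%s/copy.sh");\n' "$demo_dir" > "$demo_dir/backup.pl"

chmod 777 "$demo_dir/copy.sh"     # world-writable, as /etc/copy.sh was on the target
find_writable_helpers "$demo_dir/backup.pl"   # reports the copy.sh path

chmod 755 "$demo_dir/copy.sh"     # the fix: only the owner may write it
audit_wrapper "$demo_dir/backup.pl" && echo "ok: no writable helpers"
rm -rf "$demo_dir"
```

Pointing find_writable_helpers at any script listed in sudoers or cron gives a quick read on whether a lower-privileged user could hijack it.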

Written by Omer Gunesacar

EE Engineer interested in Cyber Security.
