This is my write-up of the “Lazy Admin” challenge provided by THM. It is a fantastic challenge for newcomers to apply their newly gained skills against, whilst reinforcing to more experienced users how easy it is to overlook the more obvious vulnerabilities.
We are told to simply “have some fun! There might be multiple ways to get user access”
I have only had the opportunity to explore one method, but if I get the chance, I’ll certainly revisit the room and have another prod.
Tasks / Flags:
- What is the value of the user flag?
- What is the value of the root flag?
Enumeration of Host
After launching the instance on the THM platform, I will be running ye ol’ Nmap scan for service discovery and potential attack vectors.
nmap -sV 10.x.x.x
We discover the following services:
- OpenSSH 7.2 on port 22/tcp
- Apache HTTP 2.4.18 on port 80/tcp
Nmap was only able to fingerprint the operating system as “Ubuntu”.
The rest of this post pursues access via the web application; on second thought, a quicker route might have been to target SSH. I will revisit this later.
The Web Service
As we are only presented with Apache’s default post-install page, there must be more to this than meets the eye. It does, however, confirm that the service is running on an Ubuntu distribution, which may be useful for privilege escalation later.
Let’s enumerate pages to discover any additional directories, using the common DirBuster wordlist:
Let’s keep the thread count low so as not to flood the THM network. We’re in no real rush here, and I don’t expect the application to be huge.
After a couple of minutes, we get a few directories that indicate some content. Let’s navigate!
Cool! I notice it’s a SweetRice “CMS”, akin to WordPress etc. Are there any known exploits for it?
There is! Namely:
- Arbitrary File Upload/Download
- Backup Disclosure
We’ll navigate to the directory path, noting that everything sits under the “/content/” directory.
Sweet! Let’s download it and import it into an SQL browser.
There’s a syntax error, so let’s inspect the file. It turns out to be a PHP file that wraps the database contents rather than a plain SQL dump, hence the failure to import.
There are admin credentials in here that are easy to find, but I won’t disclose them.
As we recall, there is an arbitrary file upload, so let’s figure out where we can upload a file such as a shell.
Let’s find out things like:
- Where we are
- What permissions we have and where
- What can we execute?
We notice a script in /home/itguy that calls /etc/copy.sh.
Let’s cat the script and replace the IP address in it with our own.
Let’s set up a netcat listener for the shell:
nc -lvnp 4000
Confirming escalation to root. From there the flags are easy to find; think:
- Where are root user files stored on a Unix system?
- How/where did we discover the /etc/copy.sh script?
Key takeaways:
- The challenge uses an arbitrary file upload through which a shell can be spawned
- It highlights the importance of setting correct user permissions (www-data had sudo permissions!!)
- A legitimate script, e.g. a backup script, can be modified to call back to the attacker’s machine
It was good fun :) Cheers THM for providing such a fantastic platform, as well as the creator (who unfortunately isn’t specified, so I’d assume it’s the core developers in this instance) for the challenge.
As always, So long and thanks for the fish!