THM – Lazy Admin Writeup

Preface

This is my write-up of the "Lazy Admin" challenge provided by THM, which is a fantastic challenge for newcomers to apply their newly gained skills against, whilst reinforcing to more experienced users how easy it is to overlook the more obvious vulnerabilities.

Room Cover

Introduction

We are told to simply "have some fun! There might be multiple ways to get user access".

I have only had the opportunity to explore one method, but if I get the chance, I'll certainly revisit the room and have another prod.

Tasks / Flags:

  • What is the value of the user flag?
  • What is the value of the root flag?

Enumeration of Host

After launching the instance on the THM platform, I will be running ye ol' Nmap scan for service discovery and potential attack vectors.

nmap -sV 10.x.x.x

We discover the following services:

  • OpenSSH 7.2 on port 22/tcp
  • Apache HTTP 2.4.18 on port 80/tcp

Nmap was only able to fingerprint the operating system as "Ubuntu".

The following post pursues gaining access to the system via the web application; on second thought, however, a quicker way could have been through targeting SSH. I will revisit this later.

The Web Service

Apache Landing Page

As we are only presented with the post-install HTML page of Apache, there must be more to this than meets the eye. It does, however, confirm that the service is running on an Ubuntu distribution, which may be useful for privilege escalation later.

Dirbuster

Let's enumerate pages to discover any additional directories using the common Dirbuster wordlist:

Enumerating Directories via Dirbuster

Let's keep the thread count low so as not to flood the THM network. We're in no real rush here, and I don't expect the application to be huge.

After a couple of minutes, we get a few directories that indicate some content. Let's navigate!

Dirbuster Results

SweetRice CMS Landing

Cool! I notice it's SweetRice, a CMS akin to WordPress and the like. Are there any known exploits for it?

Searchsploit Sweetrice

There is! Namely:

  • Arbitrary File Upload/Download
  • Backup Disclosure
  • CSRF

Let's investigate...

MySQL Backup Disclosure Vulnerability

We'll navigate to the directory path, noting that everything is behind the "/content/" directory.

Mysql Backup Directory

Sweet! Let's download it and import it into an SQL browser.

SQL Browser Syntax Error

There's a syntax error, so let's inspect the file. It turns out to be a PHP script that merely abstracts the database, hence the failure to import earlier.

PHP Syntaxed File

There are admin credentials in here that are easy to find, but I won't disclose them here.

Sweetrice Login

As we recall, there is a possibility of uploading/downloading arbitrary code, so let's figure out where we can upload a file such as a shell.

Attempting Execution

Successful Exploit

Let's find out things like:

  • Where we are
  • What permissions we have and where
  • What can we execute?

Printing working directory

Printing User Home Directory

We notice a script in /home/itguy that calls a backup script, /etc/copy.sh.

Let's cat the script and replace the IP address in it with our own.

Replacing Backup Script

Let's set up a netcat listener for the shell:

nc -lvnp 4000

Local Netcat Listener

Confirming escalation to root. From there the flags are easy to find; think:

  • Where are root user files stored on a Unix system?
  • How/where did we discover the /etc/copy.sh script?

Reflection

  • The challenge uses an arbitrary file upload through which shells can be spawned.
  • It highlights the importance of setting correct user permissions (www-data had sudo permissions!!).
  • It shows how legitimate scripts, e.g. backup scripts, can be modified to redirect their output to the attacker's machine.
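The weakness that makes the escalation in this room possible (www-data allowed to run, via sudo, a backup script it can also overwrite) is straightforward to audit on a host you administer. The following is an added example and not part of the original write-up: a POSIX shell audit of NOPASSWD sudoers targets, run against a constructed sudoers line and a temporary stand-in for copy.sh; the box's real /etc/copy.sh contents and sudoers entry are not reproduced here.

```shell
# Added defensive example (not from the original write-up): audit sudoers
# NOPASSWD entries for the weakness this room turns on, a script that a
# low-privilege account may run as root but can also overwrite. The sudoers
# line and copy.sh stand-in in demo() are constructed for the demonstration.

# Print WRITABLE if group or world may write to $1, OK otherwise.
# ls -L follows symlinks (otherwise every symlink shows as lrwxrwxrwx).
writable_by_others() {
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c1-10) || return 2
    case "$perms" in
        ?????w*|????????w*) echo WRITABLE ;;
        *) echo OK ;;
    esac
}

# List every absolute path on NOPASSWD lines of sudoers file $1: the command
# itself and any script handed to an interpreter (paths with spaces not handled).
sudo_nopasswd_paths() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' \
        | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ', ' '\n\n' | grep '^/' | sort -u
}

# Print one line per target; return 1 if any target is writable by others
# or does not exist (a missing target can be created by whoever owns its dir).
audit_sudoers() {
    rc=0
    for p in $(sudo_nopasswd_paths "$1"); do
        if [ -e "$p" ]; then
            st=$(writable_by_others "$p")
        else
            st=MISSING
        fi
        echo "$st $p"
        [ "$st" = OK ] || rc=1
    done
    return $rc
}

# Demo: a world-writable backup script named on a NOPASSWD line, then the fix.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$d/copy.sh"
    chmod 777 "$d/copy.sh"                       # the misconfiguration
    printf 'www-data ALL=(ALL) NOPASSWD: /bin/sh %s/copy.sh\n' "$d" > "$d/sudoers"
    audit_sudoers "$d/sudoers" || echo "finding: restrict with chmod go-w (and chown root)"
    chmod go-w "$d/copy.sh"                      # the remediation
    audit_sudoers "$d/sudoers" && echo "clean after hardening"
    rm -rf "$d"
}
demo
```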

It was good fun 🙂 Cheers THM for providing such a fantastic platform, as well as the creator (who unfortunately isn't specified, so I'd assume it's the core developers in this instance) for the challenge.

As always, So long and thanks for the fish!