LazyAdmin
Reconnaissance
Initial nmap scan to find open ports, using the flag "treat all hosts as alive" (-Pn).
Detailed Nmap scan:
Command breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 22,80
(-oN nmap): Saving the output to a file called nmap
Enumeration
Let's go visit the website.
It's an Apache2 default page, and the source code gives us nothing. Let's use a tool called "gobuster" to find hidden directories.
We found a directory called /content, so let's go visit it.
Looks like the website is running on software called SweetRice, so let's search for exploits on searchsploit.
We find a few vulnerabilities. I'm going to try the Backup disclosure one first, as it might give us a lot of information about past usernames and passwords and more.
Let's copy the exploit to our directory and read it.
After reading through the exploit, it tells us to visit /inc/mysql_backup to find backup files.
Let's go visit that page.
We find a file, so let's download it. Once downloaded, let's read it. Reading through it, we find a username and password.
We found a password, but it doesn't look like one, so I think we need to crack it to find the real password; that can be done using a site called CrackStation.
And we found the password.
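From the defender's side, the gobuster run and the read of the backup directory above both leave a clear trace in the Apache access log. The script below is an added example, not code from the original walkthrough or from SweetRice: it parses constructed sample log lines, flags a client that produces many 404s inside a short window (the directory brute-force pattern), and lists successful reads of the /inc/mysql_backup path the exploit points at. The sample IPs, timestamps, threshold and window size are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log written for this example (not from the walkthrough).
# 10.0.0.9 probes several non-existent directories within seconds and then
# fetches the SweetRice backup directory; 10.0.0.5 is an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /content/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "GET /images HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "GET /uploads HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /cgi-bin/ HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /content HTTP/1.1" 301 312 "-" "gobuster/3.1.0"
10.0.0.9 - - [10/Mar/2024:12:00:30 +0000] "GET /content/inc/mysql_backup/ HTTP/1.1" 200 1530 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:05:00 +0000] "GET /content/nothere HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Turn raw log lines into (ip, timestamp, path, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, m.group("path"), int(m.group("status"))))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: peak_404s} for clients whose 404 count inside any sliding
    window of window_seconds reaches threshold (the gobuster signature)."""
    per_ip = defaultdict(list)
    for ip, ts, _path, status in events:
        if status == 404:
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        window = deque()
        peak = 0
        for t in sorted(times):
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def find_backup_hits(events, markers=("/inc/mysql_backup",)):
    """Successful (200) requests that touch the backup directory."""
    return [(ip, path, status) for ip, _ts, path, status in events
            if status == 200 and any(mk in path for mk in markers)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("possible directory brute force:", find_bruteforce(evts))
    print("backup directory reads:", find_backup_hits(evts))
```

A single 200 on the backup path is the higher-value alert of the two: the brute force only tells you someone is looking, while the backup read means the database dump (and the credential hash inside it) has already left the server.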
Now we need to find a login page to log in with these credentials, so let's run gobuster on the /content/ directory to find hidden directories.
Visiting the /as directory, we find the login page.
Let's log in with the credentials we found.
Username: manager
Password: Password123
And we are logged in!
Looking through the website, we can see multiple upload pages, but the Media Center page looks interesting, as it shows which file types we can upload.
But first we need to find a vulnerability, so let's go to searchsploit again and search for vulnerabilities.
We can see that there is a vulnerability called Arbitrary File Upload. Let's use that; first we need to copy it to our directory.
Reading through the exploit, it looks like we can upload a shell.php5 file containing a reverse shell and get a reverse shell.
We can get a reverse shell from pentestmonkey. Copy the reverse shell to your machine, change the IP to your IP and the port to 1234 in the exploit, and rename the file to shell.php5.
Once the file is uploaded, start a Netcat listener.
Now click the file on the website and you get a reverse shell.
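The upload works because the Media Center accepts a name ending in .php5, an extension the PHP handler still executes. As an added example, not code from the walkthrough or from SweetRice, here is an upload-name check of the kind a fixed application would apply: an allowlist of extensions, rejection of executable extensions anywhere in the name (so a double extension such as shell.php5.jpg fails too), no path components or dotfiles, and a server-chosen stored name so the client never controls the path on disk. The extension sets and the stored-name format are assumptions.

```python
import re
import secrets

# Extensions a typical Apache/PHP setup will execute. This set only drives a
# clear rejection message; the allowlist below is the actual control.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload_name(filename):
    """Return (accepted, reason, stored_name).

    Rejects path components, server-executable extensions anywhere in the
    name, dotfiles such as .htaccess, and any extension outside the
    allowlist. Accepted files get a random server-chosen name."""
    name = filename.replace("\\", "/")
    if "/" in name or name in ("", ".", ".."):
        return False, "path components are not allowed", None
    parts = name.lower().split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return False, "name must be stem.extension with no empty parts", None
    stem, exts = parts[0], parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "server-executable extension", None
    if len(exts) != 1 or exts[0] not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist", None
    if not STEM_RE.match(stem):
        return False, "stem contains disallowed characters", None
    # Never reuse the client-supplied stem: a random name removes any chance
    # of the attacker predicting or choosing the final URL of the file.
    return True, "ok", f"{secrets.token_hex(8)}.{exts[0]}"


if __name__ == "__main__":
    for candidate in ("photo.jpg", "shell.php5", "shell.php5.jpg", "../x.jpg", ".htaccess"):
        print(candidate, "->", validate_upload_name(candidate))
```

Checking the name is only the first layer; the upload directory should also be served with script execution disabled, so that a file which slips through is returned as data rather than run.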
Now you can read the user.txt file in /home/itguy, which is the answer to the first question.
Privilege Escalation
In the home directory of itguy, we can also see a file called backup.pl, so let's see what it does.
It looks like it runs a file called copy.sh. So what if we add a reverse shell to that file and start a listener? We would get a reverse shell as root, since the file is owned by root.
Let's echo our reverse shell, with our IP and port, into this file; we can find the reverse shell on pentestmonkey.
After that we need to run the file, but first we need to check what we can run as root. We can find that out with the command sudo -l.
Looks like we can run the file. So let's run it, but before that we need to start a reverse shell listener.
Once we run the command, we get a reverse shell.
Now you can get the root flag in /root and answer the last question of this room.
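The root shell comes from a root-owned script that is allowed through sudo and in turn runs a file other users can edit. The audit below is an added example, not code from the walkthrough: it is the check an administrator would run against each entry in sudo -l output, flagging the sudo target and every absolute path it references that is group- or world-writable. The fixture it builds (a backup.pl wrapper calling copy.sh inside a temporary directory) is constructed for the demonstration with placeholder contents, not the room's real files.

```python
import os
import re
import stat
import tempfile

# Absolute paths that appear inside a script body (system("..."), exec, plain commands).
PATH_RE = re.compile(r'(?<![\w./-])(/[\w./-]+)')


def writable_by_others(path):
    """True if group or world may write to path, i.e. someone other than the
    owner can change what root will execute."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_sudo_target(script_path):
    """Findings for one sudo-allowed script: the script itself and every
    absolute path it references are checked for group/world write permission."""
    findings = []
    if writable_by_others(script_path):
        findings.append((script_path, "sudo target is writable by non-owners"))
    with open(script_path, errors="replace") as fh:
        body = fh.read()
    for ref in sorted(set(PATH_RE.findall(body))):
        if os.path.isfile(ref) and writable_by_others(ref):
            findings.append((ref, "referenced file is writable by non-owners"))
    return findings


def build_fixture(world_writable=True):
    """Constructed fixture: a Perl wrapper that hands off to a separate shell
    script. With world_writable=True the helper gets mode 0777, reproducing
    the misconfiguration; with False it is locked down to 0755."""
    d = tempfile.mkdtemp()
    helper = os.path.join(d, "copy.sh")
    wrapper = os.path.join(d, "backup.pl")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\n# placeholder backup step, not the room's real script\necho backup done\n")
    with open(wrapper, "w") as fh:
        fh.write(f'#!/usr/bin/perl\nsystem("/bin/sh", "{helper}");\n')
    os.chmod(wrapper, 0o755)
    os.chmod(helper, 0o777 if world_writable else 0o755)
    return wrapper, helper


if __name__ == "__main__":
    wrapper, helper = build_fixture()
    for path, reason in audit_sudo_target(wrapper):
        print(f"{path}: {reason}")
```

Run it over every command listed by sudo -l for the affected account; a clean result means that nothing root will execute on that path can be altered by the low-privilege user, which is the condition the walkthrough's escalation depends on breaking.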