Published: Mar 3, 2022 by Wesley Kent
TryHackMe - Lazy Admin
This CTF has two flags to find, so let's get into it with the most basic nmap scan available (honestly no idea why I didn't include the -sC -sV flags here, I must've been tired):
Since this is running an open port 80 and we can open it in a browser, let’s try to enumerate some more directories and pages:
There we discover the /content folder, which we can also run against our wordlist:
This gives us a number of paths that we can investigate, and after a lot of searching I discovered a couple of interesting things, the most obvious being a login form at /as:
Now, knowing this CTF is titled "Lazy Admin", I am going to assume that this admin is using poor or default usernames/passwords. As such, I looked at the GET request through Burp Suite for the username/password input names and attempted to brute force a password for 'admin' and other similar usernames with hydra. Unfortunately, since I was just guessing the username, nothing came of it, but it was worth a try since I was just letting it run in the background.
Moving on, in the /inc subfolder we do find an old MySQL backup file, which is always a good find. Inside it we find some useful text, including a username and what appears to be a hashed password.
Now that we have found some kind of hashed password (in the above screenshot), we can try to crack it with John after identifying the hash type:
Now that we have the hash type, let's run John against it:
And we supposedly have a working user/pass, and trying to log into the /as portal works. Also, from the backup SQL file I now know that the username is actually 'manager', not the 'admin' I had previously guessed. Still a "Lazy Admin" choice, however. Moving on, here is what we are greeted with after logging in:
Now, after navigating around a bit, there is a place where we can add an "ad", which for me really meant I can just upload some custom code which may or may not accidentally start some kind of reverse shell. By accident, of course.
Again, a site that will prove very useful in these kinds of situations is pentestmonkey. After a quick ad upload test, we see the ad runs as a .php file, so let's search pentestmonkey for a shell that will work as one. The first option on there seems good enough, so let's modify the script to point at our machine and set up a netcat listener.
From there, navigate to the site or curl the URL, whatever you want and our netcat listener should start a shell:
It is simple enough to find the user flag, no different than any other box on THM. Now we do not have root access, but there is a way to get it, found with a quick sudo -l check:
We cannot edit this perl script directly, but we see that it runs a bash script, which we can check out. The "copy" script starts its own shell, so all we have to do is edit in our own address and another port, with another listener waiting, to start a root shell for ourselves this time:
Once that happens, we’ll get a root shell in our other window and can easily get the root flag from there:
And that is all for this box. Cheers,
Wes