TryHackMe: LazyAdmin
Walk-Through
Intro
Hello everyone!! This time I’ll tell you how to solve LazyAdmin from TryHackMe. So without further ado, let’s exploit.

Initials
nmap -sC -sV $IP
The nmap scan found port 80 open. Upon visiting the site:

Running a directory search with gobuster, we found /content/inc.

Downloaded the file and got the password hash:

Cracked the hash with hashcat, using rockyou.txt as the wordlist, and got the password.

We found the login panel at /content/as, logged in as admin and got the CMS admin dashboard.
Exploit:
After logging in, we found there was a section in which we can add our code.

Added the PHP reverse shell code and set the file name to reverse.php.
We can access the code at /content/inc/ads.

Start the listener and run the reverse shell to get the shell.

Now time for root :D
There was a rabbit hole: a file containing the MySQL credentials. Aside from that rabbit hole, we found that the user can run one command with root permission.

Checking the backup.pl file

It was running one bash script. Checked the shell script:

It contains reverse shell code, and that user has write permission to that file.

Changed the contents of the file

So what will this line do?
It copies the local /bin/bash file to /tmp and sets the SUID permission on the copy, so that we can run the /tmp/bash file as root.
Run the command to get the SUID permission and then execute the bash file to get root.
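
Seen from the defender's side, the root step works because a script chain that sudo runs as root ends in a file a non-root user can write. The audit below is an added example, not part of the original walkthrough: it checks a sudo-invoked script and the scripts it references for that condition. TRUSTED_UID, the job.sh name and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit a script that sudo runs as
# root, and the scripts it references, for files a non-root user can modify.
# TRUSTED_UID is an assumption of this sketch: the only UID allowed to own them.
TRUSTED_UID="${TRUSTED_UID:-0}"

# is_unsafe FILE: succeeds if FILE is group- or world-writable, or is not
# owned by TRUSTED_UID, so someone other than root controls what root runs.
is_unsafe() {
    [ -n "$(find -L "$1" -prune \( -perm -0002 -o -perm -0020 \
        -o ! -user "$TRUSTED_UID" \) -print 2>/dev/null)" ]
}

# referenced_files FILE: absolute paths mentioned in FILE that exist as regular
# files. Heuristic text match only; it does not parse Perl or shell syntax.
referenced_files() {
    grep -oE '/[A-Za-z0-9_./-]+' "$1" 2>/dev/null | sort -u |
    while read -r p; do
        if [ -f "$p" ] && [ "$p" != "$1" ]; then printf '%s\n' "$p"; fi
    done
}

# audit_chain FILE [DEPTH]: print "UNSAFE <path>" for each unsafe file in the
# chain, following references DEPTH levels deep (default 3).
audit_chain() {
    if is_unsafe "$1"; then printf 'UNSAFE %s\n' "$1"; fi
    [ "${2:-3}" -gt 0 ] || return 0
    referenced_files "$1" | while read -r child; do
        audit_chain "$child" $(( ${2:-3} - 1 ))
    done
}

# make_sample DIR: constructed stand-in for the chain in the walkthrough, a
# Perl wrapper (backup.pl) that runs a world-writable shell script (job.sh).
make_sample() {
    printf 'system("sh", "%s/job.sh");\n' "$1" > "$1/backup.pl"
    printf 'echo nightly job\n' > "$1/job.sh"
    chmod 644 "$1/backup.pl"
    chmod 666 "$1/job.sh"
}

# Usage: sh audit.sh /path/to/script-named-in-sudoers
if [ $# -gt 0 ]; then audit_chain "$1"; fi
```

Any path it reports should be owned by root with mode 755 or stricter; otherwise the sudo rule effectively grants root to whoever can edit that file.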

Outro
With this we completed this room; we’ll meet in the next room. Till then, Happy Hacking o7