TryHackMe write-up: LazyAdmin

Introduction

This is my write-up for TryHackMe's LazyAdmin room.

Enumeration

Using nmap, we see that SSH and HTTP ports are open.


Let's check the website:



This is just the default page, so we need to dig deeper. For this, we use dirb.


Looking at the /content/ directory, we find SweetRice CMS.



Checking Searchsploit, we find a number of available exploits for SweetRice.


Let's look at the Backup Disclosure vulnerability:


We can see that the mysql_backup file can be downloaded.



Looking at its contents, we find the admin password hash.
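The backup disclosure above is a hosting mistake before it is a CMS bug: a database dump was left inside the web root where anything with a URL can fetch it. The script below is an added example written for this write-up (not code from the room, SweetRice or any tool named here). It walks a web root, lists backup-like files and counts how many hex values shaped like common password hashes each one carries, which is the signal that a leaked dump is an offline-cracking target. The directory layout, file names and the placeholder hash in the demo are constructed for the example, not SweetRice's real file tree.

```python
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict

# Names that usually mean "backup or database dump" (constructed list; extend to taste).
BACKUP_NAME_RE = re.compile(
    r"(\.sql|\.sql\.gz|\.bak|\.old|\.orig|\.zip|\.tar\.gz|\.tgz|~)$|backup|dump|bak",
    re.IGNORECASE,
)

# Hex strings of the lengths common hash formats use (MD5 = 32, SHA-1 = 40, SHA-256 = 64).
HEX_HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)


def count_hash_like_values(path: Path) -> int:
    """Count hex values shaped like password hashes inside a text file.
    A dump that contains them is worth treating as a credential leak, not just a data leak."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return 0
    return len(HEX_HASH_RE.findall(text))


def find_exposed_backups(webroot: Path) -> Dict[str, dict]:
    """Return {relative path: details} for backup-like files under the web root.
    Anything listed here is fetchable over HTTP unless the server explicitly denies it."""
    findings: Dict[str, dict] = {}
    webroot = Path(webroot)
    for path in webroot.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(webroot).as_posix()
        if not BACKUP_NAME_RE.search(rel):
            continue
        mode = path.stat().st_mode
        findings[rel] = {
            "world_readable": bool(mode & stat.S_IROTH),
            "hash_like_values": count_hash_like_values(path),
        }
    return findings


def build_demo_webroot() -> Path:
    """Constructed web root for the demo: layout and contents are made up,
    not SweetRice's real file tree."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "css").mkdir()
    (root / "css" / "style.css").write_text("body { margin: 0 }\n")
    bak_dir = root / "backup"
    bak_dir.mkdir()
    dump = bak_dir / "mysql_backup-constructed.sql"
    # The 32-hex value is a placeholder built from a repeated string, not a real hash.
    dump.write_text(
        "INSERT INTO `options` VALUES (1,'admin','manager','"
        + "0123456789abcdef" * 2
        + "');\n"
    )
    dump.chmod(0o644)
    return root


if __name__ == "__main__":
    for rel, details in find_exposed_backups(build_demo_webroot()).items():
        print(rel, details)
```

Run it against a real document root as the web server's user to see what that user (and therefore any HTTP client) can reach. The fix for anything it reports is to move the backups outside the web root entirely; a deny rule in the web server configuration is only a second line of defence, because it is easy to lose on the next deployment.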


Exploitation

Using JohnTheRipper, we can crack the password.


So now we have admin credentials. We can log on to the site and use the vulnerability described in Cross-Site Request Forgery / PHP Code Execution (40700.html from the earlier Searchsploit query).


Using the above method, we can inject a PHP backdoor using the php-reverse-shell from pentestmonkey. We run netcat as a listener on our attacking machine and get a shell!


Privilege Escalation

Running sudo -l, we see that the user can run the Perl script backup.pl.


We see that backup.pl is readable but not writable, and that it calls the script /etc/copy.sh.

Checking pentestmonkey's reverse shell cheat sheet, we can modify copy.sh so that it calls netcat instead.

Running backup.pl with sudo then gives us a reverse shell!
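The privilege-escalation chain above is a configuration defect that an administrator can check for before anyone else does: a script that sudo is allowed to run is locked down, but it executes a second script that any local user may edit. The following audit script is an added example written for this write-up, not part of the room or of any tool named above. It follows the absolute paths referenced from a sudo-permitted script (recursing through any that are themselves scripts), reports every file an untrusted user could modify, and then applies the fix of removing group/other write permission. The file layout, script contents and the trusted-uid set are constructed for the demo; in production only root should be trusted.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set

# Absolute paths referenced inside a script, e.g. the call to /etc/copy.sh that the
# write-up describes. Constructed regex; good enough for shell and Perl wrappers.
ABS_PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.-]+/)*[\w.-]+")

# In production only root should own files that sudo ends up executing. The demo
# below builds its sample tree unprivileged, so it also trusts the current user.
TRUSTED_FOR_DEMO: Set[int] = {0, os.getuid()}


def writable_by_untrusted(path: Path, trusted_uids: Set[int]) -> Optional[str]:
    """Return why a non-trusted user could modify `path`, or None if it looks safe."""
    st = path.stat()
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP:
        return "group-writable"
    if st.st_uid not in trusted_uids:
        return f"owned by untrusted uid {st.st_uid}"
    return None


def is_script(path: Path) -> bool:
    """Only shebang files are parsed for further references; binaries such as
    the Perl interpreter are permission-checked but not read as text."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def audit_sudo_script(script: Path, trusted_uids: Set[int]) -> Dict[str, str]:
    """Check `script` and, recursively, every existing absolute path it references.
    Returns {path: reason} for each file an untrusted user could edit, which is
    exactly the backup.pl -> /etc/copy.sh weakness the write-up exploits."""
    findings: Dict[str, str] = {}
    seen: Set[Path] = set()

    def visit(path: Path) -> None:
        if path in seen or not path.is_file():
            return
        seen.add(path)
        reason = writable_by_untrusted(path, trusted_uids)
        if reason:
            findings[str(path)] = reason
        if not is_script(path):
            return
        for ref in ABS_PATH_RE.findall(path.read_text(errors="ignore")):
            visit(Path(ref))

    visit(script)
    return findings


def strip_group_other_write(path: Path) -> int:
    """The fix: drop group/other write bits and return the resulting mode."""
    mode = stat.S_IMODE(path.stat().st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH)
    path.chmod(mode)
    return mode


def build_demo() -> tuple:
    """Constructed stand-in for the room's backup.pl / copy.sh pair; paths and
    contents are made up for this example."""
    root = Path(tempfile.mkdtemp(prefix="sudo-audit-"))
    copy_sh = root / "etc" / "copy.sh"
    copy_sh.parent.mkdir()
    copy_sh.write_text("#!/bin/sh\n# constructed stand-in for the helper script\necho copying\n")
    copy_sh.chmod(0o777)  # the misconfiguration: any local user may rewrite it
    backup_pl = root / "backup.pl"
    backup_pl.write_text(f'#!/usr/bin/perl\nsystem("{copy_sh}");\n')
    backup_pl.chmod(0o755)  # locked down, like the real backup.pl in the room
    return backup_pl, copy_sh


if __name__ == "__main__":
    backup_pl, copy_sh = build_demo()
    print("before fix:", audit_sudo_script(backup_pl, TRUSTED_FOR_DEMO))
    strip_group_other_write(copy_sh)
    print("after fix: ", audit_sudo_script(backup_pl, TRUSTED_FOR_DEMO))
```

Point it at each command listed by `sudo -l` for a real account, with `{0}` as the trusted set. Fixing the permissions is the immediate step; the longer-term one is that a script sudo runs as root should not dispatch to anything outside root-owned, non-writable directories at all.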





