My TryHackMe Writeups

Writing up my solutions to THM exercises here, along with my thoughts on how to solve them


Project maintained by NaystyX Hosted on GitHub Pages — Theme by mattgraham

LazyAdmin

https://tryhackme.com/room/lazyadmin

Tasks

Running nmap showed me that there are 2 ports open, so I went to visit the HTTP site.


On the HTTP site I found the Apache2 Ubuntu default page, so I decided to run gobuster to find other directories.


Running gobuster on /content/ I found a login page on /as/


I decided to check Exploit Database for SweetRice and found multiple exploits.


I read the first one, the backup disclosure.


After trying multiple URLs I got http://10.10.80.159/content/inc/mysql_backup/ working and found an SQL file.


Viewing the file I found 42f749ade7f9e195bf475f37a44cafcb and, using hash identifier, identified it as an MD5 hash.


Running hashcat on it, I got it cracked with rockyou.txt. Now I just need the login, which is in the same SQL file as password manager.

After looking around for a while I found that I could upload a file in the Media Center so I decided to send a php-reverse-shell.php there

At first I couldn't send the .php file, so I used a trick I had used before and renamed it to .php5.


As I have done before I ran python -c 'import pty; pty.spawn("/bin/bash")' to give me more access to commands

After going to /home/itguy/ I found the user flag, now I need root access.

Doing sudo -l I saw I can run /usr/bin/perl /home/itguy/backup.pl without password


Looking at the file I could run, I noticed it ran another file, copy.sh, which had a reverse shell, so I changed the reverse shell to my IP so I could get root access.

After running the file I got access and was now root. After that I found the root flag.
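
The root path above worked because a script reached through a passwordless sudo rule could be edited by an unprivileged user. As an added example (not part of the original writeup), this Python check flags files in such a chain that a non-root account can modify or replace; the function names and the temporary sample layout are constructed, and in the demo the current user stands in for root.

```python
import os
import stat
import tempfile


def write_risks(path, trusted_uids=frozenset({0})):
    """Return reasons why `path` could be changed by an untrusted account."""
    risks = []
    # Check the file, then its directory: write access to the directory is
    # enough to replace a file that the user cannot edit in place.
    for target in (path, os.path.dirname(os.path.abspath(path))):
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            risks.append(f"{target}: owned by untrusted uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP:
            risks.append(f"{target}: group-writable")
        if st.st_mode & stat.S_IWOTH:
            risks.append(f"{target}: world-writable")
    return risks


def audit_sudo_chain(files, trusted_uids=frozenset({0})):
    """Audit a sudo-allowed script plus every script it calls.

    Returns {path: [risks]} containing only the files that have risks.
    """
    report = {}
    for path in files:
        risks = write_risks(path, trusted_uids)
        if risks:
            report[path] = risks
    return report


def demo():
    """Constructed layout: a tight wrapper script calling a 0777 helper."""
    trusted = frozenset({os.getuid()})  # assumption: current user stands in for root
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    wrapper = os.path.join(base, "backup.pl")
    helper = os.path.join(base, "copy.sh")
    for path, mode in ((wrapper, 0o644), (helper, 0o777)):
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)
    return wrapper, helper, audit_sudo_chain([wrapper, helper], trusted)


if __name__ == "__main__":
    for path, risks in demo()[2].items():
        print(path, risks)
```

On a real host, run it as root with the default trusted_uids and pass the script named in the sudoers entry together with every file that script executes.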

Conclusion

This was an interesting one. I got to use previously known knowledge and also had to learn new things like the SweetRice exploit. Also good training for reverse shells.