VulnHub’s LazySysAdmin: A Walkthrough
Today, we will be attempting to make our way through the ‘LazySysAdmin’ box available on VulnHub. The credit for creating this box goes to Togie Mcdogie. Thanks mate for creating such a great box. I enjoyed pwning it.
You can download the machine’s zip file from here: https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip
Booting up our attacking machine and the victim machine, we try to obtain the victim’s IP using the ‘netdiscover’ command on our terminal.
Running a SYN scan over the IP, we get:
Probing first into the HTTP port, we find
I couldn’t find anything interesting after downloading the images from the website and running an exiftool analysis over them. Clicking on links didn’t help.
Let’s try to find directories linked to the website, using DirBuster.
Let’s see what it pulled up.
We probe each directory path that is given in the result, on the browser
What we got from the wordpress directory path was this:-
‘togie’ might well be a username, either for SSH or for the phpMyAdmin login.
Viewing the other directory paths seemed to lead to a dead end.
We are back to square one, having attained no significant information, bar the username.
From the nmap scan report, we see netbios-ssn service on port 139 is open.
I learnt that this port, accessed with the ‘smbclient’ tool, uses a login mechanism similar to FTP and lets us view files and directories that are possibly hidden within it.
Command for smbclient: smbclient -L <IP>
I used a common password, ‘root’, to enter. No brute forcing really!!
We get the following directories:-
Let’s enter the share$ directory.
Upon ‘ls’ing, we get:-
It is advisable to first download these directories and files before probing them.
How do we download it?
I did download robots, deets and todolist .txt files, along with the wordpress directory. We then exit the smbclient prompt to view our downloaded files.
Nothing interesting yet. We will try to use the possible credentials later.
Delving into /wordpress, I found this in wp-config.php.
These might be the phpMyAdmin credentials. Let’s try them.
Yes, we are in.
From here, we have 2 approaches to gain entry into the box.
----------
Method 1: Upload an exploit for phpMyAdmin from msfconsole and attempt to gain a shell on the victim’s machine.
Enter msfconsole from our terminal. We then search the exploit library for a WordPress exploit targeting wp-admin. We use a WordPress exploit since the website is built with it.
We set the target URI (not URL) for exploitation, the credentials for gaining entry into phpMyAdmin, and the victim’s machine as RHOSTS.
Upon running the exploit, we get a ‘meterpreter’ prompt. We need to escalate our privileges. Before that, we run the ‘shell’ command.
Now to escalate privileges, we perform:
Command: python -c 'import pty;pty.spawn("/bin/bash")'
We get the machine’s prompt. Now we try to hunt around for togie’s password. I couldn’t find anything by poking around. Also, /root was not accessible.
Let’s try common password combinations for logging in as togie.
I tried out variants of togie’s pMA password and finally this worked out.
We perform ‘sudo su’ to login as root and access /root.
We find a file named ‘proof.txt’. This might be it!
----------
Method 2: Brute force the SSH login using the hydra tool and togie as the username.
We can take this route too, since the SSH port is open on the victim machine.
We employ rockyou.txt as the wordlist for the possible password.
Command: hydra -l togie -P /usr/share/wordlists/rockyou.txt ssh://<IP>
(hydra’s -l takes a single login name; -L expects a file of usernames.)
We get our credentials to log in via SSH.
You can follow the steps given in Method 1 for escalating privileges and finding the CTF file.
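The brute force in Method 2 leaves a loud trace on the target, in /var/log/auth.log: a burst of ‘Failed password’ lines for one user from one address, followed by an ‘Accepted password’. As an added example (not part of the original walkthrough), here is a small Python detector for that pattern run over constructed sample log lines; the hostname, PIDs and 192.168.56.x addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed auth.log lines in OpenSSH's format; hostname, PIDs and addresses are made up.
SAMPLE_AUTH_LOG = """\
Dec  5 10:00:01 lazysysadmin sshd[2101]: Failed password for togie from 192.168.56.101 port 41230 ssh2
Dec  5 10:00:01 lazysysadmin sshd[2103]: Failed password for togie from 192.168.56.101 port 41231 ssh2
Dec  5 10:00:02 lazysysadmin sshd[2105]: Failed password for togie from 192.168.56.101 port 41232 ssh2
Dec  5 10:00:02 lazysysadmin sshd[2107]: Failed password for togie from 192.168.56.101 port 41233 ssh2
Dec  5 10:00:03 lazysysadmin sshd[2109]: Failed password for togie from 192.168.56.101 port 41234 ssh2
Dec  5 10:00:04 lazysysadmin sshd[2113]: Accepted password for togie from 192.168.56.101 port 41235 ssh2
Dec  5 10:30:00 lazysysadmin sshd[2300]: Failed password for togie from 192.168.56.50 port 50001 ssh2
Dec  5 10:30:09 lazysysadmin sshd[2302]: Accepted password for togie from 192.168.56.50 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2017):  # syslog-style lines carry no year, so one is assumed
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag (ip, user) pairs with >= threshold failures inside a sliding window;
    a success after such a burst is the signature of a wordlist attack that worked."""
    failures = defaultdict(list)
    alerts = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        key = (ip, user)
        if result == "Failed":
            # keep only failures still inside the window, then add this one
            recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[key] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(recent))
        elif key in alerts:
            alerts[key]["success_after"] = True
    return alerts
```

The single typo-then-login from 192.168.56.50 stays below the threshold and is not reported, while the wordlist burst from 192.168.56.101 is flagged with its successful login.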
----------
Well, you have it now!
This was surely a rollercoaster ride, with lots of new stuff that I learnt. Hopefully we (you and me) can use it in our future CTF box attempts.