VulnHub’s LazySysAdmin:A Walkthrough

Hello readers,

Today,we will be attempting to make our way through the ‘LazySysAdmin’ box available on Vulnhub.The credits for creating this box goes to Togie Mcdogie.Thanks mate for creating such a great box.I enjoyed pwning it.

You can download the machine’s zip file from here-https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip

RECONAISSANCE

Booting up our target machine and victim machine, we try to obtain the victim’s IP, using ‘netdiscover’ command, on our terminal

The Victim machine’s IP Address is underlined

Running a Syn scan over the IP, we get

ENUMERATION

Probing first into the HTTP port, we find

Hello Homer Simpson!

I couldn’t find anything interesting after downloading the images from the website and running exiftool analysis over it. Clicking on links didn’t help.

Let’s try to find directories linked to the website, using dirbuster

Command-dirb http://<IP>:80

Let’s see what it pulled up.

We probe each directory path that is given in the result, on the browser

Command:http://<IP>/Directory Path

What we got from the wordpress directory path was this:-

‘togie’ might probably be a username, either for the SSH or phpMyAdmin login.

Viewing the other directory paths seemed to reach a dead end

/javasscript/ path
/old/ path

We are back to square one, having attained no significant information, bar the username.

From the nmap scan report, we see netbios-ssn service on port 139 is open.

I learnt that this port, also known as ‘smbclient’ uses a login mechanism, similar to FTP and lets us view files and directories that are possibly hidden within it.

Command for smbclient-smbclient -L <IP>.

I used a common password ‘root’ to enter. No brute forcing really!!

We get the following directories:-

Let’s enter the share$ directory.

Command-smbclient ‘//<IP>/share$’

Upon ‘ls’ing we we get:-

It is advised to first download these directories and files, before probing them.

How do we download it?

I did download robots, deets and todolist .txt files, along with the wordpress directory. We then exit the smbclient prompt to view our downloaded files.

deets.txt
todolist.txt
robots.txt

Nothing interesting yet. We will try to use the possible credentials later.

Delving into /wordpress, I found this in wp-config.php.

This might possibly be the phpMyAdmin credentials. Let’s try it.

Yes, we are in.

GAINING ACCESS

From here, we have 2 approaches to gain entry into the box

— — — — — — — — — — — — — — — — — — — —— — — — — — — — — — — -

Method 1-Upload an exploit for phpMyAdmin, from Msfconsole and attempt to gain a shell on the victim’s machine

Enter msfconsole from our terminal. We then search for an exploit for wordpress, targeting the wp-admin, from the exploit library. We use an exploit for Wordpress, since the website is made from the same.

We enter the target uri (not url) for exploitation, credentials for gaining entry into phpMyAdmin and set the victim’s machine as the RHOSTS

Upon running the exploit, we get a ‘meterpreter’ prompt. We need to leverage our privileges. Before that, we run the ‘shell’ command.

MAINTAINING ACCESS

Now to escalate privileges, we perform:

Command-python -c ‘import pty;pty.spawn(“/bin/bash”)’

We get the machine’s prompt. Now try to hunt around for togie’s password. I couldn’t find anything, by poking around. Also /root was not accessible.

LEVERAGING PRIVILEGES

Let’s try possible common password combinations, for logging in as togie.

I tried out variants of togie’s pMA password and finally this worked out.

We perform ‘sudo su’ to login as root and access /root.

We find a file named ‘proof.txt’.This might be it!

Pwned!

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —-

Method 2-Brute force ssh login, using the hydra tool and togie as username.

We can take this method too, since SSH port is open, on the victim machine.

We employ rockyou.txt as the wordlist for the possible password.

Command-hydra -L togie -P /usr/share/wordlists/rockyou.txt ssh://<IP>

We get our credentials to login, via SSH

You can follow the steps given in Method 1,for leveraging privileges and finding the CTF file.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

REPORTING

Well,you have it now!

This was surely a rollercoaster ride, with lots of new stuff that I learnt. Hopefully we (you and me),can use it in our future CTF box attempts.

Writeup References:-

https://www.hackingarticles.in/hack-lazysysadmin-vm-ctf-challenge/

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store