Hack the Lazysysadmin VM (CTF Challenge)
Today we are solving the LazySysAdmin: 1 machine from VulnHub. The credit for making this VM machine goes to “Togie Mcdogie” and it is another boot2root challenge where we have to root the server and find the flag to complete the challenge. You can get this VM from https://www.vulnhub.com/entry/lazysysadmin-1,205/).
Difficulty Level: Beginner-Intermediate
Table of Content
- Open ports and Running services (Nmap)
- SMB share folder enumeration
- Credential harvesting
- Login into WordPress
- WordPress shell upload (Metasploit)
- Sudo rights
- Capture proof.txt
Let us start form getting to know the IP of VM and as you can see in the screenshot below it is 192.168.1.16.
Time to scan the Target’s IP with Nmap. And if you refer the screenshot, we found the host has Samba; it has MySQL. It even has InspIRCd along with the usual http and ssh services.
nmap -p- -sV 192.168.1.16
As we have port 139 and port 445 is open, so we use smbclient: smbclient is a client that can ‘talk’ to an SMB/CIFS server) to look for the shared disk. Its operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.
As you can observe with the help of smbclient we are able to view the shares of the machine. Moreover, we can use smbclient for sharing the file in the network. Here we are able to login successfully using anonymous login and now we can access the ‘share$’ drive.
In ‘share$’ we found WordPress folder as well as three txt files named deets.txt, robots.txt and todolist.txt.
smbclient -L 192.168.1.16 smbclient '\\192.168.1.16\share$' get deets.txt get todolist.txt
Looking into ‘deets.txt’ we get a password:12345. Great! But as of now, we are not sure this password could belong to a user or root.
cat deets.txt cat todolist.txt
Looking further into the ‘WordPress’ folder that we have found earlier, we found the wp-config.php file. Let’s download it.
cd wordpress\ get wp-config.php
In the wp-config.php file, we find the username and password for WordPress login.
Username: Admin Password: TogieMYSQL12345^^
Now as we already know the WordPress page for admin from the previous list of WordPress content. We access the admin dashboard using the username and password that we found in the wp-config.php file.
Now that I am successfully logged in, I can upload a payload packaged as a WordPress plugin. The module used here will generate a plugin, pack the payload into it and upload it to server.
use exploit/unix/webapp/wp_admin_shell_upload set rhosts 192.168.1.16 set targeturi /wordpress set username admin set password TogieMYSQL12345^^ exploit
Now as you can see as soon as our payload is executed, we get our meterpreter session. But to get a proper shell, we have used the python one-liner to spawn the TTY shell. Now let’s get to the /etc/passwd file.
So, what have we got inside this file here was an entry for user togie and if remembered we had a password:12345 which we have obtained from deet.txt.
After logging in as togie by using the password then I checked the sudo rights for him where I found togie has ALL permissions as of root user as you can see in the highlighted text below. Therefore, we try to access root shell by executing the command:
sudo -l su sudo
Hereby going inside the root directory and listing its content we found our flag in proof.txt.
Author: Nisha Yadav is trained in Certified Ethical hacking and Bug Bounty Hunter. She is currently working at Ignite Technologies as a Security Analyst. Connect with her here