Writeups

LazyAdminFinal - A THM Box

IP-ADDR:10.10.215.16

nmap scan here

  Active Service at port:
  22 => ssh
  80 => HTTP

gobuster scan at port 80:

  /content -> SweetRice Website Management System

Looked at exploit-db for a SweetRice exploit and found one which is here
Exploit didn’t work since there was no username and password.
Again looked at the sub-dirs at /content and found some useful sub-dirs such as /as/ and /inc/ and found a backup sql on /inc/.
cat out the backup sql file and found the password in md5 hash for manager which was Password123.
Cracked the password and used the script to get a RFI in the server which is a php reverse shell.
Used the php reverse shell to get into the server as www.
Got the user.txt file.
Had a look into the sudo -l and found that /usr/bin/perl could be executed as sudo without password of www-data and a perl script which run a backup present in /etc/backup.sh could be run as sudo.
cat out /etc/backup.sh and for some reasons it was already an reverse shell, just changed the ip address and port.
Run the perl script as sudo /usr/bin/perl <script.pl> and got a reverse shell back.
The reverse shell was as root and finally managed to pwn the machine and got as sudoer. And got the root.txt file.

~ Machine Completed ~