LazyAdmin is a Linux-based CTF from TryHackMe. This box features a poorly set up CMS, opportunities to execute code, and some privilege escalation. I very much enjoyed this box.
Task 1
1. What is the user flag?
Nmap Enumeration
After running nmap, we can see there are 2 open ports: 22, SSH 7.2p2; and 80, HTTP on Apache 2.4.18.
Browsing to site
Nothing revealed on homepage; just default Apache page.
No robots, and no sitemap.
Let's try further enumeration with GoBuster.
File/Directory enumeration
After the first GoBuster run, the directory /content is revealed, which contains a badly set up CMS, powered by Basic-CMS.org. The wordlist used is from seclists, which you can apt-get install. The same list is available by default on Kali under /usr/share/wordlists/dirbuster/directory....
On the second GoBuster run, the target URL had /content appended, which revealed more folders. These folders are not protected and allowed directory traversal.
Digging into the enumerated directories
Explored some of the directories from the second gobuster execution. Found http://10.10.221.127/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql. MySQL backups may contain credentials that are reused and exploitable against the SSH service open on port 22. Also downloaded a file, cache.db, that contained hex, and converted it to ASCII to see if it held any sensitive data.
The MySQL file contains a well hidden serialized javascript object, which contains a value next to 'passwd'. After deciphering the text, got more usable data, which also points towards the username.
The admin username looks like manager. The password looks like 42f749ade7f9e195bf475f37a44cafcb.
Let's see if we can ID and crack the hash. Using some software determined it's probably MD5, so testing with hashcat. The hash is cracked, let's try login.
Successful login
After successful login, turned the site 'on', as mentioned on the homepage. Hopefully this way we can return some malicious code, potentially a PHP reverse shell. Note there is also a MySQL execute option, which we can test afterwards if we can't execute malicious code.
Ads code
Found that "ads" can be added to the site. Let's test some rogue PHP script.
On saving, site generates some JS code. Navigating to the SRC of the script created returns:
Looks like PHP code is executed here, as the 1+1 was calculated. Let's test some other PHP; we can get a shell with this.
First listen on the attacker machine with nc -lvp 4444. Then inject the following PHP code for a reverse netcat shell. On navigating to the generated ad's src script, we achieve a shell, as the PHP executed.
We can then find the user flag in /home/itguy/user.txt.
2. What is the root flag?
We can also cat mysql_login.txt, which reveals some credentials for the MySQL server: rice:randompass
There is also a Perl script in /home/itguy called backup.pl, which has an interesting interaction with /etc/copy.sh. On running sudo -l we see it has root privileges.
And for some reason, /etc/copy.sh has a reverse shell running out of it??? Created a reverse shell in the /var/html/www/content directory where the user has shell access. Now to get /home/itguy/backup.pl to run the shell. We can't echo to backup.pl directly, so instead we can try to exploit the file it calls: /etc/copy.sh. Preferably removing the old reverse shell that's already in there…
We get a shell on our other netcat listener on 4442, giving us root.
As for the flag, we can get it from /root/root.txt.
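As an added example (not from the writeup or the box itself), here is a small shell audit for the misconfiguration this privesc relies on: a script that root runs via sudo calls a helper that any user can edit. It assumes helpers are invoked by absolute path, as backup.pl invokes /etc/copy.sh, and builds its own throwaway copy of that backup.pl/copy.sh chain in a temp directory rather than touching real files.

```shell
#!/bin/sh
# Added example: find dependencies of a sudo-run script that "other" can write to.
# Assumption: the script references its helpers by absolute path (like backup.pl
# calling /etc/copy.sh); anything else is out of scope for this check.

# Print every absolute path referenced in $1 that exists and is world-writable.
writable_deps() {
    script="$1"
    # pull /abs/paths out of the script text, one per line, de-duplicated
    grep -o '/[A-Za-z0-9_./-]*' "$script" | sort -u | while read -r dep; do
        [ -e "$dep" ] || continue
        # -prune checks the entry itself without descending into directories;
        # -perm -002 matches entries whose "other write" bit is set
        find "$dep" -prune -perm -002 -print 2>/dev/null
    done
}

# Return 0 when the audited script has at least one world-writable dependency.
has_writable_dep() {
    [ -n "$(writable_deps "$1")" ]
}

# Constructed lab data: mimic the backup.pl -> copy.sh chain in a temp directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/copy.sh" <<'EOF'
#!/bin/sh
echo "copying"
EOF
chmod 777 "$demo_dir/copy.sh"          # the weak setting: anyone can edit the helper
cat > "$demo_dir/backup.pl" <<EOF
#!/usr/bin/perl
system("$demo_dir/copy.sh");
EOF
chmod 755 "$demo_dir/backup.pl"        # the sudo target itself is not writable by others

# Summarise the audit result for the demo script: "VULNERABLE: <paths>" or "OK".
demo_result() {
    if has_writable_dep "$demo_dir/backup.pl"; then
        echo "VULNERABLE: $(writable_deps "$demo_dir/backup.pl" | tr '\n' ' ')"
    else
        echo "OK"
    fi
}
demo_result
```

The fix the audit points at is the usual one: helpers invoked from a sudo-permitted script must be owned by root and not writable by anyone else (chmod 755 on the demo copy.sh makes the check report OK).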