🤦♂️Lazy Admin
Throughout this writeup, I will reference the machine IP address as 10.10.10.10.
Enumeration
I started with a network scan using rustscan.
-a | Host/address
-- | Arguments following will be piped into Nmap
-sC | Default scripts
-sV | Version detection
With this, there are two open ports on the machine: 22 (SSH) and 80 (HTTP). I started by browsing to the webpage, but it was just the default Apache installation page. So I then ran feroxbuster to check for any other interesting directories on the server. The only directory found was /content/, with multiple subdirectories: /content/inc, /content/as, /content/attachments, etc. Browsing to http://10.10.10.10/content reveals the website is hosting SweetRice.
The next thing I did was look in the /content/inc directory, as that can often contain core components of the website, such as database logins if it is not set up properly. I found two interesting files: 1) latest.txt, which contained just “1.5.1”, which I assume is the SweetRice version, and 2) mysql_backups, which held a MySQL backup. First, I looked up SweetRice 1.5.1 vulnerabilities and found an Arbitrary File Upload. This exploit requires a username and password to use, so let’s find them.
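The enumeration above (directory brute-forcing with feroxbuster, then pulling a database backup from under /content/inc) leaves a recognisable trail in the web server's access log. The following Python is an added example and not part of the original writeup: it parses Apache combined-format log lines (constructed inside build_sample_log) and flags the two things a defender would want an alert on here, a client producing a burst of 404s and a successful response for anything under /content/inc/ or with a backup-like extension. The threshold, window, extension list and client addresses are assumptions; /content/inc/mysql_backups is the path named in the writeup.

```python
"""Added example: detect directory brute-forcing and exposed backup files
in Apache combined-format access logs.  All log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# /content/inc/ is the directory named in the writeup; the extension list is an
# assumption covering common dump/backup file names.
SENSITIVE_RE = re.compile(r"^/content/inc/|\.(sql|bak|zip|tar|gz)$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=20, window=timedelta(seconds=10)):
    """Return the set of client IPs with >= threshold 404s inside any sliding window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def detect_sensitive_access(lines):
    """Return (ip, path) pairs where a sensitive path was actually served (2xx)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and 200 <= rec["status"] < 300 and SENSITIVE_RE.search(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits


def build_sample_log():
    """Constructed log: one scanner burst, one ordinary visitor, one backup fetch."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_ms, path, status):
        ts = (t0 + timedelta(milliseconds=offset_ms)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'

    # 25 misses in under five seconds from one address (assumed scanner)
    lines = [entry("10.10.10.5", 200 * i, f"/wordlist-dir-{i}/", 404) for i in range(25)]
    # a normal visitor: a few page loads and one stray 404
    lines += [entry("10.10.10.6", 1000 * i, "/content/", 200) for i in range(3)]
    lines += [entry("10.10.10.6", 4000, "/favicon.ico", 404)]
    # the scanner then successfully fetches the backup directory
    lines += [entry("10.10.10.5", 9000, "/content/inc/mysql_backups/", 200)]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("brute-force sources:", detect_bruteforce(log))
    print("sensitive paths served:", detect_sensitive_access(log))
```

The second detector only reports 2xx responses on purpose: a 403 on /content/inc/ means the directory is already blocked and is noise, whereas a 200 there is the finding that matters. The corresponding fix on the server is to deny web access to /content/inc (for Apache 2.4, a `Require all denied` block for that directory) and to keep database dumps outside the document root altogether.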
Password Cracking
In the backup file, we can find the username and a hashed password. All we have to do is run the hash through JohnTheRipper or Hashcat and we will crack it.
Exploitation
With the username and password, we can now run the exploit. I began by getting a PHP reverse shell from pentestmonkey and starting a listener:
I ran python3 exploit.py and gave it the username, password, and file to upload, and it reported the upload as successful. However, when browsing to http://10.10.10.10/content/attachments/rev.php I was given a file not found, so the exploit didn’t seem to be working.
I then went to http://10.10.10.10/content/as and logged in to the administrator account. I did some digging and noticed that you can go to the Ads section and upload code. So, I uploaded the PHP reverse shell and started listening again, and went to http://10.10.10.10/content/ads/rev.php and was given a reverse shell.
A whoami reveals we are www-data, and doing cd /home and then ls shows an itguy home folder. ls itguy will reveal our user.txt, which can be read via cat user.txt.
Privilege Escalation
We can start with sudo -l to see what www-data can run as sudo. The only entry is a Perl script, backup.pl. We can analyze the backup.pl file with cat and notice it runs a shell script, /etc/copy.sh. We can cat this and see it runs:
So, we have a reverse-shell script that we can run as sudo. We just need to change the IP address to ours. I first tried using nano, but it wouldn’t work. vim and vi didn’t work either. The only solution I could think of was to overwrite the file with echo:
Now, we will create another listener with
and run the Perl script as sudo, which will call our modified copy.sh.
This will give us a root reverse shell.
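The root path above rests on two facts: www-data may run backup.pl through sudo, and the /etc/copy.sh helper that backup.pl calls can be overwritten by that same user. `sudo -l` only shows the first of these, so an audit has to follow the chain. The following Python is an added example and not part of the writeup: starting from a sudo target script, it collects the absolute paths the script references, recurses into any that are themselves scripts, and reports every file on that chain that is group/other-writable or not owned by root. build_demo() recreates the misconfiguration with constructed files in a temporary directory; the real locations of backup.pl and the sudoers entry are not stated in the writeup, so none are assumed.

```python
"""Added example: audit a sudo target script for dependencies that a
non-root user could modify.  Demo files are constructed in a temp dir."""
import os
import re
import stat
import tempfile

# Absolute paths as they appear in shell/perl source: /usr/bin/perl, /etc/copy.sh, ...
PATH_RE = re.compile(r'(?<![\w.-])/(?:[\w.-]+/)*[\w.-]+')


def weakness_reasons(path):
    """Why `path` could be altered by someone other than root (empty list = fine)."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable by group or others")
    if st.st_uid != 0:
        reasons.append("owned by uid %d, not root" % st.st_uid)
    return reasons


def is_script(path):
    """Only recurse into text scripts (shebang), never into binaries."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False


def referenced_paths(path):
    """Absolute paths mentioned anywhere in the script's source."""
    with open(path, "r", errors="ignore") as f:
        return sorted(set(PATH_RE.findall(f.read())))


def audit_sudo_target(path, seen=None):
    """Return {real_path: [reasons]} for the script and everything it references
    that a non-root user could tamper with.  Cycles are cut with `seen`."""
    seen = seen if seen is not None else set()
    findings = {}
    path = os.path.realpath(path)
    if path in seen or not os.path.isfile(path):
        return findings
    seen.add(path)
    reasons = weakness_reasons(path)
    if reasons:
        findings[path] = reasons
    if is_script(path):
        for dep in referenced_paths(path):
            if os.path.isfile(dep):
                findings.update(audit_sudo_target(dep, seen))
    return findings


def build_demo():
    """Constructed stand-ins for backup.pl and copy.sh, then audit them.
    Returns (findings, real path of copy.sh, real path of backup.pl)."""
    root = tempfile.mkdtemp(prefix="sudo-audit-")
    copy_sh = os.path.join(root, "copy.sh")
    backup_pl = os.path.join(root, "backup.pl")
    with open(copy_sh, "w") as f:
        f.write("#!/bin/sh\n# constructed stand-in for the helper the perl script calls\n"
                "cp -r /var/www/html /var/backups\n")
    os.chmod(copy_sh, 0o777)  # the misconfiguration: anyone can rewrite the helper
    with open(backup_pl, "w") as f:
        f.write('#!/usr/bin/perl\nsystem("%s");\n' % copy_sh)
    os.chmod(backup_pl, 0o755)  # the sudo target itself is not writable
    findings = audit_sudo_target(backup_pl)
    return findings, os.path.realpath(copy_sh), os.path.realpath(backup_pl)


if __name__ == "__main__":
    findings, _, _ = build_demo()
    for p, why in findings.items():
        print(p, "->", "; ".join(why))
```

The ownership check fires on the constructed files whenever the script is run as a normal user, which is the point: a sudo target, and everything it executes, should be root-owned and at most mode 0755. The remediation for the page's case is exactly that for /etc/copy.sh, and more generally a sudo rule should never hand root to a script whose inputs the invoking user can edit.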