
Today we are working on LazySysAdmin from Vulnhub.com. This boot2root VM is rated Beginner/Intermediate.
Initial Enumeration
After getting the VM set up in VMware Player we start with our nmap scans.

HTTP Enumeration
The homepage is pretty basic with not much to work from. The http-enum script that we ran in nmap gives us some things to check, but nothing jumps out at me as being particularly interesting as an attack vector. I ran wpscan against the Wordpress folder.

Other than detecting a user of “admin” it didn’t find anything useful. Let’s move on.
SMB Enumeration
nmap also told us that SMB is active on the box. We get plenty of interesting stuff in the share$ folder. This looks like the web server root folder.

Since these folders are accessible from the web server, I attempted to upload my php reverse shell from pentestmonkey in the hope of getting a quick shell. None of the folders appear to be writable.

I downloaded all the files to my attacker box to look through them.

One of the files in the root folder gives us a possible password.

MySQL
In the /wordpress folder I checked wp-config.php to get MySQL database information.

I tried to remotely connect to the database with the mysql client (remember tcp/3306 is open) but no luck.

IRC
From our scans this box has an IRC server. I installed hexchat and connected to the box, but nothing jumped out at me as being useful.

Wordpress
I went back to the Wordpress site to see if I could log on with any of the information we found. http://<ip address>/wordpress/wp-login.php is the default login page. Knowing that our admin is lazy and may reuse creds, I tried user ‘admin’ and password ‘TogieMYSQL12345^^’ that we found from our SMB enumeration and logged into the Wordpress admin page.

I googled exploits for the available plugins since they are so often vulnerable, but didn’t find anything interesting. The admin page always has a quote mentioning “Dolly” so I tried ssh with that user and some of the passwords we’ve discovered, but didn’t have any luck. I then checked out the admin’s profile page.

We have seen “Togie” before in another password, so maybe our admin uses that for ssh.

After a couple of tries, I found that password “12345” works! Our sysadmin really is lazy. That couldn’t also be the password for his sudo privileges, could it?

After we find that togie has “All” sudo privileges, getting the root flag is trivial.
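The SSH password guessing against togie above is exactly the pattern a host's auth.log can flag: a run of failed password attempts for one user from one source, followed by an accepted password for that same user and source. The following detection script is an added example written for this post, not the author's code; the sshd log lines, hostname and addresses in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not taken from the writeup): three failed
# password attempts for "togie" from one source, then a successful login.
SAMPLE_AUTH_LOG = """\
Oct  1 10:00:01 lazysysadmin sshd[1201]: Failed password for togie from 192.168.56.101 port 40001 ssh2
Oct  1 10:00:04 lazysysadmin sshd[1203]: Failed password for togie from 192.168.56.101 port 40002 ssh2
Oct  1 10:00:07 lazysysadmin sshd[1205]: Failed password for togie from 192.168.56.101 port 40003 ssh2
Oct  1 10:00:11 lazysysadmin sshd[1207]: Accepted password for togie from 192.168.56.101 port 40004 ssh2
Oct  1 10:05:00 lazysysadmin sshd[1300]: Accepted password for togie from 192.168.56.50 port 50000 ssh2
Oct  1 10:06:00 lazysysadmin sshd[1310]: Failed password for invalid user dolly from 192.168.56.101 port 40010 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed password" syslog lines.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def find_guess_then_success(log_text, min_failures=2):
    """Return (user, src, failures) for every (user, source) pair that had at
    least `min_failures` consecutive failed password attempts immediately
    followed by an accepted password. A success resets the failure streak."""
    streak = defaultdict(int)  # (user, src) -> consecutive failures so far
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password event; ignore
        key = (m["user"], m["src"])
        if m["result"] == "Failed":
            streak[key] += 1
        else:
            if streak[key] >= min_failures:
                hits.append((m["user"], m["src"], streak[key]))
            streak[key] = 0
    return hits


if __name__ == "__main__":
    for user, src, n in find_guess_then_success(SAMPLE_AUTH_LOG):
        print(f"{user} from {src}: {n} failed attempts, then success")
```

The second accepted login for togie (from 192.168.56.50) is not reported because that source had no preceding failures, and the failed attempts for "dolly" never ended in a success.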

Thanks for reading!