Lazyadmin | TryHackMe writeup

Overview

Lazyadmin is an easy Linux-based machine on TryHackMe.

User Part

Start with an nmap scan.

2 ports are open.

22 : SSH

80 : HTTP

HTTP is the default apache2 page.

Nothing much there, so I ran ffuf for a directory search. I got directories and got a file.

That was a login page, but I don’t have any credentials, so I started to look deeper.

I started with GitHub, because the source code is available on GitHub, and I got ‘changelog.txt’ for checking the version.

I checked for exploits. For the first exploit I need credentials. The 2nd exploit was a backup file disclosure.

I got the location of the backup file from exploitdb, opened that directory and got the backup.

I downloaded it and searched for the password. I got a username and a password hash.

With the help of hash-identifier, I found that it was an MD5 hash.

Using an online hash cracker, I got the password.

Using the credentials, I can log in to the manager account.

I searched for an exploit and copied that exploit to the current directory.

In this exploit, it adds ‘http://’ before the host and ‘/as/’ after the host.

I ran the exploit and got a shell. I got the user flag.

Root Part

I searched for the commands I can run with root privileges.

In that file, it is executing /etc/copy.sh.

I copied code from PayloadsAllTheThings.

I wrote that to ‘copy.sh’ and ran the command for which I have root privileges, and got a root shell.
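
The root step works because a file run as root executes a helper that an unprivileged user can modify. The following check for that condition is an added example, not part of the original writeup; the function names, finding labels and the temp-directory demo are hypothetical, and it assumes the file to audit is the one listed in the sudo rules.

```bash
#!/usr/bin/env bash
# Added example: audit a script that sudo lets a user run as root.
# Flags the script, any existing absolute path it mentions, or that
# path's directory when group/other can write to it.

# True when the path (symlinks followed) is group- or world-writable.
loosely_writable() {
    [ -n "$(find -L "$1" -prune \( -perm -002 -o -perm -020 \) 2>/dev/null)" ]
}

# audit_script_refs FILE: one finding per line, no output when clean.
audit_script_refs() {
    local script ref
    script=$1
    if loosely_writable "$script"; then
        echo "WRITABLE-SCRIPT $script"
    fi
    # Pull out every token that looks like an absolute path.
    grep -oE "/[^[:space:]\"';|&<>()]+" "$script" | sort -u |
    while IFS= read -r ref; do
        [ -e "$ref" ] || continue
        if loosely_writable "$ref"; then
            echo "WRITABLE-TARGET $ref"
        elif loosely_writable "$(dirname "$ref")"; then
            echo "WRITABLE-PARENT $ref"
        fi
    done
}

# Constructed demo mirroring the /etc/copy.sh situation: a wrapper
# (standing in for the sudo-allowed file) runs two helpers, one of
# which is mode 777. Everything lives in a throwaway temp directory.
demo() {
    local d
    d=$(mktemp -d) || return 1
    echo 'echo helper' > "$d/copy.sh"
    echo 'echo helper' > "$d/safe.sh"
    printf 'sh %s\nsh %s\n' "$d/copy.sh" "$d/safe.sh" > "$d/wrapper.sh"
    chmod 755 "$d/wrapper.sh" "$d/safe.sh"
    chmod 777 "$d/copy.sh"    # the weak permission
    audit_script_refs "$d/wrapper.sh" | sed "s|$d|<tmp>|"
    rm -rf "$d"
}
```

Any finding means the helper should be owned by root with mode 755 or stricter, in a directory that only root can write to.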
