Lazyadmin | TryHackMe writeup
Lazyadmin is an easy Linux-based machine on TryHackMe.
Start with nmap scan.
2 ports are open.
22 : SSH
80 : HTTP
HTTP is the default Apache2 page.
Nothing much, so I ran ffuf for a directory search. I got directories and got a file.
That was a login page, but I don’t have any credentials, so I started to look deeper.
I started with GitHub, because the source code is available on GitHub, and I got ‘changelog.txt’ for checking the version.
I checked for exploits. For the first exploit I need credentials. The 2nd exploit was a backup file disclosure.
I got the location of the backup file from Exploit-DB, opened that directory and got the backup.
I downloaded it and searched for the password. I got a username and a password hash.
With the help of hash-identifier, I found that it was an MD5 hash.
Using an online hash cracker, I got the password.
Using the credentials, I can log in to the manager account.
I searched for an exploit and copied that exploit to the current directory.
In this exploit, it adds ‘http://’ before the host and ‘/as/’ after the host.
I ran the exploit and got the shell. I got the user flag.
I searched for the command I can run with root privilege.
In that file, it is executing /etc/copy.sh.
I copied code from PayloadsAllTheThings.
I wrote that to ‘copy.sh’ and ran the command for which I have root privilege and got a root shell.
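
A defender-side check for the condition in the last four steps, where a command allowed with root privilege executes /etc/copy.sh and the logged-in user could rewrite that file. This is an added example, not part of the original writeup; the function names, the path-matching heuristic and the `trusted_uids` parameter are assumptions made for illustration.

```python
import os
import re
import stat

# Absolute paths mentioned in a script body (simple heuristic, not a parser).
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.+-]+/)*[\w.+-]+")

def unsafe_reasons(path, trusted_uids=(0,)):
    """Reasons why a root-run script should not execute or read `path`."""
    reasons = []
    targets = ((path, "file"), (os.path.dirname(path) or "/", "parent directory"))
    for target, label in targets:
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            reasons.append(f"{label} owned by untrusted uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.filemode(st.st_mode)
            reasons.append(f"{label} writable by group/other ({mode})")
    return reasons

def audit_privileged_script(script_path, trusted_uids=(0,)):
    """Check the script itself plus every existing absolute path it mentions."""
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        mentioned = set(PATH_RE.findall(fh.read()))
    findings = {}
    for path in sorted({os.path.abspath(script_path)} | mentioned):
        if os.path.exists(path):
            reasons = unsafe_reasons(path, trusted_uids)
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    import sys
    # Usage: python3 audit.py <script that sudo is allowed to run as root>
    for path, reasons in audit_privileged_script(sys.argv[1]).items():
        print(path, "->", "; ".join(reasons))
```

Run it against each script listed in the sudoers policy; any finding means a non-root account can change what root ends up executing.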