This post documents the complete walkthrough of LazySysAdmin: 1, a boot2root VM created by Togie Mcdogie, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.
Background
The story of a lonely and lazy sysadmin who 
himself to sleep.
Information Gathering
Let’s start with a nmap scan to establish the available services in the host.
# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.20.130
...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
6667/tcp open irc syn-ack ttl 64 InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.20.128
|_ error: Closing link: ([email protected]) [Client exited]
I’m surprised to be honest. The host has Samba; it has MySQL. It even has InspIRCd beyond the usual http and ssh services.
Directory Enumeration
Besides the disallowed entries in robots.txt, I found the following directories with dirbuster and its largest directory wordlist.
Dir found: / - 200
Dir found: /apache/ - 200
Dir found: /Backnode_files/ - 200
Dir found: /old/ - 200
Dir found: /phpmyadmin/ - 200
Dir found: /test/ - 200
Dir found: /wordpress/ - 200
Dir found: /wp/ - 200
Hmm. The sysadmin has installed phpMyAdmin and WordPress. The rest of the directories is empty except for /Backnode_files.
Image shows phpMyAdmin
Image shows WordPress
Samba Share
Using Gnome Files, I was able to mount share$. Here’s what I did.
First, I connect to the Samba server.
Once connected, the available shares are in display—share$ should be interesting.
What a pleasant surprise—share$ is the webroot.
The sysadmin is lazy indeed. Plenty of juicy information to discover in the webroot.
# cat deets.txt
CBF Remembering all these passwords.
Remember to remove this file and update your password after we push out the server.
Password 12345
This is what I’m doing lol.
# cat todolist.txt
Prevent users from being able to view to web root using the local file browser
OOPSIE WOOPSIE!!
Uwu We made a fucky wucky!!
# cat wordpress/wp-config.php
...
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'Admin');
/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');
The sysadmin has messed up—big time.
WordPress Admin
Let’s use wpscan to identify the users in WordPress.
# wpscan --url http://192.168.20.130/wordpress --enumerate u
...
[+] Enumerating usernames ...
[+] We identified the following 1 user:
+----+-------+---------+
| ID | Login | Name |
+----+-------+---------+
| 1 | admin | Admin – |
+----+-------+---------+
[!] Default first WordPress username 'admin' is still used
I was lucky. The lazy sysadmin used TogieMYSQL12345^^—the database password as the password to the WordPress admin account.
Low-Privilege Shell
Now that I’ve access to WordPress as admin, I can edit one of the PHP files using WordPress Theme Editor to execute remote commands like so.
I sure can execute remote commands.
Let’s abuse the remote command execution to get a reverse shell.
On the attacking machine, do the following:
- Use
msfvenomto generate a reverse shell and name it asrev. - Host the shell with Python
SimpleHTTPServermodule. - Set up
netcatlistener to receive the shell.
On the remote command execution page, do the following:
- Use
wgetto transfer the shell over to/tmp/rev. - Make the shell executable with
chmod +x. - Execute the reverse shell.
If everything went well, you should have a low-privilege shell like this.
Privilege Escalation
We know the sysadmin is lazy and has a habit of using the same password for different accounts. That’s why I wasn’t surprised when I manage to su to togie using 12345 as the password.
What’s horrifying is this—togie is able to sudo as root!
Although togie is using rbash—or restricted bash, it’s trivial to change the shell back to bash with chsh.
I Love Me Some Random Strings
