This post documents the complete walkthrough of LazySysAdmin: 1, a boot2root VM created by Togie Mcdogie, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.
Background
The story of a lonely and lazy sysadmin who himself to sleep.
Information Gathering
Let’s start with an nmap scan to establish the available services on the host.
# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.20.130
...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
6667/tcp open irc syn-ack ttl 64 InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 192.168.20.128
|_ error: Closing link: ([email protected]) [Client exited]
I’m surprised, to be honest. Beyond the usual http and ssh services, the host has Samba, MySQL, and even InspIRCd.
Directory Enumeration
Besides the disallowed entries in robots.txt, I found the following directories with dirbuster and its largest directory wordlist.
Dir found: / - 200
Dir found: /apache/ - 200
Dir found: /Backnode_files/ - 200
Dir found: /old/ - 200
Dir found: /phpmyadmin/ - 200
Dir found: /test/ - 200
Dir found: /wordpress/ - 200
Dir found: /wp/ - 200
Hmm. The sysadmin has installed phpMyAdmin and WordPress. The rest of the directories are empty except for /Backnode_files.
Image shows phpMyAdmin
Image shows WordPress
Samba Share
Using Gnome Files, I was able to mount share$. Here’s what I did.
First, I connected to the Samba server.
Once connected, the available shares are on display—share$ should be interesting.
What a pleasant surprise—share$ is the webroot.
The sysadmin is lazy indeed. Plenty of juicy information to discover in the webroot.
# cat deets.txt
CBF Remembering all these passwords.
Remember to remove this file and update your password after we push out the server.
Password 12345
This is what I’m doing lol.
# cat todolist.txt
Prevent users from being able to view to web root using the local file browser
OOPSIE WOOPSIE!!
Uwu We made a fucky wucky!!
# cat wordpress/wp-config.php
...
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'Admin');
/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');
The sysadmin has messed up—big time.
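The root cause of everything found in share$ is a Samba stanza that points at the web root and lets anyone in. The script below is an added example, not part of the original walkthrough or the VM: it audits an smb.conf for exactly that class of mistake and shows a hardened stanza next to the weak one. Both configuration texts are constructed (the VM’s real smb.conf is not on the page), and the list of web-root directories is an assumption.

```python
import configparser
from pathlib import PurePosixPath

# Constructed smb.conf modelled on the finding above: share$ is the web root
# and guests are allowed. This is an assumption, not the VM's actual file.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[share$]
   comment = Sumshare
   path = /var/www/html
   browseable = yes
   guest ok = yes
   read only = no
"""

# The same share after hardening (also constructed): moved out of the web
# root, authenticated users only, read-only, and not advertised in listings.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Never

[share$]
   comment = Sumshare
   path = /srv/samba/share
   browseable = no
   guest ok = no
   valid users = togie
   read only = yes
"""

# Assumed web-root locations; extend for your own layout.
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx/html")
BOOLEAN_TRUE = ("yes", "true", "1")


def _is_true(value, default):
    """Interpret a Samba boolean, falling back to Samba's own default."""
    if value is None:
        return default
    return value.strip().lower() in BOOLEAN_TRUE


def _under_web_root(path):
    if not path:
        return False
    p = PurePosixPath(path)
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in WEB_ROOTS)


def audit_smb_conf(text):
    """Return (share, finding) tuples for share stanzas a defender should fix."""
    # smb.conf indents option lines; strip them so configparser does not treat
    # them as continuation lines of the previous value.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(flat)
    findings = []
    for share in cfg.sections():
        if share.lower() in ("global", "printers", "print$"):
            continue
        opts = cfg[share]
        path = opts.get("path")
        guest = _is_true(opts.get("guest ok", opts.get("public")), default=False)
        # "read only" defaults to yes; "writable"/"writeable" are its inverse.
        writable = _is_true(opts.get("writable", opts.get("writeable")), default=False) \
            or not _is_true(opts.get("read only"), default=True)
        if _under_web_root(path):
            findings.append((share, f"path {path} is inside a web root"))
        if guest:
            findings.append((share, "guest access is enabled"))
        if guest and writable:
            findings.append((share, "anonymous users can write to the share"))
        if share.endswith("$") and _is_true(opts.get("browseable", opts.get("browsable")), default=True):
            findings.append((share, "a trailing '$' does not hide a share; set browseable = no"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or "no findings")
```

The check is deliberately independent of the share name: a `$` suffix is a Windows browse-list convention and means nothing to Samba, so the only things that actually keep a web root off the wire are the path, `guest ok`, `valid users` and `read only`.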
WordPress Admin
Let’s use wpscan to identify the users in WordPress.
# wpscan --url http://192.168.20.130/wordpress --enumerate u
...
[+] Enumerating usernames ...
[+] We identified the following 1 user:
+----+-------+---------+
| ID | Login | Name |
+----+-------+---------+
| 1 | admin | Admin – |
+----+-------+---------+
[!] Default first WordPress username 'admin' is still used
I was lucky. The lazy sysadmin used TogieMYSQL12345^^—the database password—as the password for the WordPress admin account.
Low-Privilege Shell
Now that I have access to WordPress as admin, I can edit one of the PHP files using the WordPress Theme Editor to execute remote commands like so.
I sure can execute remote commands.
Let’s abuse the remote command execution to get a reverse shell.
On the attacking machine, do the following:
- Use msfvenom to generate a reverse shell and name it rev.
- Host the shell with Python’s SimpleHTTPServer module.
- Set up a netcat listener to receive the shell.
On the remote command execution page, do the following:
- Use wget to transfer the shell over to /tmp/rev.
- Make the shell executable with chmod +x.
- Execute the reverse shell.
If everything went well, you should have a low-privilege shell like this.
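The Theme Editor step only works because wp-config.php leaves in-browser file editing enabled. The script below is an added example, not code from the walkthrough or from WordPress: it parses the `define()` constants in a wp-config.php, reports whether `DISALLOW_FILE_EDIT` and `DISALLOW_FILE_MODS` (both real WordPress constants) are set, and writes them in before the stop-editing marker. The sample configuration is constructed around the excerpt shown earlier; only the `DB_*` values come from the page, and the marker text is assumed to match the file on the VM.

```python
import re

# Constructed wp-config.php excerpt. The DB_* lines mirror the page; the
# remaining lines are assumed boilerplate, not the VM's real file.
SAMPLE_WP_CONFIG = """<?php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'Admin');
/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/* That's all, stop editing! Happy blogging. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
"""

# Matches define('NAME', value) where value is a quoted string or true/false.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<value>true|false|['"][^'"]*['"])\s*\)""",
    re.IGNORECASE,
)
STOP_MARKER = "/* That's all, stop editing!"

# Constants that close the in-browser editor and wp-admin file installs.
REQUIRED_TRUE = {
    "DISALLOW_FILE_EDIT": "disables the Theme and Plugin editors in wp-admin",
    "DISALLOW_FILE_MODS": "blocks installing or updating themes/plugins from wp-admin",
}


def parse_defines(php):
    """Map constant name -> raw value text for every simple define() call."""
    return {m.group("name").upper(): m.group("value") for m in DEFINE_RE.finditer(php)}


def audit_wp_config(php):
    """Return a list of hardening gaps found in a wp-config.php."""
    defines = parse_defines(php)
    gaps = []
    for name, why in REQUIRED_TRUE.items():
        if defines.get(name, "false").lower() != "true":
            gaps.append(f"{name} is not set to true ({why})")
    return gaps


def harden_wp_config(php):
    """Set the required constants to true, editing existing defines in place
    and inserting missing ones just before the stop-editing marker."""
    defines = parse_defines(php)
    to_insert = []
    for name in REQUIRED_TRUE:
        if name in defines:
            # Rewrite rather than append, so PHP never sees a redefinition.
            pattern = r'''define\(\s*['"]%s['"]\s*,\s*[^)]*\)''' % name
            php = re.sub(pattern, f"define('{name}', true)", php)
        else:
            to_insert.append(f"define('{name}', true);\n")
    if not to_insert:
        return php
    block = "".join(to_insert)
    idx = php.find(STOP_MARKER)
    if idx == -1:
        return php.rstrip("\n") + "\n" + block
    return php[:idx] + block + php[idx:]


if __name__ == "__main__":
    print("gaps:", audit_wp_config(SAMPLE_WP_CONFIG))
    print(harden_wp_config(SAMPLE_WP_CONFIG))
```

Placement matters: WordPress reads wp-config.php top to bottom and loads wp-settings.php at the end, so a constant defined after the marker would be set too late to disable the editor. The script also leaves the database credentials untouched; those need rotating by hand, since the same password was reused for the admin account.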
Privilege Escalation
We know the sysadmin is lazy and has a habit of using the same password for different accounts. That’s why I wasn’t surprised when I managed to su to togie using 12345 as the password.
What’s horrifying is this—togie is able to sudo as root!
Although togie is using rbash—or restricted bash—it’s trivial to change the shell back to bash with chsh.