Introduction
TryHackMe: LazyAdmin outlines a story as old as time. Outdated software, an exposed MySQL database backup, and an easy-to-crack password spell disaster for our lazy Linux administrator. Learn what goes wrong when these elements are combined below.
Information Gathering
To get started, scan for open ports and the services running on them. It looks like SSH and a web server are running on this host. We can use a tool like gobuster to brute-force directory names and see whether any are exposed.
Going to http://10.10.222.75/content, we were met with a webpage running SweetRice. SweetRice is an open-source website management system for creating common blogs or websites.
I could not find what version of SweetRice this website was running by inspecting the website’s source code.
Exploitation
Sometimes it is best to take a shot in the dark when trying to exploit a machine. SweetRice version 1.5.1 has a vulnerability that exposes its MySQL backup file, so anyone who knows the path can download it.
Going to the URL, we can find a MySQL backup file from October 29, 2019.
Going through the MySQL file, we can see the users of the website. There is a user named manager with a convenient MD5 password hash. We can run this hash through hashcat, crack the password, and enter it into SweetRice's admin portal.
Easy peasy, the administrator chose a weak password!
There are several ways to find the SweetRice admin portal. I found it on exploit-db when looking at SweetRice's arbitrary file upload exploit. Alternatively, it could be found by recursively brute-forcing all the directories with dirbuster or by looking through SweetRice's documentation. All in all, the admin login page is located at /as/.
Using the username and password we just cracked, we can log into the SweetRice admin portal. Admins can post, change settings, and upload files.
We are interested in uploading files. Instead of using the arbitrary file upload exploit, I decided to use the reverse PHP shell from pentestmonkey. Either one will get a shell on the web server.
Post Exploitation
After connecting to the web server, head to the home directory, where we find a user named itguy, and read the user.txt flag.
Finally, to escalate our privileges to the root user, run the command sudo -l. It displays which commands the current user may run as the superuser without being prompted for a password.
It looks like we can run Perl as root on itguy's backup.pl file.
This is pretty straightforward. According to GTFOBins, all we need to do is run the sudo Perl command with the backup.pl file and it will run as root. Unfortunately, we only have read and execute permissions on backup.pl, so let's read the file and see what it even does.
It looks like backup.pl runs the script copy.sh. Going over to the /etc/ directory, it looks like we have read, write, and execute permissions on the copy.sh file. The plan is to overwrite that file with a reverse shell, run backup.pl as root, and have the server connect back to our client as root.
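The weakness above is a sudo rule whose command executes a file that other users can modify. As an added defender-side check (not code from the room or this write-up), the Python script below rebuilds that layout in a temporary directory and flags any world-writable file a sudo-permitted script references; the contents of both files and the temp paths are constructed for the example, and the hardened variant shows the same layout after fixing the permissions.

```python
"""Added defender-side audit: flag files a sudo-permitted script runs
that other users can modify (the backup.pl -> copy.sh weakness)."""
import os
import re
import stat
import tempfile

# Absolute paths mentioned in a script body, e.g. system("/etc/copy.sh").
PATH_RE = re.compile(r"/[\w./-]+")


def world_writable(path):
    """True if the 'other' write bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_sudo_script(script_path):
    """Return files that any local user could alter and that would run as
    root: the script itself and every existing file it references.

    A sudo rule is only as safe as every file the command executes.
    """
    findings = []
    if world_writable(script_path):
        findings.append(script_path)
    with open(script_path) as fh:
        body = fh.read()
    for path in PATH_RE.findall(body):
        if path not in findings and os.path.isfile(path) and world_writable(path):
            findings.append(path)
    return findings


def demo(hardened=False):
    """Rebuild the layout from the write-up in a temp dir (constructed
    contents, hypothetical tar command) and audit it. hardened=True applies
    the fix: the helper script becomes writable only by its owner."""
    root = tempfile.mkdtemp()
    helper = os.path.join(root, "copy.sh")
    script = os.path.join(root, "backup.pl")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\ntar -czf /tmp/site.tgz /var/www\n")
    os.chmod(helper, 0o755 if hardened else 0o777)  # 0o777 is the mistake
    with open(script, "w") as fh:
        fh.write('#!/usr/bin/perl\nsystem("%s");\n' % helper)
    os.chmod(script, 0o755)  # read/execute only, like backup.pl in the room
    return audit_sudo_script(script)


if __name__ == "__main__":
    for path in demo():
        print("world-writable file executed under sudo:", path)
```

Run the same audit against every command listed by sudo -l on a real host; an empty result for each one is what a correctly locked-down rule looks like.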
PayloadsAllTheThings is an open-source resource with hundreds of ways to create a reverse shell. I first tried the traditional netcat commands. However, after running them, it said that the version of netcat the server was using was the netcat-openbsd package.
Running the command exactly as it is written in the sudo -l output is the only way to keep the terminal from prompting for a password.
Lastly, launching another shell on my attacker machine and running the Perl command, I became root. It’s now as easy as going to the root directory and reading the root.txt flag.
Conclusion
This is a scenario that could certainly happen in the real world. It doesn't necessarily have to come down to laziness; projects come and go. IT staff need to be aware when this happens and take the necessary steps to avoid running vulnerable software on their systems.