Main Page | Blog | CTF Writeups | How-To Guides

CTF Writeup:

LazySysAdmin on VulnHub

8 November 2017

A fun box from Vulnhub, written by Togie McDogie. You can find it here at https://www.vulnhub.com/entry/lazysysadmin-1,205/

Introduction

LazySysAdmin was a fun little box that reminds us to keep it simple. This write up assumes the reader has beginner knowledge of pentesting.

It also assumes the reader is using Kali, but all the tools are standard in distros like BlackArch as well. I ran it on my native Kali host machine using VirtualBox; on a host-only network.

Before beginning, I added its IP to my hosts file for convenience.

Here is a very quick summary that is entirely composed of spoilers -

It doesn’t show my methodology or process. It will tell you how to get the root flag, but you won’t learn much. It’s also encrypted (weakly) - but if you can root the box using just the spoiler, you’ll know how to decode it.

1. Initial Scans

As always, we start with nmap

• nmap -sV -T4 lazysysadmin.ctf

Alright, we have a website, so let’s launch our regular HTTP battery. After that we will investigate SMB, MYSQL, and IRC - if we need to. If we figure out the credentials, we can SSH in as well.

Run dirsearch, nikto, nmap w/ vuln scan, and manually browse the website. Run these scans in parallel.

I like to run dirsearch twice - a quick scan without specifying a wordlist to find common things, then a deeper dive. Even my quick can uses a large number of extensions - I usually don’t run it recursively until I find an interesting starting point, or get stuck and think I need to keep digging.

• dirsearch -u lazysysadmin.ctf -e sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar

• nmap -A -O -T4 --script=vuln lazysysadmin.ctf

• nikto -h http://lazysysadmin.ctf

In the browser, I took a peek at the page sources for anything interesting. However, won’t find much there.

I like steganography (there is some in this guide) - so I read “The answer is within you” as “Check this image for stego.”
Nothing came up with steghide, strings or stegsolve; so I checked my scan outputs.

The first thing I checked was robots.txt - something that the scanners might not be able to do for me. It didn’t contain anything too interesting… unlike my nmap vulnscan, which dumped out a ton of useful info.

2. Investigating the Website

• /wordpress/ suggests we have a very fertile ground for planting an attack. Wordpress admin access = shell.
• /phpmyadmin/ suggests there is a database ready to plunder.
• /info.php gives us Kernel, hostname and OS information immediately.

I dove right in with

• wpscan -u lazysysadmin.ctf/wordpress/ -e u,v,p

and browsed it myself while it ran.

wpscan found a bunch of potential vulnerabilities - but I like to start simply. The default username is in use, so maybe the default password will be as well. The only blog post is just my name is togie 50 times - so maybe thats the password?

I tried admin:admin, admin:togie, admin:mynameistogie, and admin:password as well as a few capitalized versions. No hits. I think it might be time to look at the other services and see if there is anything there.

3. Investigating the Other Services

SMB might hold some interesting information, and I know that it is running Linux, so I used enum4linux!

• enum4linux lazysysadmin.ctf

Right off the bat, [+] Server lazysysadmin.ctf allows sessions using username '', password '' looks very promising.

It is shortly followed by //lazysysadmin.ctf/share$ Mapping: OK, Listing: OK

We connect with a simple

• smbclient //lazysysadmin.ctf/share$

and just press enter when asked for the password.

What looks interesting or new… hmm. todolist.txt, deets.txt… and ooh! A Wordpress directory! That might have our website setup in it!

• cd wordpress
• ls

wp-config.php has given me passwords, or at least hashes, in the past. Let’s check it out.

• get wp-config.php
• exit
• less wp-config.php

Why, hello there…

Let’s try this password at /phpmyadmin, and maybe we can drop a shell using a select ... into outfile!

Visit /phpmyadmin and try logging in with Admin:TogieMYSQL12345^^ - and get db access!

4. Plundering the SQL Database

Alright, let’s see what goodies we can find.

wp_users looks appetizing, let’s view it.

Hmm… maybe not. I tried logging out and back in with root:TogieMYSQL12345^^ - but to no avail.

There is the option to try manually inputting SQL commands, so let’s try that.

First thing I want to see is if I can write a file - that could allow me to drop a shell script and gain access. I try

• select 'hello' into outfile 'hello.txt'

Hmm, this user has pretty limited privileges. Might be worth trying to view the db contents using SQL commands, however.

• select * from wp_users from wordpress

was forbidden, so I tried the more specific

• show columns from wp_users from wordpress

user_pass looks good to me, and some of the other fields aren’t bad either. I made sure the wordpress database was selected in phpmyadmin, then ran

• select user_login, user_pass, user_nicename, user_email from wp_users

Great, a hash! Maybe we can crack it.
I wonder if it’s the same as the MySQL password…

Wait.

We can try just try logging in with that password to the wordpress site. Should have tried that first!

5. Wordpress Admin Access

It’s a gift to be simple…

Let’s go ahead and drop a php shell into one of the plugins.

I’ve messed this process up before – so I always make a copy of the original text before trying any alterations. This also allows us to revert the plugin back to normal if we give ourselves another way in later.

From /usr/share/webshells/php/ I grab what I like to call the “monkey shell” and make a copy in my pentest directory.

I know the plugin code already includes <?php and ?> flags, so I chop those off and edit in the correct IP and port information.

Then, we just paste it in at the end of our plugin code.

Now we can start our listener with

• nc -lnvp PORTNUMBER

and hit “Update File.”” My shell didn’t pop immediately, but after I clicked “Installed Plugins” again in order to make sure the plugin was active.

We’ve got a shell, and it is time to enumerate!

6. Enumerating With www-data

Enumerating a system from the inside can sometimes feel like looking for a needle in a haystack. To be honest, if I lost a needle in a haystack, I’d just go look for another needle. But if I didn’t have another needle, I’d try to use a magnet. That can’t help us here, however.

The first thing I tried was looking in the /home folder for goodies left by users.

Nothing here – I usually go right for the bash history to see what the user had been working on, but there isn’t one here.

Might as well upgrade my shell, too. Let’s see if we can run Python, then we might be able to run the python pty.

• python -V

returns a version - the box runs python. Let’s get a TTY.

• python -c ‘import pty;pty.spawn(“/bin/bash”)

After taking a quick peek at /etc/passwd to see all the usernames, I decided to see if I saw all there was to see on the website.

• cd /var/www/
• ls
• cd html
• ls

Oh look, the files from the SMB share are here too. Hmm, I got so excited by the wordpress directory that I didn’t even give these a thorough look.

• cat todolist.txt
• cat deets.txt

Well, well, well. Togie did NOT seem to make it so users can’t see the web root – considering we could see into this directory via SMB. This suggests that togie did NOT remember to change the password either…

Could this have been laying here the whole time?

• su togie

Use password 12345

7. Call Me Togie!

This togie user seems to be the LazySysAdmin in question. I wonder if they can run anything as superuser.

• sudo -l

Well, it looks like Togie can run some things as superuser.
In fact, Togie can run every thing as superuser.

• sudo su

8. Did I say Togie? Sorry, my name is Oot. Richard Oot.

For presentation’s sake, I logged into SSH – but this is entirely optional and leads another entry in a log file. While doing the CTF myself, I continued to use the reverse shell.

Seeing that little # brings a smile to my face.

• cd ~
• ls
• cat proof.txt

Lessons Learned

• Try using passwords in multiple locations, password reuse is rampant.
• If you have access to a group of files, READ THEM. At least grep for “pass[word]”
• Don’t leave your web root in a publicly accessible SMB.
• Don’t leave your root password lying around! Or any other for that matter!

Togie’s Questions:

What could you have done to speed up the enumeration process?

I dove pretty deeply into HTTP first out of habit, instead of starting with a shallow wade-through of all possibilities. In this case, it paid to do a breadth-first enumeration process instead of a depth-first process.

Are there any obvious things that you missed, which you shouldn’t have missed?

I didn’t look at all the files I had access to on the SMB. I found one lead and then just chased it. Had I taken the time to look at all the files, I would have saved a lot of time.

Did you learn anything interesting? and What have you added to your enumeration process to prevent you from wasting time?

The answer to both of these questions is related to breadth-vs-depth searching. I didn’t even realize that I was diving deeply instead of lightly browsing everything first.

Thanks Togie McDogie!

Good Luck on your next OSCP!

Main Page | Blog | CTF Writeups | How-To Guides
󠁈󠁔󠁂󠁻󠁴󠁲󠀱󠁴󠁨󠀳󠁭󠀱󠁵󠀵󠁟󠀱󠀴󠀹󠀹󠁽