View on GitHub

GitPage

berzerk0's GitHub Page

Main Page | Blog | CTF Writeups | How-To Guides

CTF Writeup:

LazySysAdmin on VulnHub


a0

8 November 2017

A fun box from Vulnhub, written by Togie McDogie. You can find it here at https://www.vulnhub.com/entry/lazysysadmin-1,205/

Introduction

LazySysAdmin was a fun little box that reminds us to keep it simple. This write up assumes the reader has beginner knowledge of pentesting.

It also assumes the reader is using Kali, but all the tools are standard in distros like BlackArch as well. I ran it on my native Kali host machine using VirtualBox; on a host-only network.

Before beginning, I added its IP to my hosts file for convenience.

Here is a very quick summary that is entirely composed of spoilers -

It doesn’t show my methodology or process. It will tell you how to get the root flag, but you won’t learn much. It’s also encrypted (weakly) - but if you can root the box using just the spoiler, you’ll know how to decode it.

1. Initial Scans

As always, we start with nmap


A1

Alright, we have a website, so let’s launch our regular HTTP battery. After that we will investigate SMB, MYSQL, and IRC - if we need to. If we figure out the credentials, we can SSH in as well.

Run dirsearch, nikto, nmap w/ vuln scan, and manually browse the website. Run these scans in parallel.

I like to run dirsearch twice - a quick scan without specifying a wordlist to find common things, then a deeper dive. Even my quick can uses a large number of extensions - I usually don’t run it recursively until I find an interesting starting point, or get stuck and think I need to keep digging.


A2


A3
A4



A5

In the browser, I took a peek at the page sources for anything interesting. However, won’t find much there.


A6

I like steganography (there is some in this guide) - so I read “The answer is within you” as “Check this image for stego.”
Nothing came up with steghide, strings or stegsolve; so I checked my scan outputs.

The first thing I checked was robots.txt - something that the scanners might not be able to do for me. It didn’t contain anything too interesting… unlike my nmap vulnscan, which dumped out a ton of useful info.

2. Investigating the Website

I dove right in with

and browsed it myself while it ran.


A8

wpscan found a bunch of potential vulnerabilities - but I like to start simply. The default username is in use, so maybe the default password will be as well. The only blog post is just my name is togie 50 times - so maybe thats the password?


A7

I tried admin:admin, admin:togie, admin:mynameistogie, and admin:password as well as a few capitalized versions. No hits. I think it might be time to look at the other services and see if there is anything there.

3. Investigating the Other Services

SMB might hold some interesting information, and I know that it is running Linux, so I used enum4linux!


A9

Right off the bat, [+] Server lazysysadmin.ctf allows sessions using username '', password '' looks very promising.

It is shortly followed by //lazysysadmin.ctf/share$ Mapping: OK, Listing: OK

We connect with a simple

and just press enter when asked for the password.


A10

What looks interesting or new… hmm. todolist.txt, deets.txt… and ooh! A Wordpress directory! That might have our website setup in it!


A11

wp-config.php has given me passwords, or at least hashes, in the past. Let’s check it out.


A12

Why, hello there…

Let’s try this password at /phpmyadmin, and maybe we can drop a shell using a select ... into outfile!

Visit /phpmyadmin and try logging in with Admin:TogieMYSQL12345^^ - and get db access!

4. Plundering the SQL Database

Alright, let’s see what goodies we can find.


A13

wp_users looks appetizing, let’s view it.


A14

Hmm… maybe not. I tried logging out and back in with root:TogieMYSQL12345^^ - but to no avail.

There is the option to try manually inputting SQL commands, so let’s try that.

First thing I want to see is if I can write a file - that could allow me to drop a shell script and gain access. I try


A15

Hmm, this user has pretty limited privileges. Might be worth trying to view the db contents using SQL commands, however.

was forbidden, so I tried the more specific


A16

user_pass looks good to me, and some of the other fields aren’t bad either. I made sure the wordpress database was selected in phpmyadmin, then ran


A17

Great, a hash! Maybe we can crack it.
I wonder if it’s the same as the MySQL password…

Wait.

We can try just try logging in with that password to the wordpress site. Should have tried that first!


A18

5. Wordpress Admin Access

It’s a gift to be simple…

Let’s go ahead and drop a php shell into one of the plugins.

I’ve messed this process up before – so I always make a copy of the original text before trying any alterations. This also allows us to revert the plugin back to normal if we give ourselves another way in later.

From /usr/share/webshells/php/ I grab what I like to call the “monkey shell” and make a copy in my pentest directory.

I know the plugin code already includes <?php and ?> flags, so I chop those off and edit in the correct IP and port information.


A19

Then, we just paste it in at the end of our plugin code.


A20

Now we can start our listener with

and hit “Update File.”” My shell didn’t pop immediately, but after I clicked “Installed Plugins” again in order to make sure the plugin was active.


A21

We’ve got a shell, and it is time to enumerate!

6. Enumerating With www-data

Enumerating a system from the inside can sometimes feel like looking for a needle in a haystack. To be honest, if I lost a needle in a haystack, I’d just go look for another needle. But if I didn’t have another needle, I’d try to use a magnet. That can’t help us here, however.

The first thing I tried was looking in the /home folder for goodies left by users.


A22

Nothing here – I usually go right for the bash history to see what the user had been working on, but there isn’t one here.

Might as well upgrade my shell, too. Let’s see if we can run Python, then we might be able to run the python pty.

returns a version - the box runs python. Let’s get a TTY.


A23

After taking a quick peek at /etc/passwd to see all the usernames, I decided to see if I saw all there was to see on the website.


A24

Oh look, the files from the SMB share are here too. Hmm, I got so excited by the wordpress directory that I didn’t even give these a thorough look.


A25

Well, well, well. Togie did NOT seem to make it so users can’t see the web root – considering we could see into this directory via SMB. This suggests that togie did NOT remember to change the password either…

Could this have been laying here the whole time?

Use password 12345


A26

7. Call Me Togie!

This togie user seems to be the LazySysAdmin in question. I wonder if they can run anything as superuser.


A26

Well, it looks like Togie can run some things as superuser.
In fact, Togie can run every thing as superuser.

8. Did I say Togie? Sorry, my name is Oot. Richard Oot.

For presentation’s sake, I logged into SSH – but this is entirely optional and leads another entry in a log file. While doing the CTF myself, I continued to use the reverse shell.

Seeing that little # brings a smile to my face.


A27

Lessons Learned

Togie’s Questions:

What could you have done to speed up the enumeration process?

I dove pretty deeply into HTTP first out of habit, instead of starting with a shallow wade-through of all possibilities. In this case, it paid to do a breadth-first enumeration process instead of a depth-first process.

Are there any obvious things that you missed, which you shouldn’t have missed?

I didn’t look at all the files I had access to on the SMB. I found one lead and then just chased it. Had I taken the time to look at all the files, I would have saved a lot of time.

Did you learn anything interesting? and What have you added to your enumeration process to prevent you from wasting time?

The answer to both of these questions is related to breadth-vs-depth searching. I didn’t even realize that I was diving deeply instead of lightly browsing everything first.

Thanks Togie McDogie!

Good Luck on your next OSCP!


Main Page | Blog | CTF Writeups | How-To Guides
󠁈󠁔󠁂󠁻󠁴󠁲󠀱󠁴󠁨󠀳󠁭󠀱󠁵󠀵󠁟󠀱󠀴󠀹󠀹󠁽