Lazy Admin Walkthrough - TryHackMe

Captions
Hey everyone, welcome back. This video we're going to be going over the Lazy Admin TryHackMe box. I saw this on stream yesterday on Twitch. If you prefer a live walkthrough, uh, follow me on Twitch to see some more live, uh, TryHackMe boxes. I will demonstrate this one now, so let's just get right into it.

I, uh, started the box here, so let's go ahead and, uh, start. What I usually start with is just a very basic nmap scan. I sometimes use specific flags, sometimes I don't, it depends. Most of the time I like something that's kind of quick and will give me version numbers, and then if I need a more, uh, you know, robust output from nmap, I'll use specific scripts and things like that depending on what I find from the original nmap scan results. So we will see what kind of information we get back from this and then we'll start poking around.

So it looks like we have SSH open and we have HTTP. Let's go ahead and check out the website and see what we can find. We just have a default Apache, uh, you know, default splash page. We could do some poking around. Um, let's start with some directory busting. Uh, let's see, yeah, we'll do some, uh, directory busting and then maybe we could poke at the SSH script, anything like that. Let's, uh, get this going because it can take a minute. All right, pick out a word list: /usr/share/wordlists and dirbuster. All right, we'll get that started.

Uh, we could do some things too that we just, like, can check and see if there's an admin page. Uh, we can check to see if robots has anything. Nothing crazy. Uh, you know, you could kind of poke around and do some manual, uh, directory busting if you prefer. Aside from, like, the robots.txt, I don't really do a lot of manual, uh, directory busting, mainly because I like DirBuster or Gobuster and it gives me results quicker.

Now it looks like we have some positive matches here, so content, content images, JavaScript, SweetRice, captcha. Let's just check out the content page. It says "Welcome to SweetRice. Thank you for install SweetRice as your website management system. This site is building now, please come late," and then it says "if you are a webmaster" or "if you are the webmaster, please go to Dashboard, General, Website settings." So there's probably going to be some area for us to log in as the webmaster, so we just need to find that area.

Let's take a look. I know there was the images, so we can look at that, see different things. Let's see, anything that looks like super interesting. Um, we have a captcha, we have PHP, had our background, nothing entirely exciting, but it is good that we know that we have this images directory, so that maybe if we upload something we can try and find it here. Let's see what else we had found. Uh, let's see, images, we already saw the index. We could check out JS, let's try that out. Just some JavaScript information here. Let's see, we could try and find something in there like, if, I don't know, maybe credentials. I don't entirely know what we would find. Uh, sitemap could be interesting. All right, but this is still going, so let's just wait to see if we get any other results.

Another thing that we can poke around at while we're waiting is the open SSH port. We could try some, uh, just, you know, normal or common default passwords, so let's give that a shot here. Actually, let's start with just admin. All right, let's try password, admin, password one two three, and permission denied. We could try the same thing on root, so let's try the same thing just with root instead of admin.

The other thing we could try and do as well is Google, uh, just default login credentials, since we know that there's SweetRice running, so we can do that too. Let's try just some basic things here like admin, password one two three, no. SweetRice d, okay, sweet. Uh, oh, it looks like the first thing that came up was this vulnerability. There's an arbitrary file upload. Not exactly what I was looking for, but interesting that these things come up, so that might be worth looking into a little bit more. Let's see another one, maybe this is the same. Uh, this one says reset admin password. Hmm, okay. Let's see, we still haven't gotten much else on our directory busting, but it's still going, so we can give that some more time.

Uh, it says, this is interesting because it gives us this file pass, file path here, says this one really exist due to the AES index script to properly sanitize user supplied input as hacker could change the admin password. Interesting. Let's try this file path. Okay, so we do have a login page, which is what we were looking for. Now, we don't have any credentials yet. I wonder if we can find anything else with this, as I'm assuming that this is going to be found in DirBuster, but let's look back at index. "Please enter your admin email." Okay, I guess we would have to have the admin email to try that. Hmm, interesting, good to know. Let me duplicate this and see if it gave us an admin email on this content page. Hmm.

Oh, it looks like we did get more, uh, information found on DirBuster, and there is a MySQL backup, so that would be interesting to take a look at. Uh, what did I copy? All the way to content, okay. Let's see what we find in this, uh, MySQL backup. Okay, cd downloads, cat MySQL. All right, so we have some information here related to a MySQL backup that we were able to find through DirBuster. We downloaded it and, uh, now it gives us, kind of, it looks like information on that original page that we saw under content where it says the site is building now, if you're the webmaster please go to dashboard. Um, this is interesting where it says password here. We can try and find that, which looks like a hash, so let's just Google that, and okay, so here it says, like, in the preview it says, uh, into the string is password with a capital P, one two three, and it looks like the username is manager. Let's try that on the login page that we had found. Oh no, I think I typed it in wrong. All right, let's see. Sweet, okay, so we are logged in.

We see the current version is one five one, and now we're gonna go and basically kind of poke through here and see what options that we have. I know on the original page, like we said, it says if you're a webmaster please go to dashboard, general, website settings. So this is the dashboard, I guess. Their settings, general, here. Looks like we have some SQL database information. Let's poke around, like, a little bit more. Plug-in list, ads. Oh, okay, so we do have an upload on plugin list as well, that's interesting. They also have this ad section, so I think there's probably a couple different ways to solve this.

What I would like to do, and see if this works, is just add a shell, and let me set up netcat. Uh, we're gonna try port 901. I am just using a shell that I found, uh, on this, uh, reverse shells website. I really like this for something that you need if it's quick and easy. They have a ton of different options, so that's what I've been using lately, although I also found, uh, Weevely, which I really like that as well. If you need something password protected, like if you're using it during a pen test, that's super helpful to have.

Okay, all right, so we saved that and then it gives us a URL up here. Let's give it a shot. Let's see. Go back and see where I went wrong. I hope I did the right, uh, ports. What did I put, 901? Okay, let's try it again. I'll try it in a private window too. We can see nothing. Okay, if we look at our first hint, when it told us to go to general settings, website settings. Okay, oh, we do have this upload as well. Let's turn this "close website" off and then try again. I'll try it in this just in case, but I don't think I have, oh, okay, I did have my netcat listener on. Let's try this out here. Actually, I'll just do id. Okay, uh, cd home. All right, cool, we were able to get the first user flag.

Now what I'm gonna do is upgrade this shell so that we can do a little bit more poking around. We're going to need to somehow privilege escalate and get the root flag. Now let me get this Python command so that we can upgrade the shell. All right, here we go. So we see we have some information here. Okay, we have a backup file, which also could be interesting. Interesting. Okay, now it says system copy sh. Interesting. So the file copy.sh already has a shell in it, so what we could try and do is put our IP address in to that shell. All right, one more thing I want to do is see if there's any, okay, permission. So that backup file, we do have permissions, no password, to run that as superuser. So let's see if I can, what is it called, see what's in or edit the copy.sh. All right, uh, program fam cannot be found. Another option that we can try and do is use echo. Let's take this and see if we can edit it to add our IP in there. What is, all right, 10 dot 13 dot 0.59 2, /etc/copy.sh.

Okay, so basically what we're doing here is we are using sudo to, oh, maybe I can't use sudo. Okay, so we're gonna echo that shell that is already in that copy.sh file, and we updated the IP address to my IP address so that I can run netcat and, uh, try and see if I can get a shell that way using this file, and then hopefully the idea is that, I wonder if this needs to be after that, the idea is that, uh, with that shell we will have a root privilege, escalated privilege access, so that we could then go ahead and try and see if we can access the root flag. So what I'm going to do is copy this, set up another netcat listener with, uh, 5554. Now I will try to, all right, cross your fingers. Okay, now the next thing that I want to do is basically sudo and then run this that we have access to, so we can run this backup dot Perl file. No such file or directory, hmm. Did it work? It worked, okay. All right, we have root. We were able to run the Perl file, which then kicks off the web shell, and then the web shell contacted us, and now we have it and we are root. So let's go into root. Can't cd into root, let's try this way. cat root.txt, and there we go, awesome.

It was much easier the second time around doing this than the first time. Was a little stressful, even though it's not that difficult of a box. Sometimes you get tripped up on things that are a little simple, but hopefully that was a good walkthrough for you and I was able to clearly explain it. Again, if you want to watch me do live walkthroughs of these boxes, you can follow me on Twitch, and I'm streaming right now every Tuesday and Thursday around 5:30 Eastern Time, U.S. Eastern Time, so come hang out with us. It's a good time, we all hack together. Backseating is allowed, so yeah, we're just solving them together. So hopefully that was, uh, great and, uh, thanks for watching. Bye.
Info
Channel: shenetworks
Views: 8,253
Id: vr2lfJT6M6A
Length: 23min 59sec (1439 seconds)
Published: Wed Nov 30 2022