TryHackMe Lazy Admin Official Walkthrough

Video Statistics and Information

Captions
Hey everyone, welcome back to another video here on DarkSec. I am Dark, and today we're going to be taking a look at the challenge room Lazy Admin on TryHackMe. This is an easy Linux machine to practice your skills. This is a machine that's been on the website for a long time now, but it's really, really popular because it's a great beginner machine: even if you're coming back to this and you just want some nice practice, a nice little dip into the pen testing pool so to speak, this box is really great practice for that. So with that being said, we're going to go ahead and dive right in.

So the first thing you'll need to do is join the room. I've gone ahead and already done that; however, you'll also want to deploy both the AttackBox, if you're going to be using that, as well as the machine itself. In this case I've gone ahead and done that. Since this is a challenge room and there's not exactly a lot here for us to work with, I'm actually going to be moving over to another tab which has the AttackBox full screen. Let's go ahead and do that right now.

So first things first, as with every single challenge box, or every single box we want to pen test, we're going to start off by scanning it. In this case I've gone ahead and already done that with this command: nmap -sV to get some service versions, and then I have it saved as an nmap file in the current working directory with the name of lazyadmin.nmap. So I've gone ahead and already done that; even then it's very quick, especially if you're using the AttackBox, because it's on the exact same network as the box you're attacking, and we can go and take a look at that scan now. So here we can see the output of the scan. It's not too exciting. In this case it looks like we have two ports open: we have 22, which is SSH, which is very rare to actually be the one that we're going to be targeting; it's just something that is very common to see on web servers. And then we have port 80. Traditionally in a production environment you're going to see port 443 instead of 80, but otherwise this is a very stereotypical Linux web server box, as we can see from the Apache web server running here.

Let's go ahead, and if we hop over to the browser here we can see what exactly is living on port 80, and it seems to just be a default Apache 2 landing page. Nothing too crazy there. So that being said, since we're not finding anything here, next we want to move into using gobuster to see if we can find something hidden, potentially a little bit deeper in the web server. We're gonna move over to another tmux tab here, and here we can see that I've gone ahead and completed that with the command gobuster, putting it in dir mode with the URL of my box IP (make sure that this one is yours, otherwise this won't work for you), and then I used directory-list-2.3-medium with just gobuster default settings otherwise. I've gone ahead and already let that complete and I found two directories. It looks like one that's really of interest is that content directory, especially since it's giving us a 301. The /server-status with that 403, we're not authorized to see that, so we can't do anything with that.

Now if we go to the web server again in our browser and take a look at that content directory, we can find that we have a landing page for a CMS that seems to be named SweetRice. So CMSs are very common targets, especially for OSCP-style boxes, and this box appears to be no different. So we have a basic starting point of information here: we know we're working with the SweetRice CMS. Now let's go ahead, we're going to jump over to Exploit-DB and let's see if we can actually find something that this is vulnerable to. It doesn't appear that we have an actual version here, but we can type in this name and see if we have anything we can work with. So going into Exploit-DB, and let me make this just a little bit bigger, typing in SweetRice will get us quite a few interesting options here. So it looks like this is a CMS that's had a little bit of a troubled history, starting with remote file inclusion when it wasn't even the 1.0 version. That's rough. However, we can see that we have a lot to work with here through the process of trial and error, and this is something that, especially since we don't have a version number, is one of those things that's worthwhile to look into and just kind of play around with. Eventually you're going to end up on the backup disclosure issue, the one here at the top, and if we go ahead and click into that, this is a very interesting vulnerability. It's one of the more simple things that you're going to find on Exploit-DB. In this case we can see that we have a proof of concept that says you can access all the MySQL backup data and download them from this directory: we have localhost, the actual IP of the CMS here, and then inc and then mysql_backup, which is interesting. If we can get this backup, in theory we should be able to potentially get passwords for being able to authenticate to maybe the MySQL database, or maybe just log into the web app proper.

So let's go ahead, we can take this, I'll copy that onto my clipboard, and we can go back here. Actually it's inc and then mysql_backup. Let's see what it was: mysql_backup. Let's see if we can find it in here, and we can actually just go here. So it looks like we're in this content directory. Let's try just going straight to /inc/mysql_backup and see if that's on here, and it doesn't look like it is. However, we know that the CMS was living in a subdirectory, which was the content directory, so maybe if we add that on here at the beginning. Looks like there we go. So we can see, sure enough, this version is presumably 1.51 or 0.1, and it looks like we have the MySQL backup available for us to download. I've gone ahead and already done that just for the sake of time; this does take a hot moment to download, just because the web server is a little bit slow and this is not a small file. If we go up to the downloads we can go ahead and I'll just click open file. I've already got this open so it should open it again. Let me see if I can make this bigger, and it is not going to let me. So here we can see that we have just a .sql file which appears to be PHP. Nothing too fancy here. However, if we scroll through this file, and this is where grep can be your friend, we can find, eventually when we scroll down to it, some actually useful text here. So we have Lazy Admin website's author, and then it looks like we have the keywords, description, admin. So it looks like the administrator account is named manager, and then the password is going to be this piece of information. Now this is a password hash. This is something that we can actually take and go back to our browser and see if we can actually crack this with a website called CrackStation.

So let's go ahead and do that right now. Go ahead and copy that to your clipboard. I've gone ahead and already done that; otherwise you would be grabbing it just right over here with this clipboard button. And we can go to CrackStation, and I've gone ahead and already pasted that in. You'll click the "I'm not a robot" to just do the captcha. However, we can see that it was an MD5 hash, which is something we could have gotten with hashid anyways, and the password is incredibly strong at Password123. And again, this is fairly straightforward. This is something that you'll pretty commonly find in backups like this, and it's actually pretty common to find backups like this exposed on maybe network shares or other things like that. So keep an eye out for this and be aware: a lot of times these are pretty weak passwords and you can crack them very quickly. So we know our admin account for the actual web app and we know the password for that account. Let's head back to the TryHackMe AttackBox and see if we're actually able to log in.

So before we can do that we actually have to find the login window, which is a little tricky. This is actually something that you can find either by doing recursive gobusting, or you can just look up the documentation for this specific web app. It's not very complex documentation; it's actually pretty straightforward. And we know that we're out of the content directory, so we just know that we have to prefix everything with that. So once you do a little bit of Googling around you can find that we go to the web server, and then content, and then if we put /as as the directory, we can find that we have our login panel. So pretty straightforward, and you can see it looks like this has its copyright updated, but this is pretty indicative that that's just updating with JavaScript, so it's very likely that this probably has plenty of other problems with it as well. So I've gone ahead and actually logged in in another tab, so I'm going to jump back over here. We can see that we have the MySQL backup, and once you log in you'll be greeted with this lovely SweetRice admin panel. After poking around in here a little bit you can find that there is an arbitrary file upload where you can just kind of add your own pages. If you go to the Advertisements link over here, and I'll middle click that to open it up in a new tab, we can see that we can add in an ad and then just add the code for the ad, which is very interesting. This is something that it looks like was built with good intentions; however, this allows us to just kind of chuck a backdoor in the web server and get a shell off the machine that way.

So what we can go ahead and do, and I've gone ahead and already done this just for the sake of time, is we can grab a reverse shell off of our machine. Let me open up a new tab in tmux. We can grab that from /usr/share/webshells/php/php-reverse-shell.php. We can go and copy that to our current directory, which I've gone ahead and already done, so we're going to skip that, and then we can open that up and we have ourselves a PHP shell. Now the one thing that we'll have to do is we will have to change these two pieces of information to match up with what we want. So in this case this is going to be your AttackBox IP, and I'm glad I didn't already launch this, because that is incorrect for mine; I should not have that zero at the end. And then we need to set the port that we want to send our reverse shell back to. What we can go ahead and do as well, before we keep going, is I'm going to hop over here and I'll restart this: we want to start a netcat listener to actually catch our shell once we launch it after putting it in the ad here. So if we go ahead and we use the command rlwrap (now this is something that isn't traditional with netcat shells, I'll get into it in a moment) and then netcat -lvnp. So this is listen, this is verbose so it'll tell us when we have a connection, n is going to be, I forget what n is off the top of my head, it's just something I use out of habit with this, and then p is going to specify the port that we're actually going to listen at. rlwrap is an actual wrapper for this, so netcat shells by default are kind of not great to work in; if you do Ctrl+C in them it will just outright kill them. rlwrap gives us the ability to use up arrows in this and go back in our command history. It's really nice; it's just a nice quality of life thing that we can do to make our shells a little bit better.

That being said, let's go ahead and launch this, and then we will go back to the PHP reverse shell and I'll do Ctrl+A and then Ctrl+C to copy that onto my clipboard, and we'll name this "shell" and we'll paste in our fun code, and there we go. We should be able to save that, and let's see, it'll give me just a moment. I'm gonna go ahead and make sure that that saved correctly and we'll be right back. Okay, looks like it did save correctly. So if we go ahead and navigate, and this is something else that we would also find with either recursive gobusting or via just poking around at the documentation for this, we can actually find that the advertisements for this are actually stored in a directory within the inc folder. So if we go here and then we go to /content/inc and then, let's see, I believe it's just ads, we should be able to find them here. I don't know if this is going to be listable, and there we go. So we have our shell.php, and once we click on that, that's going to go ahead and run the code, and there we go, we've gone ahead and gained access to this machine.

Now if we do ls /home, looks like we have an itguy. Let's see, ls -la, let's see if we can ls rather /home/itguy and see if we can get a flag out of there. Let's see, cat /home/itguy/user.txt, and there we go. So we're able to get that flag. We can copy that out by highlighting it and then copy, and then if we go over to the clipboard, double click or triple click to select all of it, we can go back to this tab and collect our user flag. Cool, and it should give me my lovely streak. All right, so we've gone ahead, we've gained our user flag, and we are ready to go into privilege escalation.

So with privilege escalation, you may notice that we are www-data. Having to escalate from this position is very common if you are ever going after web servers; it's very common to end up as this user, or I believe IIS has a user specifically on Windows, which I'm sure we'll come across when doing a box on this channel at some point. But for Linux this is the user that you end up as for the most part. That being said, it's very common to have to privesc out from this, and one of my favorite ways to check for privesc is by using sudo, and sure enough. So we don't have the actual password for our user; however, it looks like we have permissions to run, without a password, /usr/bin/perl on this script, /home/itguy/backup.pl. Now that's an interesting one, because typically we don't work with Perl. Perl is just a scripting language; it's similar to Python, it's a little bit more distinctive what it's used for, but it's something that is worth being a little bit familiar with, at least the basic syntax that we see in it.

So let's go ahead, we can take a look at what that actual file is, since we can run it with sudo powers. So we cat it. That's very straightforward. So we have a shebang up here saying "hey, you need to run this with Perl," and it looks like we're running system commands, so sh (so a plain shell as opposed to bash), and then we're running that on /etc/copy.sh. And let's take a look at that file. Let's first see if we can actually modify this file, because if we can just modify this file we'll just have it run a shell for us. If we do ls -la /home/itguy, let's see who owns that file, and it is root. So it looks like root has read and write to it, and everyone else has read and, it looks like, execute powers. So, interesting, we can't actually write to that. Let's see, and let's go ahead and cat that again, /home/itguy/backup.pl. Let's see if we can actually modify that /etc/copy.sh file. So let's do ls -la /etc/copy.sh; I believe this should give us permissions just for that file, and sure enough it looks like, so this is the everyone part, we have read, write and execute powers on this even though it's owned by root. So, interesting. That's not great. Let's go ahead and cat, actually we don't even care what's in that at this point. We can write to it and we know that it's going to be running as root, so we can just have it spawn a shell. In this specific case, let me go ahead, I'm going to look up a specific thing. Actually, we can have it send us a reverse shell here in just a second. Let me go ahead and pause and grab my notes for that real quick.

All right, and we're back. So we're actually gonna do something a little bit more interesting rather than sending ourselves a reverse shell: we're going to use a privilege escalation technique called rootbash. This is one that Tib3rius covers pretty heavily in his Linux privesc course on Udemy, so I definitely recommend checking that out and checking out the room associated with that on TryHackMe. But with this we can go ahead and create an SUID version of bash that we just chuck in the tmp folder, that way it's gone when the server reboots, easy cleanup, and we can just run it with the -p option to become root whenever we want. It's a great way to, especially if maybe the privilege escalation method that you have is a one shot or very finicky, this is a great way to be able to actually privesc consistently off of one exploit that you don't have to run over and over again. With that we can go ahead and echo this into the /etc/copy.sh file; that way we can just override it for this case. Typically we don't want to actually overwrite scripts like that, because we don't want to be noticed. If we're ever writing scripts we're going to break things, especially something like that that looks pretty important. Typically we want to just tack our stuff on at the end, and that way everything still works as normal and we would just restore it back to normal after we're done with this, or we could even just copy it out and then restore it back to normal, or make just a backup of it and then write right over this one. Either way, we don't want to be caught, and if we're breaking functionality that's supposed to be part of the web server, someone's going to have to go and investigate and then we're going to start getting caught. Quite a bit more important when we're actually going through and doing red teaming as opposed to pen testing, but just something to be aware of.

That being said, let's go ahead and echo in our magical rootbash command to the /etc/copy.sh. So we can go ahead and put this as, we'll name it rootbash, so we'll copy the bash binary into /tmp and rename it as rootbash, and then we're going to give it an SUID sticky bit with chmod, since this is running as root, and we can echo that into /etc/copy.sh. And there we go. So now if we do sudo -l again, just double checking that we have the correct path, if we do sudo /usr/bin/perl and then /home/itguy/backup.pl, we can see that it completes just nice and quietly there, and if we take a look in /tmp we can see that we have that wonderful rootbash binary that we can run with /tmp/rootbash -p. And there we go. This might not look like much, but if we run whoami we can see that we are now root, and we can go ahead and cat out that wonderful root flag, and there we go, and that's done it. So again, we're abusing the fact that we can create our SUID binary that's just bash, so it runs bash as root whenever we want, creating a very nice way that we can privesc whenever we want. Let's go ahead and copy this out and we'll put this in the flag submission window if we go back over here, and there we go.

That's gonna do it for this video. If you have any questions, as always, I will have the DarkSec Discord as well as the TryHackMe official Discord and subreddit linked in the video description below. If you enjoyed this box, please comment, let me know what your favorite part is. Otherwise, until next time, happy hacking.
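A defender-side check for the misconfiguration the walkthrough abuses, added here and not taken from the video or from TryHackMe: given a script that a sudoers rule lets a low-privilege user run as root, it flags the script and every absolute path it references that is group- or world-writable or not owned by root. It assumes GNU stat (`-c`); the demo tree it builds under mktemp is constructed to mirror the backup.pl -> /etc/copy.sh chain and is not the real box.

```shell
#!/bin/sh
# Audit a sudo-permitted script for files that someone other than root can modify.
# Prints "WRITABLE <path> ..." when group/other has write, "NONROOT <path> ..." when the
# owner is not root. Returns 0 if nothing was flagged, 1 otherwise.
# Assumes GNU stat -c; paths containing whitespace are not handled.
audit_sudo_script() {
    script="$1"
    flagged=0
    # The script itself plus every /absolute/path token it mentions, deduplicated.
    for f in "$script" $(grep -oE '/[A-Za-z0-9_./-]+' "$script" | sort -u); do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f" 2>/dev/null) || continue    # octal mode, e.g. 777 or 4755
        owner=$(stat -c '%U' "$f" 2>/dev/null) || continue
        # 022 (octal) masks the group and other write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf 'WRITABLE %s mode=%s owner=%s\n' "$f" "$mode" "$owner"
            flagged=1
        elif [ "$owner" != root ]; then
            printf 'NONROOT %s mode=%s owner=%s\n' "$f" "$mode" "$owner"
            flagged=1
        fi
    done
    return $flagged
}

# Constructed stand-in for the video's layout: a perl script that shells out to two
# files under etc, one world-writable (the weak one) and one 755 (the hardened one).
# Prints the temporary root directory it created.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/itguy"
    printf '#!/usr/bin/perl\nsystem("sh %s/etc/copy.sh");\nsystem("sh %s/etc/safe.sh");\n' \
        "$d" "$d" > "$d/home/itguy/backup.pl"
    chmod 644 "$d/home/itguy/backup.pl"
    printf '#!/bin/sh\n' > "$d/etc/copy.sh"; chmod 777 "$d/etc/copy.sh"
    printf '#!/bin/sh\n' > "$d/etc/safe.sh"; chmod 755 "$d/etc/safe.sh"
    printf '%s\n' "$d"
}

# Demo run: expect copy.sh to be reported as WRITABLE, safe.sh not.
demo_root=$(make_demo_tree)
if audit_sudo_script "$demo_root/home/itguy/backup.pl"; then
    echo "nothing flagged"
else
    echo "sudo target pulls in modifiable files: chown root and chmod 755 the flagged paths"
fi
rm -rf "$demo_root"
```

Point audit_sudo_script at the command paths listed by `sudo -l` on a real host; each flagged line is a file to re-own to root and strip of group/other write.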
Info
Channel: DarkSec
Views: 11,196
Keywords: infosec, tryhackme, box, hacking, learn, darkstar, darksec, educational, darkstar7471, try, hack, me
Id: Tf8mMs0lvPA
Length: 21min 0sec (1260 seconds)
Published: Fri Apr 30 2021