TryHackMe - Lazy Admin Walkthrough

Captions
Hey, what's up everyone, Jason Turley here, back with another video. Today we'll be looking at the TryHackMe Lazy Admin challenge. The little description reads: easy Linux machine to practice your skills. If we scroll down here, we see I've already started the machine, I've got the IP address loaded and ready to go, and we have one task that has two, I guess, questions: what is the user flag and what is the root flag. There's no hints, no guides, nothing like that, so without further ado let's just grab the IP address and start enumerating and see what we can find on this machine.

I already have a VPN running in a separate tmux window, that's good. If you're not using a virtual machine like this, you can optionally start the AttackBox that TryHackMe comes with and use that totally in your web browser; I just prefer using a virtual machine. So let me create a little working directory, I'm just going to call this lazy-admin, and cd into that directory. We have our IP address, we can ping it to make sure it's up, that's good, and we can scan it with nmap -sV -sC and the IP address, and then save your results to a file; I'm just going to call this nmap scan.exe. To explain these two options: -sV is telling nmap, when you find an open port, scan it for the service version, so if there's like HTTP, find what web server that is, is it Apache, is it nginx, etc., what version. And then -sC runs any default scripts. An example I like to use is FTP: if that's running and it finds it, it'll see if it has FTP anonymous logon, which is a really common thing for these kinds of CTFs, FTP anonymous logon to get some type of upload and web shell, remote code execution. So that scan came back pretty quickly, it only took 26 seconds. We see two ports are open: 22, Secure Shell remote login, and then port 80.

So there's a website running. We see here already, since we did -sC for the scripts, it already tells us the title of the website; it's just the default Apache landing page. If we want to confirm that, we can open up a new tab and just browse to that IP, and yeah, they're right, it's just a default landing page, whatever you get when you create an Apache site, nothing really special here. You can hit Ctrl+U to look at the source code; sometimes there's little comments or hints or notes, especially in capture-the-flags like this, maybe not so much in actual production environments. This is HTML syntax; we see here, like these are the comments, you can see it's a different color, but this isn't anything useful. We can keep looking, keep looking, not really seeing anything. So we can try to manually enumerate this: sometimes websites have robots.txt, which tells scanners don't look at these pages; sometimes there's like an upload folder, no; or like an admin, okay. So we can keep poking around and doing this manually, or we can use a tool called gobuster to do this for us, to automate it. There's also dirbuster and dirb that come pre-installed, right; gobuster you have to install, and you have to have the Go binary as well. So we can use dirb or we could use gobuster; just for fun I'm gonna use gobuster. Looking at the help, we know we need a wordlist, some type of information to give it so it knows where to traverse, and we need the URL. You can give it other options if you'd like, but we're just going to start with that. So the URL is just http:// and that IP address, and our wordlist, there's a lot of them, let's start with a /usr/share wordlist, the dirb type; I'm just going to hit tab complete. I can pipe this into gobuster.txt just to get the scan results, save that to a file. All right, we see some results, but with error code 403, so we can't access those; those are probably permission denied, so nothing helpful right there. Oh, this is cool, we see a /content, so we can grab that and click here.

Okay, sweet. "Rice notice. Welcome to SweetRice. Thank you, thank you for installing SweetRice as your main website management system. The site is building now, please come later. If you are the webmaster, please go to Dashboard, General, Website and uncheck" blah blah blah. Tip: for basic CMS, SweetRice installed. So CMS, in website terminology, in this lingo, means content management system; it's just a way to build and manage websites. The most popular one that people are familiar with is WordPress. I've never heard of SweetRice, so we can poke around and use Google and just search "sweetrice vulnerability" or "sweetrice exploit"; spelled that wrong. All right, and we see some results here, right, so we start clicking. We see something from the Exploit Database, poke here: SweetRice version 1.5.1 unrestricted file upload. That's interesting. So this is a Python script, okay, so this payload needs a username and password; we don't have either of those, and we also don't know the version. We see some URL stuff here, let's keep poking around: code execution. Oh, "TryHackMe Lazy Admin write-up", we don't want to read that, we don't want to cheat anything here. Zoom in, is that super tiny? Okay, it says the SweetRice CMS panel, in the ads section, allows an admin to upload PHP files. So if we can upload PHP files, perhaps we can do like a reverse shell, and then it gives us the URL to go to: sweetrice /as, ad equals, mode save. That's interesting, sweetrice inc ads. Can we go to that? Can go to /content; what was that URL, sweetrice, is that a thing? ads, no. Okay, so let's hit up arrow on our gobuster, and then instead of just scanning the base URL let's add /content as well, maybe we can find some other hidden pages. There we see themes, all right, we can click on that. All right, we get the default theme, I guess, of the website. Okay, so we see .php, so the website does support PHP files, so we probably can eventually upload a PHP shell. We should see /as, oh, a little login page.

That's interesting. Ctrl+U, are the creds here anywhere? Ctrl+F, look for password, no. Okay, it's got some JavaScript code in here as well; I don't think the password is going to be hard-coded into this though. All right, we can just try admin/admin: admin, admin, login failed. admin/password, login failed. I also don't know the username, I'm just assuming it's something like admin. You could throw Hydra at this and just brute-force it, but we don't know the username, we don't know the password; that's not really smart, to just blindly brute-force a website like this. I know this is just a CTF, but in real life you don't want to just slam something with a bunch of requests, you're gonna get your IP blocked. We're going to leave this here, right click, duplicate tab. inc, what is that? Oh, this is interesting: 404.php, alert, cache, .htaccess, is there anything in there? Nah, that's some garbage. Okay, mysql_backup, not really sure what this is, MySQL backup, and then we see the date of 2009, or 2019 rather. Okay, click on there. All right, it downloaded it, open it up, make that a little bit bigger. Okay, what are we looking at here? PHP, return array, so this is a bunch of like SQL commands, I guess, syntax like that. Is there anything worth it in here? All right, we're scrolling down, we're looking. All right, this is a lot right here, what's going on? We see the URL, "thank you for installing SweetRice, this is your website", oh, here we go: description, we see admin, manager, password, and we get this big string. Is that the password? Right click, copy. This might not be the password, right, because this is a database and it probably wouldn't store the password in plain text, but it might store it as a hash, and if we want to crack a hash we can go to something like a hash cracker, or CrackStation I think is what it's called. CrackStation, yeah, crackstation.net. Let's see, this is a really cool tool, free password hash cracker. Let's slam that in there. I am not a robot, unfortunately, so click there. Do all these captchas, all right: bridge, bridge, bridge, I think that's it. Bridge, it's not, that's not really a bridge. Verify. Okay, crack hashes. That was fast: password123. Grab that.

And we could be taking notes the whole time as well; I could be like vim README.md, username admin, password, and then we could throw in the hash as well that we found, you know, we could throw in the URLs and the results of the gobuster scans and everything like that. But let's come back here, let's do the password password123; does that let us log in? Okay, that's not the password, or that's not the username. Is it manager, is that the username? Yeah, login success, nice. Now, before I go any further here, we also saw, what did we see from our nmap scan? We saw 22 is open, SSH. Didn't mean to do that. Can I log in with SSH: manager@ grab this IP, yes, password123, permission denied. Maybe if I hit the enter key harder, no. Okay, so that user, it exists on the system, but it can't log in with SSH; perhaps they're just denied, they only have access to the website. I could try again perhaps later once we get the root user, the root password.

Okay, we saw something, here we go, we saw this write-up, this vulnerability, CVE from Packet Storm; it pointed at, where was it, ads, something about ads and then PHP remote code execution. Let's see if we can do some of that. All right, category, post, comments, ads. Let's go on ads. Okay, so you can name this whatever and then you can paste in some code. What do they have here? Let me just test this out with this, copy, just name it hack, slam that in, done. Here's our script. A few minutes says go to this URL, pretty much. See, let me pull this up, what am I doing, curl. All right, let's curl this, we don't want that: content/inc/ads/hack.php. Did I do that right? Not found. All right, that's better. Question mark, is that what I wanted? Let's type that, the less, hack, value, hacked. I was struggling to get that to work through curl, but perhaps I was just using the wrong URL. So I'm back here, I'm back here: IP address /content/inc. I can go to ads and then hacked.php, click on it. Okay, I didn't like to download that, whatever, but if I right click this URL, copy link, and if I try to curl that, does it like that? Grab that, I don't know, it's doing something; not the best test case, but let's go to webshells. All right, we want PHP, ls, we want this php-reverse-shell. I'm just going to grab it and copy that into my little working directory, YouTube, TryHackMe, lazy admin, and then cd back there, ls, oops, ls. Let's rename it, just for fun; I'm gonna call it notashell.php. Let's open that up in Vim, let's edit this, because we're going to paste this into the website, right, so we might not want all these comments, all this code describing what it is, just to be a tiny, tiny, tiny bit more stealthy. Cool. So very nicely it tells us to change these variables. I want my IP address to be my VPN IP address that you can see in the lower right-hand corner; that's a neat trick of using tmux, if you guys want I can show you that in a different video. Instead of using port 1234 as the callback, let's use something a little bit different, a little bit more stealthy, 4891. Set up my netcat listener. All right, let me name this notashell. There doesn't seem to be any way to upload this; it seems like you have to copy and paste it, and doing that in Vim is a little bit tricky, or doing it from the terminal is kind of tricky if I just want to highlight all this, just because it's a lot and it goes through multiple terminal screens. Let me just open this up in Mousepad, that way I can just do Ctrl+A, right click, copy, come back here, slam that in. Got some extra newlines, scroll back up, okay, confirm this is the correct IP address, the correct port, hit done. Now I can come here, refresh, notashell, click on that, and we see we got our connection, we got our callback, so that PHP code executed and we told it to call out to our IP address on this port.

And I didn't go over this, but if you look at, if you, that's gone, okay, vim notashell. So if you look, where is it at, scrolling down, so this is the shell code, /bin/sh -i. Oh, right here, shell. So as soon as you get your connection it's going to run these commands: uname -a, so this right here is going to get the operating system, so Linux; it's going to get the name, the hostname, TryHackMe challenge; the version of Linux, the kernel we're on, 4.15, so on and so forth; this is a 32-bit machine. It's going to print out w, so is there anyone currently logged in? Yeah, there's us, www-data, and then it's going to start /bin/sh. So that's why when you get the shell it automatically prints out these things; those are commands that are hard-coded to run. If you really wanted to, you could add more Linux commands here, like whatever, cat /etc/passwd for example, and it'll do that on initial connection. So we can figure out what directory we're in; we're in /, ls, okay, nothing here. Let's look at the home directory, /home, itguy, let's poke around in that, /home, oh no tab complete. Do I have Python installed on this? which python, okay, python. Let's see if I know this by heart: hit Ctrl+Z, send that to the background, stty raw -echo and fg, export TERM=xterm, export TERM=xterm-256color, all right, whatever, Z, oh no, whatever. But I can't clear the screen; it doesn't like my TERM variable, so unset. I feel like I struggle with this every single video. Okay, I tried doing it from memory, but I'm bad at that, so I have it on my website and I can click here; you can see my little anime character thing, that's not really important; go to blog, Ctrl+F for shell, here we go: how to stabilize a reverse shell. I wrote this a long time ago; you'd think I'd have it memorized, I really don't. Let's do it like this, so I'm gonna grab this value, you can exit on the current shell, slam that in. Okay, this seems to have died, yes, like ef, h, okay, let me just kill this PID, kill -9 that PID. Okay, yeah, I don't know what's wrong with that. nc -lvp 4891, let's do this again fresh, right, we're on target, in bash, all right, cool. Come back here, stabilize; if you don't have Python you can use Ruby or Perl. Ctrl+Z, and then we want this stty raw -echo, Ctrl+Z. Let's do echo $TERM, let's set our TERM to this, let's see if that makes it happy. Here, there we go. Okay, so maybe we need to go back and update that blog, sorry for the hassle guys. So the issue was I was exporting my terminal variable, my session for this, right, I was doing it to something I couldn't understand, the xterm thing. I guess it's easier if you do it to whatever your host, whatever your virtual machine is using, if you're using that, so this is using screen-256color. I'm also using /bin/bash instead of /bin/sh, I don't know if that makes a difference as well for that, but now I should have the tab complete at last: ls /home, and I can also hit Ctrl+L to clear the screen and do other bash shortcuts, awesome.

So with that out of the way, let's just go into their directory, ls, see what they have going on. Okay, the .bash_history goes to /dev/null; this user can use sudo, that's cool. We see user.txt, we have access to read that; we see mysql_login.txt, our MySQL logon. Let's start with the user.txt because we need that for the challenge question; grab that, thank you very much, slam that in. Okay, now we need the root flag, but let's cat out the MySQL login: rice and randompass. Is there a MySQL running on this, and it's that and you, hey, it looks like it, on localhost. I always screw up the MySQL syntax; I like that, access denied, all right, whatever. So we have this rice and randompass; I'm not sure if that's an actual user on the system. We can cat out /etc/passwd; there's a lot going on, let me make this easier to read, I'm just going to grep for bash in /etc/passwd. There we go, it looks like the only users are guest, itguy and root. Okay, so I don't know if that's like an Easter egg or if that's something we should enumerate a little bit further, poke around at that local SQL session that's running; maybe I'll do that after I escalate to root.

Let me do sudo -l, see what I can run as a more privileged user. All, so I can run Perl on /home/itguy/backup.pl. Is that here? ls, backup.pl, I don't even see that. Cool, let me cat that out. So this is a Perl script, which is just a scripting language just like bash or Python. system, so run shell: /etc/copy.sh. Does that exist on the system? Let's see, copy.sh, it... let's cat that out. rm temp, whatever. Okay, so this might look like gibberish, it might look like nonsense, but what this is, it's actually executing a reverse shell; we can see netcat right here, so it's executing a reverse shell at this IP on this port. So I'm curious, if I start yet another netcat listener, I can get rid of this, so nc -lvp, or, 5554, and then I can edit this, right, and give it my IP address instead, and just run it and have a callback on my IP address. So is this script running at all? Is there like a cron job, /etc, home, type, no, nothing really there. crontab -l, nothing for my current user. Can I edit this? There's no vi, no nano, I do have nano. nano /etc/copy.sh: unable to create working directory, permission denied, oh, okay, whatever. So let's change this to our IP address. I don't really like nano as a text editor, I'd rather use something like Vim, but you work with what you have, right. We could also use cat as a text editor, that's a neat little trick. Yes, save. Okay, let's just make sure that's saved; okay, it has our IP address. Let's do sudo, it's easier, perl on that. Do we have the password for this guy? Is it password123? No, we don't have his password, but when I did sudo -l it didn't ask me for a password; it says NOPASSWD. So what's going on? The thing that's kind of confusing with this is it wants the exact path, right, this complete thing, so I gave it a relative path, I just did, in the current directory, right, backup.pl. But if I give it sudo and then this entire execution line, this entire entry, now it runs with no password, and we see here I got my connection, and instead of a dollar sign I have a pound; that's just like a neat little syntactic sugar highlight kind of thing that the root user has: instead of the dollar sign or a caret it'll have pound, so that's how you know you are the root user. So we can do the same thing; we know we're not in a real shell, we're in a crappy, crummy shell that doesn't have tab complete or anything like that, so you can upgrade it with that Python trick, but I don't think we'll be here too long, so let's cd to /root, oh, ls, there we go, root.txt, and there we have it. So we are the root user.

We can poke around some more since we have full permission, full privilege to the system. We can cat out /etc/shadow and /etc/crontab, and we can try to crack the hash for this user, because we did see that SSH is installed, right, so it's weird that neither of these usernames with the passwords we had really worked, but we can give that a try. I'm going to SSH as root, maybe password123 will work, no, that didn't work. Not sure. We could keep poking around; maybe no one has SSH access, maybe no one can do it, so yeah, I'll leave that a mystery for the viewers. But overall we solved this machine, it wasn't too bad, right; we kind of fumbled around a little bit with the ads and getting that to run, and we did fumble with the reverse shell; you'd think after doing this so many times I'd have this down pat. I'll probably update this, it isn't good, just to hard-code it. Anywho, that's how I solved this challenge guys; I'd be very curious to see how you guys did it, what other techniques you tried, what other avenues you explored and went down. But you know, that's it; remember to like, comment and subscribe, check the description for anything else I'm affiliated with, and as always, take it easy and see you guys in the next video.

Hey, what's up everyone, back again. I was playing around after I ended that last segment, that last video, and there were some few things that I really wanted to poke around and look at a little bit further, and one of them being that SQL service that is running. We can see that in the netstat listening, right, and that's the... you see SQL is running, the daemon. If I do ps -ef and just grep, I guess, for sql, we see that the process is running, so there is something going on. As I cat out those creds that we saw, mysql_login, and if I try to log in with just this MySQL user rice and the hostname of localhost, I get error access denied, using password: no. And before I kind of just glanced over that and skipped this, whatever, who cares, but if you add -p to specify a prompt for password, you can type it in here, so if I type in randompass we see that I have a SQL shell. I can do show databases; okay, I haven't looked at any of this before, let's use website, show tables. I'm not sure if there's anything useful, if there's any other sensitive data or threads, since this is just a CTF, so I won't poke around probably too much more, but this is like a cool, realistic kind of trick, right. It did not have SQL running externally; that's why we never saw it in the nmap output, because it's not a public-facing service, it's run internally, only people on this machine could use it. Perhaps if this is like a corporate network it'd have an internal IP address, so other users connected to that network, either physically or through the VPN, they can access it. So that's just a neat thing; I guess the error on their part is just saving their creds in their directory, the username and password, just saving it there. So you know, just another thing; if this was like a pen test we could report that, like hey, you know, we were able to access the SQL internal server and poke around. It doesn't seem like there's anything too pertinent, it's useful, but I just wanted to let you guys know there are a couple rabbit holes that you can dive down and explore. So that's it, for real this time; take it easy and see you guys in the next video.
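The escalation at the end of the video (a Perl script allowed under sudo with NOPASSWD that in turn runs a shell script the low-privilege user can edit) is the sort of misconfiguration a host audit should catch before anyone else does. The following is an added example, not code from the video or from TryHackMe: a Python check that parses `sudo -l` style rules and flags interpreter-launched scripts that are themselves writable by the user, or that reference another file the user can write; the file names (backup.pl, copy.sh, rotate.pl), paths and contents are constructed in a temporary directory at run time.

```python
"""Audit sudo NOPASSWD rules that run a script through an interpreter and
flag cases where the unprivileged user can edit the script itself, or a file
the script executes.  Constructed example: the temp-dir layout mimics the
walkthrough (backup.pl calling copy.sh) but is created at run time."""
import os
import re
import stat
import tempfile

INTERPRETERS = {"perl", "python", "python3", "sh", "bash", "ruby"}
# One `sudo -l` entry: "(runas) TAG: /path/to/cmd args"
RULE_RE = re.compile(r"\((?P<runas>[^)]*)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)")
PATH_RE = re.compile(r"/[\w./-]+")  # absolute paths inside a script body


def writable_by(path, uid, gids):
    """True if a user with this uid/gids can write the file (DAC bits only)."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def executed_files(script):
    """Existing files the script refers to by absolute path."""
    with open(script, encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    return [p for p in PATH_RE.findall(body) if p != script and os.path.isfile(p)]


def audit_rule(rule, uid, gids):
    """Return (kind, path) findings for one NOPASSWD interpreter rule."""
    m = RULE_RE.match(rule.strip())
    if not m or "NOPASSWD:" not in m.group("tags"):
        return []
    argv = m.group("cmd").split()
    if len(argv) < 2 or os.path.basename(argv[0]) not in INTERPRETERS or not os.path.isfile(argv[1]):
        return []
    script = argv[1]
    findings = []
    if writable_by(script, uid, gids):
        findings.append(("writable-script", script))
    findings += [("writable-dependency", p) for p in executed_files(script)
                 if writable_by(p, uid, gids)]
    return findings


def demo():
    """Recreate the walkthrough's pattern in a temp dir and audit three rules."""
    uid, gids = os.getuid(), set(os.getgroups())
    with tempfile.TemporaryDirectory() as d:
        copy_sh = os.path.join(d, "copy.sh")      # world-writable helper
        backup_pl = os.path.join(d, "backup.pl")  # read-only wrapper calling it
        rotate_pl = os.path.join(d, "rotate.pl")  # read-only, calls nothing
        files = {copy_sh: ("#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n", 0o777),
                 backup_pl: (f'system("sh {copy_sh}");\n', 0o444),
                 rotate_pl: ('print "rotating logs\\n";\n', 0o444)}
        for path, (body, mode) in files.items():
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        rules = [
            f"(ALL) NOPASSWD: /usr/bin/perl {backup_pl}",  # flagged: copy.sh writable
            f"(ALL) NOPASSWD: /usr/bin/perl {rotate_pl}",  # clean
            f"(ALL) /usr/bin/perl {backup_pl}",            # password required, skipped
        ]
        return {r: audit_rule(r, uid, gids) for r in rules}
```

On a real host you would feed the `(ALL) ...` lines of `sudo -l` output for each account into `audit_rule` with that account's uid and group ids.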
Info
Channel: Jason Turley
Views: 470
Keywords: tryhackme, penetration testing, linux, security
Id: a0VkepqxTQU
Length: 31min 45sec (1905 seconds)
Published: Mon Jun 26 2023