# LazyAdmin

## Nmap

```
sudo nmap 10.10.43.217 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 80 lands us on the Apache Ubuntu default installation page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0de7a3948068a122262c4bf81dd2f1266a5c7acf%2Fimage.png?alt=media)

With nothing interesting in the page source, we can move on to directory enumeration with dirsearch.

```
python3 dirsearch.py -u http://10.10.43.217 -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -t 60 --full-url 
```

dirsearch soon picks up the /content/ directory.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-98cff6160bdf130d97447b1aecb63b115d23be9a%2Fimage.png?alt=media)

Browsing to the directory reveals SweetRice. A quick search shows this is CMS software: <https://github.com/sweetrice>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-90721976028e77f249895996bd43a74991ad5d78%2Fimage.png?alt=media)

Running dirsearch again against the /content/ directory, this time with the raft-large-files.txt wordlist from seclists, finds the changelog.txt page: <http://10.10.43.217/content/changelog.txt>

```
python3 dirsearch.py -u http://10.10.43.217/content/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -t 60 --full-url  
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f8cf504fafc67b18b4edfae5a14bbfbee5fb4e84%2Fimage.png?alt=media)

The changelog tells us the target is running SweetRice version 1.5.0. Browsing to /content/as/ brings us to a login page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4a72983b26b22a512d4a4b2d39a16a88ead25a7b%2Fimage.png?alt=media)

The directory /content/inc/ also contains various files: <http://10.10.43.217/content/inc/>. Of particular interest is the .sql backup in the mysql\_backup folder.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2f87997f3bf166dc99503a3fe9c5f8d0aaf62123%2Fimage.png?alt=media)

Downloading the file and running the strings command against it reveals login information:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9ee7ce0d43d601514275c064217da1a7d1d414bd%2Fimage.png?alt=media)

This gives us a username of manager and a password hash of 42f749ade7f9e195bf475f37a44cafcb. The hash is MD5 and was cracked using Hashcat on Windows with the rockyou.txt wordlist.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-90569431787748bac6be4b5ed7523953d44d55d9%2Fimage.png?alt=media)

We now have the credentials `manager:Password123` and can log in to the CMS.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e84790e510e42281c4f664257c020982f1d8149d%2Fimage.png?alt=media)

Looking at the Media Centre blade on the right, we can upload files to the server. Initially I tried a standard PHP reverse shell, but the upload was filtered. Saving the shell with a .php5 extension was not filtered and the upload went through.
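The .php5 bypass is the classic failure of an extension denylist: it blocks the one spelling the developer thought of and none of the others the PHP handler also serves. The following is an added illustration in Python, not SweetRice's own code (the CMS's real filter is not shown in this write-up); it contrasts a denylist check with an allowlist check and a server-chosen storage name:

```python
import re

# Extensions that PHP-capable Apache handlers may execute; a denylist that only
# names ".php" (as the CMS filter here appears to) misses the rest.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# What a media library actually needs to accept (constructed allowlist).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}


def denylist_allows(filename):
    """Weak check: blocks only names ending in ".php" (case-sensitive)."""
    return not filename.endswith(".php")


def allowlist_allows(filename):
    """Stronger check: the final extension must be on the allowlist, and no
    dot-separated segment may be an executable extension, because Apache's
    AddHandler can match any segment of a multi-extension name (shell.php.jpg)."""
    base = filename.rsplit("/", 1)[-1]          # ignore any client-supplied path
    parts = base.lower().split(".")
    if len(parts) < 2 or not re.fullmatch(r"[\w-]+", parts[0]):
        return False                             # no extension, or dotfiles like .htaccess
    if parts[-1] not in ALLOWED_EXTS:
        return False
    return not any(seg in EXECUTABLE_EXTS for seg in parts[1:])


def safe_storage_name(filename, random_token):
    """Store under a server-chosen name carrying only the validated extension,
    so the client-controlled basename never reaches the filesystem."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{random_token}.{ext}"
```

Checking the file's magic bytes and serving the upload directory with PHP execution disabled are the complementary controls.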

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bfadbefe94a7b448c6190cfe208b10b76036dfd0%2Fimage.png?alt=media)

At which point I set up a `netcat` listener and executed the uploaded file.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d411453d6c14c8c6284c2b18fc0cd471d8e49ef1%2Fimage.png?alt=media)

From here we have access to the home directory of 'itguy' at /home/itguy. This directory contains some interesting files, namely backup.pl. The Perl script is not writable by us, but looking at its contents, it executes /etc/copy.sh, which we do have write access to.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-00fdedc2545b46baebd661502a0ce8fd7fa8ea91%2Fimage.png?alt=media)

I then transferred over [pspy32](https://github.com/DominicBreuker/pspy/releases) to check whether anything runs backup.pl or /etc/copy.sh on a schedule. After waiting some time I assumed not.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f6587d6179c6317fd791333920a3b73d1e3cf934%2Fimage.png?alt=media)

After checking sudo privileges we see that www-data can run backup.pl as any user without specifying a password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7d1b2145ddf23f9e97ca5af19f6b9a3fac4dea5c%2Fimage.png?alt=media)

From this we can replace the contents of /etc/copy.sh with a reverse shell, knowing that backup.pl, and therefore copy.sh, will execute with root privileges.

Checking the contents of /etc/copy.sh looks like it already contains a reverse shell...

From here I echo out the existing contents, then overwrite the file with the same reverse shell pointed at our attacking machine's IP and port, and execute /home/itguy/backup.pl via sudo as root.
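The escalation works because a NOPASSWD sudo rule hands root to a script that in turn runs a file a low-privileged user can edit. As an added example (not part of the original write-up), this Python audit parses a constructed sudoers entry mirroring the finding, follows the absolute paths the granted command and its scripts reference, and flags any that are group- or world-writable; `build_demo_tree` creates a constructed replica of backup.pl and copy.sh so it runs offline:

```python
import os
import re
import stat
import tempfile

# Constructed sudoers entry mirroring the write-up's finding (not copied from the box).
SUDOERS = "www-data ALL=(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl"
PATH_RE = re.compile(r"(?<![\w/.-])(/[\w./-]+)")


def parse_nopasswd_commands(text):
    """Return the command strings a sudoers file grants with NOPASSWD."""
    cmds = []
    for line in text.splitlines():
        m = re.search(r"NOPASSWD:\s*(.+)$", line.split("#", 1)[0])
        if m:
            cmds.extend(c.strip() for c in m.group(1).split(","))
    return cmds


def audit_command(cmd, root="/"):
    """Return every absolute path named in the command, or in the scripts it
    references (recursively), that is group- or world-writable. `root` re-bases
    lookups so the audit can run over a constructed directory tree."""
    findings, seen, queue = [], set(), PATH_RE.findall(cmd)
    while queue:
        p = queue.pop()
        real = os.path.join(root, p.lstrip("/"))
        if p in seen or not os.path.isfile(real):
            continue                              # already checked, or not in this tree
        seen.add(p)
        if os.stat(real).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(p)
        with open(real, errors="replace") as fh:
            queue.extend(PATH_RE.findall(fh.read()))   # follow what the script calls
    return sorted(findings)


def build_demo_tree():
    """Constructed replica of the chain: backup.pl (0755) runs /etc/copy.sh (0777)."""
    root = tempfile.mkdtemp()
    files = {"home/itguy/backup.pl": ('#!/usr/bin/perl\nsystem("sh", "/etc/copy.sh");\n', 0o755),
             "etc/copy.sh": ("#!/bin/sh\n# placeholder body\n", 0o777)}
    for rel, (body, mode) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
        os.chmod(full, mode)
    return root


def demo():
    """Run the audit over the constructed tree; expected [['/etc/copy.sh']]."""
    root = build_demo_tree()
    return [audit_command(c, root) for c in parse_nopasswd_commands(SUDOERS)]
```

On a real host the same check should also confirm the script and its callees are root-owned, since ownership by another user is as exploitable as loose mode bits.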

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e5aa480d0e1376347ce25d0ebc4bd0fee288af99%2Fimage.png?alt=media)

At which point we receive a reverse shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8fc774f3475716b222d8451427d75d75c3db6193%2Fimage.png?alt=media)
