Room Info
Name: LazyAdmin
OS: Linux
Difficulty: Easy
Link: TryHackMe



Nmap Scan

# nmap -Pn -sV -sC

Nmap scan report for
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 

Only two ports are open: 22 and 80. It's clear that the machine is web focused. Let's enumerate the web server.

Directory Enumeration

# gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
Starting gobuster in directory enumeration mode
/content              (Status: 301) [Size: 312] [-->]

Gobuster discovered the path /content, which is running the SweetRice content management system (CMS).

Further research revealed that SweetRice CMS is known to have multiple vulnerabilities.

└─$ searchsploit sweetrice           
----------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                       |  Path
----------------------------------------------------------------------------------------------------- ---------------------------------
SweetRice 0.5.3 - Remote File Inclusion                                                              | php/webapps/10246.txt
SweetRice 0.6.7 - Multiple Vulnerabilities                                                           | php/webapps/15413.txt
SweetRice 1.5.1 - Arbitrary File Download                                                            | php/webapps/
SweetRice 1.5.1 - Arbitrary File Upload                                                              | php/webapps/
SweetRice 1.5.1 - Backup Disclosure                                                                  | php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery                                                         | php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution                                    | php/webapps/40700.html
SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload                                                | php/webapps/14184.txt
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

We can access the backup file at /inc/mysql_backup.

Exploiting the Backup Disclosure vulnerability, I found a MySQL database backup containing a username and a hashed password. The hash could be cracked using tools like CrackStation.



I discovered that the ads page allows for the injection of PHP code, which can be executed by the system. Submitting a PHP reverse shell payload from PentestMonkey through the ads page gives us initial access. The code can be accessed at the path: inc/ads/filename.


Start a netcat listener and execute the payload. We got a reverse shell as the www-data user.



User flag: THM{63e5bce9271952aad1113b6f1ac28a07}


Privilege Escalation

Using sudo -l, we observed that we can run without a password. However, we lack write permissions for this file.

We can see that runs another file located at /etc/ Fortunately, we have write permissions, so we can inject our reverse shell payload into this file. We can then trigger its execution by using the following command: /usr/bin/perl /home/itguy/
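
From the defender's side, the root cause above is a sudo-allowed script that runs a second file which unprivileged users can modify. The audit below is an added example, not part of the original write-up: it follows every absolute path referenced from a sudo target and reports files that a non-root user could rewrite. The file names in its sample are constructed placeholders, and it assumes the referenced files appear as absolute paths in the script text.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

ABS_PATH = re.compile(r"/[\w.+-]+(?:/[\w.+-]+)+")  # absolute paths, 2+ components

def weak_reason(path, trusted_uids):
    """Return why a non-root user could modify `path`, or None if it is safe."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/world-writable (mode {stat.S_IMODE(st.st_mode):o})"
    return None

def audit_chain(entry, trusted_uids=frozenset({0})):
    """Walk every file reachable from a sudo-allowed script; list the weak ones."""
    findings, seen, queue = [], set(), [entry]
    while queue:
        path = os.path.realpath(queue.pop())
        if path in seen or not os.path.isfile(path):
            continue
        seen.add(path)
        if reason := weak_reason(path, trusted_uids):
            findings.append((path, reason))
        with open(path, "rb") as fh:
            data = fh.read(65536)
        if b"\0" not in data:  # binaries get a permission check but are not parsed
            queue.extend(ABS_PATH.findall(data.decode("utf-8", "replace")))
    return findings

def build_sample(root):
    """Constructed stand-in for the layout on this page (placeholder file names)."""
    helper = Path(root, "helper.sh")
    entry = Path(root, "sudo_allowed.pl")
    helper.write_text("echo backup done\n")
    entry.write_text(f'system("sh", "{helper}");\n')
    helper.chmod(0o777)  # the flaw: anyone can rewrite what root will run
    entry.chmod(0o755)   # the sudo target itself is not writable by others
    return str(entry), str(helper)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        entry, _ = build_sample(tmp)
        # The sample files belong to whoever runs this, so trust that uid too.
        for path, reason in audit_chain(entry, {0, os.getuid()}):
            print(f"WEAK: {path}: {reason}")
```

On a real host, call audit_chain with each command path listed in the sudoers NOPASSWD entries and leave trusted_uids at its default of root only.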



Root flag: THM{6637f41d0177b6f37cb20d775124699f}