CTF Walkthroughs, TryHackMe

TryHackMe – LazyAdmin Walkthrough

Introduction

This was an easy Linux machine that involved exploiting a backup disclosure issue in SweetRice CMS to gain remote code execution, and a misconfigured script executed with root permissions to escalate privileges to root.

Enumeration

The first step is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan reveals port 22 (SSH) and port 80 (HTTP) as open; the next step is to enumerate HTTP.

Enumerating HTTP

The default Apache2 page is displayed when accessing the web server through a browser:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

The scan finds a /content entry; when accessing it, SweetRice CMS is displayed:

Since the home page does not reveal the version, the next step is to check the software’s GitHub page for any files or pages that might disclose it:

The changelog.txt file looks interesting; accessing it on the target reveals version 1.5.1:

Exploiting Backup Disclosure

Using SearchSploit to identify known vulnerabilities in this version of SweetRice CMS:

One of these vulnerabilities allows attackers to access MySQL database backups generated by the web application:

https://www.exploit-db.com/exploits/40718

Proof of Concept:

You can access all MySQL backups and download them from this directory:
http://localhost/inc/mysql_backup

and can access the website files backup from:
http://localhost/SweetRice-transfer.zip

Accessing the directory mentioned in the exploit reveals a database backup:

Downloading the backup locally and searching for passwords:

It appears a password hash for the manager user is stored in the database backup. It can easily be cracked by using the CrackStation online tool:

Exploiting Ads Functionality

One of the other vulnerabilities in this version of SweetRice is a cross-site request forgery issue that can be exploited to trick administrator users into executing arbitrary code through the “Ads” functionality, which allows the creation of arbitrary PHP files.

Because administrative access has already been obtained in this case, the CSRF step is not needed and gaining remote code execution is fairly trivial:

https://www.exploit-db.com/exploits/40700

<html>
<body onload="document.exploit.submit();">
<form action="http://localhost/sweetrice/as/?type=ad&mode=save"
method="POST" name="exploit">
<input type="hidden" name="adk" value="hacked"/>
<textarea type="hidden" name="adv">
<?php
echo '<h1> Hacked </h1>';
phpinfo();?>
</textarea>
</form>
</body>
</html>
<!--
# After HTML File Executed You Can Access Page In
http://localhost/sweetrice/inc/ads/hacked.php
-->

Authenticating as the manager user, who appears to be an administrator:

Clicking on the “Ads” option from the left-hand side menu:

Copying the Laudanum PHP reverse shell to the current working directory and changing the IP address and port:

Navigating to Ads and pasting the content of the reverse shell, then hitting “Done”:

The file was successfully created and stored under /inc/ads/:
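As an added defensive counterpart to the two web-application steps above (example code written for this walkthrough, not the author's own tooling): a small detector that runs over web-server access-log lines and flags the request patterns these steps leave behind, namely fetches under /inc/mysql_backup or of SweetRice-transfer.zip, PHP files requested from /inc/ads/, and ad-save POSTs (flagged as medium, since saving an ad is what writes the PHP file). The sample log lines, the /content prefix and the backup/PHP file names are constructed placeholders.

```python
import re

# Apache/Nginx "combined" access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request paths tied to the two SweetRice 1.5.1 weaknesses used in the walkthrough.
RULES = [
    ("database backup listed or downloaded", re.compile(r"/inc/mysql_backup(/|$)")),
    ("site files backup downloaded", re.compile(r"/SweetRice-transfer\.zip$")),
    ("PHP file executed from the ads directory", re.compile(r"/inc/ads/[^/]+\.php$")),
]

def parse_line(line):
    """Return the parsed request fields, or None for lines that are not access-log entries."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return (severity, client_ip, description, request_path) for each suspicious request."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        path, _, query = req["path"].partition("?")
        served = req["status"].startswith("2")
        for desc, pattern in RULES:
            if pattern.search(path):
                # A served request is a disclosure or execution; a 4xx is still a probe worth noting.
                findings.append(("high" if served else "low", req["ip"],
                                 desc if served else "probe: " + desc, req["path"]))
        # Saving an ad is legitimate admin activity, but it is what writes PHP under /inc/ads/.
        if served and req["method"] == "POST" and path.endswith("/as/") \
                and "type=ad" in query and "mode=save" in query:
            findings.append(("medium", req["ip"], "ad saved via admin panel", req["path"]))
    return findings

# Constructed sample log (not from the original machine) mirroring the walkthrough's steps;
# the backup and PHP file names are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /content/inc/mysql_backup/ HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /content/inc/mysql_backup/backup_PLACEHOLDER.sql HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:05:12 +0000] "POST /content/as/?type=ad&mode=save HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:05:40 +0000] "GET /content/inc/ads/PLACEHOLDER.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:06:00 +0000] "GET /content/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:07:00 +0000] "GET /content/SweetRice-transfer.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
""".splitlines()
```

Running `detect(SAMPLE_LOG)` yields three high findings, one medium and one low probe, all from the same client, while the ordinary index.php request produces nothing.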

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Navigating to the reverse shell created earlier:

This has triggered a callback on the Netcat listener, granting a shell as the www-data user:

The following steps can be done to obtain an interactive shell:

  • Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host
  • Hitting CTRL+Z to background the process and go back to the local host
  • Running stty raw -echo on the local host
  • Typing fg and hitting ENTER to go back to the reverse shell

Privilege Escalation

When enumerating common files and folders, the “itguy” user’s home directory appears to contain a Perl script that executes the /etc/copy.sh Bash script. The current user has write access to that Bash script, so this could easily be exploited:

It looks like the www-data user can execute the backup Perl script as root:

Amending the copy.sh script to create a copy of the Bash binary and set the SUID bit on it:

After executing the Perl backup script, the SUID Bash binary has been created. Executing it with the -p flag, which tells Bash to keep the effective user ID of the file’s owner instead of dropping back to the real user, grants root access to the host:
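As an added defensive check for the misconfiguration just exploited (example code written for this walkthrough, not the author's own tooling): the audit follows a privileged script into the scripts it references and flags any file or parent directory in that chain that is not owned by the trusted uid or is group/world-writable, and a second function lists setuid files under a directory, which catches the root-owned Bash copy the escalation leaves behind. The path-matching regex is a heuristic, and trusted_uid defaults to root.

```python
import os
import re
import stat

# Absolute script paths referenced inside another script, e.g. the /etc/copy.sh call
# made by the backup Perl script in the walkthrough (heuristic pattern, not a parser).
INVOKED_RE = re.compile(r"(/[\w./-]+\.(?:sh|pl|py))")

def referenced_scripts(script_path):
    """Return the script itself followed by every absolute script path its body mentions."""
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    return [script_path] + sorted(set(INVOKED_RE.findall(body)))

def audit_root_run_script(script_path, trusted_uid=0):
    """Flag files in a privileged script's call chain that a lower-privileged user could alter.

    trusted_uid is the only uid allowed to own the chain: root on a real host; a test can
    pass the current uid so the audit runs without privileges.
    """
    findings = []
    for path in referenced_scripts(script_path):
        if not os.path.exists(path):
            findings.append((path, "referenced script is missing; whoever can create it controls root"))
            continue
        for target, kind in ((path, "script"), (os.path.dirname(path), "parent directory")):
            st = os.stat(target)
            if st.st_uid != trusted_uid:
                findings.append((target, f"{kind} owned by uid {st.st_uid}, not {trusted_uid}"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((target, f"{kind} is world-writable ({stat.filemode(st.st_mode)})"))
            elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
                findings.append((target, f"{kind} is writable by gid {st.st_gid}"))
    return findings

def find_setuid_files(root_dir):
    """List regular files with the setuid bit under root_dir; a root-owned copy of bash
    in a world-writable location is the artefact the escalation above leaves behind."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return sorted(hits)
```

On the machine described above, `audit_root_run_script("/home/itguy/backup.pl")` (path as an assumption) would report /etc/copy.sh as writable, and `find_setuid_files("/tmp")` would list the copied Bash binary.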

Conclusion

This machine was quite nice, as it involved a backup disclosure issue, which is fairly unusual, and a built-in feature intended to let users create PHP files, which shows how administrative functions in web applications can often be abused by attackers.