CTF: LazySysAdmin Walkthrough


Hello dear friends, welcome back for another CTF walkthrough. Today we will solve the LazySysAdmin machine.

Description

Difficulty: Beginner – Intermediate

Boot2root created out of frustration from failing my first OSCP exam attempt.

Information gathering

TCP Scanning

Banner Grabbing

Nmap scanning

Dirb

When a Samba server is running, it is always a good idea to test its configuration and check whether any shared resources are exposed.

SMB

smbmap -H 192.168.1.163

Fantastic, we can access the shared resources, so now we try to connect to the SMB server:

There are a couple of interesting files; the first one is deets.txt.

Fantastic, we got a password. The other interesting file is wp-config.php, at the path wordpress/wp-config.php.

At this point, we also have the WordPress credentials.
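
Seen from the defender's side, the weakness used in this section is a share that is readable without credentials and whose path sits inside the web root. The following is an added example, not part of the original walkthrough, that audits an smb.conf for exactly that; the sample configuration, the share names and the list of web roots are constructed assumptions, not values taken from the LazySysAdmin VM.

```python
import configparser

# Constructed smb.conf for illustration; not copied from the LazySysAdmin VM.
SAMPLE_SMB_CONF = """
[global]
   map to guest = Bad User

[print$]
   path = /var/lib/samba/printers
   guest ok = no

[webroot]
   path = /var/www/html/
   guest ok = yes
   read only = yes
"""

TRUE = {"yes", "true", "1"}
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")  # assumed common web roots


def flag(sec, key, default):
    """Read a boolean smb.conf parameter, falling back to Samba's default."""
    return sec.get(key, default).strip().lower() in TRUE


def audit_shares(conf_text):
    """Return (share, path, reasons) for every share that allows guest access."""
    # Strip indentation so configparser never treats a line as a continuation.
    text = "\n".join(line.strip() for line in conf_text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        # "public" is a synonym of "guest ok"; both default to no.
        guest = flag(sec, "guest ok", "no") or flag(sec, "public", "no")
        if name.lower() == "global" or not guest:
            continue
        path = sec.get("path", "").strip()
        reasons = ["guest access allowed"]
        if path.startswith(WEB_ROOTS):
            reasons.append("path is inside a web root (wp-config.php readable)")
        # "writable" is the inverted synonym of "read only" (default yes).
        if flag(sec, "writable", "no") or not flag(sec, "read only", "yes"):
            reasons.append("share is writable")
        findings.append((name, path, reasons))
    return findings
```

Any share it reports with the web-root reason should either require authentication or be moved out of the web server's document tree.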

Exploitation

Because we got the WordPress admin credentials, we can install a revshell into WordPress.

  • Modify the template with the revshell
  • /usr/share/webshells/php/php-reverse-shell.php
  • Navigate to the page http://192.168.1.163/wordpress/wp-content/themes/twentyfifteen/404.php
    and bingo, we got a revshell

Privilege Escalation

We can use the password found in the deets.txt file to switch to the togie user

  • su togie
  • password 12345

Unfortunately, we have a restricted shell with the togie user

Escape the restricted shell

  • awk 'BEGIN {system("/bin/bash")}'

The final step is to become root: run sudo su and, fantastic, we are root

  • cd /root
  • cat proof.txt

Fantastic, we have completed the LazySysAdmin machine.