LazyAdmin — Walkthrough THM

Sanaullah Aman Korai
4 min read · May 25, 2023


First, we scan the machine to see which ports are open.

Port 80 is open, which means a web server is running there, so let’s enumerate the web server first.

This reveals a directory, /content. Let’s check it.

Let’s enumerate the /content directory further.

We got some interesting directories.

We got an SQL backup.

Since we have the SQL backup, download it and search it for passwords.

We found a password hash, so we have to crack it.

Now let’s go to /as, which has a login form.

Since we have the credentials, let’s log in.

Now we have to click on our reverse shell to get a connection.

After clicking on shell.php, we got a reverse shell.

Now you can read the user flag with the “cat user.txt” command, and we can also upgrade this shell.

Now that we have the user flag, let’s escalate to root. Check permissions.

Privilege Escalation

We checked which permissions we have with the “sudo -l” command.

We can see that there is a file we can execute with Perl via sudo, so we checked it with the “cat /home/itguy/backup.pl” command. We don’t have permission to write to it, so let’s read the file.

This script runs a bash script, “/etc/copy.sh”. Let’s check this file.

Checking the permissions, we can write to this file and execute it. A reverse shell script is already present in it, so we just have to change the IP address and port and it will give us a reverse connection. We tried editing the file using nano and vim, but that didn’t work, so we used the “echo” command.

Now start a Netcat listener to get a reverse shell and execute this file.

Well, we are root now!
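The escalation works because a chain that runs as root (sudo, then backup.pl, then /etc/copy.sh) ends in a file an unprivileged user can write. Seen from the defender's side, this added example (not part of the original walkthrough) follows the absolute paths referenced by a sudo-permitted script and reports every file in the chain that an untrusted user could modify. The function names, the `trusted_uids` parameter and the depth limit are assumptions of this example.

```python
import os
import re
import stat

# Absolute paths inside a script body, e.g. system("sh", "/etc/copy.sh")
ABS_PATH = re.compile(r"(?<![\w.])/[\w.\-]+(?:/[\w.\-]+)*")

def weakness(path, trusted_uids=(0,)):
    """Return why an untrusted user could change `path`, or None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return "owned by untrusted uid %d" % st.st_uid
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP:
        return "group-writable"
    return None

def audit_chain(entry, trusted_uids=(0,), max_depth=3):
    """Follow absolute paths referenced from `entry`; return sorted
    (path, reason) tuples for every link an untrusted user could alter."""
    findings, seen, queue = {}, set(), [(entry, 0)]
    while queue:
        path, depth = queue.pop()
        if path in seen or not os.path.isfile(path):
            continue
        seen.add(path)
        reason = weakness(path, trusted_uids)
        if reason:
            findings[path] = reason
        if depth >= max_depth:
            continue
        try:
            with open(path, "rb") as fh:
                data = fh.read(65536)
        except OSError:
            continue
        if b"\0" in data:  # compiled binary (e.g. the interpreter): do not parse
            continue
        for ref in ABS_PATH.findall(data.decode("latin-1")):
            queue.append((ref, depth + 1))
    return sorted(findings.items())

if __name__ == "__main__":
    # Entry path taken from the walkthrough; run as root on the host under review.
    for path, reason in audit_chain("/home/itguy/backup.pl"):
        print("%s: %s" % (path, reason))
```

Any path it reports should be owned by root and stripped of group and world write permission before the sudo rule is kept.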

I hope you’ve learned something.
