LazySysAdmin is an easy VM to crack. There are multiple ways into this machine: several ports and misconfigured services are present inside the box. My takeaway from this machine is to understand a service better and to think simpler to get root privileges once we are able to exploit a badly configured service.
Starting with netdiscover to get the IP address of the machine.
Using Nmap to get the open ports and services:
While doing these machines, there is always a pattern of things to look out for: port 80 (or any web server ports), 139 and 445 (SMB), 22 (SSH) and any unusual port, like the IRC port (6667) here. I spent some time understanding what the IRC port is for and researched it, but I couldn't find anything that helped me get to root.
Now it was time to check the website:
Wfuzz with the dirbuster medium directory list gave the output below. With WordPress, I got to know two names, "Togie" and "Admin"; there is also phpMyAdmin, which can help us check the databases present and can help with privilege escalation over WordPress.
Let's see if an SMB public share is enabled. There is a "Share$" disk which shows "READ ONLY" access; we will check what information is shared from there:
The Share$ directory seems to expose all the web files. Some of the interesting findings here were deets.txt and the WordPress config file, wp-config.php (which usually contains the database credentials).
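The share that leaked wp-config.php here is a guest-readable Samba share pointed at the web root. As an added example (not part of the original writeup), the following Python audit parses an smb.conf and flags every share that allows guest access, noting when its path sits under a web root or is writable; the sample config is constructed for illustration and the web-root list is an assumption.

```python
import configparser
# Constructed sample smb.conf, modelled on the misconfiguration in the
# writeup: a guest-readable share whose path is the web root.
SAMPLE_SMB_CONF = """
[global]
map to guest = Bad User

[share$]
path = /var/www/html
guest ok = yes
read only = yes

[backup]
path = /srv/backup
guest ok = no
"""

# Assumed list of typical web roots; shares under these can leak wp-config.php.
WEB_ROOTS = ("/var/www", "/srv/http", "/usr/share/nginx")

def _flag(section, key, default="no"):
    """Interpret a Samba boolean parameter (yes/no, true/false, 1/0)."""
    return section.get(key, default).strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text, web_roots=WEB_ROOTS):
    """Return (share, path, finding) for every share that allows guest access."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        sec = cp[name]
        # 'public' is Samba's synonym for 'guest ok'.
        if not (_flag(sec, "guest ok") or _flag(sec, "public")):
            continue
        path = sec.get("path", "").strip()
        under_web = any(path == r or path.startswith(r + "/") for r in web_roots)
        # Samba defaults to read only = yes; writable/writeable invert it.
        writable = (_flag(sec, "writable") or _flag(sec, "writeable")
                    or not _flag(sec, "read only", default="yes"))
        finding = "guest-readable share"
        if under_web:
            finding += " exposing web root (may leak wp-config.php)"
        if writable:
            finding += ", and writable"
        findings.append((name, path, finding))
    return findings
```

Running `audit_smb_conf` over a real `/etc/samba/smb.conf` (read the file and pass its text) lists the shares an anonymous client could browse, which is the check that would have caught this box's misconfiguration.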
At this point we have two passwords: "12345" and the DB password "TogieMYSQL12345^^". I tried logging in to SSH with togie as the username and 12345 as the password, and we got a shell. While checking what "togie" can run on the system, I found that togie is a sudoer:
but he has a restricted bash; you can read more about it here.
Our main goal is to get root. While looking for the correct command to substitute user, I found this link.
Different commands can work in this scenario: sudo su, sudo su root, etc. Here is the final flag:
There can be more than one way to get access to this box. One of the other ways is to use the wp-config.php password on the phpMyAdmin panel and then change the WordPress admin password. Once logged into WordPress, upload a shell and then try privilege escalation from there.