LazySysAdmin Walkthrough

Well it’s a Sunday, I’m sick and thus can’t go near my daughter and I need a bit of a break from labbing my OSCE. So with that in mind I’ve decided to give the Lazysysadmin box on a go. Here’s the walkthrough.

  1. We start off with some basic enumeration of the box and immediate find a few interesting ports that warrant further inspection.

    2. I spend some time enumerating and poking around on the web server, simply because in many cases this is the entry point for a machine. I find nothing and return to my nmap scan and decide to focus on SMB which reveals very permissive shares.

    3. I mount the share share$ and begin poking around. We have read access but don’t have the ability to write.

    4. In my earlier web server enumeration I noticed two directories that would potentially be helpful at this stage : wordpress and phpmyadmin. The share$ folder we’ve been able to mount looks to be the web root which gives access to at least two interesting files. The first of which is the deets.txt file which gives up a password, the second of which is the wordpress/wp-config.php file that specifies database connection details (which appear to use an Administrative user).

    5. I decide to use WordPress as my attack avenue and upload a shell to the 404.php. I kept getting 500 errors when trying to upload a Meterpreter or Weevely shell so I decided to go old school and upload a simple PHP reverse shell and trigger.

    Trigger said shell with cURL.

    6. With a limited shell I decide to poke around and notice that there’s a user directory named togie in the /home directory. I attempt to SSH into server with the super secure 12345 password discovered in the deets.txt file and am greeted with a native shell, but still limited access.

    7.  After logging in with the togie user we are greeted with a restricted shell. Luckily this will be one of the easiest escalations as togie exists in the sudo group which means all it will take to become root is a sudo su command.

    All in all a pretty easy box, but a fun one nonetheless. Thanks to Togie Mcdogie for putting this one together.