Lazy Admin Walkthrough

Jan 30, 2023 / By Securium Solutions

This is a walkthrough of Lazy Admin, an easy Linux machine on TryHackMe.


  • First, we scan the IP:

The scan reveals two interesting ports and services: 22/tcp, an SSH port running OpenSSH 7.2p2, and 80/tcp, an HTTP port running Apache/2.4.18.

At first, we tried logging in with default SSH credentials and looked for known vulnerabilities, but could not come up with anything. After that, I switched my scope to port 80.

We got a web page for the SweetRice CMS, which is used to manage content, allowing multiple contributors to create, edit and publish. Searching Google, we found that SweetRice is vulnerable.

  • We are able to download a file that might contain some useful information, so we checked the MySQL backup database.

The downloaded file revealed the username and password, but the password was stored as a hash, so we used an online hash decoder to decode it and got the password.

Our directory fuzzing also revealed a second directory, which is useful.

After successfully logging in, we found an endpoint named media where we can upload a file, so we uploaded our PHP reverse shell there and received the connection with our netcat listener.

  • Click on the file that we uploaded and check the netcat listener: we got our first shell.

  • We successfully got a shell. Now we can read the “user.txt” flag and also upgrade this shell.

Privilege Escalation

  • Now we check what permissions we have using the “sudo -l” command.

  • We can see there is a file named “backup.pl” that we can execute with sudo, so we “cat backup.pl”.

  • This tells us that it runs an sh script, so we “cat /etc/”

We checked the permissions and found that we have write permission on it. So we changed the content to our reverse shell and then executed the file with sudo while keeping a new netcat listener running.

And we got root.

After that, we can just cat the root flag.
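A defensive check for the misconfiguration used in this privilege escalation, as an added example that is not part of the original walkthrough: it lists every file referenced by a sudo-allowed script that a non-root user could modify. The file names `wrapper.pl`, `helper.sh` and `safe.sh` and the temporary directory layout are constructed for the demo, and the current user stands in for root so it runs unprivileged.

```python
import os, re, stat, tempfile

PATH_RE = re.compile(r"/[\w.\-/]+")      # crude absolute-path matcher
WRITABLE = stat.S_IWGRP | stat.S_IWOTH   # group or world write bits

def referenced_paths(script):
    """Return the script itself plus every existing absolute path its text mentions."""
    with open(script, encoding="utf-8", errors="replace") as fh:
        found = set(PATH_RE.findall(fh.read()))
    return [script] + sorted(p for p in found if os.path.exists(p))

def weaknesses(path, trusted_uids):
    """List the ways an untrusted user could change what `path` executes."""
    issues = []
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        issues.append("owned by untrusted uid %d" % st.st_uid)
    if st.st_mode & WRITABLE:
        issues.append("group/world-writable file")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & WRITABLE and not parent.st_mode & stat.S_ISVTX:
        issues.append("parent directory writable without sticky bit")
    return issues

def audit(script, trusted_uids=(0,)):
    """Map each risky path reachable from a sudo-allowed script to its issues."""
    checked = {p: weaknesses(p, trusted_uids) for p in referenced_paths(script)}
    return {p: issues for p, issues in checked.items() if issues}

def demo():
    """Constructed layout: a wrapper that runs one world-writable helper and one safe one."""
    root = tempfile.mkdtemp()
    helper, safe, wrapper = (os.path.join(root, n) for n in ("helper.sh", "safe.sh", "wrapper.pl"))
    for path, mode in ((helper, 0o757), (safe, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(path, mode)
    with open(wrapper, "w") as fh:
        fh.write('system("sh", "%s");\nsystem("sh", "%s");\n' % (helper, safe))
    os.chmod(wrapper, 0o755)
    # Assumption for the demo only: the current user is treated as trusted, like root.
    return helper, audit(wrapper, trusted_uids=(0, os.getuid()))

if __name__ == "__main__":
    for path, issues in demo()[1].items():
        print(path, "->", "; ".join(issues))
```

On a real host, run `audit()` as root against each script listed by `sudo -l`, and fix any finding by making the file root-owned and removing group/world write access.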

Aryan Majumder
Securium Solution Cyber Security Intern
