Vulnhub Walkthrough : LazySysAdmin 1.0

Rav3nf0 -- Aadarsh T R
Aug 19, 2022

A simple boot2root machine set up by a lazy system administrator. This box teaches us a lot about basic Linux enumeration. The main goal of the box is to get root access through privilege escalation and find the flag.

Initial Analysis:

The IP address of the target machine can be found with netdiscover. We found it to be 192.168.80.225.

With a basic nmap scan, we find the open ports. We see a MySQL port open and Samba smbd running on ports 139 and 445. We also notice that a web server is running on port 80.

Then, we try to gain access to the Samba server with an anonymous login, using smbclient. smbclient is a Samba client with an “ftp like” interface. It is a useful tool to test connectivity to a Windows share. It can be used to transfer files, or to look at share names.

Since we can successfully log in anonymously, we try opening the share$ share.

In the share we find different directories and files. Here we find the wordpress directory and three text files. We download deets.txt and todolist.txt as part of our enumeration.

We then open both of them to view their contents. Looking into the deets.txt file, we get the password “12345”.

Next, we move to the wordpress folder and find a wp-config.php file. We then download the file with the get command.

Inside the wp-config.php file we find the MySQL database username and password.

Username: Admin

Password: TogieMYSQL12345^^

With the WordPress credentials found in the wp-config.php file, we access the admin dashboard.
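From the defender's side, the exposure used above is a guest-readable Samba share that sits on top of the web root. The following is an added example, not part of the original walkthrough: it audits an smb.conf for guest-accessible shares and rates those inside a web root as high. Only the share name share$ comes from the walkthrough; the sample configuration, its paths, the web-root list and the function names are constructed assumptions.

```python
import posixpath
import re

# Constructed smb.conf for illustration. Only the share name "share$" comes from
# the walkthrough; the paths and all other values are assumptions.
SAMPLE_SMB_CONF = """\
[global]
   map to guest = Bad User

[share$]
   path = /var/www/html/
   guest ok = yes

[print$]
   path = /var/lib/samba/printers
   guest ok = no
"""
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")  # assumed common web roots
TRUE_VALUES = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; Samba ignores case and spaces in names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_guest_shares(text, web_roots=WEB_ROOTS):
    """List (share, path, severity) for every share that allows guest access."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})  # share-level settings here act as defaults
    findings = []
    for name, params in sections.items():
        merged = {**defaults, **params}
        guest = merged.get("guestok", merged.get("public", "no")).lower() in TRUE_VALUES
        if name == "global" or not guest:
            continue
        path = posixpath.normpath(params.get("path", ""))
        in_web_root = any(path == r or path.startswith(r + "/") for r in web_roots)
        findings.append((name, path, "high" if in_web_root else "review"))
    return findings
```

Calling audit_guest_shares() on the text of a real /etc/samba/smb.conf returns one tuple per guest-accessible share; a "high" entry means files such as wp-config.php are readable without credentials.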

Exploit:

Now that we are logged in, we try to upload a payload packaged as a WordPress plugin.

After setting up the payload, we execute it. With the execution of our payload, we can see that a Meterpreter shell has been spawned.

[Screenshot: setting the payload]

With the following command we get a better shell. We then read the /etc/passwd file and find an entry for a user togie.

Getting Root Access:

With the password that we had found earlier and the username togie, I log in as user togie.

Then I switch users with the “sudo su” command and, after giving the password for togie, I become root. This is because togie has full sudo privileges, that is, all the permissions of the root user.

We then go to the root directory and list the contents. Here, we find the proof.txt file.

Now that we have got the flag, the challenge has been successfully completed.

Cheers !!
