LazySysAdmin – VulnHub Walkthrough

Machine: LazySysAdmin

Enumeration:

Started CTF with the FULL PORT scan to find the open ports and services running using nmap.

Command: nmap -Pn -p 0-65535 –open <target IP-address>

I found that 6 ports are open and running some interesting services.

To enumerate more I ran nmap with -sC, -sV options.

Command: nmap -sC -sV -p 22,80,139,445,3306,6667 <target IP address>

From the above command I found the below result:

As I saw that port 139 and 445  are open, so I can use smbclient( smbclient is a client that can ‘talk’ to an SMB/CIFS server. It offers an interface similar to that of the ftp program. source: https://www.samba.org/samba/docs/current/man-html/smbclient.1.html)

To use smbclient, first we should know about the shares of the machine we can access. To get that either we can run smbclient -L <target IP-address> or enum4linux <target IP-address>

I always prefer enum4linux because it gives some more information about the target. After I ran enum4linux I found the below result(specific to the machine shares):

Now, it was time to use the smbclient with the share. To do that I ran below command.

smbclient //192.168.64.36/share$ and found the below output.

(Note: I was able to access the share of the machine without knowing any username and password of the target because target machine allows anonymous login and access to the share$ drive)

I found one interesting directory wordpress and some interesting files like deets.txt, robots.txt & todolist.txt.

Now, I tried to access each one by one.

When I accessed http://192.168.64.36/wordpress/ I found one name togie.

Now, deets.txt and when I accessed the file surprisingly I found a password.

From the nmap scan I knew that SSH service was running, So without wasting a time I thought to give this username and password a try to login via ssh.

Username : togie

Password: 12345

 To SSH we use ssh [email protected]<target IP-Address> but when I did that I gott to know that shell was rbash restricted, so I have used ssh [email protected]<target-IP-address> -t “bash –noprofile” In my case the command was:

ssh [email protected]4.36 -t “bash –noprofile”

The first thing I tried was id  command to know the type of user I was logged in and It was a normal user.

And when I listed the current directory I found one of the flag i.e local.txt

To list the user’s privileges and specific commands the user can run, I ran sudo -l and found something really interesting.

The togie user can run any command with sudo, that means togie has all permissions of the root user.

From the CTF experience the second flag i.e proof.txt usually found under the root directory, so I ran sudo cat /root/proof.txt(check the above screenshot) and I was able to capture the second flag as well.

I tried to access root shell by sudo su –

Leave a Reply

Your email address will not be published. Required fields are marked *