VulnHub

Lazy SysAdmin

https://www.vulnhub.com/entry/lazysysadmin-1,205/

Boot2root created out of frustration from failing my first OSCP exam attempt.

LazySysadmin – The story of a lonely and lazy sysadmin who cries himself to sleep!

From reading the above blurb I'm fully expecting that this challenge is going to violate a few of the golden rules: weak credentials, misconfigured software/settings, unpatched software and so on. But let's not assume too much either.

I run an nmap scan which comes back with some surprising results:

139 – SMB – Samba

6667 – IRC – InspIRCd

I was not expecting to see this. I'm instantly hooked. At this stage I want to skip right past the web server, which would be my usual first stop; I have to check out this SMB.

Notice the screenshot above. I can't believe that just worked. I was able to connect to the SMB share as an anonymous user, and you can see in the screen cap that there is a text file (deets.txt) with a password in it. Plus there is a WordPress config file here with admin credentials for the MySQL database.
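
The two files on that share (a note with a password in it and a wp-config.php with database credentials) are exactly what a secret scan over an exported directory is meant to catch before the share is ever exposed. Here is a small Python scanner as an added example; it is not part of the original write-up and the file contents below are constructed placeholders, not the VM's real files. It flags PHP `define()` constants whose names look like secrets and plain-text `key: value` password lines, and it masks the values in its report so the audit output does not become another copy of the credentials. It also serves hardening recommendation 2 at the end of the post.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed stand-ins for files that an audit of an exported share might
# turn up. Every value here is a placeholder invented for this example.
SAMPLE_SHARE: Dict[str, str] = {
    "share/deets.txt": (
        "Remember to remove this file before the box goes live.\n"
        "password: placeholder-pass-123\n"
    ),
    "share/wordpress/wp-config.php": (
        "<?php\n"
        "define('DB_NAME', 'wordpress');\n"
        "define('DB_USER', 'db_user_placeholder');\n"
        "define(\"DB_PASSWORD\", \"db_pass_placeholder\");\n"
        "define('DB_HOST', 'localhost');\n"
        "define('AUTH_KEY', 'auth-key-placeholder');\n"
    ),
    "share/readme.txt": "Nothing to see here. Passwords live in the vault.\n",
}


class Finding(NamedTuple):
    path: str
    line_no: int
    key: str
    masked_value: str


# A PHP define() whose constant name looks like a secret: DB_PASSWORD, AUTH_KEY, ...
PHP_DEFINE = re.compile(
    r"""define\(\s*(['"])(?P<key>[A-Z0-9_]*(?:PASS|PASSWORD|SECRET|KEY|SALT)[A-Z0-9_]*)\1"""
    r"""\s*,\s*(['"])(?P<val>.*?)\3\s*\)"""
)

# A key/value line in plain text. Narrow on purpose: a separator is required,
# so prose that merely mentions "passwords" is not flagged.
KEY_VALUE = re.compile(
    r"\b(?P<key>password|passwd|pass|pwd|secret|token)\b\s*[:=]\s*(?P<val>\S+)",
    re.IGNORECASE,
)


def mask(value: str) -> str:
    """Keep just enough of the value to recognise it in a report without restating it."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = PHP_DEFINE.search(line) or KEY_VALUE.search(line)
        if m and m.group("val"):
            findings.append(Finding(path, line_no, m.group("key"), mask(m.group("val"))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory map of path -> contents; sorted so reports are stable."""
    out: List[Finding] = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_SHARE):
        print(f"{f.path}:{f.line_no}: {f.key} = {f.masked_value}")
```

On a real host you would feed `scan_files` the result of walking the share's `path` from smb.conf (read the files yourself; the dictionary here only stands in for that). The patterns are intentionally tight; a production scanner would add more key names and an entropy check, but the masking rule should stay.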

Honestly, at this stage I was getting bored fast and considering wrapping it up. I'm less than 5 minutes into the challenge and I have SMB access to the server, admin credentials for the database and a password for another account.

At my very next step I ran into a weird problem. I wasn't able to log in to the database. I tried to navigate to the WordPress website and this is also failing. I keep getting a database connection error on both counts. Scans are failing too with obscure errors. WPScan, for example, is coming back that WordPress is not installed; however, I have a config file that says otherwise and a dirbuster scan also proving the point.

Okay... this is taking an interesting turn. I'm thinking, not only is he a Lazy Sysadmin, he has also screwed up his server.

I spend the next hour or so racking my brain trying to figure out what the hell he could have done, and slowly I'm starting to realise that this 'hacking' challenge has turned into a 'fix my server' challenge.

I keep working through it, but something about this is really not sitting right with me. Just to humour myself I boot up a clean image of the VM, and I instantly connect to both MySQL and WordPress without any problems whatsoever.

Time for a break I think. Fresh air…. coffee…. zen!

Any thoughts I had of not finishing this challenge are gone. I'm way too invested at this stage to walk away now.

I have the admin credentials for WordPress. If I wanted, I could just upload a web shell and put this server to bed in the next 5 minutes. But after the little fiasco I've just gone through, I'm not prepared to write it off that fast. I'm going to pick this one apart.

There is an OpenSSH server running on this box and an IRC application.

Let's take a look at the SSH first.

(BTW: I'm working on the new VM at this point, so there is an IP change from here on.)

It's not taking the credentials I pulled from the WordPress config file. I'm genuinely surprised, but at the same time, let's be honest with ourselves, it would have been a little disappointing if it had let us right in. Time to bring out the big guns.

hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.80.144 ssh

Hydra is hitting that SSH server with ~250 passwords a minute against the root account. While that's brute forcing in the background, I'm going to take a look at this IRC server.
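
Two hundred and fifty guesses a minute against one account from one address is about as loud as SSH traffic gets, so it is worth seeing what that looks like from the sysadmin's side of the wire. The following Python detector is an added example, not part of the original write-up: it reads sshd lines in syslog `auth.log` format, keeps a 60-second sliding window of failed logins per source address, raises a `burst` alert when a source crosses five failures in the window, and raises a second, more important alert when a source that has been guessing finally gets an `Accepted` line. The log excerpt, host name, addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, NamedTuple, Optional, Tuple

# Constructed auth.log excerpt in the syslog format sshd uses. Host name,
# addresses, users and times are all invented for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 examplehost sshd[1201]: Failed password for root from 192.0.2.10 port 50122 ssh2
Mar  3 10:00:03 examplehost sshd[1203]: Failed password for root from 192.0.2.10 port 50124 ssh2
Mar  3 10:00:05 examplehost sshd[1205]: Invalid user admin from 192.0.2.10 port 50126
Mar  3 10:00:05 examplehost sshd[1205]: Failed password for invalid user admin from 192.0.2.10 port 50126 ssh2
Mar  3 10:00:08 examplehost sshd[1207]: Failed password for root from 192.0.2.10 port 50128 ssh2
Mar  3 10:00:10 examplehost sshd[1209]: Failed password for root from 192.0.2.10 port 50130 ssh2
Mar  3 10:00:12 examplehost sshd[1211]: Accepted password for root from 192.0.2.10 port 50132 ssh2
Mar  3 10:05:00 examplehost sshd[1301]: Failed password for root from 198.51.100.7 port 40100 ssh2
Mar  3 10:09:00 examplehost sshd[1303]: Failed password for root from 198.51.100.7 port 40102 ssh2
Mar  3 10:09:30 examplehost sshd[1305]: Accepted publickey for deploy from 198.51.100.7 port 40104 ssh2
Mar  3 10:10:00 examplehost CRON[1400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Only lines that settle an authentication attempt are counted. The
# "Invalid user" line is deliberately not matched: sshd logs the same attempt
# again as "Failed password for invalid user ...", so counting both would
# double the numbers.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:(?P<failed>Failed password for (?:invalid user )?\S+)"
    r"|(?P<accepted>Accepted \S+ for \S+))"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

WINDOW_SECONDS = 60   # sliding window per source address
THRESHOLD = 5         # failures inside the window that trigger an alert


class Alert(NamedTuple):
    ip: str
    kind: str      # "burst" or "success_after_failures"
    count: int
    at: str        # timestamp text of the line that triggered the alert


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'failed'|'accepted', source ip, raw timestamp) or None."""
    m = LINE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime's default year is fine for
    # the relative arithmetic done here
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    kind = "accepted" if m.group("accepted") else "failed"
    return ts, kind, m.group("ip"), m.group("ts")


def detect(log_text: str, window: int = WINDOW_SECONDS, threshold: int = THRESHOLD) -> List[Alert]:
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # failures inside the window
    total: Dict[str, int] = defaultdict(int)                 # failures since the start of the log
    burst_reported = set()
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, ip, ts_text = parsed
        if kind == "failed":
            q = recent[ip]
            q.append(ts)
            total[ip] += 1
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and ip not in burst_reported:
                burst_reported.add(ip)   # report each guessing source once
                alerts.append(Alert(ip, "burst", len(q), ts_text))
        elif total[ip] >= threshold:
            # a successful login from an address that has been guessing is the
            # line an analyst most wants to see
            alerts.append(Alert(ip, "success_after_failures", total[ip], ts_text))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUTH_LOG):
        print(f"{a.at} {a.ip}: {a.kind} ({a.count} failures)")
```

The second source in the sample (two failures ten minutes apart, then a key-based login) stays quiet, which is the point of the window: a mistyped password is not an attack. Since the hydra run above is aimed at root with passwords, `PermitRootLogin no` and key-only authentication in sshd_config remove that path altogether; the detector is for what is left.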

Turns out Kali doesn't come with an IRC client (anyone else think this is odd?). Whilst downloading the client I suddenly remembered the password saved in that deets.txt file I found earlier.

I went back and got the password. The file doesn't specify a user account, so I ran it against the root and admin accounts. But no luck on either of them.

Not to worry. I'm sure Google will know how to enumerate SSH users. And the first result comes back with a native Metasploit auxiliary module. What more could I ask?

auxiliary/scanner/ssh/ssh_enumusers

I let that run through and it didn't pick up a single user. That is not a problem. Let me go back and check that MySQL database and grab some user accounts from there. When I opened up my minimised browser from earlier, the front page of the website was still up, and this is what was staring at me:

Hmm... let me try that. I tested it along with the password from deets.txt and it lets me right in.

After some browsing on the file system I find a proof.txt file.

I'm happy enough with that. That's another server to add to the list of submissions.

Hardening Recommendations

  1. Lock down that SMB share
  2. Don't save passwords anywhere on a machine unless it's a password manager
  3. Update software (this particular version of WordPress is horribly vulnerable)
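
"Lock down that SMB share" is easy to say and easy to get wrong in smb.conf, so here is an added example (not from the original post, and not the VM's real configuration) of what the weak and the hardened versions look like side by side, with a small Python auditor that reads both and reports the settings that allowed the anonymous session in the first place. Share name, path and group name are invented. The checks are the ones that matter for this box: `map to guest`, `guest ok`/`public` on a share, whether that share is also writable, whether SMB1 is pinned off, and whether a share has a `valid users` list at all.

```python
import configparser
from typing import List, NamedTuple

# Two constructed smb.conf fragments. Neither is the VM's real configuration;
# share names, paths and group names are invented for this example.
WEAK_SMB_CONF = """
[global]
workgroup = WORKGROUP
server string = example file server
map to guest = Bad User

[webroot]
path = /srv/www
guest ok = yes
browseable = yes
read only = no
"""

HARDENED_SMB_CONF = """
[global]
workgroup = WORKGROUP
server string = example file server
map to guest = Never
server min protocol = SMB2
restrict anonymous = 2

[webroot]
path = /srv/www
guest ok = no
valid users = @webadmins
read only = yes
browseable = no
"""


class Finding(NamedTuple):
    section: str
    severity: str
    message: str


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like; ConfigParser lower-cases keys, which matches
    # Samba's case-insensitive parameter names
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def truthy(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def share_guest_ok(sec) -> bool:
    # "public" is Samba's synonym for "guest ok"; both default to no
    return any(truthy(sec.get(k, "no")) for k in ("guest ok", "public"))


def share_writable(sec) -> bool:
    if "read only" in sec:
        return not truthy(sec["read only"])
    for k in ("writable", "writeable", "write ok"):   # synonyms for the inverse setting
        if k in sec:
            return truthy(sec[k])
    return False   # Samba default is read only = yes


def audit(text: str) -> List[Finding]:
    cp = parse_smb_conf(text)
    findings: List[Finding] = []
    g = cp["global"] if cp.has_section("global") else {}
    map_to_guest = g.get("map to guest", "Never").strip().lower()
    if map_to_guest != "never":
        findings.append(Finding("global", "high",
            f"map to guest = {map_to_guest}: failed logins are turned into anonymous guest sessions"))
    min_proto = g.get("server min protocol", "").strip().upper()
    if min_proto in ("NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"):
        findings.append(Finding("global", "medium", f"server min protocol = {min_proto} keeps SMB1 enabled"))
    elif not min_proto:
        findings.append(Finding("global", "low",
            "server min protocol not pinned; whether SMB1 is offered depends on the Samba version default"))
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        if share_guest_ok(sec):
            writable = share_writable(sec)
            findings.append(Finding(name, "high" if writable else "medium",
                f"anonymous {'read/write' if writable else 'read'} access (guest ok = yes)"))
        elif not sec.get("valid users"):
            findings.append(Finding(name, "low", "no 'valid users' list; every authenticated account can reach the share"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for f in audit(conf):
            print(f"  [{f.severity}] {f.section}: {f.message}")
```

Run `testparm -s` on the real file first so the auditor reads the same view Samba does (it expands synonyms and includes), then point `audit` at the output. The weak fragment produces three findings; the hardened one produces none, and it is worth noticing that the hardened share is also read only and non-browseable, since a web root that is writable over SMB is a code-execution path regardless of who is allowed to log in.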
