CTF – Lazysyadmin

The story of a lonely and lazy sysadmin who cries himself to sleep. A beginner / intermediate CTF. Goal is to get root.

My Setup

Image at https://www.vulnhub.com/entry/lazysysadmin-1,205/

My Hints

If you are currently trying to solve this CTF yourself and have stumbled upon this page. Below are some hints you should try before giving in and looking and the solution.

  • what does nikto and enum4linux find?

My Solution

A quick nmap ping scan to find the target

I start with a more detailed scan of the target which finds a few open ports – which i start exploring. However once this finishes I also run a full port scan (-p-) in the background, just in case there are any higher ports its missed (like in the Rick and Morty CTF) – in this case there were none.

Note nmap -A 192.168.56.103 takes ~26 seconds to run, checking about 1000 TCP ports and nmap -A -p- 192.168.56.103 takes ~6,385 seconds (~1hr 45m) to run checking all 65,535 TCP ports.

Out of interest, I also check for open UDP ports.

Lets start with HTTP. Fire up Burp Suite and a browser, navigate to the site, run a spider and check the robots file. Website is Apache 2.4.7 / Silex v2. A few folders, test, old, TR2, Backnode_files. Nothing fun in the page source.

Running a quick Nikto scan finds a few things of interest

In the info.php (when opened in a browser) we find details about the php/apache versions used.

There is also a word press install where we get a potential username “togie”. Another post also mentioned he likes “yogibear”.

 

Lets check out the open NETBIOS shares using enum4linux 192.168.56.103 . This helps find / confirm some details. There is an open share “share$” and a user account named “togie”.

Using the command smbclient – L \\192.168.56.103 -N we see the shares.

We can also just browse these via the folder view but I want to get more familiar with the smb terminal.

To connect to say the folder “share$” we can use smbclient //192.168.56.103/share$ -N . This shows a few interesting folders. Note trying to manually connect to “print$” and “IPC$” both gave access denied.

To download a file back to our kali box we can use the get command while within the smb prompt. We can also use the more  command which appears to download the file to /tmp and then opens it.

In the deets.txt file we find a potential password but not sure for what, just yet.

In the todolist.txt we have a giggle while reading this via file browsing…

While the webpage running on TCP 80 appears to be Silex, there is also a wordpress structure in there too. A quick google shows DB passwords are stored in wp-config.php .

Lets check out the MySQL open port with the credentials we have found. I believe by Default remote connections are not allowed, confirmed by the error below.

However opening up http://192.168.56.103/phpmyadmin/ and using these credentials lets us in. We see the wordpress DB structure but nothing of interest here we haven’t already found out.

Lets also see if these same credentials work for the wordpress admin login http://192.168.56.103/wordpress/wp-admin/ and they do. We find more on this Togie person – last name (suitable) and email.

Lets next check the open IRC port 6667. I temporarily switched networks and downloaded HexChat (apt update && apt install -y hexchat). Then came back and found it under “unusual applications -> Internet”.  Opening it up we get a warning as running as root (acknowledged as we are running in a lab). Create a new network and put 192.168.56.103 as the server. We connect ok and tried a few commands that might reveal some details – /MOTD, /RULES, /UPTIME, /USERLIST. Spent a bit of time here but don’t find anything interesting – would have been cool to hide details in here somewhere.

Lets try some of the credentials we have found so far with the open SSH port.

After trying a few combinations of ‘Admin’ and ‘Togie’ we get in

Checking togie’s sudo permissions we easily elevate into root

I also had a quick play with the random strings to see if there was a hidden message in there – but couldn’t find anything. Calling it a day.

Other Alternative Solutions

Be sure to check out the other solutions below for solving this