Now we are going to play with the Lazy Admin room on TryHackMe.
As usual I start with nmap: nmap -p 1-65535 -T4 -A -v $IP
Two services found: SSH on port 22 and a web server on port 80.
Let's explore the web page:
The main page is the Apache default page, so I am going to try wfuzz to do a directory brute force:
Yes, I found a web page under /content; besides that, I am dealing with SweetRice CMS.
By looking in Exploit-DB I found an authenticated exploit for arbitrary file upload in v1.5.1,
but it needs some credentials that I don't have until now, plus I don't know if this is v1.5.1. Great, now I am thinking of checking whether there is any folder under this path: yes, as expected, /content/inc found.
Oooh, juicy information:
latest.txt confirms the information about the version.
I found an .sql file that may contain credentials, so let's explore:
As expected I found the login and the password hash in the .sql file, so there is still one point left: I have to crack the hash.
It was also very simple with an online MD5 decrypter tool.
Now all the ingredients are here to start the exploit; let's give it a try.
The PHP reverse shell is here. After understanding the exploit in the .py file from Exploit-DB, I said I would try it manually; it's simple.
And that works: I have a shell as the www-data user. Now it was very simple:
cat /home/itguy/user.txt to get the user flag.
For the root flag, as usual, I try to see sudo -l.
Yes, I can see that I can execute a Perl file in the itguy home folder. Great.
After checking the file I found that it executes a shell file in the /etc/ folder.
Checking the RW rights for the shell file: it's writable. Great, now it's simple: I added the line cat /root/root.txt, then I executed
the Perl file and voilà, the root flag.
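The privilege escalation above worked because a script that root runs via sudo called a second script that an unprivileged user could edit. As an added example (my own code, not from the room or the original post), this Python check audits a sudo-permitted script and the absolute paths it references for non-root ownership, group/world write bits or symlinks; demo() builds a constructed copy of the misconfiguration in a temporary directory, and the file names in it are hypothetical.

```python
import os
import re
import stat
import tempfile

# Absolute paths named in a script, e.g. inside system("/etc/backup.sh").
PATH_RE = re.compile(r"(?<![\w./-])(/[\w.\-/]+)")

def weak_perms(path):
    """Reasons a path is unsafe to run as root; empty list if it looks fine."""
    st = os.lstat(path)
    reasons = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink")
    if st.st_uid != 0:
        reasons.append("owner uid %d is not root" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_script(script):
    """Check the sudo-permitted script and every existing absolute path it names."""
    findings = {}
    if weak_perms(script):
        findings[script] = weak_perms(script)
    with open(script, errors="replace") as fh:
        for line in fh:
            for p in PATH_RE.findall(line):
                if p != script and p not in findings and os.path.exists(p):
                    reasons = weak_perms(p)
                    if reasons:
                        findings[p] = reasons
    return findings

def demo():
    """Constructed sample in a temp dir (hypothetical names): a Perl wrapper
    that runs a world-writable shell helper, the shape of the room's bug."""
    d = tempfile.mkdtemp()
    helper = os.path.join(d, "backup.sh")
    with open(helper, "w") as fh:
        fh.write("#!/bin/bash\necho backup\n")
    os.chmod(helper, 0o666)  # the defect: any local user can edit what root runs
    wrapper = os.path.join(d, "backup.pl")
    with open(wrapper, "w") as fh:
        fh.write('#!/usr/bin/perl\nsystem("%s");\n' % helper)
    os.chmod(wrapper, 0o755)
    return audit_script(wrapper)
```

Run audit_script() on the script listed by sudo -l; an empty result means neither the script nor anything it names is editable by other users.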
Thank you for reading this hint for Lazy Admin on TryHackMe.
Abdel