Welcome back, everyone. In this new thread I will be posting my solution to the LazySysAdmin hacking challenge found on Vulnhub and my overall thoughts about it. I have to be honest, I struggled with completing this challenge, primarily because I spent countless hours looking for web application flaws and inspecting every single avenue of exploitation. In hindsight, the challenge could have been completed in a matter of minutes, but of course the reality of arriving at such a solution takes…hours.
The description of the challenge follows – The story of a lonely and lazy sysadmin who cries himself to sleep. According to the author, enumeration was key to solving this puzzle.
– Dirbuster (or alike tools)
– Python, for automating tasks on the fly (more on this later).
There were a couple of open ports upon scanning the target: the standard HTTP, SMB, and SSH ports. At first, the service on port 80 looked promising! I was wrong, big time. I spent a couple of hours a day looking at directory listings, analyzing WordPress install files, and PHPInfo() output; however, this was a huge diversion. After giving up, I took another approach and was curious what the SMB daemon offered.
smbclient -L 192.168.0.14
I saw a couple of shares, two of which could not be used to leverage a vulnerability. I was able to connect to the share$ share and list the files in the document root.
The deets.txt file grabbed my attention, so I decided to download it and inspect its contents:
CBF Remembering all these passwords.
Remember to remove this file and update your password after we push out the server.
Brute Forcing Fun and Flag
I knew that 12345 was the password to something, but I was not sure what. Based on my earlier research on the WordPress site, possible users were Admin, togie, or root. In the context of the challenge (a lazy admin), I was positive that root login was enabled on the SSH daemon. The first thing I tried, despite having a possible password, was to brute force the root SSH account. I was shocked to find the following:
hydra -l root -P cracker/rockyou.txt 192.168.0.14 ssh
The root password was indeed 12345. I was able to sign in via SSH and retrieve the flag.
After completing this challenge, I still had questions and wondered how secure the WordPress site was; after all, it was running the latest version. After doing some recon on the file system, I placed the Admin’s password in one of my word lists to see if local brute force protection was enabled.
After 50 password attempts, I was able to brute force the admin page through XMLRPC. This password grants you access to the WP dashboard and MySQL database. What I found aligns with the context of a lazy system admin.
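Both of the brute-force paths above (hydra against root over SSH, and repeated logins through xmlrpc.php) leave a very recognisable trail in host logs. As an added example that is not part of the original post or the challenge VM, here is a small detector over sshd and Apache log lines; the log formats are standard syslog and Apache combined format, the threshold and window are assumed values, and the 192.0.2.x addresses and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd failure as it appears in /var/log/auth.log (syslog format, no year).
SSH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# Apache combined-format request line for a POST to xmlrpc.php.
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /xmlrpc\.php[^"]*" ')

def parse_events(lines, year=2017):
    """Yield (timestamp, source, ip) for every line that is a login attempt."""
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
            yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), "ssh", m["ip"]
            continue
        m = WEB_RE.match(line)
        if m:
            stamp = m["ts"].split()[0]  # drop the timezone offset
            yield datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S"), "xmlrpc", m["ip"]

def detect_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {(source, ip): peak count} for sources reaching `threshold`
    attempts inside any sliding `window` (threshold and window are assumed)."""
    buckets = defaultdict(list)
    for ts, source, ip in parse_events(lines):
        buckets[(source, ip)].append(ts)
    alerts = {}
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts

# Constructed sample: 12 failed root logins in 12 seconds, one stray failure
# from another host, and 60 xmlrpc.php POSTs within one minute.
SAMPLE = [f"Dec  3 10:15:{i:02d} lazy sshd[1234]: Failed password for root "
          f"from 192.0.2.10 port 5{i:04d} ssh2" for i in range(12)]
SAMPLE.append("Dec  3 11:00:00 lazy sshd[1300]: Failed password for togie "
              "from 192.0.2.99 port 40000 ssh2")
SAMPLE += [f'192.0.2.10 - - [03/Dec/2017:10:20:{i:02d} +0000] '
           f'"POST /xmlrpc.php HTTP/1.1" 200 512' for i in range(60)]
```

Calling detect_bursts(SAMPLE) flags 192.0.2.10 on both the ssh and xmlrpc sources and ignores the single failure from 192.0.2.99; feeding it real auth.log and access.log lines works the same way.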
What did I learn? Well, at first I got lost in the sea of files, checking to see which ones were world-readable. I got very frustrated, and I knew my last-ditch option was a brute-force attempt – little did I know that was the fastest way to solve this challenge. An SSH brute-force attack would have gotten you root access and the solution to this challenge. Once everything was figured out, everything looked simple, but I cannot hide the fact that this took me a couple of days to riddle out! What was your solution?
Until next time,
May the s0urce be with you.