Preparing for the OSCP exam, I found a gem prepared by Clutch to assist people that want to get a feel of what the exam is all about through machines from VulnHub that'd replicate the environment. The Pre-Exam can be found here. One of those machines is LazySysAdmin, which truly stands up to its name. This machine was configured by a lazy system administrator and thus, one clear thing to be looking for is a mis-configured system. Lets dive in!
netdiscover allows us to find out the IP on the internal network of the virtual network.
netdiscover -i eth0 -r 192.168.56.0/24 where
-i stands for the interface and
-r stands for the network range that we want to scan.
Knowing where the machines stands, the process continues with port scanning. Using
NMAP, the below results are generated.
From the above, it is clear that a Linux system is running. Based on the priority of each port,
SMB is the first on the discovery analysis process, followed by
HTTP, and last, the
IRC server can be checked for any hidden messages or public exploits.
smbmap is one of the best tools to map out the permissions and folders that can be accessed using
SMB which when accessed, appears to be the web directory. An interesting file to always be checked is the
wp-config.php in the
Another interesting file is the
deets.txt,which is not generally found on web servers. A line stating that the password is
12345 is shown. After grabbing the crucial files, the web service is then traversed.
Mainly, two spots take my attention. The
WordPress application, and
PHPMyAdmin. They can both be accessed using the user and password mentioned above. Grabbing a reverse shell from
WP is usually pretty easy. That's where I stopped and looked back. That password,
12345 was not used in any of those applications. The user
togie is mentioned as well on the landing page of
WordPress. Those surely can lead to something ... Let's try to
SSH to that machine using
Success! It truly was that easy.
One of the quickest ways to grab
root, since we have the password of the user at hand, is through checking the permissions that user has under
sudo. Since that user is part of the
sudo group, a quick user substitution is done and guess what! We're root!
Having a sloppy admin is one of the easiest ways to get your systems compromised. I'd like to thank Togie for creating this machine which is to some point, a real life scenario where sysadmins forget to lock down their services and clean up their files and directories that are public.
If you enjoyed my writing, don't forget to follow me on Twitter as @7hunderson!