LazyAdmin TryHackMe Writeup

Overview

LazyAdmin is an easy Linux machine that demonstrates common web application vulnerabilities and basic privilege escalation techniques. The machine features a vulnerable Content Management System (CMS) installation and misconfigured system permissions.

Enumeration

Starting with a comprehensive Nmap scan to identify open ports and services:

sudo nmap -sV -sC -A  -oN nmap_scan

The scan reveals several open ports:

Port 22: OpenSSH 7.2p2 Ubuntu
Port 80: Apache httpd 2.4.18

Basic web enumeration shows a default Apache page. Directory enumeration with Gobuster reveals additional paths:

gobuster dir -u http:// -w /usr/share/wordlists/dirb/common.txt -o gobuster_scan

This discovers a hidden content management directory.

Vulnerable CMS Discovery

Exploring the discovered directory reveals a SweetRice CMS installation. SweetRice is a lightweight CMS that has known vulnerabilities.

Checking for common CMS vulnerabilities, including:

Default credentials testing
Directory traversal possibilities
Version identification

Initial Access

Exploiting the vulnerable CMS provides initial access to the system. Successful exploitation leads to shell access as the www-data user.

Basic enumeration of the compromised system:

whoami && pwd && ls -la

Looking for user and system information:

id && uname -a && cat /etc/passwd | grep -E "(admin|backup|manager)"

User Flag

Locating and capturing the user flag:

find /home -name "*flag*" -type f 2>/dev/null

Or checking common locations:

ls -la /home/*/

User Flag: THM{63e5bce9271952aad1113b6f1ac28a07}

Privilege Escalation

Checking for privilege escalation opportunities:

sudo -l

The sudo configuration reveals misconfigured permissions that allow privilege escalation to root. This is a common Linux privilege escalation vector involving:

Misconfigured sudo permissions
Abuse of legitimate administrative tools
Path manipulation techniques

Root Flag

Successful privilege escalation provides root access. Locating the root flag:

find /root -name "*flag*" -type f 2>/dev/null

Root Flag: THM{6637f41d0177b6f37cb20d775124699f}

Final Answers

What is the user flag?

Answer: THM{63e5bce9271952aad1113b6f1ac28a07}

What is the root flag?

Answer: THM{6637f41d0177b6f37cb20d775124699f}

Vulnerabilities Exploited

Web Application Vulnerability

The primary attack vector involves a vulnerable Content Management System. SweetRice CMS has documented vulnerabilities that allow:

Arbitrary file upload
File inclusion exploits
Remote code execution

Privilege Escalation

The privilege escalation occurs through misconfigured sudo permissions, allowing execution of privileged commands without proper password verification.

Lessons Learned

Always update CMS installations and monitor for known vulnerabilities
Regular security assessments should include web application testing
Proper file permissions are crucial for system security
Sudo configurations should follow the principle of least privilege
Directory enumeration can reveal vulnerable applications
Multiple privilege escalation vectors may exist - check sudo, SUID, cron jobs
Web shells obtained through CMS vulnerabilities provide initial foothold
Always verify what users can run with sudo privileges

Mitigation Strategies

Web Application Security

Keep CMS and plugins updated
Implement proper input validation
Use web application firewalls (WAF)
Restrict file upload capabilities

System Hardening

Configure sudo properly with least privilege
Remove unnecessary SUID binaries
Implement proper file permissions
Use security frameworks like SELinux or AppArmor

Monitoring and Detection

Implement intrusion detection systems
Monitor for suspicious file modifications
Log and alert on privilege escalation attempts
Regular vulnerability scanning

Tools Used

Nmap: Network scanning and service enumeration
Gobuster: Directory and file enumeration
Browser: Web application interaction
Linux terminal: Command execution and file operations
Exploit frameworks: Vulnerability exploitation

Difficulty Assessment

LazyAdmin is rated as an easy room due to:

Straightforward enumeration phase
Well-known CMS vulnerability
Basic privilege escalation technique
Limited rabbit holes and misdirection

Perfect for beginners learning web application exploitation and Linux privilege escalation fundamentals.

LazyAdmin Writeup

Overview

Enumeration

Vulnerable CMS Discovery

Initial Access

User Flag

Privilege Escalation

Root Flag

Final Answers

What is the user flag?

What is the root flag?

Vulnerabilities Exploited

Web Application Vulnerability

Privilege Escalation

Lessons Learned

Mitigation Strategies

Web Application Security

System Hardening

Monitoring and Detection

Tools Used

Difficulty Assessment