🧠 TryHackMe - LazyAdmin Write-up

Haz0x

🗂️ Room Info

  • Room: LazyAdmin

  • Platform: TryHackMe

  • Date: 07-13-2025

  • Author: Haz0x

🧾 Overview

LazyAdmin is an easy-level Linux CTF that focuses on misconfigured web applications and simple privilege escalation. It’s great for beginners looking to get hands-on with basic enumeration, password reuse, and sudo misconfiguration.

I started by scanning the target's open ports.

nmap -sC 10.10.23.107

This is the target's HTTP website, which is the default Ubuntu page.

My next step is to scan for subdirectories with Gobuster.

gobuster dir -u http://10.10.23.107/ -w "$commondirs"

I checked all the links in the source code and couldn't get anywhere. It says the SweetRice CMS admin panel is at site/as, but when I tried it I just got a 404 Not Found. So I decided to run gobuster again, this time using site/content/ as the target.

gobuster dir -u http://10.10.23.107/content/ -w "$commondirs"

Bingo. Apparently /as does exist; it's just under /content.

This is the admin panel. We could brute-force it, but that would take far too long. It would be much faster if we could at least get the admin's username, so I'll have a look around the other directories first.

Everything else looks empty EXCEPT /inc.

Try to find what is special about this page.. 5….4….3….2….1.

We have a mysql_backup folder. I assume there is some kind of SQL file in here.

Gotcha. Let's download it and see what's inside.

cat mysql_bakup_20191129023059-1.5.1.sql

Upon checking the data, we found... THE ADMIN CREDS!!!!

Admin: Manager

The password is hashed. We will crack it using the CrackStation website.

So let's go ahead and try these credentials on the admin panel.

Now that we are in, the most common way to exploit a web application like this is a file upload vulnerability.

I tried the pages here with an extension-bypass technique. For some reason, Media Center Theme Ads doesn't work.

Searching the web for vulnerabilities in the management system, which is SweetRice CMS, I found this:

https://www.exploit-db.com/exploits/40716

I downloaded it, made it executable and ran it to see what happens. NOTE: You have to change the IP to your own IP, because that is where the shell will connect back to (you), and the PORT as well, e.g. 4444 or 9999, any port that isn't in use by other services.

As you can see here, it asks us for 4 parameters. We just have to fill them in and see what happens.

There we go. Now we just have to open a new terminal and start a listener on the port we set in the shell, which in my case is port 4444:

nc -lvnp 4444

After the listener is set up, we browse to the location of our shell to trigger it.

There we goooo. We're in! The first things I always do after getting a shell are finding out which user I am with whoami and checking what that user can do with sudo -l. Also, this is most likely where the user flag is.

I also learned this recently: stabilizing the shell. I forgot the exact term, but it really helps when navigating the shell. Shells from the usual pentestmonkey PHP shell, which I used, are called "dumb" because they have no job control and no proper prompt. There is a way to make them less dumb: spawning a pseudo-terminal.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Then put it in the background with CTRL + Z.

stty raw -echo will switch your local terminal to raw mode; then bring back the shell you got from the website by typing fg and hitting Enter.

In the shell, type export TERM=xterm and there you go. You should have a less dumb terminal.

Now that it's stable, let's see what this /usr/bin/perl /home/itguy/backup.pl is about.

It looks like this is a script within a script: once we run /home/itguy/backup.pl, it runs /etc/copy.sh.

Before proceeding, let's check out the /home/itguy directory. Turns out that is where our user.flag is.

The good thing is that we have permissions on /etc/copy.sh, which you can check by typing ls -l /etc/copy.sh.

Basically, this means www-data can run Perl as sudo. We don't have permission to write to backup.pl, BUT we can write to /etc/copy.sh, which runs whenever backup.pl is run.

Run nano /etc/copy.sh, hit Enter, and then edit the IP to our attack machine's IP and the port as well.

Save and close it. Then set up another listener with nc -lvnp 4444 and run sudo /usr/bin/perl /home/itguy/backup.pl.

There’s our root flag :)
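As an added example (not part of the original write-up), here is a small Python audit that models the chain this room relies on: a sudo rule lets a user run an interpreter on a script, and that script in turn executes a file that others can write. The sudoers line, file modes and file contents are constructed to mirror the room's layout; on a real host you would read the files and stat() their modes instead of using the FILES dictionary.

```python
import re
import stat
from typing import Dict, List, Optional, Tuple

# Constructed sample input mirroring the room's layout; not data copied from the box.
SUDOERS = ["www-data ALL=(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl"]
FILES: Dict[str, Tuple[int, str]] = {
    # path -> (permission bits, file contents)
    "/home/itguy/backup.pl": (0o644, 'system("sh", "/etc/copy.sh");\n'),
    "/etc/copy.sh": (0o777, "# constructed placeholder body\n"),
}

# user  host=(runas)  [NOPASSWD:]  command...
SUDO_RULE = re.compile(r"^(\S+)\s+\S+=(?:\(.*?\))?\s*(?:NOPASSWD:\s*)?(.+)$")
# Absolute paths mentioned anywhere in a script body.
PATH_RE = re.compile(r"/(?:[\w.-]+/)*[\w.-]+")


def parse_rule(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (user, command argv) for one sudoers rule, or None for other lines."""
    m = SUDO_RULE.match(line.strip())
    return (m.group(1), m.group(2).split()) if m else None


def world_writable(mode: int) -> bool:
    """True when the 'other' write bit is set (the defect that made copy.sh editable)."""
    return bool(mode & stat.S_IWOTH)


def audit(sudoers: List[str], files: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    """For each sudo rule, follow every file the allowed command (transitively)
    references and report (user, path) for any link in that chain others can write."""
    findings = []
    for line in sudoers:
        rule = parse_rule(line)
        if rule is None:
            continue
        user, argv = rule
        seen, todo = set(), [a for a in argv if a.startswith("/")]
        while todo:
            path = todo.pop()
            if path in seen or path not in files:  # unknown files are skipped
                continue
            seen.add(path)
            mode, body = files[path]
            if world_writable(mode):
                findings.append((user, path))
            todo.extend(PATH_RE.findall(body))  # descend into scripts this script runs
    return findings
```

Fixing the finding means either removing the sudo rule or clearing the write bit on /etc/copy.sh (chmod o-w); extending world_writable to also flag group-writable files is a one-line change (stat.S_IWGRP).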
