LazySysAdmin: 1

[ vulnhub  ctf  walkthrough  ]

Goal

uid=0(root) gid=0(root) groups=0(root)

Download

https://www.vulnhub.com/entry/lazysysadmin-1,205/

Walkthrough

Initial nmap shows ports open on 22, 80, 139, 445 and 3306
alt text

Nothing special with web page as the links don’t work and nothing in source
alt text

nikto reveals a wordpress instance and after some enumeration the most we got was a username ‘togie’
alt text

wpscan reveals latest version of wordpress nothing more after further enumeration
alt text

Went back to open smb ports and enumerated open shares using nmap script
alt text

Using smbclient we’re able to get full read-only access to www folder and it shows a file deets.txt
alt text

Opening deets.txt up in a browser reveals a password
alt text

Using that password with found username togie, we have a shell
alt text

Simple sudo -i elevates us to root
alt text

Written on October 29, 2017
Share on: