VulnHub Walk-through - LazySysAdmin
netdiscover -i eth18.104.22.168.100 will be our target for this exercise.

Running NMAP (nmap -T4 -A -v 192.168.1.100 in this case) on our target shows a few interesting things:

As we can see, this is an Ubuntu machine with the following ports open: 22, 80, 139, 445, 3306, and 6667. This tells us a few things. SSH is enabled on port 22 on this machine. There is an Apache web server running on port 80. The exposed robots.txt list gives us 4 directories that we can save for further analysis. NBT is open on port 139 and SMB is open on port 445. MySQL is exposed on port 3306. And finally, there is an InspIRCd IRC server running on port 6667 (and yes, it will allow you to log in with an IRC client).

The continuation of the NMAP scan reveals further detail on SMB:

Since we know a web server is running on this machine, we can run
which python) and see that Python is installed, so let's try spawning a shell with the command python -c 'import pty; pty.spawn("/bin/sh")'. It works! Now we can run normal commands and navigate through directories. We don't have access to /root, though. The first and simplest thing we should try is seeing if the "togie" user has rights to sudo (surely it wouldn't be that easy, right?):

Except... it is. The "togie" user, with a password of 12345, has sudo access and can elevate to root. Let's check /root and see what we have in there:

And there's our flag!

I hope you enjoyed this walk-through and found it easy to follow along. With the services running on this machine, I'm confident there are other ways of exploiting it to gain access. If you have other methods, submit them to VulnHub and post them in the comments here!
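A defender-side check for the misconfiguration this walk-through ends on, added here as an example and not part of the original post: it lists accounts that hold unrestricted sudo on a host whose sshd still accepts passwords. The file contents are constructed samples, the function names are hypothetical, and the parser assumes simple sudoers rules (no aliases, includes, or Match blocks).

```python
import re

# Constructed sample file contents modelled on the finding above (not copied from the VM).
GROUP = """root:x:0:
sudo:x:27:togie
"""
SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""
SSHD_CONFIG = """Port 22
PermitRootLogin prohibit-password
#PasswordAuthentication yes
"""
# user-or-%group, host spec, optional (runas), optional tags, then a bare ALL command
RULE = re.compile(r"^(%?[\w.-]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:\w+:\s*)*ALL\s*$")

def group_members(group_text):
    """Map group name -> set of member names from /etc/group content."""
    members = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4:
            members[parts[0]] = {u for u in parts[3].split(",") if u}
    return members

def full_sudo_users(sudoers_text, groups):
    """Users granted unrestricted 'ALL' commands, directly or via a %group rule."""
    users = set()
    for line in sudoers_text.splitlines():
        m = RULE.match(line.strip())
        if m:
            who = m.group(1)
            users |= groups.get(who[1:], set()) if who.startswith("%") else {who}
    return users

def password_ssh_enabled(sshd_text):
    """OpenSSH defaults PasswordAuthentication to yes; the first explicit value wins."""
    for line in sshd_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].lower() != "no"
    return True

def audit(group_text, sudoers_text, sshd_text):
    """Non-root accounts one guessed password away from root over SSH."""
    risky = full_sudo_users(sudoers_text, group_members(group_text)) - {"root"}
    return sorted(risky) if password_ssh_enabled(sshd_text) else []
```

Each account it returns needs a strong password or key-only login, and a review of whether it needs full sudo at all.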