TryHackMe LazyAdmin CTF Writeup — Step-by-Step Guide
TryHackMe LazyAdmin CTF Writeup — Step-by-Step Guide
Platform: TryHackMe
Room: LazyAdmin
Difficulty: Easy
OS: Linux (Ubuntu)
Introduction
LazyAdmin is a beginner-friendly Linux CTF room on TryHackMe that teaches you core penetration testing concepts — from port scanning and web enumeration to CMS exploitation and Linux privilege escalation. If you are preparing for OSCP or just getting started in ethical hacking, this machine is an excellent real-world practice target.
In this writeup, you will find every step explained clearly so you understand what you are doing and why.
Target Information
| Field | Value |
|---|---|
| IP Address | 10.49.134.82 |
| OS | Ubuntu Linux |
| Difficulty | Easy |
Phase 1 — Reconnaissance
Good reconnaissance is the foundation of every successful penetration test. We start with fast port discovery and then move into detailed service fingerprinting.
Step 1: Fast Port Scanning with RustScan
RustScan is a modern, blazing-fast port scanner that can scan all 65,535 ports in seconds and automatically hands results to Nmap for service detection.
Flag explanation:
-a— target IP address
RustScan Output:
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
RustScan immediately identified two open ports: 22 (SSH) and 80 (HTTP). Now we hand those over to Nmap for a deeper look.
Step 2: Detailed Service Fingerprinting with Nmap
With our open ports confirmed, we run a targeted Nmap scan for version and OS information.
Flag explanation:
-sV— detect service versions-vvvv— very verbose output (useful for live feedback)-p 22,80— scan only the ports we already know are open
Nmap Output:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
What we learn from this:
- Port 22 is running OpenSSH 7.2p2 — we will need valid credentials to use this.
- Port 80 is running Apache 2.4.18 on Ubuntu — there is a web application to explore.
- The target is running Ubuntu Linux, likely an older release based on the package versions.
Tip: OpenSSH 7.2p2 is an older version. Keep a note of it — there may be known CVEs if brute force fails.
Phase 2 — Web Enumeration
Now we know a web server is running. Let's explore it manually first, then use automated directory discovery.
Step 3: Visiting the Web Application
Open your browser and navigate to:
http://10.49.134.82
You will see the default Apache2 Ubuntu welcome page. This tells us:
- The web server is freshly installed or misconfigured.
- The real content is likely hidden in a subdirectory.
This is where directory brute-forcing becomes essential.
Step 4: Directory Brute-Forcing with Gobuster
We use Gobuster to discover hidden directories and files on the web server.
Flag explanation:
dir— directory/file brute-force mode-u— target URL-w— wordlist to use-t 50— 50 threads for faster scanning
Gobuster Output:
/content (Status: 301) [Size: 316]
We found a directory called /content. Let's investigate.
Step 5: Exploring /content — SweetRice CMS
Navigating to http://10.49.134.82/content, we are greeted by a SweetRice CMS installation page.
SweetRice is a lightweight PHP-based content management system. This is significant because:
- It is an older, less-maintained CMS.
- It has known public vulnerabilities.
- There may be default credentials or exposed configuration files.
Let's run Gobuster again specifically inside /content:
Output:
/content/as (Status: 301) — Admin panel
/content/inc (Status: 301) — Includes directory
/content/js (Status: 301) — JavaScript files
/content/images (Status: 301) — Images directory
/content/_themes (Status: 301) — Themes
The most interesting findings:
/content/as— the admin login panel
/content/inc— a directory that may contain sensitive files
Step 6: Finding Credentials in the MySQL Backup
Browse to:
http://10.49.134.82/content/inc/
Inside this directory, you will find a folder called mysql_backup. Open it and you will see a .sql backup file available for download.
Download it and open it in a text editor:
Inside the SQL dump, you will find something like this:
We have an MD5 hash for the manager user. Let's crack it.
Step 7: Cracking the MD5 Hash
Use an online tool like CrackStation or Hashcat:
OR
try crackstation.net
The hash cracks to:
Password: Password123
Credentials found:
manager/Password123
Phase 3 — Exploitation
Step 8: Logging into SweetRice Admin Panel
Navigate to the admin panel:
http://10.49.134.82/content/as/
Log in with the credentials we found:
- Username:
manager - Password:
Password123
We now have full administrative access to the CMS.
Step 9: Uploading a PHP Reverse Shell
SweetRice allows uploading files through the Ads section, which we can abuse to upload a PHP reverse shell.
Step-by-step:
- Go to Ads in the left sidebar.
- Click Add New Ad.
- In the content box, paste a PHP reverse shell payload. Use the one from PentestMonkey:
Replace
$ipwith your owntun0VPN IP — find it withip aorifconfig.
- Save the ad. Note the filename it assigns.
- Access your shell via:
http://10.49.134.82/content/inc/ads/your_shell.php
Step 10: Setting Up a Netcat Listener
Before accessing the shell URL, set up your listener:
Now browse to the shell URL — your listener should catch a connection.
You now have a reverse shell as www-data.
Phase 4 — Post-Exploitation & Privilege Escalation
Step 11: Stabilising the Shell
Upgrade your basic shell to a fully interactive TTY:
Step 12: Finding the User Flag
User flag found! Copy it into TryHackMe.
Step 13: Privilege Escalation via Sudo
Check what commands the current user can run as root:
Output:
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
We can run a Perl script as root without a password. Let's look at the script:
Output:
The Perl script executes /etc/copy.sh. Let's check what that file contains and whether we can write to it:
Output:
-rw-r--rwx 1 root root 81 Nov 29 2019 /etc/copy.sh
The file is world-writable! We can overwrite it with our own payload.
Step 14: Overwriting the Script for Root Access
Replace 10.X.X.X with your own TryHackMe VPN IP.
Set up another Netcat listener on your machine:
Now execute the Perl script with sudo:
Your listener catches a root shell.
Step 15: Capturing the Root Flag
Root flag found! You have fully compromised the machine.
Summary of the Attack Chain
RustScan → Nmap → Apache Default Page
↓
Gobuster → /content → SweetRice CMS
↓
/content/inc/mysql_backup → MySQL dump → MD5 hash
↓
Hash cracked → Admin login → Ads file upload → PHP reverse shell
↓
www-data shell → sudo -l → backup.pl → copy.sh (world-writable)
↓
Overwrite copy.sh → sudo execution → ROOT shell
Key Takeaways
| Lesson | Detail |
|---|---|
| Exposed backups | Never leave database backups in a publicly accessible web directory. |
| Weak password hashing | MD5 is not suitable for password storage — use bcrypt or Argon2. |
| CMS file upload | Restrict allowed file types; never allow .php uploads. |
| World-writable scripts | Files called by privileged processes must never be writable by non-root users. |
| Sudo misconfigurations | NOPASSWD rules that call writable scripts are a critical privilege escalation vector. |
Tools Used
| Tool | Purpose |
|---|---|
| RustScan | Fast initial port discovery |
| Nmap | Detailed service fingerprinting |
| Gobuster | Web directory brute-forcing |
| Hashcat / CrackStation | MD5 hash cracking |
| Netcat | Reverse shell listener |
| PentestMonkey PHP Shell | Reverse shell payload |
Happy hacking — and always hack on machines you have explicit permission to test.
Tags
Keep Reading