LazySysAdmin VulnHub walkthrough
LazySysAdmin is a vulnerable box, and in this walkthrough we will enumerate it.
Let's start the enumeration.
First, download the box from ,205/. This is the official VulnHub site, and you can download the box using this link.
After downloading the box, deploy it on a virtual machine. If you don't have VirtualBox, follow this link to download VirtualBox and configure the machine.
Use nmap to scan for live hosts:
$ nmap -sn

We found three live IP addresses, so now we enumerate.
Let's check how many ports are open on this box:
$ nmap -v -p-

Now scan with nmap using the default scripts and see what services are running on the open ports:
$ sudo nmap -sC -sV -sT -sU -A -p 22,80,139,445,3306,6667

First we enumerate port 80 (HTTP), so open your browser and go to the box's IP address.

Now check the robots.txt and sitemap.xml files on HTTP port 80.

Check the Disallow entries. We checked them, but there is nothing in the disallowed directories, so now brute force the directories using the dirsearch and gobuster tools:
$ python3 -u
dirsearch is a tool for directory brute forcing; you can clone it using this link.

After the dirsearch brute force we found many hidden directories, and now we enumerate them.
Next we use nikto to scan for web vulnerabilities:
$ nikto -h

Now we enumerate with the whatweb tool and check the result:
$ whatweb --url

After whatweb, let's try gobuster:
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u

Now try another tool, wfuzz, for directory fuzzing and see the result:
$ wfuzz -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

We checked port 80 but did not get any information, so let's check another port, 139 or 445.
Using the smbclient command we can see information about SMB:
$ smbclient -L

Look at the shared directories and list a share's contents using the smbclient command:
$ smbclient //$

We can see that the shared directory is the web directory location. Now check the deets.txt file.

Wow, we found a password, but we don't know the username, so let's enumerate usernames.
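The finding above, seen from the defender's side: this is an added example (not part of the original walkthrough) that walks a directory exported over SMB and reports text files holding plaintext credential notes like deets.txt. The regex heuristic, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristic (an assumption about how such notes are worded): a credential
# keyword followed by ':', '=' or 'is' and then a value.
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret)\b\s*(?:[:=]|is\b)\s*\S+")
MAX_BYTES = 1_000_000  # notes like deets.txt are small; skip large files


def scan_share(root):
    """Return (relative_path, line_number, keyword) for credential-like lines."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file, nothing to inspect
            if b"\x00" in data:
                continue  # binary content
            text = data.decode("utf-8", errors="replace")
            for number, line in enumerate(text.splitlines(), 1):
                match = CRED_RE.search(line)
                if match:
                    # Record the keyword only, never the secret itself.
                    rel = os.path.relpath(path, root)
                    findings.append((rel, number, match.group(1).lower()))
    return findings


def demo():
    """Scan a constructed directory that mimics the shared web root."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files, not the box's real contents.
        with open(os.path.join(root, "deets.txt"), "w") as fh:
            fh.write("note to self\nupdated password: 12345\n")
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>No password needed to browse</h1>\n")
        return scan_share(root)


if __name__ == "__main__":
    for rel, number, keyword in demo():
        print(f"{rel}:{number}: plaintext '{keyword}' note in shared directory")
```

Run against the real path behind a share, any hit is a file to remove and a password to rotate.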

We found a user, togie, on the WordPress page, so now we have a user and a password. Let's try them for SSH:
$ ssh togie@

Wow, we got a restricted SSH shell on port 22.
username - togie
password - 12345
Privilege escalation
First we run sudo -l and check SUID permissions:
$ sudo -l

Wow, we see all privileges, which means the user togie can run every command using sudo. Let's try it.

We found the flag in /root/proof.txt.
This is a good box for beginners; if you are starting a new journey in cyber security, do this box.
Happy hacking :)