LazySysAdmin vulnhub walkthrough

hidepatidar
Oct 27, 2021

LazySysAdmin is a vulnerable box, and in this walkthrough we will enumerate it.

Let's start the enumeration.

First, download the box from https://www.vulnhub.com/entry/lazysysadmin-1,205/. This is the official VulnHub site, and you can download the box using this link.

After downloading the box, deploy it in a virtual machine. If you don't have VirtualBox, go to https://www.virtualbox.org/, download VirtualBox and configure the machine.

Use nmap to scan for live hosts:

$ nmap -sn 192.168.1.226/24

We found three live IP addresses, and we will enumerate 192.168.1.204.

Let's check how many ports are open on this box:

$ nmap -v -p- 192.168.1.204

Now scan the open ports with nmap's default scripts and version detection to see which services are running on them:

$ sudo nmap -sC -sV -sT -sU -A -p 22,80,139,445,3306,6667 192.168.1.204

First we enumerate port 80 (HTTP), so open your browser and go to the box's IP address.

Now check the robots.txt and sitemap.xml files on port 80.

Check the Disallow entries. We checked them, but there is nothing in the disallowed directories, so now brute-force the directories using the dirsearch and gobuster tools.

$ python3 dirsearch.py -u 192.168.1.204

dirsearch is a directory brute-forcing tool. You can clone it from https://github.com/maurosoria/dirsearch

After the dirsearch brute force we found many hidden directories. Now we enumerate these directories.

Next we use nikto to scan for web vulnerabilities:

$ nikto -h 192.168.1.20

Now we enumerate with the whatweb tool and check the result:

$ whatweb --url 192.168.1.204

After whatweb, let's try gobuster:

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u 192.168.1.204

Now try another tool, wfuzz, for directory fuzzing and see the result:

$ wfuzz -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt http://192.168.1.204/FUZZ

We checked port 80 but didn't get any useful information, so let's check another port, 139 or 445.

Using the smbclient command we can see information about SMB:

$ smbclient -L 192.168.43.142

We see the share directory, so list its contents using the smbclient command:

$ smbclient //192.168.43.142/share$

The directories in the share are the web directory location. Now check the deets.txt file.
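A defensive check for the exposure found at this step, a Samba share that maps to the web directory: this added example (not part of the original walkthrough) parses an smb.conf and lists every share that allows guest access, marking those whose path starts with a web root. The function names, the sample configuration, the default web root /var/www and the assumption that the share is reachable through guest access are all illustrative.

```shell
#!/bin/sh
# Added example: list Samba shares that allow guest access.
# Usage: audit_smb_conf FILE [WEBROOT]   (FILE may be "-" for stdin)
# Output: <share> <path> <GUEST|GUEST+WEBROOT>, one line per guest share.
audit_smb_conf() {
    awk -v webroot="${2:-/var/www}" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function truthy(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    function report() {
        if (share != "" && tolower(share) != "global" && guest)
            print share, path, (index(path, webroot) == 1 ? "GUEST+WEBROOT" : "GUEST")
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                  # a new [section] starts
        report()
        share = trim($0); share = substr(share, 2, length(share) - 2)
        path = ""; guest = 0
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        # parameter names ignore case and whitespace in smb.conf
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]+/, "", key)
        val = trim(substr($0, eq + 1))
        if (key == "path") path = val
        # "public" is a synonym for "guest ok"
        if (key == "guestok" || key == "public") guest = truthy(val)
    }
    END { report() }
    ' "$1"
}

# Constructed sample configuration (hypothetical, not copied from the box).
sample_smb_conf() {
    cat <<'EOF'
[global]
   map to guest = Bad User
[print$]
   path = /var/lib/samba/printers
   guest ok = no
[share$]
   path = /var/www/html/
   Guest OK = Yes
[scans]
   path = /srv/scans
   public = true
EOF
}

sample_smb_conf | audit_smb_conf -
```

A GUEST+WEBROOT line means files such as notes or configuration under the web root are readable without credentials, which is how deets.txt was reachable here.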

Wow, we found a password, but we don't know the username, so let's enumerate usernames.

We found a user, togie, on the WordPress page, so now we have a user and a password. Let's try them for SSH:

$ ssh togie@192.168.43.142

Wow, we got a restricted SSH shell on port 22.

username: togie

password: 12345

Privilege escalation

First we check sudo -l and check SUID permissions:

$ sudo -l

Wow, we see ALL privileges, which means the user togie can run all commands using sudo. Let's try it.

We found the flag in /root/proof.txt.

This is a good box for beginners. If you are starting a new journey in cyber security, do this box.

Happy hacking :)
