Lazy Admin

An nmap scan shows ports 22 and 80 were open.

Through directory fuzzing a login screen was found. 

Another interesting file was also found for mysql.

After opening the directory we are brought to a file.

Downloading and opening the contents of the file shows us some interesting results.  Admin or manager could be a username, but it also looks like there’s a password hash.  Going to Crackstation and inputting the information gives us a password to use for the site.

A vulnerability in SweetRice version 1.5.1 allows unrestricted file uploads through Media Center.

This vulnerability allowed for a reverse shell on the machine.

The sudo -l command shows that a couple of items can run as sudo.  The file has code that runs another file (etc/  Rewriting the /etc/ and running through perl and sudo should give a reverse shell as root.