Another day, another machine from Vulnhub. This time it’s the one called LazySysAdmin.
First thing we have to do is to scan the machine for open services.
We can already see a bunch of open ports, but for now, we’re going to focus on port
That’s a bunch of directories, but only
/Backnode_files/ wasn’t empty. From there we get the directory of called
wordpress, to which we can navigate using the browser.
But in the meantime, I stumbled upon something very interesting -
smb share can be accessed by
anonymous user. And there’s a lot of goodies.
Firstly, let’s view the
It seems that we have the password, but to which account? Wordpress didn’t work so I decided to move on with the
smb share. Maybe we’ll find something interesting in the
Great, we have the
MySQL credentials. Unluckily, when we want to view the
wp-users table, we are greeted with this error.
Moving on with my attack, I decided to look at the login page in
Wordpress. If the password to
MySQL, maybe the
Wordpress one will be similar?
But nope, password to
Admin account is the same as to
MySQL. Don’t reuse your passwords!
After logging in, I decided to paste the reverse php shell in
404.php page of twentyfifteen theme.
After that, change the essential info about your IP and port to use, and navigate to
In the meantime, run a listener.
Great, we have the connection. From the directories, we know that there is only one user
Remember the password from the note earlier on? Maybe it will work for this account?
In addition, upon first things to find was that the
togie user can run anything as