Try Hackme LazyAdmin Walkthrough

So lets nmap scan the IP

Nothing peculiar lets try gobuster for hidden directories

SO the content directory seems interesting lets check it out

So it looks like the machine is running sweetRice CMS lets enumerate the content directory using gobuster

The inc directory seemed interesting on accessing it there was a folder named mysql backup present there so lets view its contents

So we get the admin credentials in the mysql backup file

the hash was cracked easily using crackstation

lets login into the cms and see what can be useful

on searching through web for rce in the cms it seemed that we can publish ads So we used the php-revshell and posted the ad online

the uploaded file can be accessed from the inc folder so we access it and get the shell

we get the user flag from the home folder

So on checking for sudoers we get that we can use perl as root

So i changed copy.sh to spawn a reverse shell(use pentestmonkey for help) and execute the perl script as root and got the root shell and found the root flag

We can also user other ways but this was the way I used to get root

Keep Enumerating!!