# Technical Report

## <mark style="color:purple;">Technical Security Report: "LazyAdmin" System</mark>

### <mark style="color:purple;">Purpose of the Report</mark>

This document provides a detailed technical assessment of the "LazyAdmin" system. The objective is to describe, in a structured manner, the vulnerabilities identified and the methodologies used to exploit them. Additionally, this report offers actionable recommendations to mitigate security risks.

***

### <mark style="color:purple;">Methodology</mark>

The security evaluation was conducted using a structured approach, consisting of the following phases:

1. **Reconnaissance:** Identifying open ports and running services through automated scanning tools.
2. **Enumeration:** Exploring public directories and files to extract valuable information.
3. **Exploitation:** Utilizing known vulnerabilities to gain unauthorized access.
4. **Privilege Escalation:** Obtaining root-level access through insecure configurations.

***

### <mark style="color:purple;">Detailed Findings</mark>

#### 1. Reconnaissance

**Tool Used:** `nmap`\
**Command Executed:**

```bash
sudo nmap -F <target_ip>
```

**Description:** A fast scan (`-F`) of the 100 most common TCP ports was run to identify exposed services. Services listening on other ports would not appear here; a full-range (`-p-`) follow-up scan is the normal next step and is not shown in this report.

**Results:**

* Port 22: SSH Service
* Port 80: HTTP Service

> **Impact:** These open ports indicate potential entry points for an attacker. Given that port 80 serves a web application, it was prioritized for analysis.

#### 2. Enumeration

**Tool Used:** `dirbuster`\
**Command Executed:**

```bash
# -H runs DirBuster headless; -l is its wordlist option (there is no -w flag)
dirbuster -H -u http://<target_ip>/ -l /usr/share/wordlists/dirb/common.txt
```

**Description:** The scan revealed a `/content/` tree with a browsable `/content/inc/` directory. Notable entries under `/content/inc/`:

* `htaccess.txt`
* `lastest.txt` (the misspelling is the CMS's own file name)
* `mysql_backup/`, a directory with listing enabled

**Key Findings:**

1. `htaccess.txt`: Nothing of use.
2. `lastest.txt`: Disclosed the CMS version, SweetRice 1.5.1.
3. `mysql_backup/`: The directory listing exposed a SQL dump of the CMS database.

> **Impact:** The version disclosure narrowed the search for known exploits, and the unprotected database dump contained the administrator's password hash. Both were reachable without authentication.

#### 3. Exploitation

**Findings:** The SQL dump from `mysql_backup/` contained the CMS administrator account.

**Procedure:**

1. Downloaded the dump from `mysql_backup/`.
2. Extracted the credential row:
   * Username: `manager`
   * Password: stored as an unsalted MD5 hash

**Tool Used:** CrackStation\
**Result:** The hash was present in CrackStation's lookup table; the plaintext is `Password123`. With unsalted MD5 this is a table lookup, not a brute-force effort.

**Next Step:** Logged into the SweetRice admin panel at `/content/as/` with `manager` / `Password123`.

> **Impact:** Administrative access to the CMS, which allows changing site configuration and content and, as shown next, executing code on the server.
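The cracking step above, reproduced as an added example (not part of the original assessment, and not CrackStation's code): a dictionary attack on an unsalted MD5 hash of the kind found in the dump, next to the salted, iterated storage the recommendations call for. The wordlist is constructed, and the target hash is computed here from the recovered password rather than copied from the backup. PBKDF2-HMAC stands in for bcrypt/Argon2 only because it ships with the standard library.

```python
"""Offline dictionary attack on an unsalted MD5 password hash, next to a salted,
iterated record that makes the same attack expensive. Added example; wordlist
and hashes are constructed inline."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed mini wordlist standing in for rockyou.txt or a lookup table.
WORDLIST = ["123456", "password", "manager", "letmein", "Password123", "sweetrice"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 as the CMS stores it: same password, same hash, on every site."""
    return hashlib.md5(password.encode()).hexdigest()


# Stand-in for the manager's hash from the dump (computed here, not copied).
LEAKED_HASH = md5_hex("Password123")


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 equals target_hex, or None.
    One cheap hash per guess and no salt: a precomputed table answers this
    instantly, which is exactly what the CrackStation lookup did."""
    target = bytes.fromhex(target_hex)
    for word in candidates:
        if hmac.compare_digest(hashlib.md5(word.encode()).digest(), target):
            return word
    return None


def pbkdf2_record(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Encode a password as 'salt$iterations$digest' using PBKDF2-HMAC-SHA256.
    bcrypt or Argon2 (the recommended choices) need a third-party package."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_pbkdf2(record: str, password: str) -> bool:
    """Constant-time check of a password against a pbkdf2_record() string."""
    salt_hex, iterations, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_pbkdf2(record: str, candidates: Iterable[str]) -> Optional[str]:
    """The same dictionary attack against the salted record. Every guess now
    costs `iterations` HMAC calls, and the per-user salt means the work cannot
    be shared across accounts or precomputed into a table."""
    for word in candidates:
        if verify_pbkdf2(record, word):
            return word
    return None


if __name__ == "__main__":
    import time

    t0 = time.perf_counter()
    print("MD5 crack:   ", crack_md5(LEAKED_HASH, WORDLIST), f"({time.perf_counter() - t0:.4f}s)")

    record = pbkdf2_record("Password123")
    t0 = time.perf_counter()
    print("PBKDF2 crack:", crack_pbkdf2(record, WORDLIST), f"({time.perf_counter() - t0:.2f}s)")
```

Note the caveat the timing makes visible: slow, salted hashing raises the cost per guess by orders of magnitude, but a password as weak as `Password123` is still found by a short wordlist. Hashing choice and password policy have to change together.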

#### 4. Remote Code Execution (RCE)

**Vulnerability:** SweetRice 1.5.1 has publicly documented vulnerabilities, including arbitrary file upload leading to remote code execution and CSRF in the administration interface.

**Exploit Used:** A CSRF proof of concept from Exploit-DB: an HTML form that submits a PHP payload to the admin interface.

**Modifications Required:**

* Changed the form's `action` from the exploit's default path to `http://<target_ip>/content/as/`, where this deployment serves the admin interface.
* Replaced the sample payload with a PHP reverse shell pointing at the attacker's listener address and port.

**Procedure:**

1. Started a listener on the attacking host (below).
2. While holding the authenticated `manager` session, opened and submitted the modified form, which stored the PHP payload on the server through the admin interface.
3. Requested the stored PHP file over HTTP; the server executed it and connected back to the listener.

**Listening Tool Used:** `netcat`

```bash
nc -lnvp 4444
```

> **Impact:** An interactive shell on the server as the web server user (`www-data`). The whole chain required nothing beyond the credentials recovered from the backup.

#### 5. Privilege Escalation

**Insecure Configuration:** The sudo policy (as listed by `sudo -l`) allowed `www-data` to run `/usr/bin/perl /home/itguy/backup.pl` as root without a password.

**Procedure:**

1. Read `backup.pl`: it does nothing more than execute `/etc/copy.sh`, and `/etc/copy.sh` was writable by `www-data`.
2. Overwrote `/etc/copy.sh` with a script that launches `/bin/bash` (a reverse shell back to the attacker works equally well).
3. Ran the permitted command, so that root executed the replaced helper:

```bash
sudo /usr/bin/perl /home/itguy/backup.pl
```

**Result:** Root shell. Restricting `sudo` to one fixed script gives no protection when a file that script executes is writable by the caller.

> **Impact:** Full control of the host, including access to all data and the ability to persist or pivot at will.
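The check a practitioner runs before trusting a sudo rule like the one above, as an added example (not part of the original assessment): scan the permitted script for absolute paths and report those the current user can write. The layout of finding 5 (`backup.pl` calling `copy.sh`) is rebuilt in a temporary directory so the code runs anywhere without touching `/etc` or `sudoers`; the helper's contents are constructed.

```python
"""Find dependencies of a sudo-permitted script that the caller can overwrite,
the misconfiguration behind finding 5. Added example with a constructed demo
layout; it does not read the real sudoers file or /home/itguy/backup.pl."""
import os
import re
import tempfile
from typing import List, Tuple

ABS_PATH = re.compile(r"(?:/[A-Za-z0-9._-]+)+")


def referenced_paths(script: str) -> List[str]:
    """Absolute paths mentioned in the script text (a plain scan; nothing is executed)."""
    with open(script, encoding="utf-8", errors="replace") as fh:
        return sorted(set(ABS_PATH.findall(fh.read())))


def writable_deps(script: str) -> List[str]:
    """Referenced paths that exist and that the *current* user may write.
    Every hit is root-equivalent: whatever is written there runs under sudo.
    os.access answers for the caller, so when run as root everything is writable."""
    return [p for p in referenced_paths(script) if os.path.exists(p) and os.access(p, os.W_OK)]


def running_as_root() -> bool:
    return os.geteuid() == 0


def make_demo(helper_mode: int) -> Tuple[str, str]:
    """Build stand-ins for /home/itguy/backup.pl and /etc/copy.sh in a temp dir,
    with the helper at permission `helper_mode`. Returns (script, helper)."""
    d = tempfile.mkdtemp(prefix="lazyadmin-")
    helper = os.path.join(d, "copy.sh")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\nrsync -a /var/www/html/ /backup/html/\n")  # constructed contents
    os.chmod(helper, helper_mode)
    script = os.path.join(d, "backup.pl")
    with open(script, "w") as fh:
        fh.write(f'#!/usr/bin/perl\nsystem("{helper}");\n')
    os.chmod(script, 0o644)  # the sudo target itself is not writable
    return script, helper


if __name__ == "__main__":
    vuln_script, _ = make_demo(0o777)   # world-writable helper, as found on the target
    fixed_script, _ = make_demo(0o555)  # not writable by the caller (real fix: chown root:root, chmod 0755)
    for label, script in (("vulnerable", vuln_script), ("fixed", fixed_script)):
        hits = writable_deps(script)
        print(f"{label}: {hits or 'no writable dependencies'}")
```

Run it as the unprivileged account that holds the sudo rule (`www-data` here), since that is whose write access matters. The scan is textual, so it misses paths built at runtime and finds paths that are only mentioned; treat hits as leads to confirm with `ls -l`, not as proof.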

***

### <mark style="color:purple;">Recommendations</mark>

#### Short-Term Actions

1. Remove the database dump from the document root, disable directory listing, and deny web access to `/content/inc/mysql_backup/` and to `.sql` files.
2. Upgrade SweetRice to a patched release, or replace it with a maintained CMS if none is available, and restrict the admin interface at `/content/as/` to trusted networks.
3. Rotate the `manager` password and store passwords with a salted, slow hash (bcrypt or Argon2) instead of unsalted MD5.
4. Remove the passwordless sudo rule for `www-data`, and make `/etc/copy.sh` (and anything else a sudo-permitted command executes) owned by root and writable only by root.
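An Apache 2.4 fragment implementing the web-server side of the short-term actions, added here as an example rather than taken from the target's configuration. The document root `/var/www/html` and the administrator network `10.0.0.0/8` are assumptions; adjust both to the deployment.

```apache
# Added example, not the target's own configuration. Assumes the CMS document
# root is /var/www/html and that administrators connect from 10.0.0.0/8.

# No directory listings anywhere under the CMS's internal tree.
<Directory "/var/www/html/content/inc">
    Options -Indexes
</Directory>

# The backup directory should not exist under the web root at all; until it
# has been moved out, refuse to serve it.
<Directory "/var/www/html/content/inc/mysql_backup">
    Require all denied
</Directory>

# Dumps and editor leftovers wherever they end up under the document root.
<FilesMatch "\.(sql|bak|old|orig|swp)$">
    Require all denied
</FilesMatch>

# Admin interface only from the management network. The login in finding 3 and
# the form submission in finding 4 both came from the attacker's own host.
<Location "/content/as/">
    Require ip 10.0.0.0/8
</Location>
```

After applying it, run `apachectl configtest`, reload, and confirm with a client outside the trusted range that `/content/inc/mysql_backup/`, the `.sql` file and `/content/as/` all return 403 while the public pages still load.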

#### Long-Term Actions

1. Conduct periodic security audits, including review of sudo rules and file permissions, to catch configuration issues like the one in finding 5 before an attacker does.
2. Train personnel in secure development and operations practices, with emphasis on credential storage and least privilege.
3. Ship web server and sudo logs to a central monitoring system and alert in real time on directory brute-force bursts, downloads of backup files, and PHP executed from content directories.
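What the monitoring in item 3 looks like in practice, as an added example (not part of the original assessment): three detection rules, one per stage of the intrusion chain, run over constructed Apache combined-format access log lines. The client addresses, timestamps and the `site_backup.sql` / `shell.php` file names are made up for the demonstration.

```python
"""Detection logic for the attack chain in this report, run over constructed
Apache combined-format access log lines. Added example; the log lines, client
addresses and file names are made up."""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Combined log format: client ident user [timestamp] "METHOD path proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample: a 60-request brute-force burst, a version probe, the
# backup download, an admin POST, then a PHP file under /content/inc/ requested.
_WORDS = ["admin", "backup", "cgi-bin", "test", "old", "tmp", "config", "db", "dev", "logs"]
SAMPLE_LOG: List[str] = [
    f'10.0.0.5 - - [10/Jan/2024:12:00:{i:02d} +0000] "GET /{_WORDS[i % 10]} HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"'
    for i in range(60)
] + [
    '10.0.0.5 - - [10/Jan/2024:12:01:00 +0000] "GET /content/inc/lastest.txt HTTP/1.1" 200 6 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2024:12:01:05 +0000] "GET /content/inc/mysql_backup/ HTTP/1.1" 200 1011 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2024:12:01:07 +0000] "GET /content/inc/mysql_backup/site_backup.sql HTTP/1.1" 200 31283 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2024:12:03:10 +0000] "POST /content/as/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2024:12:03:25 +0000] "GET /content/inc/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2024:12:04:00 +0000] "GET /content/inc/lastest.txt HTTP/1.1" 200 6 "-" "curl/8.0"',
    '10.0.0.7 - - [10/Jan/2024:12:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

Alert = Tuple[str, str, str]  # (rule, client_ip, detail)
BACKUP_PATH = re.compile(r"/mysql_backup/|\.(?:sql|bak|old)$", re.I)
INC_PHP = re.compile(r"^/content/inc/.*\.php$", re.I)
ADMIN_PANEL = "/content/as/"


def parse(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    """(client_ip, timestamp, method, path without query, status), or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, ts, method, path.split("?", 1)[0], int(status)


def detect(lines: List[str], scan_threshold: int = 50) -> List[Alert]:
    """Single pass over the log with three rules: a burst of 404s from one client
    (enumeration), a successful fetch of a backup path (disclosure), and a PHP
    file served from /content/inc/ to a client that has already POSTed to the
    admin panel (payload stored through the CMS, as in finding 4)."""
    alerts: List[Alert] = []
    not_found: Counter = Counter()
    admin_posters = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, _, method, path, status = rec
        if status == 404:
            not_found[ip] += 1
            if not_found[ip] == scan_threshold:  # fire once, when the threshold is crossed
                alerts.append(("directory_bruteforce", ip, f"{scan_threshold} x 404"))
        if status == 200 and BACKUP_PATH.search(path):
            alerts.append(("backup_disclosure", ip, path))
        if method == "POST" and path.startswith(ADMIN_PANEL):
            admin_posters.add(ip)
        if status == 200 and INC_PHP.match(path) and ip in admin_posters:
            alerts.append(("php_after_admin_post", ip, path))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:22} {ip:12} {detail}")
```

The third rule is deliberately stateful: a PHP file under `/content/inc/` being served is suspicious on its own, but tying it to an earlier admin POST from the same client is what separates the finding-4 chain from a legitimate theme asset. The version probe from `192.0.2.9` produces no alert, which is the intended trade-off: reading `lastest.txt` is reconnaissance, not compromise, and alerting on it alone would be noisy.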

***

### <mark style="color:purple;">Conclusion</mark>

The assessment of the "LazyAdmin" system revealed multiple critical vulnerabilities that significantly compromise security. Implementing the recommended mitigations will enhance the system's security posture and reduce potential threats. This evaluation also underscores the necessity of proactive security assessments and ongoing improvements to maintain a resilient security environment.
