Walkthrough for LazySysAdmin CTF

Download LazySysAdmin CTF


The first step in any engagement is to know which network you will be working in. To figure this out, I ran ifconfig to see which IP address I pulled from DHCP:

root@kali:~# ifconfig

With this information in hand, I could look for other hosts on this subnet using arp-scan.

root@kali:~# arp-scan --local

There are a couple of hosts on the network. is the gateway and being our target machine.

Enumeration

With the network mapped out, it was time to see what was open on our target. I began with a basic nmap scan just to get a good idea of what was running on default/popular ports, so I could start a more thorough scan later and just let it run:

root@kali:~# nmap -sS -Pn -vv 

For those unfamiliar with nmap, let’s break down the command:

  1. nmap: the application we are running. This does the port scanning of the target IP.

  2. -sS: this indicates the type of scan we want to run. In this case, we are doing a SYN stealth scan.

  3. -Pn: this tells nmap to skip host discovery and treat every target as live, including machines that don’t reply to ping (ICMP) requests. This will certainly slow down a scan, but some machines are configured to not respond, so better safe than sorry!

  4. -vv: this means we want to see EVERYTHING (verbose) in our output.  I like to see the progress of my scans as they are running.

  5. our target machine’s IP address (LazySysAdmin)

Pretty verbose, right? The main things we are looking for are the open ports. In my scan, I did not specify that I wanted to capture banners of each port (-sV), so I’m going to take the service listed as is (22 is actually SSH, 80 is actually an HTTP server, etc.).

So straight out the gate, we have a couple of options.  Anytime I see a webserver running, I tend to gravitate towards that, so we’ll start there!

The Web Server (80/TCP)

I find this webpage to be interesting because normally, a website is interactive, but this one has static content (non-clickable buttons, dead links, etc.).  With no way to interact with the page, let’s kick off a nikto scan to see if there are any interesting tidbits of info we can gather:

root@kali:~# nikto -h 

So we go to and find a pretty basic WordPress site:

Unknowingly, they have given us information that could help us. Their name is togie. I’ll keep this in the back of my memory.

root@kali:~# nmap -sSCV -O

NetBIOS and SAMBA (139/TCP, 445/TCP)

Normally, I ignore NetBIOS and SAMBA during VulnHub VMs, but there wasn’t too much that seemed interesting in the nmap scan, so I decided to give it a shot.  To enumerate NetBIOS names, I used nmblookup:

root@kali:~# nmblookup -A

Alright, we have some NetBIOS names of LAZYSYSADMIN and the default WORKGROUP.  With a non-default NetBIOS name of LAZYSYSADMIN, I’ll use that in my smbclient command:

root@kali:~# smbclient -I -L //LAZYSYSADMIN -N

The arguments are as follows:

  1. smbclient: the application to run

  2. -I: the IP address to connect to

  3. -L //LAZYSYSADMIN: get the list of shares on //LAZYSYSADMIN

  4. -N: don’t use a password (anonymous connection since we don’t have a password yet ☹)

So it appears as though we have three shares available to us: print$, share$, and IPC$.
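
Seen from the server side, anonymous access to a share like this depends on guest access being enabled for it in smb.conf. The following is an added example, not part of the original walkthrough: a small auditor that lists the shares reachable without a password. The sample smb.conf is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample smb.conf for illustration (not copied from the target VM).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
; printer drivers
[print$]
   path = /var/lib/samba/printers
   guest ok = no
[share$]
   path = /var/www/html
   Public = Yes
   writeable = yes
"""

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
GUEST_KEYS = ("guest ok", "public")                 # "public" is a synonym
WRITE_KEYS = ("writeable", "writable", "write ok")  # inverted "read only"

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                 # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def enabled(params, keys):
    """True if any of the synonymous boolean parameters is switched on."""
    return any(params.get(k, "").lower() in TRUE for k in keys)

def guest_shares(text):
    """Return [(share, path, writable)] for shares that need no password."""
    conf = parse_smb_conf(text)
    defaults = conf.pop("global", {})    # [global] supplies per-share defaults
    findings = []
    for name, params in conf.items():
        merged = {**defaults, **params}
        if enabled(merged, GUEST_KEYS):  # conservative: any synonym counts
            writable = (enabled(merged, WRITE_KEYS)
                        or merged.get("read only", "yes").lower() in FALSE)
            findings.append((name, merged.get("path", ""), writable))
    return findings
```

Calling guest_shares() on the sample flags only share$, and marks it writable.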

root@kali:~# smbclient -I //LAZYSYSADMIN/share$ -N

We see that we are anonymously connected to LAZYSYSADMIN:

At this point, we browse the share with an “ls” which displays the following output:

I download the .txt files with smbclient’s get command:

Now in another terminal, I print those files to my console:

It seems as though a lazy sys admin has given us a password (12345).  Since the only username I may have is “togie”, I give SSH a shot:

root@kali:~# ssh togie@

As you can see, I specified “togie” as my user, and upon entering “12345” as the password:

At this point we are still a restricted user and need to get root. To gain sudo permissions, type "sudo su" and give the password: 12345

We are still in /home/togie, so let’s cd to /root and see if there are any goodies:

And here we find proof.txt. Open it with the command:

cat proof.txt

There we go! We got root and got our proof.txt flag!