Admirer Writeup — HackTheBox

REBRON SECURITY
4 min read · Sep 26, 2020

Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Find some credentials in the directory admin-dir/
  • Check the files on FTP using the credentials we found
  • Create our own MySQL database and link it to the Adminer administration platform
  • Get the credentials and log in as waldo
  • We get user.txt
  • Create a make_archive() function inside a file called shutil.sh
  • Launch shutil.sh using option 6
  • We get root.txt

Enumeration phase :

As usual, let’s start with an Nmap scan :

nmap -sC -sV 10.10.10.175

As we can see, the HTTP port is open. Let’s check it in the browser :

It looks like a photo gallery website, and there is no important link on the main page so far, so I decided to run DirBuster against the website and found some important paths :

http://10.10.10.187/admin-dir/credentials.txt

http://10.10.10.187/admin-dir/contacts.txt

Let’s see what it contains :

curl -XGET http://10.10.10.187/admin-dir/contacts.txt
curl -XGET http://10.10.10.187/admin-dir/credentials.txt

As expected ! We got FTP credentials, let’s use them :

ftpuser : %n?4Wz}R$tTF7

We get a couple of files : dump.sql and html.tar.gz, the compressed backup of the HTML files.

Let’s now look further into the files we got : /utility-scripts/

admin_tasks.php, which we will use later :

db_admin.php, which gave me a clue about how to access the MySQL server :

I logged in with my own database “madcjdb” :

I went into my table “cjtable” :

Then I executed the command as mentioned in the article above :

load data local infile "/app/data/local.xml" into table cjtable fields terminated by "\n"

but an error occurred :

So I tried the path ../index.php instead :

load data local infile "../index.php" into table cjtable fields terminated by "\n"

Then I went to Select :

And we got the new credentials for waldo :

waldo:&<h5b~yK3F#{PaPB&dA}{H>

Now let’s try SSH with the new waldo credentials :

And we got our user.txt :D

Root phase :

For the root phase, I checked what rights waldo has :

So waldo has the right to run the admin_tasks.sh file as root, which we mentioned before, and by reading /opt/scripts/backup.py we found the way to bypass the root restriction : creating a make_archive() function inside a file called shutil.sh :

Then, with my nc running, we need to execute :

sudo -E PYTHONPATH=$(pwd) /opt/scripts/admin_tasks.sh 6

VOILA WE GOT OUR ROOT !
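The sudo -E PYTHONPATH=... command above only works when the sudo rule lets the caller set environment variables. As an added example (not part of the original writeup), this Python check flags such rules in sudoers text; the sample rules are constructed, and audit_sudoers and DANGEROUS_VARS are hypothetical names.

```python
import re

# Variables that change which code an interpreter or dynamic loader runs.
DANGEROUS_VARS = {"PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP", "PERL5LIB",
                  "RUBYLIB", "NODE_PATH", "LD_PRELOAD", "LD_LIBRARY_PATH"}

# Constructed sample in sudoers syntax (assumption, not copied from the machine).
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LANG PYTHONPATH"
waldo ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

def audit_sudoers(text):
    """Return (line_no, reason) for rules that hand the caller control of the environment."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            if re.search(r"!\s*env_reset\b", line):
                findings.append((no, "env_reset disabled: caller environment is kept"))
            if re.search(r"(?<!!)\bsetenv\b", line):
                findings.append((no, "setenv default: sudo -E and VAR=value are honoured"))
            kept = re.search(r'env_keep\s*\+?=\s*"?([^"]*)"?', line)
            if kept:
                for var in sorted(DANGEROUS_VARS & set(kept.group(1).split())):
                    findings.append((no, f"env_keep preserves {var}"))
            continue
        rule = re.search(r"\bSETENV:\s*(\S.*)$", line)
        if rule:
            findings.append((no, f"SETENV tag on {rule.group(1)}: caller may set PYTHONPATH"))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no}: {reason}")
```

Where a rule really needs SETENV, the script it runs is safer if it starts Python with -I (isolated mode), which ignores the PYTHON* environment variables.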
