Hack the Box: Admirer
Admirer was an easy difficulty machine on Hack the Box. Here’s my take on solving the challenge.
User
Nmap reveals three running services:
FTP doesn’t allow anonymous connections. On the other hand, robots.txt on the webserver reveals an interesting directory:
User-agent: *
# This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir
It also gives an idea of what kind of files to look for in that directory. Indeed, admin-dir/credentials.txt yields a couple of logins with passwords:
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P
[FTP account]
ftpuser
%n?4Wz}R$tTF7
[Wordpress account]
admin
w0rdpr3ss01!
The FTP credentials work and give access to two files:
Unpacking html.tar.gz reveals the folder structure of a webapp. Unfortunately it seems to be an outdated version; for example, w4ld0s_s3cr3t_d1r was later renamed to admin-dir. Also, the database credentials in index.php are wrong and contain a syntax error:
Nevertheless, the archive reveals another important directory: utility-scripts. The scripts in that directory are not very useful to an attacker, but further enumeration reveals one more script:
The Adminer app has a known file disclosure vulnerability (versions up to 4.6.2): the MySQL client code behind adminer.php honours a LOAD DATA LOCAL INFILE request from whatever server it connects to, so a malicious server can make the Adminer host read any file its PHP process can access and send it back. It can be exploited using a Rogue-MySQL-Server script. The attacker needs to modify the script and set the path, on the target, of the file they want to read:
After starting the rogue server, adminer.php can be pointed at the attacker’s machine as the database server:
After that, mysql.log will contain the contents of index.php, this time with working credentials:
$username = "waldo";
$password = "&<h5b~yK3F#{PaPB&dA}{H>";
As it turns out, these credentials are reused for SSH, giving user access and the flag:
Privilege escalation
Sudo allows the waldo user to run the admin_tasks.sh script with the SETENV flag:
The script runs various administrative tasks depending on the option number given as an argument:
Option number 6, backup_web, runs a Python script:
This script imports and runs the make_archive function from the shutil library:
Because the attacker controls the environment variables (thanks to the SETENV flag), they can point PYTHONPATH at a directory holding their own shutil.py; Python searches PYTHONPATH before the standard library, so the import picks up the attacker's module instead, for example one whose make_archive spawns a reverse shell:
Now running the script through sudo with the overridden PYTHONPATH variable should run the reverse shell with root privileges:
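The hijack described in this section, as an added example that is not code from the original write-up or from the box: it writes a rogue shutil.py into its own directory, runs a stand-in for the backup script with PYTHONPATH pointing at that directory, and checks which make_archive ran. The rogue module only leaves a marker on stderr where the real attack would spawn a reverse shell, the victim script is an assumption modelled on the "from shutil import make_archive" pattern the write-up describes, and sudo is not involved (the demo shows the import-order mechanism that SETENV hands to the attacker). The isolated-mode run shows the counterpart fix: python3 -I (or -E) ignores PYTHONPATH, and a sudoers entry without SETENV would never have let the variable through in the first place.

```python
"""PYTHONPATH module hijack: a rogue shutil.py wins the import race when
PYTHONPATH points at it, while isolated mode (python -I) neutralises it."""
import os
import subprocess
import sys
import tempfile
import textwrap

# Rogue module. In the real attack make_archive() would spawn a reverse shell
# (the backup script runs as root under sudo); here it only leaves a marker on
# stderr so the demo is safe to run anywhere.
ROGUE_SHUTIL = textwrap.dedent("""\
    import sys

    def make_archive(*args, **kwargs):
        print("ROGUE_SHUTIL_EXECUTED", file=sys.stderr)
        return "hijacked"
""")

# Stand-in for the box's backup script (assumption: it imports make_archive
# from shutil and archives a web root, as the write-up describes).
VICTIM_SCRIPT = textwrap.dedent("""\
    import sys
    from shutil import make_archive

    make_archive(sys.argv[1], "gztar", sys.argv[2])
""")


def run_victim(isolated):
    """Run the victim with PYTHONPATH pointing at the rogue module.

    Returns (rogue_code_ran, real_archive_created)."""
    with tempfile.TemporaryDirectory() as tmp:
        evil = os.path.join(tmp, "evil")      # attacker-writable dir, e.g. /tmp/evil
        src = os.path.join(tmp, "webroot")    # directory the script is meant to archive
        os.mkdir(evil)
        os.mkdir(src)
        with open(os.path.join(evil, "shutil.py"), "w") as f:
            f.write(ROGUE_SHUTIL)
        victim = os.path.join(tmp, "backup.py")
        with open(victim, "w") as f:
            f.write(VICTIM_SCRIPT)

        # The victim lives in a different directory from the rogue module, so the
        # only way the rogue shutil.py can be found is through PYTHONPATH
        # (sys.path order: script dir, PYTHONPATH entries, then the stdlib).
        env = dict(os.environ, PYTHONPATH=evil)
        base = os.path.join(tmp, "backup")
        cmd = [sys.executable] + (["-I"] if isolated else []) + [victim, base, src]
        proc = subprocess.run(cmd, env=env, cwd=tmp, capture_output=True, text=True)

        rogue_ran = "ROGUE_SHUTIL_EXECUTED" in proc.stderr
        archive_created = os.path.exists(base + ".tar.gz")
        return rogue_ran, archive_created


if __name__ == "__main__":
    # On the box the equivalent would be (script path assumed):
    #   sudo PYTHONPATH=/tmp/evil /opt/scripts/admin_tasks.sh 6
    print("PYTHONPATH honoured :", run_victim(isolated=False))
    print("python -I ignores it:", run_victim(isolated=True))
```

The first run reports that the rogue module executed and no archive was written; the second, with -I, reports the opposite, which is exactly the difference between a sudo rule with SETENV and one without.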