# Enumeration
![b7ab16cc65e267935de946d72e62c6e5.png](5c434fc8b575490799a38bc5cc50a5e4.png)
`/robots.txt`
![d524719514ca39f83d4c4a1c773ea884.png](a738e8d9041f43db9c354e4492548848.png)
Running gobuster on the `/admin-dir` directory, we find a couple of interesting text files, `contacts.txt` and `credentials.txt`
![5fe01fa3d6fd7d477752e6090cecaefc.png](4f4cdb4748f44acc85e9e24b5ed4ce28.png)
contacts.txt
![3aa76cec55f2da0dcd772eb6e04b4562.png](f43a51596a7b4a5eb40cf384cf38eeed.png)
credentials.txt
![bdfd65fe92ae2e5846e1aee78d871a76.png](cf74193dc6e340ff90e002483b504483.png)
Let's check out the FTP server first
The site backup has an interesting new directory
![6e1cca8a147624aed2b480224d617c11.png](06f88fc3a6e047c896351e8bc1eb0395.png)
Previous version of credentials.txt has a bank account:
![a6a6fcb99e1b3ce256344d5a877e6578.png](9f8484748c80484b815fee24206db3e8.png)
More creds inside the db_admin.php script
![f318402318b5967f4a435879ee83f7ae.png](6b8f2bbb5cb34b69b7247fe34e7961f1.png)
Creds in the index.php script:
![0da538bfd40dda80825b5990fc43a8ba.png](49398eb826604f86a1ef893447ce2173.png)
```text
]F7jLHw:*G>UPrTo}~A"d6b"
Wh3r3_1s_w4ld0?
```
Looking through the files in the backup, we see a lot of 'utility-scripts', and we can access all of them in the browser except for `db_admin.php`
![a0572bf66eeb21abb0fa2cecbc60d1ef.png](5fd3da110de24ee29766f2a0337db042.png)
Since we can't access db_admin.php, maybe the dev found a better open source alternative?
Googling for open source PHP database admin programs landed me on Adminer
`http://10.10.10.187/utility-scripts/adminer.php`
![6f1f89a1d72eaa1834949cc5c306b087.png](b8e720c468d84c498480fc5d5307e5a9.png)
# Foothold
Nice! Now maybe we can use some of the creds we found earlier!....
...nope
I found this:
[https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool](https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool)
By connecting back to our own database, we can use the `LOAD DATA LOCAL INFILE` command to pull data from the server into our own database. Since we're in the `utility-scripts` directory, let's traverse up and grab `index.php`
More creds. neat.
![0185cae6521687138b905829631a7058.png](b35dc66fd46744faa5873510699d6f7a.png)
As with all the creds we've pulled before, try SSH with them:
`waldo`:`&<h5b~yK3F#{PaPB&dA}{H>`
![6f180ad09b6c94dead42cefbb4c389bf.png](5287b32d62ab49d28583d091bb05f462.png)
# Privesc
![52cc77b604d30eea0861c572938ca915.png](3b2f159b374845778a2f6dc124202931.png)
So we can run the `admin_tasks.sh` script as root. Viewing the script, we see that it calls a Python script in the `backup_web` function
![55b47a946477718b02f4eea5cedcc75b.png](357475f716574bee8e045db28d1e44d5.png)
![e4172b29983b6d84cf5344d9396b2a57.png](18d86c66ef1e4e16b31ba5bc79bf9f94.png)
Since we can control where Python looks for libraries (sudo lets us pass `PYTHONPATH` to the script), let's do some library hijacking
![fe750aa78ff8ecc4bef823fd344b8ba1.png](d3915257b7fb46de9cdee3b90ece1f78.png)
My fake `shutil.py` library that will copy bash to `/tmp` and give it SUID privileges
Now, by running `sudo PYTHONPATH=/home/waldo/newdir /opt/scripts/admin_tasks.sh`
and checking `/tmp`, we see that it worked, and now we can escalate by typing `./bash -p`
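The root cause here is a sudo rule that lets the caller set environment variables for a command that runs an interpreter. As an added defender-side check (not part of the writeup or the box), the script below scans sudoers text for the `SETENV:` tag and for `env_keep` entries that preserve library-search variables; the sudoers sample is constructed for the example, and the `waldo` rule in it is a hypothetical rendering of the shape that makes the `PYTHONPATH` trick above work.

```python
import re

# Variables that let a caller redirect what a privileged interpreter or loader picks up.
# Constructed list; PYTHONPATH is the one abused by the admin_tasks.sh path.
RISKY_ENV_VARS = {"PYTHONPATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PERL5LIB", "PATH"}

# Constructed sudoers sample (not the box's real file). The waldo line is hypothetical.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
# SETENV lets the caller pass VAR=value on the sudo command line for this command
waldo   ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
Defaults:deploy env_keep += "PYTHONPATH"
"""

def audit_sudoers(text):
    """Return a list of findings for rules that let a user shape root's environment.

    Flags two shapes: a user specification carrying the SETENV: tag, and a
    Defaults line whose env_keep list includes one of RISKY_ENV_VARS.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            m = re.search(r'env_keep\s*\+?=\s*"?([^"]*)"?', line)
            if m:
                kept = set(m.group(1).split()) & RISKY_ENV_VARS
                if kept:
                    findings.append(("env_keep", sorted(kept), line))
            continue
        # user-spec grammar: user host=(runas) [TAG: ...] command
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\))?\s*(.*)", line)
        if not m:
            continue
        user, rest = m.group(1), m.group(2)
        tags = [t.rstrip(":") for t in rest.split() if t.endswith(":")]
        if "SETENV" in tags:
            command = rest.split(":")[-1].strip()
            findings.append(("SETENV", user, command))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Removing the `SETENV:` tag closes the hole shown above; a script that must keep it can also invoke the interpreter with `python3 -I`, which ignores `PYTHONPATH` and user site directories.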
![26386fcec5ef493cf8da3abc51b5d2f4.png](b8535119c061429abb661d0802887dd7.png)
Capture the root flag
![f18b26200611988d7addfbc5f447afdf.png](a3b7cb032f1a4b50b0c0cb9fbe4061f4.png)
---
Back to [[HackTheBox Index]]
Tags: #htb #directorybusting #ftp #adminer
Related: