# Enumeration

![b7ab16cc65e267935de946d72e62c6e5.png](5c434fc8b575490799a38bc5cc50a5e4.png)

`/robots.txt`

![d524719514ca39f83d4c4a1c773ea884.png](a738e8d9041f43db9c354e4492548848.png)

Running gobuster on the `/admin-dir` directory, we find a couple of interesting text files, `contacts.txt` and `credentials.txt`:

![5fe01fa3d6fd7d477752e6090cecaefc.png](4f4cdb4748f44acc85e9e24b5ed4ce28.png)

`contacts.txt`

![3aa76cec55f2da0dcd772eb6e04b4562.png](f43a51596a7b4a5eb40cf384cf38eeed.png)

`credentials.txt`

![bdfd65fe92ae2e5846e1aee78d871a76.png](cf74193dc6e340ff90e002483b504483.png)

Let's check out the FTP server first.

The site backup has an interesting new directory:

![6e1cca8a147624aed2b480224d617c11.png](06f88fc3a6e047c896351e8bc1eb0395.png)

A previous version of `credentials.txt` has a bank account:

![a6a6fcb99e1b3ce256344d5a877e6578.png](9f8484748c80484b815fee24206db3e8.png)

More creds inside the `db_admin.php` script:

![f318402318b5967f4a435879ee83f7ae.png](6b8f2bbb5cb34b69b7247fe34e7961f1.png)

Creds in the `index.php` script:

![0da538bfd40dda80825b5990fc43a8ba.png](49398eb826604f86a1ef893447ce2173.png)

```creds
]F7jLHw:*G>UPrTo}~A"d6b"
Wh3r3_1s_w4ld0?
```

Looking through the files in the backup, we can see that there are a lot of 'utility-scripts', and we can access all of them in the browser except for `db_admin.php`.

![a0572bf66eeb21abb0fa2cecbc60d1ef.png](5fd3da110de24ee29766f2a0337db042.png)

Since we can't access `db_admin.php`, maybe the dev found a better open source alternative? Googling for open source PHP database admin programs landed me on Adminer:

`http://10.10.10.187/utility-scripts/adminer.php`

![6f1f89a1d72eaa1834949cc5c306b087.png](b8e720c468d84c498480fc5d5307e5a9.png)

# Foothold

Nice! Now maybe we can use some of the creds we found earlier!....
...nope

I found this: [https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool](https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool)

By connecting back to our own database, we can use the `LOAD DATA LOCAL INFILE` command to pull data from the server into our own database. Since we're in the `utility-scripts` directory, let's traverse up and grab `index.php`.

More creds. Neat.

![0185cae6521687138b905829631a7058.png](b35dc66fd46744faa5873510699d6f7a.png)

Like all the creds we've pulled before, try to SSH using them:

`waldo`:`&<h5b~yK3F#{PaPB&dA}{H>`

![6f180ad09b6c94dead42cefbb4c389bf.png](5287b32d62ab49d28583d091bb05f462.png)

# Privesc

![52cc77b604d30eea0861c572938ca915.png](3b2f159b374845778a2f6dc124202931.png)

So we can run the `admin_tasks.sh` script as root. Viewing the script, we see that it's calling a Python script in the `backup_web` function:

![55b47a946477718b02f4eea5cedcc75b.png](357475f716574bee8e045db28d1e44d5.png)

![e4172b29983b6d84cf5344d9396b2a57.png](18d86c66ef1e4e16b31ba5bc79bf9f94.png)

Since we can set where Python will pull the library from, let's do some library hijacking.

![fe750aa78ff8ecc4bef823fd344b8ba1.png](d3915257b7fb46de9cdee3b90ece1f78.png)

My fake `shutil.py` library, which will copy bash to `/tmp` and give it SUID privileges.

Now by running `sudo PYTHONPATH=/home/waldo/newdir /opt/scripts/admin_tasks.sh` and checking `/tmp`, we see that it worked, and now we can escalate by typing `./bash -p`.

![26386fcec5ef493cf8da3abc51b5d2f4.png](b8535119c061429abb661d0802887dd7.png)

Capture the root flag.

![f18b26200611988d7addfbc5f447afdf.png](a3b7cb032f1a4b50b0c0cb9fbe4061f4.png)

---

Back to [[HackTheBox Index]]

Tags: #htb #directorybusting #ftp #adminer

Related:
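The privesc above depends on sudo passing a caller-supplied `PYTHONPATH` through to a root script, which sudo only does when a rule carries the `SETENV` tag, the `setenv` option is on, `env_reset` is off, or the variable is listed in `env_keep`. As an added example (not from the original notes), here is a small audit that flags such rules. The sudoers fragment is constructed, with only the user and script path taken from the page, and the function names are hypothetical.

```python
import re

# Variables that redirect where an interpreter or the loader finds code.
CODE_PATH_VARS = {"PYTHONPATH", "PYTHONHOME", "PERL5LIB", "RUBYLIB",
                  "NODE_PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "BASH_ENV"}

# Constructed sudoers fragment; only the user and script path come from the page.
SAMPLE = r'''# constructed example
Defaults env_reset
Defaults env_keep += "LANG \
    PYTHONPATH"
waldo ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
backup ALL=(root) NOPASSWD: /usr/bin/rsync, NOSETENV: /usr/bin/tar
'''

def logical_lines(text):
    """Yield (first line number, text), joining '\\' continuations, skipping comments."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        line, buf = buf.strip(), ""
        if line and not line.startswith("#"):
            yield start, line

def audit_sudoers(text):
    """Return (line, rule, detail) for rules that let the caller steer code loading."""
    findings = []
    for no, line in logical_lines(text):
        if line.startswith("Defaults"):
            m = re.search(r'env_keep\s*\+?=\s*"?([^"]*)"?', line)
            kept = set(m.group(1).replace(",", " ").split()) if m else set()
            for var in sorted(kept & CODE_PATH_VARS):
                findings.append((no, "env_keep", var))
            if re.search(r"(?<![!\w])setenv\b", line) or "!env_reset" in line:
                findings.append((no, "caller-controlled env", line))
            continue
        setenv = False  # tags persist across the comma-separated command list
        for part in line.split("=", 1)[-1].split(","):
            for tag in re.findall(r"\b(NOSETENV|SETENV):", part):
                setenv = tag == "SETENV"
            cmd = re.sub(r"^\s*(\([^)]*\)\s*)?([A-Z_]+:\s*)*", "", part).strip()
            if setenv and cmd:
                findings.append((no, "SETENV", cmd))
    return findings
```

Any command flagged this way should have its tag or `env_keep` entry removed. Independently of sudoers, a root-run script can start its interpreter with `python3 -I`, which ignores `PYTHONPATH`.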