# Enumeration

`/robots.txt`

Running gobuster against the /admin-dir directory, we find a couple of interesting text files: contacts.txt and credentials.txt

contacts.txt

credentials.txt

Let's check out the FTP server first
The site backup has an interesting new directory

Previous version of credentials.txt has a bank account:

More creds inside the db_admin.php script

Creds in the index.php script:

```text
]F7jLHw:*G>UPrTo}~A"d6b"
Wh3r3_1s_w4ld0?
```
Looking through the files in the backup, we can see that there is a `utility-scripts` directory with a lot of scripts in it, and we can access all of them in the browser except for `db_admin.php`

Since we can't access db_admin.php, maybe the dev found a better open source alternative?
Googling for open source php database admin programs landed me on adminer
`http://10.10.10.187/utility-scripts/adminer.php`

# Foothold
Nice! Now maybe we can use some of the creds we found earlier!....
...nope
I found this:
[https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool](https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool)
By pointing Adminer at a MySQL server we control, we can issue the `LOAD DATA LOCAL INFILE` statement, which makes the Adminer host read a local file and send its contents into our own database. Since Adminer lives in the `utility-scripts` directory, let's traverse up one level and grab `index.php`
More creds. neat.

As with all the creds we've pulled so far, try them over SSH:
`waldo`:`&<h5b~yK3F#{PaPB&dA}{H>`

# Privesc

So we can run the `admin_tasks.sh` script as root. Viewing the script, we see that its `backup_web` function calls a python script.


Since sudo lets us set where python looks for that script's libraries (via PYTHONPATH), let's do some library hijacking

My fake `shutil.py` library, which copies bash to /tmp and sets the SUID bit on it
Now, after running `sudo PYTHONPATH=/home/waldo/newdir /opt/scripts/admin_tasks.sh`
and checking /tmp, we see that it worked, and we can escalate by running `./bash -p`
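As an added defender-side example (not part of this writeup or the box), the two conditions this escalation depends on can be checked statically: a sudoers rule that lets the caller's PYTHONPATH through, and a python invocation that does not run in isolated mode. The sudoers text below is constructed; only `/opt/scripts/admin_tasks.sh` comes from the page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sudoers text (not the box's real configuration) showing the three
# ways a caller-supplied PYTHONPATH can survive into a sudo session.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep += "LANG LC_ALL"
Defaults        env_keep += "PYTHONPATH"
waldo   ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
backup  ALL=(ALL) /usr/bin/rsync
"""

@dataclass
class Finding:
    line_no: int
    reason: str

ENV_KEEP = re.compile(r'^\s*Defaults\b.*\benv_keep\s*\+?=\s*"?([^"]*)"?')
USER_RULE = re.compile(r'^\s*(\S+)\s+\S+=\s*(?:\([^)]*\)\s*)?(.*)$')

def audit_sudoers(text: str) -> list[Finding]:
    """Flag sudoers lines that let the caller's PYTHONPATH reach a root command."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments (uid/gid '#' specs out of scope)
        if not line:
            continue
        m = ENV_KEEP.match(line)
        if m:
            if "PYTHONPATH" in m.group(1).split():
                findings.append(Finding(n, "env_keep preserves PYTHONPATH for every sudo command"))
            continue
        if line.lstrip().startswith("Defaults") and re.search(r'!\s*env_reset', line):
            findings.append(Finding(n, "!env_reset passes the caller's whole environment through"))
            continue
        m = USER_RULE.match(line)
        if m and "SETENV:" in m.group(2):
            findings.append(Finding(n, f"SETENV: lets {m.group(1)} set any variable, PYTHONPATH included"))
    return findings

def python_ignores_pythonpath(argv: list[str]) -> bool:
    """True if the interpreter flags before the script include -E or -I, which make
    python ignore PYTHONPATH so a planted module directory is never searched."""
    for tok in argv[1:]:
        if not tok.startswith("-") or tok.startswith("--"):
            break                                  # first non-flag token: script or module
        if "E" in tok or "I" in tok:               # combined short flags such as -Es or -I
            return True
    return False
```

The fix on the script side is to invoke the interpreter with `-I` (or at least `-E`) and, on the sudo side, to drop PYTHONPATH from `env_keep` and avoid `SETENV:` on rules that run interpreters.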

Capture the root flag

---
Back to [[HackTheBox Index]]
Tags: #htb #directorybusting #ftp #adminer
Related: