Admirer was an easy rated Linux machine that had a lot more steps than I expected, given the rating. A robots.txt file hinted at the presence of credentials which were found with forced browsing. One of these creds worked on the FTP service, allowing us to download a backup file of the website. Inside this archive were various PHP files, more credentials and a clue about the directory structure. More forced browsing found an Adminer instance which was exploited to read a local file, this time containing credentials which worked for SSH. Finally, sudo access to a shell script as well as the ability to set an environment variable were used to gain a root shell. I added admirer.htb to my /etc/hosts and started doing recon.
Enumeration
nmap scan:
![](/content/images/2020/09/image.png)
Let's check the webpage:
![](/content/images/2020/09/image-1.png)
Clicking on the 'about':
![](/content/images/2020/09/image-2.png)
Initial Foothold
Nmap said there's 1 disallowed entry in robots.txt so let's check it out:
![](/content/images/2020/09/image-3.png)
Unfortunately we don't have access:
![](/content/images/2020/09/image-4.png)
I ran gobuster on the root directory and came up with nothing. Gobuster on the admin-dir came up with something:
![](/content/images/2020/09/image-5.png)
Ultimately, this didn't seem to help much other than letting us know someone is a fan of The Big Bang Theory:
![](/content/images/2020/09/image-6.png)
I scratched my head for a bit before thinking about how robots.txt mentioned contacts and creds, so I tried cred.txt and struck gold with credentials.txt:
![](/content/images/2020/09/image-7.png)
The ftp creds worked:
![](/content/images/2020/09/image-8.png)
There were a couple of juicy looking files so I grabbed them:
![](/content/images/2020/09/image-9.png)
Sql.dump was not helpful but I extracted the gzip file:
![](/content/images/2020/09/image-10.png)
This had some interesting content:
![](/content/images/2020/09/image-11.png)
There were creds in the index.php file that didn't work anywhere so I took a look inside the utility-scripts folder:
![](/content/images/2020/09/image-12.png)
There were more creds which again didn't work anywhere. The admin_tasks.php was accessible on admirer.htb but I didn't have any permissions to do anything fun, so I ran gobuster on the utility-scripts folder:
![](/content/images/2020/09/image-13.png)
Adminer.php looked interesting so I checked it out:
![](/content/images/2020/09/image-14.png)
Aah, it's nice when the version number is right there eh? A quick search found this article detailing a vulnerability in Adminer. In a nutshell, you need to have the Adminer instance connect to your own MySQL database and load data from a local file on admirer.htb. I spun up a MySQL service on my attacking machine and created a test database:
![](/content/images/2020/09/image-15.png)
Then I granted the root user on admirer.htb access to it:
![](/content/images/2020/09/image-16.png)
Now I could use the adminer.php file to log onto the SQL service on my attacking machine:
![](/content/images/2020/09/image-17.png)
This worked and some shady looking dude in a hoodie said 'I'm in':
![](/content/images/2020/09/image-18.png)
I created a table:
![](/content/images/2020/09/image-19.png)
Next, I loaded the contents of /var/www/html/index.php on Admirer into a table:
![](/content/images/2020/09/image-20.png)
Viewing the table revealed a password:
![](/content/images/2020/09/image-21.png)
We finally have a working password and a shell:
![](/content/images/2020/09/image-22.png)
User flag:
![](/content/images/2020/09/image-23.png)
Privilege Escalation
Waldo has sudo access to set an environment variable and to run a shell script:
![](/content/images/2020/09/image-24.png)
Running the script as-is didn't let me do much so I examined the script. Inside, this caught my eye:
![](/content/images/2020/09/image-25.png)
It checks if you are root and if you are, it runs /opt/scripts/backup.py. Let's see what's in that script:
![](/content/images/2020/09/image-26.png)
It became clear that the idea was probably to change the path for the python library, have it load my malicious library and run my own function named 'make_archive'. First, I checked if netcat was installed and confirmed that it had the '-e' flag available:
![](/content/images/2020/09/image-27.png)
Sweet. Next I created my own shutil.py in /tmp/.meow with a 'make_archive' function that would connect back to me with a reverse shell:
![](/content/images/2020/09/image-28.png)
The next step was to figure out what environment variable would tell python where to look for libraries. The answer was PYTHONPATH. Now to put it all together:
![](/content/images/2020/09/image-29.png)
With a netcat listener, I caught a root shell:
![](/content/images/2020/09/image-30.png)
Root flag:
![](/content/images/2020/09/image-31.png)