Admirer | HackTheBox Writeup

Overview

Admirer is an easy Linux-based machine on HackTheBox.

User Part

I started with an nmap scan and found 2 open ports.

We can see open ports 21, 22 and 80. Port 80 is available, so go to the website.

Let’s check the robots.txt file; I found the ‘admin-dir’ folder.

Going to that folder, I got permission denied.

So let’s check for directories and files using ffuf; I found 2 files.

Check what is in those files.

I found an FTP user and password, so I opened FileZilla with the FTP credentials and downloaded those 2 files.

In that file I found a database username and password. I tried it in SSH, but the password was wrong.

Then I dug deeper and found a file called db_admin.php with credentials, and I tried that password. That was also wrong.

Then I went to info.php, which shows phpinfo, and I found the header with the adminer cookie.

Then I searched for Adminer and its installation part.

 

From that I found that the ‘adminer.php’ file is the login page of Adminer.

In that, I got the version and searched for exploits; I got a bug bounty writeup.

Then I read that blog and tried this method.

For that I needed to install Adminer on my system as well, which I did.

In the attack scenario you can see that I need to log in to my Adminer from the web server's Adminer.

I logged in and created a table and column named ‘test’, because in the above attack scenario they insert data into ‘test.test’.

Then I tried ‘index.php’ but the file was not found.

Then I tried ‘../index.php’ and got success.

I went to the table and found a username and password.

I tried them in SSH and got a shell and ‘user.txt’.

Root Part

I searched for commands which I can execute with all privileges and I found a file.

In that file, all files had access denied except ‘/opt/scripts/backup.py’.

The Python program imports ‘shutil’ for file operations.

Then I searched for how to change the Python environment path and found I can change it with the help of PYTHONPATH.

Then I created a folder in the tmp folder with a ‘shutil.py’ file in it; in that file I wrote code to read ‘root.txt’.

And when I ran the file I got root.txt.
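From the defender's side, the root step works because PYTHONPATH entries are searched before the standard library. The following check is an added example, not code from this writeup or from the machine: it lists a script's imports without running it and reports any that would resolve outside the stdlib. The function names and `SAMPLE_SCRIPT` are hypothetical and constructed for illustration.

```python
import ast
import importlib
import importlib.machinery
import os
import sysconfig
import tempfile

STDLIB_DIR = os.path.realpath(sysconfig.get_paths()["stdlib"])

# Constructed stand-in for a root-run script that imports shutil (not the real backup.py).
SAMPLE_SCRIPT = "import os\nfrom shutil import make_archive\n"


def imported_modules(source):
    """Top-level module names a script imports, found without executing it."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def shadowed_imports(module_names, pythonpath):
    """Map each module that would load from outside the stdlib to its file.

    Simplified search order: PYTHONPATH entries, then the stdlib directory.
    """
    search = [p for p in pythonpath.split(os.pathsep) if p] + [STDLIB_DIR]
    importlib.invalidate_caches()
    findings = {}
    for name in sorted(module_names):
        # find_spec only locates the file; it never runs the module's code.
        spec = importlib.machinery.PathFinder.find_spec(name, search)
        if spec is None or not spec.origin:
            continue
        origin = os.path.realpath(spec.origin)
        if not origin.startswith(STDLIB_DIR + os.sep):
            findings[name] = origin
    return findings


def demo():
    """Audit SAMPLE_SCRIPT with a PYTHONPATH directory holding an empty shutil.py."""
    with tempfile.TemporaryDirectory() as extra_dir:
        open(os.path.join(extra_dir, "shutil.py"), "w").close()
        return shadowed_imports(imported_modules(SAMPLE_SCRIPT), extra_dir)


if __name__ == "__main__":
    print(demo())
```

Starting the interpreter with `python3 -I` (isolated mode), or not letting sudo pass PYTHONPATH through to the privileged command, removes the extra search entry that this check flags.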
