Capture the flag (CTF)

Hack the Box (HTB) machines walkthrough series — Admirer

December 10, 2020 by Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named Admirer.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Admirer, is retired.

The walkthrough

Let’s start with this machine.

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The Admirer machine IP is 10.10.10.187.
  3. We will adopt our usual methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information as possible.
  4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine. [CLICK IMAGES TO ENLARGE]
    nmap -sC -sV -oA Admirer 10.10.10.187

  5. As we can see, we have ports 21, 22 and 80 opened. Let’s start with their enumeration now.
  6. For port 21, it looks like anonymous logins are not allowed.
  7. Below is the webpage on port 80.
  8. As we didn’t get anything specific from the webpage, let’s start brute-forcing the directories with Gobuster.As can be seen below, we got some juicy files.
  9. Below are the contents of contacts.txt and credentials.txt.

  10. Since the FTP user password is displayed above, let’s use that as our FTP user account.
  11. Transferring html.tar.gz file to attacking machine as well as dump.sql.
  12. Extracting the files from the compressed folder gives us some interesting files. For example, the admin_tasks.php file below:
  13. We also got the DB file below. We tried to use the creds directly for user “waldo” but failed.
  14. Running Gobuster again under utility-scripts gives us a directory called “adminer”.
  15. Moving to adminer.php, we get the page below.
  16. The Adminer version was vulnerable and a remote attacker can get it to connect to its local MySQL server.
  17. So we set up a rogue MySQL server using this: https://raw.githubusercontent.com/Gifts/Rogue-MySql-Server/master/rogue_mysql_server.py
  18. We modify the SQL server to listen for 3306 on all.

  19. As can be seen, the MySQL connects back to the SQL server hosted on the attacking box.
  20. So, we get the contents of mysql.log. Browsing through this, we can use the password for user “waldo”.
  21. Let’s try this password for the user “waldo”.
  22. As we are now in as “waldo”, let’s enumerate to grab the user.txt file.
  23. Checking user sudo permissions, it seems like we can script under admin_tasks.
  24. Checking into this script, we can see that it is calling another script under /opt/scripts/backup.py.
  25. Let’s look into the content of backup.py. It seems like it is importing a function, make_archive, from “shutil”.
  26. Since shutil mobile is from the same directory, we can try to do a module injection by forging shutil with our own shutil and make_archive function.
  27. Below is what we are creating shutil.py and make_archive function but with our malicious code. Modify the PYTHONPATH to append the new path for shutil.
  28. Let’s set up a listener on our side.
  29. Executing the file as user waldo gives us a reverse shell back as root. Enumerating to grab the root.txt flag.

And we’re done!

This is definitely not an easy box and requires a lot of enumeration and a creative way to perform privilege escalation. A very good way to learn and improve your skills!

We will continue this article series with more examples of interesting HTB machines.

Posted: December 10, 2020

Uh-oh!

We've encountered a new and totally unexpected error.

Get instant boot camp pricing

Thank you!

A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here.

Articles Author
Security Ninja
View Profile