OSCP PREPARATIONS – HTB Admirer

Admirer is a retired Linux machine on Hack The Box. The goal is to obtain the user and root flags by abusing its vulnerabilities.
We start with an nmap scan to get to know the target machine.


Classic Scan

Full Port Scan

The port scan showed three open ports: 21/tcp ftp (vsftpd 3.0.3), 22/tcp ssh (OpenSSH 7.4) and 80/tcp http (Apache httpd 2.4.25).
I tried FTP but could not get an anonymous login.
Since port 80 is open, we moved on to web enumeration via the browser.

We looked at the source code and developer mode and didn’t find much information.
We perform web fuzzing with gobuster and dirbuster.

The directory scan discovered /assets, /images, /index.php, /robots.txt and /server-status.
The nmap scan had also flagged /robots.txt and /admin-dir, so let's look at them in order.

robots.txt pointed us to the /admin-dir directory.

The /admin-dir directory returned a Forbidden error, which makes it all the more interesting, so let's scan it again with gobuster.
The plain directory scan found nothing,

but that didn't stop us, so we ran a scan with file extensions.

We discovered the /credentials.txt and /contacts.txt pages, finally a few useful things 😊

Here we found contact information that may be useful later, so we note it down and move on.

The credentials.txt page gave us several sets of credentials:
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P
[FTP account]
ftpuser
%n?4Wz}R$tTF7
[Wordpress account]
admin
w0rdpr3ss01!

The nmap scan showed that FTP is open, so let's connect using the FTP credentials found here.

We connected and downloaded all the files to our machine.

We start going through the files to see if they contain any useful information.

We could not find anything useful in the dump.sql file.
Next we look at the backup archive, which contains the following files:
robots.txt

index.php

/w4ld0s_s3cr3t_d1r

/utility-scripts

We collected a lot of credentials from these files.
I checked whether these pages were reachable through the browser; some of them were, and we continued enumerating from there.

We started a gobuster scan (with extensions) under the /utility-scripts directory, since different scans can turn up different results.

The gobuster scan discovered the adminer.php file, so let's open it in the browser.

Let's try to log in with the credentials we have collected so far.

None of them worked for logging in.
So we checked whether a known exploit exists for Adminer 4.6.2.

After some research it turns out there is a vulnerability that lets an attacker read files from the server that hosts Adminer. The steps to follow are as follows:
Exploitation takes place in 3 stages.
First, the attacker needs a modified (rogue) MySQL server that sends a data import (LOAD DATA LOCAL) request to any client that connects to it.
Second, the attacker needs to find an exposed adminer.php on the victim system; we found it during fuzzing. The goal is to make Adminer connect to the attacker's MySQL server.
Third, in the Adminer interface the attacker connects to that MySQL server, logs in with its credentials and immediately issues a data import request for a specific file on the victim server. By examining the request that arrives at the rogue server, the attacker obtains the contents of that file, in our case the site's credentials.
Now let's go through these steps in order.

Here we have set up our own SQL server; now let's configure it so that the target machine can connect to it.

We change bind-address in the 50-server.cnf file to 0.0.0.0 and save it.

We restart the service.

Then, from adminer.php on the target machine, we connect to the SQL server running on our own machine.

We're logged in.
Now only the last step is left: send a data import request and observe the traffic it generates behind the scenes.

Let's go to the SQL command page and run the following command:
LOAD DATA LOCAL INFILE '../index.php'
INTO TABLE aygun
FIELDS TERMINATED BY "\n"
Recall that the backup of the index.php file contains credentials, so let's try to read that file. Since we are currently in the utility-scripts/scripts/ directory, a ../ is prepended to the path. Right after that we click Execute.

We have successfully executed our command.
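From the defender's side, the connection made in the steps above leaves a trace in the web server's access log: once logged in, Adminer carries the database host in the server= query parameter of every request. The following added example (not from the write-up, and not Adminer's own code) assumes Apache combined log format and that the legitimate database lives on localhost; the log lines, IP addresses and username are constructed. It flags adminer.php requests whose database server is outside an allow-list.

```python
"""Flag Adminer sessions whose 'server' parameter points at a database host
outside an allow-list, from Apache access-log lines. Added example for this
write-up; the log lines and hosts below are constructed, not from the machine."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log: client - - [time] "METHOD target HTTP/x" status size ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Hosts Adminer is expected to connect to (assumption: the DB is local)
ALLOWED_DB_HOSTS = {"localhost", "127.0.0.1"}

SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [20/Jul/2020:10:00:51 +0000] "GET /utility-scripts/adminer.php HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Jul/2020:10:01:02 +0000] "POST /utility-scripts/adminer.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Jul/2020:10:01:03 +0000] "GET /utility-scripts/adminer.php?server=10.10.14.5&username=aygun&db=aygun HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Jul/2020:10:01:20 +0000] "POST /utility-scripts/adminer.php?server=10.10.14.5&username=aygun&db=aygun&sql= HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.1.20 - - [20/Jul/2020:10:05:00 +0000] "GET /utility-scripts/adminer.php?server=localhost&username=waldo&db=admirerdb HTTP/1.1" 200 3990 "-" "Mozilla/5.0"
"""


def adminer_external_servers(log_text, allowed=ALLOWED_DB_HOSTS):
    """Return (client_ip, time, db_server, username) for every adminer.php
    request whose server= parameter names a host outside the allow-list."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, when, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/adminer.php"):
            continue
        qs = parse_qs(parts.query)
        server = qs.get("server", [None])[0]
        if server is None:
            continue                       # login form: no DB host chosen yet
        host = (server or "localhost").rsplit(":", 1)[0]   # empty = localhost
        if host not in allowed:
            findings.append((client, when, server, qs.get("username", [""])[0]))
    return findings


def unique_external_hosts(log_text):
    """Distinct foreign database hosts seen, handy for a quick triage list."""
    return sorted({f[2] for f in adminer_external_servers(log_text)})
```

Run against a real access log, a result set that is not empty means someone made Adminer connect outbound, which is exactly the precondition of the file-read technique described above.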

We have found credentials again 😊
Let's try to open an SSH connection with them.
We finally got a shell as the user waldo.

We were able to grab our user flag.
Trying to enter the root directory gives a permission denied error, so now we enumerate for privilege escalation.

Since we are in the admins group, we can run this file with root privileges.

Here we will see how to escalate privileges in Python by supplying our own library module.

We created a shutil.py that gives us a shell.
Then, before running /opt/scripts/admin_tasks.sh, we set PYTHONPATH to tell Python where to load its libraries from, so that it picks up the code we wrote as the library.
We start an ncat listener in the background and run the code.
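The PYTHONPATH trick above only works because the sudo rule lets the user control the environment of a privileged command (the SETENV tag, or env_keep preserving interpreter variables). The following added example (not from the write-up) is a small sudoers audit that reports exactly those rules; the sudoers text is constructed for the demo and the parser covers only the common single-line rule and Defaults forms.

```python
"""Audit sudoers text for rules that let a user control the environment of a
privileged command (SETENV tag, or env_keep preserving interpreter/loader
variables). Added example for this write-up; the sudoers text is constructed."""
import re

# Variables an interpreter or dynamic loader honours for code/library lookup
RISKY_VARS = {"PYTHONPATH", "PYTHONHOME", "PERL5LIB", "PERLLIB",
              "LD_PRELOAD", "LD_LIBRARY_PATH", "PATH"}

SAMPLE_SUDOERS = """\
# constructed example, not the machine's sudoers
Defaults        env_reset
Defaults        env_keep += "LANG LC_ALL"
Defaults:deploy env_keep += "PYTHONPATH"
root    ALL=(ALL:ALL) ALL
waldo   ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

DEFAULTS_RE = re.compile(r'Defaults(?::(\S+))?\s+env_keep\s*\+?=\s*"?([^"]*)"?')
RULE_RE = re.compile(r"^(\S+)\s+\S+=\((.*?)\)\s*(.*)$")
TAG_RE = re.compile(r"([A-Z]+):\s*")


def audit_sudoers(text):
    """Return one human-readable finding per risky env_keep or SETENV rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments/blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            m = DEFAULTS_RE.match(line)
            if m:
                who = m.group(1) or "everyone"
                risky = RISKY_VARS & set(m.group(2).split())
                if risky:
                    findings.append(f"env_keep for {who} preserves {sorted(risky)}")
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, runas, rest = m.groups()
        tags = []
        while (t := TAG_RE.match(rest)):             # peel NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            rest = rest[t.end():]
        if "SETENV" in tags:
            findings.append(f"{user} may run {rest} as {runas or 'root'} with SETENV")
    return findings
```

On a real host, run it over the output of visudo -c -f or the files under /etc/sudoers.d; any SETENV rule on a script that invokes an interpreter deserves the same scrutiny as the admin_tasks.sh rule here.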

Here we got our root flag, and another long and tiring machine is done 😊