In this post, I would like to share a walkthrough of the Admirertoo Machine from Hack the Box

This room is rated as a Hard machine on Hack The Box.

What will you gain from Admirertoo machine?

For the user flag, you need to exploit the Adminer interface with an SSRF attack to obtain a www-data shell. To retrieve the user flag, we then need to hunt for credentials that give us access with Jennifer's privileges.

As for the root flag, you need to set up port forwarding, which leads you to another web interface where you are required to obtain RCE. You also need a serialized PHP payload generated with the phpggc command to send a file to the machine, and later you use the whois function to get a shell.

Information Gathering on Admirertoo Machine

Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

However, there's nothing to see on the website itself except for the text “admirer of the world”.

As a result, let's run gobuster instead.

From the gobuster output, we didn't see any interesting directory to look into.

Let's try to access the website using a random directory. We received an error page saying “Not Found”.

Finally, we managed to obtain a domain when we viewed the source code of the error page.

Just in case, let's enumerate the domain using the gobuster tool.

Sadly, nothing was found in the gobuster result.

I wondered whether any subdomain had been configured on the machine.

I managed to find two subdomains while waiting for the gobuster result to be finished.

Let’s access the subdomain on the browser

It does look like a PHPMyAdmin interface when you look carefully.

Therefore, let’s see the source code in case we might find anything useful.

Wow! We have auth[username] and auth[password], but sadly the credentials cannot be used with the other service that we found.

From the interface, we managed to verify that it’s running under 4.7.8. 4.81 version

Let's do some research on the version to see whether any exploit is available.

There are a couple of vulnerabilities listed on the CVE Details website.

We noticed the CVE name, which led me to a GitHub page that discusses the SSRF vulnerability in Adminer.

SSRF attack method used in adminer

I found some Python code on the internet, but we cannot use the code above as the machine has been patched.

After a while, I found another Python script over here.

Disclaimer: I don't own the Python code above.

As you can see from the screenshot above, the file cannot be executed as it requires sudo privileges.

Therefore, we should inspect the subdomain with Burp Suite.

I noticed that the website is using elastic.

As a result, we should change the values of the driver and server parameters as follows:

  • driver = elastic
  • server = your vpn ip
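The two parameters above are exactly what a defender can watch for: an Adminer login whose driver is one that speaks HTTP and whose server value points somewhere other than the legitimate database. The script below is an added example (not code from the post or from Adminer) that runs that check over constructed log lines; it assumes a log source that records the POST body of the Adminer login (as a WAF or body-logging reverse proxy would), and the line format, sample lines and allowlist are all assumptions made for the example.

```python
"""Detection logic for Adminer login requests abused for SSRF.

Added example, not code from the original post. It assumes a log in which the
Adminer login POST body is available; the line format, the sample lines and
the allowlist below are constructed for this example.
"""
from urllib.parse import parse_qs

# Assumed legitimate database endpoints (host:port) that Adminer may connect to.
ALLOWED_SERVERS = {"localhost:3306", "127.0.0.1:3306"}

# Adminer drivers that talk HTTP to the "server" value and can therefore be
# pointed at any reachable host or loopback service (the post uses driver=elastic).
HTTP_DRIVERS = {"elastic"}

# Constructed sample log: "<client_ip> <method> <path> <urlencoded_body_or_->" per line.
SAMPLE_LOG = """\
10.10.14.5 POST /adminer/ auth%5Bdriver%5D=server&auth%5Bserver%5D=localhost&auth%5Busername%5D=admin&auth%5Bpassword%5D=x
10.10.14.9 POST /adminer/ auth%5Bdriver%5D=elastic&auth%5Bserver%5D=10.10.14.9%3A4444&auth%5Busername%5D=admin&auth%5Bpassword%5D=x
10.10.14.9 POST /adminer/ auth%5Bdriver%5D=server&auth%5Bserver%5D=127.0.0.1%3A8080&auth%5Busername%5D=admin&auth%5Bpassword%5D=x
192.168.1.20 GET /adminer/ -
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    client, method, path, body = line.split(" ", 3)
    return {"client": client, "method": method, "path": path, "body": body}


def normalise_server(server):
    """Return host:port, adding Adminer's default MySQL port when none is given.
    (Hostnames and IPv4 only; bracketed IPv6 literals are out of scope here.)"""
    host, sep, port = server.rpartition(":")
    if not sep:
        return f"{server}:3306"
    return f"{host}:{port}"


def analyse_request(rec):
    """Return a list of human-readable findings for one parsed request."""
    findings = []
    if rec["method"] != "POST" or rec["body"] == "-":
        return findings
    params = parse_qs(rec["body"])          # decodes auth%5Bdriver%5D -> auth[driver]
    driver = params.get("auth[driver]", ["server"])[0]
    server = params.get("auth[server]", [""])[0]
    if driver in HTTP_DRIVERS:
        findings.append(f"{rec['client']}: HTTP-based driver '{driver}' selected")
    if server and normalise_server(server) not in ALLOWED_SERVERS:
        findings.append(f"{rec['client']}: auth[server] points at non-allowlisted target '{server}'")
    return findings


def scan_log(text):
    """Run the checks over every non-empty line and collect the findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(analyse_request(parse_line(line)))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running it on the sample lines yields three findings: the second line is flagged twice (HTTP driver and an external server), and the third line shows why the allowlist has to include the port, since a loopback address with an unexpected port is still a request to an internal service.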

We got status code 302 in our redirect.py response.

However, the website interface shows the error just like in the screenshot above.

We need to identify the type of metrics being used here.

We need to check what is hosted on the website interface for port 424.

I noticed that the website interface is running OpenTSDB.

Let's check the version of the website API; we got something like the above.

Gaining Privileges Access on Admirertoo machine

Sadly, we cannot see the output of “whoami”.

Therefore, let's try something that will surely work like a charm: the ping command.

Finally, we managed to get the result of ping from the machine

We should start our nc listener to catch the reverse shell connection back to us.

For this purpose, I will be using the nc mkfifo reverse shell.

At last, we managed to retrieve the reverse shell connection

The screenshot above shows how to obtain a proper shell on our attacker’s terminal.

Maintaining Privileges Access on Admirertoo machine

Let's check which users exist on this machine, which led me to devel (no /bin/bash access) and Jennifer (has /bin/bash access).

The password.bak and shadow.bak files cannot be accessed.

There's an opencats folder inside the /opt/ directory.

There's a file that caught my eye after I accessed /opt/opencats/.

I found the credentials for the database, but sadly they cannot be used for SSH access.

We found credentials in a file called servers.php inside the /var/www/adminer/plugins/data directory.

Sadly, we cannot access it via admirer, but we have another username that we know

However, we can use it to access the machine with Jennifer's privileges.

We should be able to access the machine via the SSH service, and we did.

Finally, we can read the user flag by running the command “cat user.txt”.

Escalate to Root Privileges Access

First, we should do some manual enumeration on the Admirertoo machine using the ps aux command.

I found two services that caught my attention compared to the other services listed above.

Aside from that, we need to look for any other open port that was not shown in the Nmap result earlier.

Therefore, let’s do some port forwarding on the machine.

The port forwarding leads us to an OpenCATS web interface. Sadly, we didn't find any credentials that we can use to access it.

I just remembered that we previously found database credentials, which we can use to access MySQL.

We successfully logged in to the MySQL database.

There are only two databases here.

Let’s use the cats_dev database and dig deeper there.

There are a lot of tables, but we only need the user table to get the credentials.

Finally, we have the admin user and the password hash from the user table. Therefore, let's try to crack the hashes.

As a result, we know that the hash is MD5.

We can update the admin hash with our own password hashed with MD5, but sadly, it failed.

Therefore, let's see if there's a user_id stored in the database.

We can update the admin password now, using the user_id.
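The reason the admin hash was crackable, and replaceable by anyone with write access to the table, is that OpenCATS stores a bare MD5 digest. The script below is an added example (not code from the post or from the OpenCATS project) that audits a user table for that storage format and shows the salted, iterated hash that should replace it; the rows are constructed, and the only assumption about OpenCATS is the one the post makes, that the password column holds a plain 32-hex-character MD5 digest.

```python
"""Audit an OpenCATS-style user table for unsalted MD5 password hashes and show
the salted, slow hash that should replace them.

Added example, not code from the original post or the OpenCATS project. The
rows below are constructed.
"""
import hashlib
import hmac
import os
import re

MD5_HEX = re.compile(r"[0-9a-f]{32}")

# Constructed rows mimicking the columns the post reads: user_id, user_name, password.
SAMPLE_ROWS = [
    {"user_id": 1, "user_name": "admin",
     "password": hashlib.md5(b"constructed-example").hexdigest()},
    {"user_id": 2, "user_name": "migrated", "password": ""},  # filled in below
]


def looks_like_unsalted_md5(value):
    """True for a bare 32-hex digest, the storage format the post found."""
    return bool(MD5_HEX.fullmatch(value.lower()))


def audit_user_table(rows):
    """Return the user names whose stored hash is a bare MD5 digest."""
    return [r["user_name"] for r in rows if looks_like_unsalted_md5(r["password"])]


def hash_password(password, iterations=600_000, salt=None):
    """Salted PBKDF2-HMAC-SHA256 in a self-describing format so it can be
    verified later; a random per-user salt defeats precomputed tables and the
    iteration count makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, candidate):
    """Constant-time comparison against a hash produced by hash_password()."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# The second constructed row uses the stronger format (low iteration count only
# to keep the example fast; use the default in practice).
SAMPLE_ROWS[1]["password"] = hash_password("constructed-example", iterations=1000)

if __name__ == "__main__":
    print("accounts with unsalted MD5:", audit_user_table(SAMPLE_ROWS))
```

The audit only reports the admin row; the migrated row is not a 32-hex string and so is not mistaken for MD5, and its hash can still be verified with verify_password.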

The decisive moment! We should be able to access the OpenCATS dashboard with the username admin and the password that we set in the previous step.

Opencats vulnerability on admirertoo machine

Voila! We have successfully accessed the dashboard.

Firstly, we need to do some research on whether there's any vulnerability or exploit related to OpenCATS.

As a result, we found a website that talks about some OpenCATS vulnerabilities exploited using phpggc.

Therefore, we need to install phpggc on our attacker machine.

To be honest, this is my first time using phpggc seriously, which is why I need to check the gadget chains that are available in the tool.

There are some invalid arguments that we are facing, as shown above.

We should study the fail2ban file so that we can proceed with ease.

Let's try whois on our VPN IP, which led to an error.

Let's create our own whois conf like the one above.

For the next step, we need to write a reverse shell command into a file on our attacker machine.

After that, we should start our nc listener as shown above.

Why port 43?

Source: https://book.hacktricks.xyz/pentesting/43-pentesting-whois

As mentioned in the screenshot above, whois only runs on port 43.
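The whole root chain here depends on a root-run fail2ban action invoking whois while the whois configuration could be supplied by a lower-privileged user. The script below is an added example (not from the post) that a defender would run to confirm that the files such an action depends on are root-owned and not group- or world-writable. The paths are assumptions about a typical Debian layout (/etc/whois.conf for the whois client, /etc/fail2ban/action.d and /etc/fail2ban/jail.local for fail2ban); the post itself only states that a self-made whois conf was used.

```python
"""Check that the configuration a root-run fail2ban action depends on cannot be
edited by unprivileged users.

Added example, not from the original post. The default paths are assumptions
about a typical Debian layout.
"""
import os
import stat
import tempfile

# Assumed paths; adjust for the host being audited.
DEFAULT_PATHS = ["/etc/whois.conf", "/etc/fail2ban/action.d", "/etc/fail2ban/jail.local"]


def audit_path(path, expected_uid=0):
    """Return findings for one path, recursing into directories.

    A missing path is not a finding here: the whois client simply uses its
    built-in defaults when /etc/whois.conf does not exist.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if stat.S_ISDIR(st.st_mode):
        for entry in sorted(os.listdir(path)):
            findings.extend(audit_path(os.path.join(path, entry), expected_uid))
    return findings


def audit_paths(paths=DEFAULT_PATHS, expected_uid=0):
    """Audit every path in the list and collect the findings."""
    findings = []
    for p in paths:
        findings.extend(audit_path(p, expected_uid))
    return findings


def self_check():
    """Build a scratch directory with one safe and one world-writable file and
    audit it with the current user as the expected owner; returns the findings.
    This is constructed test data so the example runs without root."""
    with tempfile.TemporaryDirectory() as tmp:
        safe = os.path.join(tmp, "safe.conf")
        loose = os.path.join(tmp, "loose.conf")
        for p in (safe, loose):
            with open(p, "w") as fh:
                fh.write("# constructed\n")
        os.chmod(safe, 0o644)
        os.chmod(loose, 0o666)
        return audit_paths([tmp], expected_uid=os.getuid())


if __name__ == "__main__":
    for finding in self_check():
        print("self-check:", finding)
    for finding in audit_paths():
        print(finding)
```

On the scratch directory only loose.conf is reported, once for the group write bit and once for the world write bit; running audit_paths() with no arguments performs the same check on the assumed system paths.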

To retrieve a reverse shell, we need to start our nc listener on the port that we use in the reverse shell.

We should execute our phpggc command to generate the serialized PHP payload that we will use to send our file to the machine.

To send a file to the machine, we need to add a parameter such as &paramtersactivity%3AActivityDataGrid=<your serialized PHP> after m=activity

It looks promising here.

Sadly, we got an error: “connection reset by peer”.

The nc that was serving port 43 got cancelled.

I tried the command multiple times but still got nothing in return. I was frustrated with that response.

The next day, I asked a few friends who had managed to root the machine for advice. So I tried again with the same method and command as before, planning to find another way to root the machine if it still failed.

It is looking good for now.

To get the reverse shell back, we need to trigger it by hammering the SSH service with wrong credentials as root@10.10.11.137.

Uwu! Finally, we have successfully retrieved a root shell.

We can read the root flag by running the “cat root.txt” command

-THE END-

Happy Learning Guys!

Extra Information on Admirertoo machine

We can go to /etc/shadow so that we can unlock and read the write-up
