In this post, I would like to share a walkthrough of the Admirertoo machine from Hack The Box.
This machine is rated Hard on Hack The Box.
What will you gain from the Admirertoo machine?
For the user flag, you will need to exploit the Adminer interface with an SSRF attack to obtain a www-data shell. To actually retrieve the user flag, we then need to hunt for credentials that give us access as Jennifer.
As for the root flag, you need to set up port forwarding, which leads you to another web interface where you are required to obtain RCE. You also need to generate a PHP serialized payload with the phpggc tool to write a file to the machine, which you will then use through the whois function to get a shell later.
Information Gathering on Admirertoo Machine
Once we have started the VPN connection (the VPN config is downloaded from Hack The Box), we can start information gathering on the machine by running nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface.
However, there’s nothing to see on the website itself except the text “admirer of the world“.
As a result, let’s run gobuster instead.
From the gobuster output, we didn’t see any interesting directory to look into.
Let’s try to access the website using a random directory. We receive an error page saying “Not Found“.
Finally, we managed to obtain a domain when we viewed the source code of the error page.
Just in case, let’s enumerate the domain with gobuster.
Sadly, nothing was found in the gobuster result.
I was wondering whether any subdomain had been configured on the machine.
I managed to find two subdomains while waiting for the gobuster run to finish.
Let’s access the subdomain in the browser.
It looks like a phpMyAdmin-style interface when you look carefully.
Therefore, let’s look at the source code in case we find anything useful.
Wow! We have auth[username] and auth[password], but sadly the credentials cannot be used with the other service that we found.
From the interface, we managed to verify that it’s running version 4.7.8. 4.81
Let’s do some research on that version, where we might find an available exploit.
There are a couple of vulnerabilities listed on the CVEdetails website.
We noticed the CVE name, which led me to a GitHub page that discusses the SSRF vulnerability in Adminer.
SSRF attack method used in Adminer
I found some Python code on the internet, but we cannot use the code above as the machine has been patched.
After a while, I found another Python script from over here.
Disclaimer: I do not own the Python code above.
As you can see from the screenshot above, the file cannot be executed because it requires sudo privileges.
Therefore, we should inspect the subdomain with Burp Suite.
I noticed that the website is using elastic.
As a result, we should change the values of the driver and server fields as follows:
- driver = elastic
- server = your vpn ip
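From the defender's side, the step above is what a web-server log of the Adminer login would show: a login submission whose auth[driver] is elastic and whose auth[server] points at an address the application has no business connecting to. The following script is an added example, not code from the write-up or from Adminer, that scans constructed log lines (client, method, path and raw form body; the log format, the field layout and the ALLOWED_SERVERS allowlist are assumptions for the example) and reports login submissions whose target server is not an approved database host:

```python
"""Flag Adminer login submissions whose auth[server] is not an approved host.

Added example for the walkthrough above (not part of the original post):
an Adminer login form with driver=elastic and server=<some other host>
makes the web server open an outbound connection, which is the SSRF the
post describes. Scanning the submitted form fields is a cheap detection.
"""
import re
from urllib.parse import parse_qs

# Hosts an Adminer instance is legitimately allowed to connect to (assumption).
ALLOWED_SERVERS = {"localhost", "127.0.0.1", "db.internal"}

# Constructed sample log lines: "<client> <method> <path> <raw form body or ->".
SAMPLE_LOG = """\
10.0.0.5 POST /index.php auth%5Bdriver%5D=server&auth%5Bserver%5D=localhost&auth%5Busername%5D=app
10.0.0.9 POST /index.php auth%5Bdriver%5D=elastic&auth%5Bserver%5D=10.10.14.2&auth%5Busername%5D=x
10.0.0.9 POST /index.php auth%5Bdriver%5D=elastic&auth%5Bserver%5D=10.10.14.2%3A4242&auth%5Busername%5D=x
10.0.0.7 GET /index.php -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one constructed log line into its fields and decode the form body."""
    match = LINE_RE.match(line)
    if not match:
        return None
    client, method, path, body = match.groups()
    # parse_qs URL-decodes keys too, so auth%5Bserver%5D becomes auth[server].
    params = parse_qs(body) if body != "-" else {}
    return {"client": client, "method": method, "path": path, "params": params}


def server_host(value):
    """auth[server] may carry host:port; keep only the host part (IPv4/hostname)."""
    return value.rsplit(":", 1)[0] if ":" in value else value


def is_suspicious(entry):
    """True when the submitted server is outside the allowlist."""
    server = entry["params"].get("auth[server]", [None])[0]
    if server is None:
        return False
    return server_host(server) not in ALLOWED_SERVERS


def scan(log_text):
    """Return (client, driver, server) for every suspicious login submission."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            params = entry["params"]
            findings.append((entry["client"],
                             params.get("auth[driver]", ["?"])[0],
                             params["auth[server]"][0]))
    return findings


if __name__ == "__main__":
    for client, driver, server in scan(SAMPLE_LOG):
        print(f"suspicious Adminer login from {client}: driver={driver} server={server}")
```

An allowlist of database hosts is a better signal than the driver name alone: a legitimate deployment rarely needs Adminer to reach anything except its own database servers, so any other auth[server] value is worth an alert regardless of which driver was picked.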
We got a 302 status code in our redirect.py response.
However, the website interface shows the error just like in the screenshot above.
We need to work out which type of metrics is being used here.
We need to check what is served on the website interface on port 424
As I noticed, the website interface is running OpenTSDB.
Let’s check the version of the website API; we got something like the output above.
Gaining Privileged Access on the Admirertoo machine
Sadly, we cannot see the output of “whoami“.
Therefore, let’s try something that will surely work like a charm: the ping command.
Finally, we managed to get the ping result from the machine.
We should start our nc listener to receive the reverse shell connection.
For this purpose, I will be using the nc mkfifo reverse shell.
At last, we managed to receive the reverse shell connection.
The screenshot above shows how to obtain a proper shell on our attacker’s terminal.
Maintaining Privileged Access on the Admirertoo machine
Let’s check which users exist on this machine, which leads me to devel (no /bin/bash) and Jennifer (has /bin/bash).
The password.bak and shadow.bak files cannot be accessed.
There’s an opencats folder inside the /opt/ directory.
A file caught my eye after I accessed /opt/opencats/.
I found the credentials for the database, but sadly they cannot be used for SSH access.
We have found credentials in a file called servers.php inside the /var/www/adminer/plugins/data directory.
Sadly, we cannot log in with them as admirer, but we have another username that we know.
However, we can log in with them as Jennifer.
We should be able to access the machine via the SSH service, and we did.
Finally, we can read the user flag by running the command “cat user.txt“.
Escalate to Root Privileges
First, we should do some manual enumeration on the Admirertoo machine using the ps aux command.
I found two services that caught my attention compared to the other services listed above.
Aside from that, we need to look for any other open port that was not raised by the Nmap result before.
Therefore, let’s do some port forwarding on the machine.
The port forwarding leads us to an OpenCATS web interface. Sadly, we didn’t find any credentials that we can use to log in.
I just remembered that we found database credentials previously, which we can use to access MySQL.
We successfully logged in to the MySQL database.
There are only two databases here.
Let’s use the cats_dev database and dig deeper there.
There are a lot of tables, but we only need the user table to get the credentials.
Finally, we have the admin user and the password hash from the user table. Therefore, let’s try to crack the hashes.
As a result, we know that the hash is an MD5 hash.
We can update the admin hash with the MD5 of our own password, but sadly this failed.
Therefore, let’s see if there’s a user_id saved inside the database.
We can update the password for the admin now by using the user_id.
The decisive moment! We should be able to access the OpenCATS dashboard with the username admin and the password that we changed in the previous step.
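The reason the user table gave up its passwords so easily is that OpenCATS stores them as bare, unsalted MD5 digests: identical passwords hash to identical values, and each guess costs one fast hash. The script below is an added example, not code from the write-up or from OpenCATS, that shows how to recognise that storage shape and contrasts it with a salted, slow hash built from the Python standard library (PBKDF2-HMAC-SHA256); the stored-string format is an assumption for the example.

```python
"""Unsalted MD5 (as found in the OpenCATS user table) versus a salted slow hash.

Added example, not code from the original post or from OpenCATS. It shows
why a 32-hex-character password hash is trivial to recover and what a
defensible replacement looks like. The storage format
"pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" is an assumption.
"""
import hashlib
import hmac
import os
import re

MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000  # assumption: a 2023-era work factor


def looks_like_md5(stored):
    """A bare 32-hex-digit value has the shape of an unsalted MD5 digest."""
    return bool(MD5_HEX_RE.match(stored.lower()))


def md5_hash(password):
    """What the vulnerable table stores: no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def make_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash; a fresh random salt per password by default."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(expected.hex(), digest_hex)


def same_hash_for_same_password(password, hasher):
    """True when hashing the same password twice yields the same stored value.

    For unsalted MD5 this is always True, which is what makes precomputed
    lookup tables work; for the salted hash it is False.
    """
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    # Constructed sample value: MD5 of the word "password".
    legacy = md5_hash("password")
    print("legacy row:", legacy, "looks like MD5:", looks_like_md5(legacy))
    print("MD5 repeats for same password:", same_hash_for_same_password("password", md5_hash))
    print("PBKDF2 repeats for same password:", same_hash_for_same_password("password", make_pbkdf2))
    stored = make_pbkdf2("password")
    print("verify correct:", verify_pbkdf2("password", stored))
    print("verify wrong:  ", verify_pbkdf2("Password", stored))
```

The point for an operator is the detection side: a quick query for 32-hex-character password columns in an application database is enough to find this class of storage before an attacker does, and migrating rows to a salted slow hash on next login is the usual fix.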
OpenCATS vulnerability on the Admirertoo machine
Voila! We have successfully accessed the dashboard.
Firstly, we are required to do some research on whether there is any vulnerability or exploit related to OpenCATS.
As a result, we found a website that discusses some OpenCATS vulnerabilities using phpggc.
Therefore, we need to install phpggc on our attacker’s machine.
To be honest, this is my first time using phpggc seriously, which is why I need to check the gadget chains that are available in the tool.
There are some invalid arguments that we are facing, as shown above.
We should study the fail2ban file so that we can proceed with ease.
Let’s try whois against our VPN IP, which leads to some error.
Let’s create our own whois conf as above.
For the next step, we need to put a reverse shell command in a file on our attacker’s machine.
After that, we should start our nc listener as shown above.
Why port 43?
As mentioned in the screenshot above, whois only runs on port 43.
To receive a reverse shell, we need to start our nc listener on the port that we use in the reverse shell.
We should execute our phpggc command to generate the PHP serialized payload that we will use to send our file to the machine.
To send a file to the machine, we need to add a parameter such as &parametersactivity%3AActivityDataGrid=<your serialized PHP> after m=activity
It looks promising here.
Sadly, we got an error “connection reset by peer“.
The nc that was serving port 43 has exited.
I tried the command multiple times but still got nothing in return. I was frustrated with the response.
On the next day, I asked a few of my friends who had managed to root the machine for advice. I then tried again with the same method and command as before, planning to find another way to root the machine if it still failed.
It is looking good for now.
To get the reverse shell back, we need to trigger it by repeatedly submitting wrong credentials over the SSH service as root@10.10.11.137
Uwu! Finally, we have successfully retrieved a root shell.
We can read the root flag by running the “cat root.txt” command.
-THE END-
Happy Learning Guys!
Extra Information on the Admirertoo machine
We can go to /etc/shadow so that we can unlock and read the write-up