Admirer — HackTheBox

y4th0ts
5 min read · Sep 26, 2020

Summary

Admirer is an easy-rated Linux machine created by polarbearer and GibParadox. The initial foothold comes from discovering FTP credentials on the web server, which leads to the discovery of more files. User access is gained after finding credentials by exploiting a vulnerability in the Adminer database tool. Root privileges are obtained by abusing sudo rights that let us point the Python environment at our own package containing a malicious Python module.

Reconnaissance

Nmap shows only ports 21 (FTP), 22 (SSH) and 80 (HTTP) open.

The FTP service doesn’t allow anonymous login, so I moved on to the HTTP service. It displays a gallery of some sort with an About button at the bottom.

The About button displays a form that redirects us to the homepage after submitting.

robots.txt reveals an admin-dir directory and a possible user, ‘waldo’.

Requesting admin-dir returns a 403 status code, so it is time to brute-force files and directories.

The directory brute force found two text files.

The contacts.txt file gives me more potential users, and the credentials file gives me FTP, email and WordPress credentials.

I successfully logged in to the FTP service and downloaded the files.

I found more potential credentials in the index.php file downloaded from the FTP server.

The db.php file gives me another set of credentials and a note that mentions a better open-source alternative for database management.

I tried visiting the directories and files on the HTTP service and got a 403 on the ‘utility-scripts’ directory.

The admin_tasks.php file isn’t very useful either.

Since db.php does not exist on the server, I looked up ‘admirer database’ and found Adminer. Visiting adminer.php displays a database login page. The version is also exposed, which led me to an article online that explains how to exploit this version of Adminer.

Exploiting Adminer

Basically, I need to set up my own database and connect to it through the Adminer web app on port 80. Once logged in, I will use the SQL ‘LOAD DATA LOCAL’ command to read local file contents from the server.

After setting up the database, we create a table into which the local files from the target will be loaded.

Log in to the target’s Adminer instance using the database and credentials created locally.

After logging in, I clicked the SQL command option on the left side to query local files.

This is the payload for the SQL command. It loads the contents of the index.php file into our table ‘test’.

Now we can check our table and see that the contents of index.php were inserted into it. We now have valid user credentials.

Gaining User Access

I was able to log in to SSH with the credentials and grabbed the user flag.

Privilege Escalation

Checking sudo rights shows that I can run the admin_tasks.sh file on the target machine with the SETENV tag.

Upon checking the contents of the bash script, I discovered that it runs /opt/scripts/backup.py.

backup.py imports the make_archive function from the shutil module and creates an archive backup of the web service.

Since sudo allows SETENV, I can create my own malicious shutil package and module, point the Python environment at the created package, and get a root shell when admin_tasks.sh executes.

In the /tmp directory, I created a shutil directory with a shutil.py script inside it. The module contains a make_archive function that takes 3 arguments; it must accept them so that backup.py runs without errors, even though our malicious script does not use them.

After setting up the listener, I set the Python path environment variable (PYTHONPATH) to the directory I created and ran admin_tasks.sh. Choosing option 6 runs backup.py, which executes the reverse shell in our shutil.py module as root.
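From the defender's side, the weakness in this privilege escalation is a sudo rule that hands environment control to the caller combined with a script that starts Python without discarding that environment. The following audit script is an added example, not code from the writeup or the box: it flags sudoers rules carrying SETENV (or an env_keep of PYTHONPATH) and wrapper-script lines that invoke Python without -I or -E. The sudoers text, the rule for user waldo, the alice rule and the report.py call are constructed for the example.

```python
"""Flag sudoers rules that hand environment control to the caller (SETENV, env_keep of
PYTHONPATH) and wrapper-script lines that start Python without -I/-E to discard it."""
import re
# Constructed sample sudoers text (not the box's), modelled on the SETENV right described above.
SAMPLE_SUDOERS = """
Defaults env_keep += "PYTHONPATH"
root ALL=(ALL:ALL) ALL
waldo ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""
# Constructed wrapper script; the second call is the hardened form (-I ignores PYTHONPATH).
SAMPLE_WRAPPER = """#!/bin/bash
/usr/bin/python3 /opt/scripts/backup.py
/usr/bin/python3 -I /opt/scripts/report.py
"""
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\)\s*)?(.*)$")  # user host=(runas) tags: cmds
ENV_KEEP_RE = re.compile(r'^Defaults\s+env_keep\s*\+?=\s*"?([^"]*)"?')
PY_INVOKE_RE = re.compile(r"\bpython[0-9.]*\b((?:\s+-\S+)*)\s+\S+")  # interpreter, flags, script

def audit_sudoers(text):
    """Return (user, command, reason) tuples for rules that let the caller shape the environment."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = ENV_KEEP_RE.match(line)
        if m:  # env_keep: these variables survive env_reset for every rule in the file
            kept = m.group(1).split()
            if "PYTHONPATH" in kept or "LD_PRELOAD" in kept:
                findings.append(("*", "*", "env_keep preserves " + " ".join(kept)))
            continue
        m = SPEC_RE.match(line)
        if not m or line.startswith("Defaults"):
            continue
        tags, _, command = m.group(3).rpartition(":")  # e.g. "NOPASSWD:SETENV: /path"
        if "SETENV" in tags.split(":"):
            findings.append((m.group(1), command.strip(), "SETENV"))
    return findings

def unsafe_python_calls(script_text):
    """Return lines that start Python without -I or -E, so an inherited PYTHONPATH is honoured."""
    unsafe = []
    for line in script_text.splitlines():
        m = PY_INVOKE_RE.search(line)
        if m:  # keep only bare letter flags (-I, -E, -Es); value-carrying flags like -W... are skipped
            flags = [f for f in m.group(1).split() if re.fullmatch(r"-[A-Za-z]+", f)]
            if not any(c in f[1:] for f in flags for c in "IE"):
                unsafe.append(line.strip())
    return unsafe
```

Running both checks on the samples reports the env_keep line and the waldo SETENV rule, and singles out the backup.py call as the one that honours a caller-supplied PYTHONPATH.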

I finished up by grabbing the root flag.

That is it for Admirer. Thank you for reading and have a great day all!
