Introduction

Admirer taught me the basics of dirb and of using proper wordlists. It also taught me that I am really bad at creating my own MySQL database (even for testing).

Like the other boxes, I ran AutoRecon.


The main thing that stood out was that port 80 was open.

I ran DirBuster with the /usr/share/dirb/wordlists/big.txt wordlist.

The contacts turned out to be useless but I highlighted the Admin address for my notes.

The credentials.txt file gave me the access I needed to the FTP server.

I logged into the FTP account first and pulled the html.tar.gz file:

An export of the entire website, including a utility-scripts directory.

This pointed me to the utility-scripts directory. I ran DirBuster again while checking the files within the FTP. The PHPInfo page alongside the comment was enough to point me in the right direction. A short Google later took me to the Adminer login page.

Adminer mentioned in PHPInfo

Open Source alternative mentioned.

I ran through this guide (https://medium.com/bugbountywriteup/adminer-script-results-to-pwning-server-private-bug-bounty-program-fe6d8a43fe6f) and, after (multiple) attempts, I connected to the GUI using my local MySQL.

Me finally getting the proper database dump syntax.

Waldo credentials from database dump.

After this, I logged in over SSH with the Waldo credentials. LinPEAS showed me that backup.py was being run by root/admins.

Backup.py showed me a Python script running.

admin_tasks.sh showed that the backup_web task was referencing the python script.

After a lot of bad ideas, I finally found https://rastating.github.io/privilege-escalation-via-python-library-hijacking/. I created a directory and file in the tmp directory called fake/shutil.py.

I set up an nc listener bound to port 4444. After misspelling tmp as temp a few times, I finally got the reverse shell to work as intended.

Running the script to load my fake shutil.py

I got my session as root and grabbed the flag.

Rooted

Published On: September 26th, 2020 / Categories: HTB, Technology
