FTP


Nmap discovered an FTP server on the target port 21. The running service is vsftpd 3.0.3.

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/admirer]
└─$ ftp $IP
Connected to 10.10.10.187.
220 (vsFTPd 3.0.3)
Name (10.10.10.187:kali): ftp
530 Permission denied.
ftp: Login failed

The target FTP server does not allow anonymous access. A valid credential would be required to proceed further.

ftpuser Session


A credential, suspected to be for the FTP server, is discovered in one of the endpoints of the target web server.

┌──(kali㉿kali)-[~/…/htb/labs/admirer/ftp]
└─$ ftp $IP
Connected to 10.10.10.187.
220 (vsFTPd 3.0.3)
Name (10.10.10.187:kali): ftpuser
331 Please specify the password.
Password: %n?4Wz}R$tTF7
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Authenticated! The credential was valid for the target FTP server.

┌──(kali㉿kali)-[~/archive/htb/labs/admirer]
└─$ ssh ftpuser@$IP
ftpuser@10.10.10.187's password: %n?4Wz}R$tTF7
Linux admirer 4.9.0-19-amd64 x86_64 GNU/Linux
 
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov 16 10:19:54 2023 from 10.10.16.8
Connection to 10.10.10.187 closed.

Additionally, this would mean that the ftpuser account is a valid system user. While I succeeded in authenticating to the target SSH server, the established connection was immediately cut off. This suggests that there is a form of access control preventing the account from logging in to the target system via SSH. I'll put this aside for now, as the FTP server has no such restriction and is ready for enumeration.

ftp> ls
229 Entering Extended Passive Mode (|||41014|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0            3405 Dec 02  2019 dump.sql
-rw-r--r--    1 0        0         5270987 Dec 03  2019 html.tar.gz
226 Directory send OK.

There are 2 files within the FTP server:

  • dump.sql
  • html.tar.gz

Those appear to be a DB dump and a backup of the web server.

dump.sql


ftp> get dump.sql
local: dump.sql remote: dump.sql
229 Entering Extended Passive Mode (|||45971|)
150 Opening BINARY mode data connection for dump.sql (3405 bytes).
100% |*******************************************************************************************|  3405        4.85 MiB/s    00:00 ETA
226 Transfer complete.
3405 bytes received in 00:00 (34.29 KiB/s)

Transfer complete

┌──(kali㉿kali)-[~/…/htb/labs/admirer/ftp]
└─$ cat dump.sql                                          
-- MySQL dump 10.16  Distrib 10.1.41-MariaDB, for debian-linux-gnu (x86_64)
--
-- Host: localhost    Database: admirerdb
-- ------------------------------------------------------
-- Server version	10.1.41-MariaDB-0+deb9u1
 
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
 
--
-- Table structure for table `items`
--
 
DROP TABLE IF EXISTS `items`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `items` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `thumb_path` text NOT NULL,
  `image_path` text NOT NULL,
  `title` text NOT NULL,
  `text` text,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=13 DEFAULT CHARSET=utf8mb4;
/*!40101 SET character_set_client = @saved_cs_client */;
 
--
-- Dumping data for table `items`
--
 
LOCK TABLES `items` WRITE;
/*!40000 ALTER TABLE `items` DISABLE KEYS */;
INSERT INTO `items` VALUES (1,'images/thumbs/thmb_art01.jpg','images/fulls/art01.jpg','Visual Art','A pure showcase of skill and emotion.'),(2,'images/thumbs/thmb_eng02.jpg','images/fulls/eng02.jpg','The Beauty and the Beast','Besides the technology, there is also the eye candy...'),(3,'images/thumbs/thmb_nat01.jpg','images/fulls/nat01.jpg','The uncontrollable lightshow','When the sun decides to play at night.'),(4,'images/thumbs/thmb_arch02.jpg','images/fulls/arch02.jpg','Nearly Monochromatic','One could simply spend hours looking at this indoor square.'),(5,'images/thumbs/thmb_mind01.jpg','images/fulls/mind01.jpg','Way ahead of his time','You probably still use some of his inventions... 500yrs later.'),(6,'images/thumbs/thmb_mus02.jpg','images/fulls/mus02.jpg','The outcomes of complexity','Seriously, listen to Dust in Interstellar\'s OST. Thank me later.'),(7,'images/thumbs/thmb_arch01.jpg','images/fulls/arch01.jpg','Back to basics','And centuries later, we want to go back and live in nature... Sort of.'),(8,'images/thumbs/thmb_mind02.jpg','images/fulls/mind02.jpg','We need him back','He might have been a loner who allegedly slept with a pigeon, but that brain...'),(9,'images/thumbs/thmb_eng01.jpg','images/fulls/eng01.jpg','In the name of Science','Some theories need to be proven.'),(10,'images/thumbs/thmb_mus01.jpg','images/fulls/mus01.jpg','Equal Temperament','Because without him, music would not exist (as we know it today).');
/*!40000 ALTER TABLE `items` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
 
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
 
-- Dump completed on 2019-12-02 20:24:15

Checking the dump.sql file confirms that it is a DB dump for the web server. It contains the items table that holds the gallery found in the index.php file of the target web server.

html.tar.gz


ftp> get html.tar.gz
local: html.tar.gz remote: html.tar.gz
229 Entering Extended Passive Mode (|||48163|)
150 Opening BINARY mode data connection for html.tar.gz (5270987 bytes).
100% |*******************************************************************************************|  5147 KiB    1.28 MiB/s    00:00 ETA
226 Transfer complete.
5270987 bytes received in 00:04 (1.25 MiB/s)

Transfer complete

┌──(kali㉿kali)-[~/…/htb/labs/admirer/ftp]
└─$ tar -xf html.tar.gz

Extracting content

┌──(kali㉿kali)-[~/…/htb/labs/admirer/ftp]
└─$ ll html    
total 36K
4.0K drwxr-xr-x 6 kali kali 4.0K Nov 16 17:41 .
4.0K drwxr-xr-x 3 kali kali 4.0K Nov 16 17:41 ..
8.0K -rw-r----- 1 kali kali 4.6K Dec  3  2019 index.php
4.0K drwxr-x--- 4 kali kali 4.0K Dec  2  2019 images
4.0K drwxr-x--- 2 kali kali 4.0K Dec  2  2019 utility-scripts
4.0K drwxr-x--- 2 kali kali 4.0K Dec  2  2019 w4ld0s_s3cr3t_d1r
4.0K -rw-r----- 1 kali kali  134 Dec  1  2019 robots.txt
4.0K drwxr-x--- 6 kali kali 4.0K Jun  6  2019 assets

The extracted content indeed resembles what the target web server serves. While the admin-dir directory is nowhere to be found, there are 2 unfamiliar directories: utility-scripts and w4ld0s_s3cr3t_d1r.

utility-scripts


┌──(kali㉿kali)-[~/…/htb/labs/admirer/ftp]
└─$ ll html/utility-scripts 
total 24K
4.0K drwxr-xr-x 6 kali kali 4.0K Nov 16 17:41 ..
4.0K drwxr-x--- 2 kali kali 4.0K Dec  2  2019 .
4.0K -rw-r----- 1 kali kali 1.8K Dec  2  2019 admin_tasks.php
4.0K -rw-r----- 1 kali kali   53 Dec  2  2019 phptest.php
4.0K -rw-r----- 1 kali kali  401 Dec  1  2019 db_admin.php
4.0K -rw-r----- 1 kali kali   20 Nov 29  2019 info.php

While this directory contains several PHP files, it was never found during the web server enumeration. So I will first go through its contents.

admin_tasks.php

┌──(kali㉿kali)-[~/…/admirer/ftp/html/utility-scripts]
└─$ cat admin_tasks.php                  
<html>
<head>
  <title>Administrative Tasks</title>
</head>
<body>
  <h3>Admin Tasks Web Interface (v0.01 beta)</h3>
  <?php
  // Web Interface to the admin_tasks script
  // 
  if(isset($_REQUEST['task']))
  {
    $task = $_REQUEST['task'];
    if($task == '1' || $task == '2' || $task == '3' || $task == '4' ||
       $task == '5' || $task == '6' || $task == '7')
    {
      /*********************************************************************************** 
         available options:
           1) View system uptime
           2) View logged in users
           3) View crontab (current user only)
           4) Backup passwd file (not working)
           5) Backup shadow file (not working)
           6) Backup web data (not working)
           7) Backup database (not working)
 
           note: Options 4-7 are currently NOT working because they need root privileges.
                 I'm leaving them in the valid tasks in case I figure out a way
                 to securely run code as root from a PHP page.
      ************************************************************************************/
      echo str_replace("\n", "<br />", shell_exec("/opt/scripts/admin_tasks.sh $task 2>&1"));
    }
    else
    {
      echo("Invalid task.");
    }
  } 
  ?>
 
  <p>
  <h4>Select task:</p>
  <form method="POST">
    <select name="task">
      <option value=1>View system uptime</option>
      <option value=2>View logged in users</option>
      <option value=3>View crontab</option>
      <option value=4 disabled>Backup passwd file</option>
      <option value=5 disabled>Backup shadow file</option>
      <option value=6 disabled>Backup web data</option>
      <option value=7 disabled>Backup database</option>
    </select>
    <input type="submit">
  </form>
</body>
</html>

The admin_tasks.php file creates a basic web interface for administrative tasks, with a title and a form allowing the user to select a task from a dropdown menu.

  • The available tasks include viewing system uptime, logged-in users, and crontab.
  • Options 4-7 are listed but marked as “not working” due to the need for root privileges.
  • The selected task is executed by calling an external shell script, /opt/scripts/admin_tasks.sh, and the output is displayed on the web page.
    • If an invalid task is chosen, an error message is shown.

The PHP code mitigates OS command injection to some extent by validating the task parameter: before executing the external shell script, it checks that the supplied value is one of the predefined task numbers (1-7). Limiting the input to specific, predefined tasks prevents arbitrary command execution through this parameter and thereby reduces the risk of unauthorized system commands being injected through the web interface.
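As an added example (not part of the backup archive or of this writeup), a hardened rewrite of the task dispatch from admin_tasks.php. It assumes the same /opt/scripts/admin_tasks.sh helper taking the task number as its first argument, and keeps only the three tasks the original marks as working.

```php
<?php
// Added example, not the Admirer box's code: a hardened task dispatcher
// for the admin_tasks.php web interface. Assumes /opt/scripts/admin_tasks.sh
// takes the task number as its first argument.

// Allowlist of tasks the web interface may run. Tasks 4-7 are omitted
// because, as the original comment notes, they need root privileges.
const ALLOWED_TASKS = ['1', '2', '3'];

/**
 * Return the validated task number, or null if the request is not acceptable.
 * in_array() is called with strict=true: PHP's loose == compares numeric
 * strings numerically, so a non-strict allowlist would accept other
 * spellings of the same number than the literal strings listed above.
 */
function selectTask(array $request): ?string
{
    if (!isset($request['task']) || !is_string($request['task'])) {
        return null;
    }
    return in_array($request['task'], ALLOWED_TASKS, true) ? $request['task'] : null;
}

/**
 * Run the helper script for an already-validated task and return its output.
 * escapeshellarg() quotes the argument even though it is allowlisted, so a
 * later change to ALLOWED_TASKS cannot silently reopen shell injection.
 */
function runTask(string $task): string
{
    $cmd = '/opt/scripts/admin_tasks.sh ' . escapeshellarg($task) . ' 2>&1';
    $out = shell_exec($cmd);
    return $out === null ? '' : $out;
}

// Only honour POST from the form; the original read $_REQUEST, which also
// accepts the parameter from the query string and from cookies.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $task = selectTask($_POST);
    if ($task === null) {
        echo 'Invalid task.';
    } else {
        // Escape the script output so it is shown as text, not rendered as HTML.
        echo nl2br(htmlspecialchars(runTask($task), ENT_QUOTES, 'UTF-8'));
    }
}
?>
```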

phptest.php

┌──(kali㉿kali)-[~/…/admirer/ftp/html/utility-scripts]
└─$ cat phptest.php    
<?php
  echo("Just a test to see if PHP works.");
?>

This seems to be just a test file.

db_admin.php

┌──(kali㉿kali)-[~/…/admirer/ftp/html/utility-scripts]
└─$ cat db_admin.php 
<?php
  $servername = "localhost";
  $username = "waldo";
  $password = "Wh3r3_1s_w4ld0?";
 
  // Create connection
  $conn = new mysqli($servername, $username, $password);
 
  // Check connection
  if ($conn->connect_error) {
      die("Connection failed: " . $conn->connect_error);
  }
  echo "Connected successfully";
 
 
  // TODO: Finish implementing this or find a better open source alternative
?>

While the db_admin.php file contains a SQL connection string with a CLEARTEXT DB credential, there is also a comment indicating that the file has not been completely implemented, likely on the LIVE web server, and that an open source alternative is being explored. The DB credential is waldo:Wh3r3_1s_w4ld0?

info.php

┌──(kali㉿kali)-[~/…/admirer/ftp/html/utility-scripts]
└─$ cat info.php                                        
<?php phpinfo(); ?>

The info.php file simply calls the phpinfo function.

w4ld0s_s3cr3t_d1r


┌──(kali㉿kali)-[~/…/htb/labs/admirer/ftp]
└─$ ll html/w4ld0s_s3cr3t_d1r 
total 16K
4.0K drwxr-xr-x 6 kali kali 4.0K Nov 16 17:41 ..
4.0K drwxr-x--- 2 kali kali 4.0K Dec  2  2019 .
4.0K -rw-r----- 1 kali kali  350 Dec  2  2019 contacts.txt
4.0K -rw-r----- 1 kali kali  175 Dec  2  2019 credentials.txt

This w4ld0s_s3cr3t_d1r directory resembles the admin-dir directory, as it contains both the contacts.txt and credentials.txt files. Although the same files are present, the content might be different, as this comes from a backup archive.

contacts.txt

┌──(kali㉿kali)-[~/…/htb/labs/admirer/ftp]
└─$ cat html/w4ld0s_s3cr3t_d1r/contacts.txt 
##########
# admins #
##########
# Penny
Email: p.wise@admirer.htb
 
 
##############
# developers #
##############
# Rajesh
Email: r.nayyar@admirer.htb
 
# Amy
Email: a.bialik@admirer.htb
 
# Leonard
Email: l.galecki@admirer.htb
 
 
 
#############
# designers #
#############
# Howard
Email: h.helberg@admirer.htb
 
# Bernadette
Email: b.rauch@admirer.htb
 

The contacts.txt file is identical to the one on the web server.

credentials.txt


┌──(kali㉿kali)-[~/…/htb/labs/admirer/ftp]
└─$ cat html/w4ld0s_s3cr3t_d1r/credentials.txt 
[Bank Account]
waldo.11
Ezy]m27}OREc$
 
[Internal mail account]
w.cooper@admirer.htb
fgjr6q#s\w:$P
 
[FTP account]
ftpuser
%n?4Wz}R$tTF7
 
[Wordpress account]
admin
w0rdpr3ss01!

The credentials.txt file, on the other hand, contains a single additional credential, labelled Bank Account: waldo.11:Ezy]m27}OREc$