HTB Admirer [Writeup]

HTB Admirer [Writeup]

For this machine, using gobuster command exposed the credentials to access the open FTP port which led to finding out about the vulnerable MySQL database that allows foreign server to import arbitrary data exposing credentials.

Summary:

For this machine, using gobuster command exposed the credentials to access the open FTP port which led to finding out about the vulnerable MySQL database that allows foreign server to import arbitrary data exposing credentials. i.e. you could implement a local database and table giving full privilege and connect it to the vulnerable MYSQL database.

For root, a script was found to execute as root using sudo command. Upon reviewing the script code, the Python Library Hijacking technique was then attempted to escalate privilege to get root.

Tools Used:

  • Nmap
  • gobuster
  • gunzip and tar -xvf
  • mysql -h localhost -u <username> -p
  • sudo -l
  • nc
  • Custom python script exploit

Enumeration

Nmap TCP Output

Image for post

***** PORT 80 HTTP ***

The** /admin-dir** directory was found within the robots.txt file.

Image for post

Looks like the /admin-dir has something juicy.

Image for post

vulnerability pentesting hackthebox htb database

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

Benchmarking the Mainstream Open Source Distributed Graph Databases

The deep learning and knowledge graph technologies have been developing rapidly in recent years. Find out more about graph databases.

Database Design Tutorial - How to Design & Plan Database for Beginners

Learn how to design and plan a database for beginners. This database design course will help you understand database concepts and give you a deeper grasp of database design. Database design is the organisation of data according to a database model. The designer determines what data must be stored and how the data elements interrelate. With this information, they can begin to fit the data to the database model.

AlaSQL in Action: The JavaScript SQL Database

Overview on AlaSQL, the popular lightweight client-side in memory SQL database, including a real life example of AlaSQL in action. I was surprised to see that there aren’t more posts about this popular lightweight client-side in-memory SQL database online apart from this awesome article I found.

What is database continuous integration?

Have you ever longed for a way of making the delivery of databases more visible, predictable and measurable? Do you ever wish that they would be of better quality, quicker to change, and cost less? Grant Fritchey explains some of the secrets of doing Continuous Integration for Databases to relieve some of the pain-points of the Database Delivery process.

How to Build a Pokedex React App with a Slash GraphQL Backend

Take a look at how you can use use GraphQL to create a demo application of a Pokemon Pokedex app with React.