Machine Synopsis
AdmirerToo is a hard-rated Linux machine. The initial port scan reveals a few filtered or internal ports along with port 22 running SSH and port 80 serving a photo gallery webpage. Enumerating the website leads us to the Adminer service running on one of the sub-domains. The installed version of Adminer is vulnerable to an SSRF vulnerability, [CVE-2021-21311](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21311), which can be exploited to enumerate the service running on the internal port 4242. The internal port 4242 is running the OpenTSDB service, which is vulnerable to [CVE-2020-35476](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35476), allowing command injection via HTTP requests, through which we eventually get a shell as user `opentsdb`. System enumeration reveals credentials that can be used to move laterally and SSH into the remote host as user `jennifer`. Further host enumeration reveals that the OpenCATS service is running on the internal port 8080; it is vulnerable to a [PHP Object Injection vulnerability](https://snoopysecurity.github.io/web-application-security/2021/01/16/09_opencats_php_object_injection.html) that results in arbitrary file write ([CVE-2021-25294](https://www.cvedetails.com/cve/CVE-2021-25294/)). The remote host is also running `fail2ban` with a mailing configuration; chaining this with the arbitrary file write in OpenCATS allows the `whois` configuration file to be overridden and a `root` user shell to be obtained.
Machine Matrix