https://www.hackthebox.eu/home/machines/profile/222

This is a write-up on how I solved OpenAdmin from HacktheBox.

Hack the Box is an online platform to test and advance your skills in penetration testing and cybersecurity.

about this box:

Recon:

nmap: network exploration tool and security / port scanner
-sV: version detection
-sC: script scan using the default set of scripts

Only two ports are open: 22 and 80. We have SSH on port 22 and the default Apache2 page on port 80.

Nothing really interesting here, time for directory enumeration.

gobuster dir -u http://10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

We get three hits: /music, /artwork and /ona.

/music and /artwork are static ones, nothing really interesting here.

Let’s check what we have on /ona

We have OpenNetAdmin v18.1.1

OpenNetAdmin is an IPAM (IP Address Management) tool that tracks network attributes such as DNS names, IP addresses, subnets and MAC addresses, to name a few. Plugins extend its functionality.

By the way, OpenNetAdmin v18.1.1 is vulnerable to unauthenticated remote code execution (command injection), and there is a public exploit for it:

https://www.exploit-db.com/exploits/47691

To run this script successfully we pass it the target URL (http://10.10.10.171/ona/) as its first argument.

Great, we just got a low-privilege (www-data) shell back.

ONA keeps its database configuration under /opt/ona/www/local/config/, so let's see what is in there:

Oh, here it is. We have the database configuration file with credentials in it.

To use the MySQL client we need an interactive shell, so let's upgrade from the exploit's one-command-per-request execution to a proper reverse shell.

Grab the PHP reverse shell from pentestmonkey.

Then get our VPN IP address with ifconfig tun0.

Put that IP address (and a port, 9001 below) into the reverse shell file and start a Python web server with python -m SimpleHTTPServer 80 so the box can download the file.

Fetch the reverse shell onto OpenAdmin through the RCE script (wget it into the web root the ONA virtual host serves).

Opening the file in the browser triggers it and gives us the reverse shell. Before that, we need a listener:

nc -nvlp 9001

We got the shell back!

We still can't connect to the database from this shell.

Wait, we also have port 22 open. Let's try the database password there.

Before that, grab the usernames from /etc/passwd.

We have three users with a login shell: root, jimmy and joanna.

Oh, sweet! The database password works for jimmy over SSH, but jimmy still cannot read the user flag. So we need to get into joanna's account.

Remember those useless static pages (/music and /artwork)? Where do they live on disk?

We can easily find it with the find command

find / -type d -name artwork 2>/dev/null

Bingo, they are located under /var/www/, not under /opt/ where ona lives.

In /var/www/ we have three directories:

html — where static pages are located

internal — it seems very interesting…

ona — Which is Symbolic link of /opt/ona/www

Check out internal.

Its login page hard-codes the username jimmy and a hash of his password. Good for us, it is a weak password, so an online hash lookup service cracks it.

And we get the password:

jimmy:Revealed
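The online service does nothing more than look the digest up in a table of hashed common passwords. As an added example (my code, not the write-up's), here is the offline equivalent: guess the algorithm from the digest length, narrow the wordlist with a substring filter (the same idea the write-up uses later to cut rockyou down to entries containing "ninja"), then hash candidates until one matches. It assumes the login page compares an unsalted hex digest of the submitted password; the wordlist is constructed here, and the digest in the test is computed from the recovered password rather than copied from the box.

```python
"""Added example: unsalted hex-digest cracking against a short wordlist.
Assumption: the PHP login page compares hash(password) to a hard-coded hex
string with no salt, so hashing each candidate is enough."""
import hashlib
from typing import Iterable, List, Optional, Tuple

# Hex digest length -> plausible unsalted algorithms.
ALGORITHMS_BY_LENGTH = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}


def guess_algorithms(digest_hex: str) -> List[str]:
    """Return candidate algorithms for a hex digest, or [] if unrecognised."""
    digest_hex = digest_hex.strip().lower()
    if not digest_hex or any(c not in "0123456789abcdef" for c in digest_hex):
        raise ValueError("not a hex digest")
    return ALGORITHMS_BY_LENGTH.get(len(digest_hex), [])


def filter_wordlist(words: Iterable[str], needle: str) -> List[str]:
    """Keep only candidates containing needle (case-insensitive), like grep -i."""
    needle = needle.lower()
    return [w.rstrip("\n") for w in words if needle in w.lower()]


def crack(digest_hex: str, words: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Try every (algorithm, candidate) pair; return the first match."""
    digest_hex = digest_hex.strip().lower()
    algorithms = guess_algorithms(digest_hex)
    candidates = [w.rstrip("\n") for w in words]
    for algo in algorithms:
        for word in candidates:
            if hashlib.new(algo, word.encode()).hexdigest() == digest_hex:
                return algo, word
    return None


# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password\n", "123456\n", "letmein\n", "Revealed\n", "bloodninjas\n", "ninja1\n"]


if __name__ == "__main__":
    # Demo: digest computed here, not lifted from the box.
    target = hashlib.sha512(b"Revealed").hexdigest()
    print(crack(target, WORDLIST))
    print(filter_wordlist(WORDLIST, "ninja"))
```

With rockyou.txt as the wordlist this is slower than a lookup service but works offline and for any digest the service does not know.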

The main.php file checks that we are logged in and then prints the private SSH key of the joanna user.

We can't reach it at http://10.10.10.171/index.php/ because this virtual host only listens on localhost.

It is served on port 52846.

To reach it we need port forwarding over SSH:

ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171

With the tunnel up, we can open http://127.0.0.1:52846 in our browser.

Let's log in with jimmy's credentials and grab the private key:

jimmy:Revealed

We got it!

Now we can SSH in as joanna with that key.

Oh crap, the key needs a passphrase.

ninja is not the passphrase, but the hint suggests it is something similar, containing the text 'ninja'.

Before cracking it with john, filter the wordlist so it only keeps the entries that contain ninja; that shrinks the search space enormously.

John needs a crackable format, so convert the key with ssh2john.

And crack it!

joanna's SSH passphrase: bloodninjas

We have the passphrase, now we can log in as joanna.

Check what we can run as root by simply typing sudo -l.

Oh man, it ruined the fun for me :(

joanna can run nano as root with sudo. Check GTFOBins.

We can easily execute system commands from inside the editor:

^R^X
ctrl + R (read file) and then ctrl + X (execute command), then type at the prompt:
reset; bash 1>&0 2>&0

And we are root in 10 seconds!

I hope you enjoyed, follow me for future posts.
