OpenAdmin — HackTheBox
This is a write-up on how I solved OpenAdmin from HacktheBox.
Hack the Box is an online platform to test and advance your skills in penetration testing and cybersecurity.
About this box:
OpenAdmin is a relatively easy, super simple and straightforward box, totally recommended for newbies. The user part was a lot of fun for me; root takes about 1 minute. So, let’s get our hands dirty!
Recon:
Use Nmap to scan the target ports:
nmap: Network exploration tool and security / port scanner
-sV: Version detection
-sC: Performs a script scan using the default set of scripts.
Only two ports are open: 22 and 80. We have SSH on port 22 and the default Apache2 page on port 80.
Nothing really interesting here, time for some enumeration.
gobuster dir -u http://10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
We got 3 pages:
/music and /artwork are static ones, nothing really interesting here.
Let’s check what we have on /ona
We have OpenNetAdmin v18.1.1
OpenNetAdmin is an IPAM (IP Address Management) tool to track your network attributes such as DNS names, IP addresses, subnets and MAC addresses, just to name a few. Through the use of plugins you can extend its functionality.
By the way, OpenNetAdmin v18.1.1 is vulnerable to remote code execution.
To run the exploit script successfully we need to pass it the URL as the first argument.
Great, we just got a low-privilege (www-data) shell back.
ONA stores its database configuration file in /www/local/config/; let’s see what we have here:
Oh, here it is. We got the database configuration file with credentials in it.
To access MySQL we need to upgrade our shell.
Grab a PHP reverse shell from Pentestmonkey.
Then get your IP address with ifconfig tun0, set that IP address in the reverse shell file, and finally start a Python web server (python -m SimpleHTTPServer 80) so the target can download the file.
Download the reverse shell onto OpenAdmin via the RCE script.
To trigger it, open the file in the browser and the reverse shell comes back. Before that, we need to set up a listener:
nc -nvlp 9001
We got the shell back!
We still can’t connect to the database.
Mm wait, we also have port 22 open. Let’s try it.
Before that, grab the usernames from /etc/passwd.
We have 3 users: root, jimmy and joanna.
Oh, sweet! We are in, but we still don’t have access to the user flag. So, we need to get into joanna’s account.
Remember the useless static web pages (/music and /artwork)? Where are they?
We can easily find it with the find command
find / -type d -name artwork 2>/dev/null
Bingo, they are located in /var/www/ instead of /opt/, where ona is located.
In /var/www/ we have 3 directories:
html — where the static pages are located
internal — it seems very interesting…
ona — a symbolic link to /opt/ona/www
Check out internal:
index.php is the login page, which checks the username and password.
So we have the username jimmy and we want the password. Good for us, it is an easy password, so we can crack it with an online service.
And we got the password:
jimmy:Revealed
The main.php file checks if we are authorized and gives us the private key of the joanna user.
We can’t access it by simply going to http://10.10.10.171/index.php/ because it is only listening locally!
It is listening on port 52846.
To access it we need port forwarding via SSH.
ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171
After port forwarding, we can simply access it via our browser.
Let’s log in and grab the private key:
jimmy:Revealed
We got it!
Now we can SSH in as the joanna user.
Oh crap, it needs a passphrase.
ninja is not the passphrase; it should be something similar, containing the text ‘ninja’.
Before cracking it with john, grep only the passwords that contain ninja out of the wordlist.
John needs the key in a crackable hash format. Convert it with ssh2john.
And, crack it!
Sweet! It cracked it in seconds.
joanna SSH passphrase: bloodninjas
We have the passphrase, now we can log in as the joanna user.
Check what we can run as root by simply typing sudo -l.
Oh man, it ruined the fun for me :(
Check GTFOBins.
We can easily execute system commands:
^R^X (Ctrl+R, then Ctrl+X), followed by:
reset; bash 1>&0 2>&0
And we are root in 10 seconds!
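The root step works because sudo lets joanna run an editor as root (the ^R^X sequence is the nano read-file/execute-command escape documented on GTFOBins). As an added example from the defender's side, not part of this write-up or the box, here is a small Python audit that parses sudoers-style rules and flags any entry granting root on a binary GTFOBins lists as a shell escape; the sudoers content and paths below are constructed placeholders.

```python
import os
import re

# Constructed sample sudoers content for this example (placeholder paths,
# not the box's real configuration). The joanna line has the shape that
# lets the ^R^X nano escape from GTFOBins run as root.
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
jimmy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/PLACEHOLDER_FILE
deploy  ALL=(root) /usr/bin/vim, /usr/bin/id
"""

# Editors, pagers and interpreters that GTFOBins lists as spawning a
# shell (or writing arbitrary files) when run under sudo.
SHELL_ESCAPE_BINARIES = {
    "nano", "vim", "vi", "less", "more", "man", "find", "awk",
    "python", "python3", "perl", "env", "bash", "sh",
}

# user  host=(runas[:group]) [TAG: ...] command[, command...]
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return, in file order, the entries that let a user run a GTFOBins
    shell-escape binary as root. Each finding is a dict with user,
    binary, the full command spec and whether NOPASSWD is set."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # A missing "(runas)" part means the command runs as root.
        runas_user = (m.group("runas") or "root").split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd or cmd == "ALL":
                continue  # bare ALL is a separate (worse) problem
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({"user": m.group("user"), "binary": binary,
                                 "command": cmd, "nopasswd": nopasswd})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']}: {f['command']} (NOPASSWD={f['nopasswd']})")
```

On a real host, feed it the output of `cat /etc/sudoers /etc/sudoers.d/*` and fix flagged entries by removing the rule or restricting the editor with `sudoedit`, which never spawns a root shell.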
I hope you enjoyed, follow me for future posts.