# HackTheBox OpenAdmin

## 1. Info

* Name: OpenAdmin
* IP: 10.10.10.171
* OS: Linux
* Difficulty: Easy

## 2. Nmap

* Payload: `sudo nmap -sC -sV 10.10.10.171 -oA nmap/10.10.10.171`
  ![](https://i.imgur.com/w1Uy0Ca.png)
* Port 22: OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
* Port 80: Apache httpd 2.4.29 ((Ubuntu))
* No CVE to use.

## 3. Web Server

* View:
  ![](https://i.imgur.com/hUsuXfh.png)
* A very common Apache2 default page
* Runs on Ubuntu
* Gobuster
  * mode: dir
  * Payload: `gobuster dir -u "http://10.10.10.171/" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o gobuster.out -x html -b 403,404`
    ![](https://i.imgur.com/7HW0UWY.png)
  * Found dirs:
    * http://10.10.10.171/music/
    * http://10.10.10.171/artwork/
    * http://10.10.10.171/sierra/
* Dir: /music
  * View:
    ![](https://i.imgur.com/0zgA0F4.png)
  * Explore the web page
    * Most links direct us to the same page
    * There's an interesting link: Login
    * It directs us to http://10.10.10.171/ona/
      ![](https://i.imgur.com/ZZiUWoz.png)
  * It's OpenNetAdmin v18.1.1
  * Google it!
    ![](https://i.imgur.com/s9zkYuz.png)
  * There is an RCE PoC on ExploitDB; we can try to use it.

## 4. Exploit OpenNetAdmin

* Exploit RCE: https://raw.githubusercontent.com/amriunix/ona-rce/master/ona-rce.py
* Payload:
  * Use vuln checker: `python3 ona-rce.py check http://10.10.10.171/ona/`
  * Use exploit: `python3 ona-rce.py exploit http://10.10.10.171/ona/`
* Get shell!
  ![](https://i.imgur.com/xf2eQVz.png)

## 5. Privilege Escalation to User Jimmy

* Enum users
  * `cat /etc/passwd`
    ![](https://i.imgur.com/KmaEi46.png)
  * There are two users:
    * jimmy
      * Web admin
        ![](https://i.imgur.com/PA8dy73.png)
    * joanna
* Find open ports
  ![](https://i.imgur.com/Ps9RprZ.png)
  * Found port 3306 (mysql)
* Explore files
  * Interesting file:
    * /opt/ona/www/local/config/database_settings.inc.php
      ![](https://i.imgur.com/ju5opLT.png)
    * Found the database username and password
* MySQL
  * Log in with ona_sys
    * `mysql -u ona_sys -p`
    * Password: `n1nj4W4rri0R!`
  * Explore MySQL
    * Get databases: `show databases;`
      ![](https://i.imgur.com/ZrAPAih.png)
    * Get database ona_default's tables: `use ona_default; show tables;`
      ![](https://i.imgur.com/IqkqEyt.png)
    * Interesting table: users
    * Dump table users: `select * from users;`
      ![](https://i.imgur.com/lE6tHld.png)
    * We get usernames and password hashes
    * Use hashcat to crack them
      * admin:admin
      * guest:test
    * Not very useful...
* Try logging in as jimmy with su
  * Jimmy is the web page administrator; maybe he uses the same password as the MySQL server
  * `su jimmy`
  * Password: n1nj4W4rri0R!
  * Success!
    ![](https://i.imgur.com/qMSVVzG.png)

## 6. Privilege Escalation to User Joanna

* Enum
  * `sudo -l`
    * Nothing
  * Run linpeas.sh
    ![](https://i.imgur.com/B4F5eSe.png)
  * Interesting ports:
    * Port 3306: MySQL server
      * Nothing interesting in the MySQL server
    * Port 52846: weird port
      * We can find it in `/etc/apache2/sites-available/internal.conf`
        ![](https://i.imgur.com/oIoNNJl.png)
      * Seems like another website
      * The web server is run by **Joanna**
  * Interesting user group
    * jimmy: uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),**1002(internal)**
  * Interesting file (jimmy-writable)
    * /var/www/internal
      ![](https://i.imgur.com/mLJOE8J.png)
    * Looks like we can write files that are run by the internal server
* Privilege escalation with the internal web server
  * Explore the files in /var/www/internal
    * index.php
      * Looks like a login page
      * Sends the login request by POST
      * username = jimmy, auth with password hash (sha512)
        ![](https://i.imgur.com/rjuX1Ui.png)
    * logout.php
      * Logout, just logout (clears the session).
    * main.php
      * There is some interesting PHP code
        ![](https://i.imgur.com/gVeDlJP.png)
      * It redirects us to index.php on a wrong password, but there is no `die()` call
      * The PHP code still executes, but we can't see its output on the web page
      * Use Burp Suite to get it
      * The web server reads joanna's SSH key file and sends it to the internal web server!?
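The root cause in main.php is a PHP pattern worth seeing side by side. The following is an added example, not the actual `/var/www/internal/main.php` from the box: it reconstructs the redirect-without-`die()` pattern the writeup describes next to a fixed version. The session variable name, the redirect target and the `require_login_*` helper names are assumptions made for the example.

```php
<?php
// Added example (not the box's real main.php): a redirect that does not stop
// the script, beside the corrected form. Names below are assumptions.
declare(strict_types=1);

session_start();

/**
 * Vulnerable pattern. header() only queues a Location header on the
 * response; PHP keeps executing the rest of the file. Everything after
 * this call still runs for an unauthenticated request, and its output is
 * sent as the body of the 302, where any client that does not follow
 * redirects (e.g. Burp Repeater) can read it.
 */
function require_login_broken(): void
{
    if (!isset($_SESSION['username'])) {
        header('Location: /index.php', true, 302);
        // BUG: missing exit/die here.
    }
}

/**
 * Fixed pattern. Terminate immediately after issuing the redirect so that
 * no privileged code below is reached without a valid session.
 */
function require_login_fixed(): void
{
    if (!isset($_SESSION['username'])) {
        header('Location: /index.php', true, 302);
        exit; // nothing after the redirect executes
    }
}

require_login_fixed();

// Only reached when $_SESSION['username'] is set.
echo 'Welcome, ' . htmlspecialchars((string) $_SESSION['username'], ENT_QUOTES, 'UTF-8');
```

A quick check on any page that guards itself this way is to request it without a session cookie and confirm that the 302 response has an empty body. Two further conditions the writeup relies on are also configuration fixes rather than code fixes: the vhost document root should not be writable by a group of ordinary users such as `internal`, and the vhost should not run as an account whose home directory holds an SSH private key.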
* Add an `id` command into main.php
  ![](https://i.imgur.com/EfR5XSK.png)
  * We can look deeper into it
* Explore the internal web page
  * Forward port 52846 to our attacking machine: `ssh -L 52846:localhost:52846 jimmy@10.10.10.171`
  * We can view the web page: http://127.0.0.1:52846
    ![](https://i.imgur.com/9WvgJnW.png)
  * There is no `die()` call, so we can view main.php without auth via Burp Suite
* Burp Suite
  * Use Burp Repeater to get the 302 response from the web page
    ![](https://i.imgur.com/s2RuC8X.png)
  * The web server prints the output of the `id` command we added into main.php
  * Also Joanna's SSH key
  * The web server runs with Joanna's privileges
  * We can crack Joanna's SSH key passphrase with john
    * Very hard on the CPU
  * Or add a reverse shell in main.php
* Add a reverse shell in main.php
  ![](https://i.imgur.com/oYp6OgG.png)
  * **shell** is the reverse shell
  * Resend the request with Burp Suite Repeater
    ![](https://i.imgur.com/siBk1CZ.png)
  * We get joanna!
    ![](https://i.imgur.com/cO1Zn4x.png)

## 7. Privilege Escalation to Root

* Enum
  * `sudo -l`
    ![](https://i.imgur.com/3Qiz6jc.png)
  * We can run `/bin/nano /opt/priv` with root privileges
  * We can escalate privileges to root
* Privilege escalation
  * Go to [GTFOBins](https://gtfobins.github.io/)
  * Search nano
    ![](https://i.imgur.com/hhGPWha.png)
  * Run payload: `sudo /bin/nano /opt/priv`
  * In nano:
    * `^R^X` (ctrl+r ctrl+x)
    * `reset; sh 1>&0 2>&0`
      ![](https://i.imgur.com/FauVAfq.png)
  * We get root!