HacktheBox — OpenAdmin

Siva Rajendran
7 min read · May 2, 2020

The following write-up is for the machine OpenAdmin.

Hack the Box is an online CTF platform where you can hone your penetration testing skills. It is similar to boot2root machines. The goal is to find two flags, namely the User flag and the Root flag, to successfully root the machine.

This is my third write-up, and I would like to explain how I understood the machine and what steps I followed to obtain the two flags. If you have any questions, please let me know. Thanks.

OpenAdmin

Synopsis:

OpenAdmin is described as an Easy box. It is vulnerable to an OpenNetAdmin [1] exploit through which an attacker gets initial access, and from there enumerates the box to reach the next level of access: first User, then Root.

For User: we exploit OpenNetAdmin, because a remote code injection is available for that specific version, 18.1.1. With that, we get our initial shell running; from there we escalate our privilege to a higher-level user by obtaining an SSH private key, extracting its hash with ssh2john [3] and then cracking the hash with the John the Ripper [4] tool. After that, we SSH into the server with the obtained username and password and get the USER flag.

For Root: root is pretty straightforward, thanks to GTFOBins [2], which helped me get the ROOT flag.

Getting the User flag was a little more frustrating than Root, because of the problems with the initial shell I got. Root took me less than 10 min.

Personally, I learned about some new Linux commands and the importance of SSH keys.

1. Scanning the target network

I always take this part seriously since I do not want to miss any of the hidden details of my target.

I have used Nmap to scan the network.

root@kali:/HTB# nmap -sC -sV -oA output 10.10.10.171
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-04 14:34 EST
Nmap scan report for 10.10.10.171
Host is up (0.13s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 11 17:50:07 2020 -- 1 IP address (1 host up) scanned in 20.31 seconds

  • -sC: scan with the default Nmap scripts.
  • -sV: determine service/version info.
  • -oA: write the output in the three major formats at once.

Alternatively, I run a tool called Autorecon in the background. It is a multi-threaded network reconnaissance tool that performs automated enumeration of services [6]. From the Autorecon results, I had a quick look at the Dirbuster output and found some interesting URLs listed:

URL: http://10.10.10.171/music/

I have visited the above URL in the browser and found a website.

OpenAdmin-Music Website

When I clicked on the Login button, it redirected me to another URL, http://10.10.10.171/ona, where I found an interesting guest login page that revealed the version of the software.

OpenAdmin-ONA-GuestLogin-Portal

Next, I looked on Google for available CVEs for the above service version and found an exploit.

For ONA 18.1, there was a straightforward exploit available on ExploitDB [1].

2. Exploiting the target network

So I ran the exploit and popped a limited shell by utilizing this RCE vulnerability [1].

OpenAdmin-ONA-LimitedShell

This was the first time I got this kind of limited shell, where I couldn't do much outside the current directory: everything could be executed only from that location. So I tried to find any sensitive files to get more information, and ended up finding the database_settings.inc.php file in the local/config/ folder, which holds the password of some user.

OpenAdmin-ONA-Includes Folder

Then I found multiple usernames in the /home/ directory.

Users-List in /home/ directory

Now we try to log in as those users with that password over SSH.

OpenAdmin-Jimmy-SSH-Access

Now we have a shell as Jimmy.

After enumerating as the jimmy user, we can't access the user flag. So we need to escalate our privileges to another user, named Joanna.

3. Privilege Escalation

There are many privilege escalation scripts available for Linux, such as LinEnum, which automate the process. My personal favourite for Linux is Linpeas. In addition, I used the following checklist for my privilege escalation.

So, after enumerating, I executed the Linpeas.py script, having transferred the file via FTP into the /tmp folder on the target system.

OpenAdmin-LinPeas-Priv-Escalation-Results

I found some interesting files inside the /var/www/internal folder.

OpenAdmin-Internal Folder-Retrieval

Now I found that we can get the private key of joanna. Unfortunately, port 80 doesn't serve this file, so I looked at the local listening ports to find out which port serves these files.

OpenAdmin-NetStat-Ports

From this, we found that port 52846 serves the files inside /var/www/internal. So I curled main.php on that port and got the private key of the joanna user.

OpenAdmin-Joanna-Private-Keys
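The key leaked here because a backup copy of it sat under a web root that a local service happily served. As an added defensive check (not part of the original write-up), the following Python script walks a directory tree, spots every PEM or OpenSSH private key, and reports whether it is passphrase-protected, whether group/others can read it, and whether it looks like a stray backup copy. The tree it scans is constructed inside the script, modelled on /var/www/internal and a user's ~/.ssh; all sample key blobs are fabricated headers, not real keys.

```python
import base64, os, re, stat, tempfile
from pathlib import Path

PEM = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*(.*?)-----END", re.S)
MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(data: bytes) -> bool:
    """Legacy PEM flags a passphrase in a header line; OpenSSH format stores the
    cipher name ("none" means unprotected) right after its magic string."""
    if not (m := PEM.search(data)):
        return False
    label, body = m.groups()
    if label != b"OPENSSH PRIVATE KEY":
        return b"Proc-Type: 4,ENCRYPTED" in body
    hdr = base64.b64decode(b"".join(body.split()))[len(MAGIC):]
    return hdr[4:4 + int.from_bytes(hdr[:4], "big")] != b"none"

def scan_private_keys(root: str) -> dict:
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read(65536)          # a key header is always near the top
            if not PEM.search(data):
                continue
            mode = os.stat(path).st_mode
            findings[os.path.relpath(path, root)] = {
                "encrypted": key_is_encrypted(data),
                "others_can_read": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                "backup_copy": name.endswith((".bak", ".old", "~"))}
    return findings

def _openssh_blob(cipher: bytes) -> bytes:  # constructed: only the header we parse
    raw = base64.b64encode(MAGIC + len(cipher).to_bytes(4, "big") + cipher)
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + raw + b"\n-----END OPENSSH PRIVATE KEY-----\n"

LEGACY_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"  # constructed
                    b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    b"Y29uc3RydWN0ZWQsIG5vdCBhIHJlYWwga2V5\n-----END RSA PRIVATE KEY-----\n")

def demo() -> dict:
    # Constructed tree modelled on /var/www/internal and a user's ~/.ssh directory.
    root = tempfile.mkdtemp()
    samples = {"internal/id_rsa.bak": (LEGACY_ENCRYPTED, 0o644),       # the OpenAdmin pattern
               "home/.ssh/id_ed25519": (_openssh_blob(b"none"), 0o600), # no passphrase at all
               "home/.ssh/id_rsa": (_openssh_blob(b"aes256-ctr"), 0o600)}
    for rel, (blob, mode) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(blob)
        path.chmod(mode)
    return scan_private_keys(root)
```

A passphrase only buys time against john, as this box shows, so the finding to act on is the world-readable backup copy itself, not just the "encrypted" flag.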

I followed the same approach I had used on the Postman and Traverxec HTB machines after finding the private SSH keys.

Once we have the id_rsa.bak file, let us pass it to ssh2john and get the hash.

python3 ssh2john.py id_rsa.bak > ssh2johnres

Then crack the hash with john to get the passphrase of the private key for the user Joanna.

OpenAdmin-Joanna-SSH_Privkey-Passwd

As seen in the above image, we have identified the password (bloodninjas) for the user Joanna. Then I added joanna's SSH private key to our ~/.ssh folder and tried to log in via SSH.

ssh -i openadmin joanna@10.10.10.171

And now we have a shell as joanna.

OpenAdmin-joanna-shell

Now, we have got our user flag. Let’s go for the root flag now to fully compromise the machine.

OpenAdmin-User_Flag

I followed the first step of escalating to the root user and found that the joanna user can execute nano as root without a password, but only for the /opt/priv file.

OpenAdmin-Joanna_User-Nano

Then I checked GTFOBins for the command that gives root access on this machine.

sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0

OpenAdmin-Root-Flag

Finally, we got our root flag (2f907ed450b361b2c2bf4e8795d5b561) and fully compromised the machine.
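The root step works because sudo lets joanna run an interactive editor as root, and any editor with a shell escape is a root shell. As an added example from the defender's side (not part of the original write-up), the following Python script parses sudoers-style user specifications (the same syntax `sudo -l` echoes back), flags rules that run an escape-capable program or ALL as root, and suggests the usual fix for editors: `sudoedit`, which edits a temporary copy as the calling user so no editor ever runs as root. The sudoers excerpt and the list of escape-capable programs are assumptions constructed for this example.

```python
import os
import re
import shlex

# Programs with documented shell escapes (GTFOBins). Letting a user run one of them
# as root via sudo, like /bin/nano here, is equivalent to granting a root shell.
ESCAPE_CAPABLE = {"nano", "vim", "vi", "view", "less", "more", "man", "find",
                  "awk", "perl", "python", "python3", "env", "bash", "sh"}
EDITORS = {"nano", "vim", "vi", "view"}
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                  r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text: str) -> list:
    """One record per command in each user-specification line of sudoers text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE.match(line) if line and not line.startswith(SKIP) else None
        if not m:
            continue
        for cmd in m["cmds"].split(","):
            rules.append({"user": m["user"], "runas": m["runas"] or "root",
                          "nopasswd": "NOPASSWD:" in m["tags"], "argv": shlex.split(cmd)})
    return rules

def audit(text: str) -> list:
    """Flag rules that run an escape-capable program (or ALL) as root; suggest a fix."""
    findings = []
    for r in parse_sudoers(text):
        prog = os.path.basename(r["argv"][0])
        as_root = r["runas"].split(":")[0] in ("root", "ALL")
        if not as_root or (prog != "ALL" and prog not in ESCAPE_CAPABLE):
            continue
        if prog in EDITORS and len(r["argv"]) > 1:
            # sudoedit edits a temporary copy as the caller; no editor ever runs as root.
            fix = "sudoedit " + " ".join(r["argv"][1:])
        else:
            fix = "drop the rule or wrap the task in a non-interactive script"
        findings.append({"user": r["user"], "command": " ".join(r["argv"]),
                         "nopasswd": r["nopasswd"], "suggested": fix})
    return findings

# Constructed sudoers excerpt: the OpenAdmin-style rule beside two that are not flagged.
SAMPLE = """\
Defaults        env_reset
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync -a /srv/data /mnt/backup
www-data ALL=(www-data) NOPASSWD: /usr/bin/less /var/log/apache2/error.log
"""
```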

So that’s how I cracked OpenAdmin from Hack the Box. I hope you guys have got some useful information out of this write-up.

This is my third write-up and I would like to write more in the future. All comments/feedback are welcome.

Thanks for reading! Prost! 🍺

If you have any questions: Feel free to contact me.

Twitter Profile: https://twitter.com/Sh1v4_R4jU

HTB Profile: https://www.hackthebox.eu/home/users/profile/167190

HTB-Badge
