Today I will be going over OpenAdmin, a recently retired machine on HackTheBox.
As usual, we first run an nmap scan and find HTTP on port 80 and SSH on port 22.
Let’s first visit TCP port 80, which normally runs an HTTP service. It shows the Apache2 default welcome page.
We check the source code, but nothing seems interesting.
We scan the host with gobuster to enumerate directories.
We get some interesting directories. Let’s visit them one by one.
We visit the page. After spending some time here, we see that nothing interesting has been disclosed so far.
We move to another directory, called music.
Let’s try to login.
After clicking the login button, we are logged in as the guest user. It is time to find some useful stuff.
We add the machine’s IP to /etc/hosts as openadmin.htb.
The version of OpenNetAdmin is v18.1.1. Let’s check searchsploit; there may be an exploit we can use.
And we find an exploit for version 18.1.1 of OpenNetAdmin.
We set the configuration so that the exploit runs properly.
And we run the exploit.
Cool! We got a shell as www-data.
www-data is a low-privileged user on the box, which means we will not be able to perform any major tasks. So, we need to escalate our privileges to a more powerful user.
We start an HTTP server in Python to serve a Linux enumeration script called LinEnum.sh.
We download the script on the target machine using the wget command.
Let’s first give execute permission to the script.
And run the script.
The services listening on localhost on ports 3306 and 52846 are unusual. We note this and continue for now.
The script did not give us anything useful for privilege escalation, so let’s start enumerating the box manually, searching for hints.
We find a PHP file called “database_settings.inc.php” inside the directory /opt/ona/www/local/config/. The file contains MySQL database credentials.
Let’s use cat /etc/passwd to list the users.
There are jimmy and joanna. We try to SSH to the box as jimmy, and luckily it works.
Holy… User jimmy does not have the user flag, so we proceed to enumerate further.
We find an interesting directory called internal. Inside it, there is a file called main.php, which is the key to getting the private key of user Joanna and logging in as Joanna.
We run the curl command to get the private key. Running curl against the public address, we get a “404 Not Found” error from 10.10.10.171 on port 80.
This time, we run curl against local and get the same error from 127.0.0.1 on port 80.
So, what are we supposed to do now?
We remember that we noted services listening on localhost on ports 3306 and 52846.
Let’s use the curl command again against localhost on port 3306.
Nope. Did not work again.
How about port 52846?
And thankfully, we get the private key, which is encrypted.
We create a file and paste the key.
John the Ripper cannot crack the RSA private key directly; first we need to convert it into a crackable format, which can be done with the John utility “ssh2john”.
We convert the key to a crackable hash and save it in a text file named output. So, let’s use John the Ripper to crack the hash.
Great! We have successfully cracked the passphrase: bloodninjas.
Now, we create a file called rsa and paste the RSA private key into it.
We set appropriate permissions on the SSH key file.
Finally, we successfully get the user.txt file.
It is time to capture the file root.txt.
The sudo -l command reveals that user Joanna can run /bin/nano /opt/priv as root without a password.
First, we run sudo /bin/nano /opt/priv. Then we press <CTRL>+R to read a file.
We enter the file that we want to read, in this case root.txt 🙂
Voila! We successfully got file root.txt.
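The defender’s counterpart to the sudo nano step above, added here as an example that is not part of the original writeup: a small audit that parses sudoers rules and flags escape-capable editors or pagers granted as root, since pinning nano to one file does not stop it from opening others once it runs as root. The sudoers text is constructed, and the ESCAPE_CAPABLE list is an assumption to be tuned to local policy.

```python
import os
import re

# Constructed sample sudoers content (not taken from the box). The last rule mirrors
# what `sudo -l` reported in the writeup: joanna may run /bin/nano /opt/priv as root.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
"""

# Editors and pagers that can open other files or run commands once started as root.
# Hypothetical starting list; extend it to match local policy.
ESCAPE_CAPABLE = {"nano", "vi", "vim", "less", "more", "emacs"}

# user host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """One dict per granted command; Defaults lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            rules.append({
                "user": m.group("user"),
                "runas": (m.group("runas") or "root").split(":")[0],
                "nopasswd": "NOPASSWD" in m.group("tags"),
                "cmd": cmd,
                "binary": cmd.split()[0],
            })
    return rules

def find_risky(rules):
    # Pinning nano to /opt/priv does not help: once running as root it can open any
    # file (Ctrl+R), so the fix is sudoedit on the specific file, not a nano rule.
    return [r for r in rules
            if r["runas"] in ("root", "ALL")
            and os.path.basename(r["binary"]) in ESCAPE_CAPABLE]
```

Running `find_risky(parse_sudoers(SAMPLE_SUDOERS))` returns only the joanna rule; the rsync grant and the unrestricted root/%sudo entries are left for other checks.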
Thank you for your time. See you soon.