Hack The Box – OpenAdmin Box Writeup By Nikhil Sahoo

Introduction

Hello everyone, I hope everyone is doing well and is safe and is utilizing this time in a meaningful way 🙂

So, back with a new blog. Today we will go through the walkthrough of the Hack The Box machine OpenAdmin, which retired very recently. It was an easy-rated Linux box. So without further ado, let’s begin…

Recon

We’ll start our recon with an Nmap scan.

nmap -sC -sV 10.10.10.171

Port 80 is open, so let’s check that first.

Nothing interesting, so let’s run directory brute-forcing against it.

OK, we got two directories. Let’s browse through them…

Went through the complete page along with the page source; nothing interesting again. Let’s jump over to the other one.
Now if we click on login, it is going to redirect us to another page.

Looks interesting: hovering over the download button shows a URL to the “opennetadmin” site. OpenNetAdmin is an IP address management (IPAM) system used to manage a particular network.

Initial Foothold

Let’s look for opennetadmin exploits over the internet. After searching a bit we can find an RCE vulnerability. We can search and use exploits over searchsploit as well but I preferred to go with this particular GitHub repo:

https://github.com/amriunix/ona-rce

So let’s run our Exploit.

python3 exploit.py exploit http://10.10.10.171/ona

We’re in!!!

Browsing further through the directories, we come across a file named “database_settings.inc.php” inside /opt/ona/www/local/config/.

So we got the DB user, password, and database name. SSH is open as well, so let’s try logging in with this password. First we need to know which users exist on the box, which we can find simply by listing the /home directory: there are two users, Jimmy and Joanna. Let’s try Jimmy first.

User: Jimmy

It worked 🙂

Browsing further again, we come across a file “main.php” inside /var/www/internal.

When executed, this PHP file outputs the SSH private key of the user Joanna, but we need to find the URL it is served at. Since it was found under the internal directory, it is probably part of some internally accessible site. Let’s run netstat to list all listening ports: netstat -tlunp

Port 52846 looks interesting; let’s request that PHP file over this port using curl.

curl http://127.0.0.1:52846/main.php

And we get the private SSH key of the user Joanna. Let’s copy it over to our local machine.

User: Joanna

We can try cracking it using John, but first we need to convert it into a format John understands. This is done with ssh2john.

ssh2john sshkey > newssh

Once that is done, we run John over it with our favourite wordlist, rockyou.txt.

john --wordlist=/path/to/rockyou.txt newssh

Cracked!! So the passphrase is “bloodninjas”.

Let’s try to log in as Joanna using her private key.

ssh -i sshkey joanna@10.10.10.171

We’re in!!! If it asks for Joanna’s password instead of the key’s passphrase, the key file permissions are probably too open: a private key should have permission 400 or 600.

Now let’s run sudo -l to check which commands Joanna can run with sudo.

So we can run nano on the “priv” file in the /opt directory.

Privilege Escalation

Let’s go straight to GTFOBins and check the shell-escape methods for nano.

As per the GTFOBins entry, once we’re inside nano (sudo nano /opt/priv) we press Ctrl+R, then Ctrl+X, and execute the following command:

reset; sh 1>&0 2>&0

Press Enter and we should be getting the root shell.
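As an added defensive counterpart to this privilege escalation (example code written for this writeup, not from the original post or from GTFOBins): a small Python audit that parses the output of sudo -l and flags rules granting editors, pagers or interpreters known to allow shell escapes, such as the nano rule on this box. The sample sudo -l output is constructed, and the binary list is a short, partial subset of what GTFOBins documents.

```python
import re
from dataclasses import dataclass
from typing import List

# Short, partial subset of binaries GTFOBins documents as able to spawn a shell
# when run via sudo (nano among them, as on this box). Extend for a real audit.
SHELL_ESCAPE_BINARIES = {"nano", "vim", "vi", "less", "more", "man",
                         "find", "awk", "perl", "python", "python3"}

# Constructed sample of `sudo -l` output: one risky rule and one harmless one.
SAMPLE_SUDO_L = """\
User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/systemctl restart nginx
"""

# Shape of a rule line: "(runas) TAG: TAG: command, command".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


@dataclass
class Finding:
    runas: str
    nopasswd: bool
    command: str
    binary: str


def audit_sudo_rules(sudo_l_output: str) -> List[Finding]:
    """Return the sudo rules whose command is a known shell-escape binary."""
    findings: List[Finding] = []
    in_rules = False
    for line in sudo_l_output.splitlines():
        # Rules follow the "User X may run the following commands" header.
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmd").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1]  # /bin/nano -> nano
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append(Finding(m.group("runas"),
                                        "NOPASSWD" in m.group("tags"), cmd, binary))
    return findings
```

Run against the sample, the only finding is the nano rule; a sudoers entry like that should be replaced with a narrower, non-interactive command or removed.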

 

So we got our root flag 🙂 … That explains it all.

So that’s for now. See you next time.

Till then Stay Safe, Stay Home

Happy Hacking !!!

 
