HackTheBox - OpenAdmin

Summary

OpenAdmin, a Linux box created by HackTheBox user dmw0ng, was an overall easy difficulty box. Initial enumeration shows only port 22 and port 80 open. On the web server we see OpenNetAdmin; searching for an exploit we find a shell script on Exploit-DB, and using that we get a shell as www-data. Enumerating, we find credentials for the database. Checking for password reuse on SSH, we try the password with both usernames and get a hit as jimmy. Enumerating further, we find an internal service that cats the id_rsa for joanna; port-forwarding to it, getting the password and cracking the passphrase, we get user. Root was pretty simple using nano.

Initial Foothold

Let's start with nmap.

# Nmap 7.80 scan initiated Sat Jan  4 14:37:09 2020 as: nmap -sC -sV -oN nmap/openadmin 10.10.10.171
Nmap scan report for 10.10.10.171
Host is up (0.14s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 4 14:39:57 2020 -- 1 IP address (1 host up) scanned in 168.05 seconds

Enumeration shows us that only port 22 and port 80 are open.

Let's start with the web.

Running gobuster we see /music, and opening that we see a login link.

Opening the login we see it opens /ona, which is a

Looking in searchsploit we see an exploit for that, but running it we see that it is not working. Analyzing it, we see that it has an epoch time. After modifying that, we see it works.

User

Enumerating, we find DB creds.

Trying that password on SSH for password reuse, we see it works for user jimmy.

Enumerating as jimmy, we see in the Apache config that there is an internal site on port 52846.

We also look at main.php in /var/www/internal.

Editing main.php and removing the session check, we can curl or port-forward and get the id_rsa.

Using:

ssh -L 8000:127.0.0.1:52846 jimmy@10.10.10.171

Port-forwarding to that with jimmy's creds, we can access this page, and visiting main.php we get the id_rsa key for joanna.

Using those credentials we can SSH as joanna and have user.

And grab user.txt as c9b2cf07d40807e62af62660f0c81b5f

Privilege Escalation

Running sudo -l on the box, we see that we can run /bin/nano /opt/priv without a password.

Looking at GTFOBins for nano, we can use that to get a shell as root.

And grab root.txt as 2f907ed450b361b2c2bf4e8795d5b561

And we have pwned OpenAdmin 💃
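From the defender's side, the sudo rule found in the privilege escalation step is the finding an audit should catch. The following is an added example, not part of the original write-up: it parses sudo -l output and flags root rules that hand out an interactive editor or pager. The sample listing, the ESCAPE_CAPABLE set and the function name are constructed assumptions.

```python
import re
import shlex

# Assumption: short, non-exhaustive set of interactive programs that can run
# other commands or open other files from inside their own UI.
ESCAPE_CAPABLE = {"nano", "vi", "vim", "ed", "less", "more", "man"}

# Matches `sudo -l` rule lines: "(runas) TAG: TAG: /path/cmd args, /path/cmd2"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudo_listing(text):
    """Return (command, severity) for root rules granting an escape-capable program."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header and "Defaults" lines carry no rule
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue  # rule does not grant root
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            argv = shlex.split(cmd)
            if not argv or argv[0].rsplit("/", 1)[-1] not in ESCAPE_CAPABLE:
                continue
            # No password prompt and no NOEXEC tag: nothing stands between the
            # account and a root-owned interactive program.
            unguarded = "NOPASSWD" in tags and "NOEXEC" not in tags
            findings.append((" ".join(argv), "high" if unguarded else "medium"))
    return findings


# Constructed sample; only the nano rule reflects what the write-up describes.
SAMPLE = """\
User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /sbin/reboot
    (www-data) NOPASSWD: /usr/bin/less /var/log/app.log
    (ALL : ALL) NOEXEC: /usr/bin/vim /etc/motd
"""

if __name__ == "__main__":
    for command, severity in audit_sudo_listing(SAMPLE):
        print(f"[{severity}] {command} -> consider sudoedit for file edits")
```

A rule that exists only to let a user edit one file is usually better expressed with sudoedit, which runs the editor as the invoking user instead of as root.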

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/openadmin/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.