Open Admin
P.S. This is my first writeup ever. I wrote it back in June 2020 and am uploading it almost 5 to 6 months later.
So, this is my first time on any HackTheBox machine. I filtered only the easy machines on HTB and out of those I randomly selected OpenAdmin. I don't know how much time others took to break into this machine, but for me it took almost an entire day. It took a lot of enumeration for me, maybe because this was my first time. My main source of all the hints was Reddit.
Here, I will also try to put down the links that I referred to while attacking the machine. So, let's begin!!!
Reconnaissance
First things first, the base step of all attacks: RECON! Without giving it a thought I ran 4 scans simultaneously: nmap, nikto, nessus and dirb. Following are the outputs from all those 4 scans:
Reconnaissance Result Analysis
Now, looking at the nmap scan, the first thing that I felt to be exploitable was SSH open on port 22. A few more things to be observed were that Apache was running on port 80 and, from the header, the version it detected was 2.4.29 on Ubuntu.
Another filtered port that I saw was 5930, but no service was detected over that port.
Moving to the Nikto scan, there was only one thing that caught my sight and it was: + Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
This confirmed the detection from nmap that the Apache running on this machine was exploitable.
I visited both the directories detected by dirb, i.e. /artwork and /music, and visited all the sub-directories in them. In the directory /music I found a login page. So, I thought maybe I could even try SQL injection over there. One thing odd about this login page was that even though the link to the login page was on the /music homepage, the page itself was in a totally different directory, /ona.
Coming to the Nessus scan, I did not find anything of much help over there. All that I found were INFO-level findings and nothing else.
Enumeration & Exploitation
Enumeration and exploitation would normally have been two different steps, but here enumeration was required at each and every step of exploitation (maybe because this was my first time). So, my first target was port 22, where I saw SSH running. I tried to search for exploits for OpenSSH 7.6p1 on Google and other platforms but didn't find anything useful.
The next thing that I had in mind from recon was the login page, so I went there and tried a basic SQL injection by entering ' OR '1' = '1 in both the username and password fields. But to my bad luck, this also didn't work. Along with this I even tried other basic username and password combinations like admin:admin, admin:password and others. But none of these worked either.
At this point, I was totally stuck and was not able to figure out my approach to get access, as in my recon I had determined only two ways, i.e. SQL injection and an OpenSSH exploit. I even tried to get direct SSH access by using the command: tester@kali:/ $ ssh 10.10.10.171. But as expected, that also didn't work out. After spending about an hour or so figuring out what was to be done, I decided to google some hints for this box. Not to my surprise, Reddit proved to be a useful platform. I got a hint to go for the software on which the login page was based.
I went back to the login page and saw that it was based on OpenNetAdmin v18.1.1 (not to mention that the name of the box, OpenAdmin, also relates to the same). Immediately I ran a Google search to find any exploit for that and found a Remote Code Execution exploit on GitHub.
I cloned the repository and tried to run it. It may sound dumb, but it took multiple attempts for me to execute this exploit as well. The exploit had two options: to check whether the target is exploitable, and to exploit the target. I have mentioned all the attempts that I made:
There was a huge drawback to this, as I was able to run only certain commands like cat, grep and ls. Even cd did not work; after executing the command I still remained in the same /opt/ona/www directory. I explored all the directories and also all the files in this directory. After exploring, I found two user credentials:
Manager:mysecretbindpassword (from the file config/auth_ldap.config.php)
ona_sys:n1nj4W4rri0R! (from the file local/config/database_settings.inc.php)
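The two plaintext secrets above, and the password reuse that later opened jimmy's SSH account, are exactly what a defender should look for before an attacker does. Below is an added example, not code from the writeup, the box, or the OpenNetAdmin project: a small Python audit that scans PHP configuration files for password-like assignments and reports any secret value that appears in more than one file. The file contents are constructed to resemble the two files named above (plus a third, invented file to show reuse); the key-name regex is a heuristic assumption, not an OpenNetAdmin convention.

```python
"""Added example (not from the writeup or OpenNetAdmin): find plaintext
credentials in PHP config files and flag secrets reused across files."""
import os
import re
from collections import defaultdict

# Heuristic (an assumption, not an ONA convention): a key whose name contains
# pass/passwd/password/pw/secret, assigned a quoted string via '=' or '=>'.
SECRET_RE = re.compile(
    r"""(?P<key>\w*(?:pass|pw|secret)\w*)\W*(?:=>|=)\s*['"](?P<value>[^'"]+)['"]""",
    re.IGNORECASE,
)

# Constructed sample files keyed by path. The first two paths are the ones the
# writeup names; the bodies are made up to resemble them. The third file is
# invented purely to show a reused secret.
SAMPLE_FILES = {
    "config/auth_ldap.config.php": (
        "<?php\n"
        "$conf['auth_ldap']['binddn'] = 'cn=Manager,dc=example,dc=com';\n"
        "$conf['auth_ldap']['bindpw'] = 'mysecretbindpassword';\n"
    ),
    "local/config/database_settings.inc.php": (
        "<?php\n"
        "$ona_contexts = array(\n"
        "  'DEFAULT' => array(\n"
        "    'db_type' => 'mysqli',\n"
        "    'db_login' => 'ona_sys',\n"
        "    'db_passwd' => 'n1nj4W4rri0R!',\n"
        "  ),\n"
        ");\n"
    ),
    "local/config/backup.inc.php": (
        "<?php\n"
        "$backup_password = 'n1nj4W4rri0R!';\n"
    ),
}


def find_secrets(files):
    """Return [(path, key, value)] for every password-like assignment found."""
    hits = []
    for path, text in files.items():
        for m in SECRET_RE.finditer(text):
            hits.append((path, m.group("key"), m.group("value")))
    return hits


def reused_secrets(hits):
    """Map each secret value seen in more than one file to its sorted file list."""
    seen = defaultdict(set)
    for path, _key, value in hits:
        seen[value].add(path)
    return {value: sorted(paths) for value, paths in seen.items() if len(paths) > 1}


def load_php_configs(root):
    """Read every *.php file under root into the {relative_path: text} shape
    that find_secrets() expects, for running the audit on a real web root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as f:
                    files[os.path.relpath(path, root)] = f.read()
    return files


def report(files):
    """Human-readable lines: one per secret found, then one per reused value.
    Key names are reported, values are not, so the report itself stays safe."""
    hits = find_secrets(files)
    lines = [f"{path}: {key} is stored in plaintext" for path, key, _value in hits]
    for _value, paths in reused_secrets(hits).items():
        lines.append(f"same secret reused in {len(paths)} files: {', '.join(paths)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FILES):
        print(line)
```

On a real host you would call report(load_php_configs("/opt/ona/www")) and feed the reused values into whatever password-policy or secret-rotation process you run; the regex is intentionally loose, so expect to tune it for the application's own key names.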
From the account details of ona_sys, I thought using these credentials on the login page would lead me to admin access, but none of the user details worked on the login page. Once again, I was stuck and it almost felt like a dead end. I again spent an hour or so trying to figure out something by going through all the files in that very directory. Then I headed back to Reddit to figure out what next steps should be taken. I found out that there were a few users about whom I needed to find details. And the best way to find details about users on a Linux system is to see the passwd file using the command:
In this file I saw two users, jimmy and joanna. I tried to access the shadow file in order to get the hashes of the users' passwords, but access to that file was denied. Now, what I had were 2 user account credentials and two other usernames whose passwords I didn't know. I assumed the next step was to access these users and then maybe I could do privilege escalation from their account. But the issue here was how to access their accounts, as I knew neither their passwords nor their password hashes which I could break. This was again a disappointing phase for me, and then I read a comment on Reddit that "Users reuse their passwords over multiple accounts". This was a hint to use the passwords that I already had. So, I tried SSH to jimmy's account using the password "mysecretbindpassword" but it didn't work; I then tried the password "n1nj4W4rri0R!" and got access as jimmy@openadmin:~$. To gain access via SSH, I used the command:
Here, I thought I had got user access on the box and could also claim it on HTB, but there was no user.txt file from which I could get the flag. So, I determined that the user flag must be associated with joanna's account. I tried to get into joanna's account from jimmy's account but access was denied. Even the command sudo -l didn't work. So, the next task was to get access to joanna's account, and for that I needed the password to her account. I explored the files that were accessible to jimmy. Because this was all around PHP, I thought of visiting /var/www/, and over there I found a folder named internal. In there, I saw a file named main.php. It appeared to be more like a PHP script and so I decided to curl that file. For that, I needed to find out the port on which it was listening. And so I ran the command:
Now that I had the RSA key, the aim was to crack the key's passphrase and use the key to access joanna's account. So, I used ssh2john.py to first convert the RSA private key into a hash form that JohnTheRipper could crack. For this, I first copied only the RSA private key and pasted it into a new file. Then I tried to run ssh2john on that file, but it didn't succeed. I was a bit confused and tried a few more times, but it didn't work. Then I copied the key from the very line where it was written -----BEGIN RSA PRIVATE KEY----- till the line -----END RSA PRIVATE KEY-----. Then I again tried ssh2john.py and this time it worked. I used the command:
My new hash was stored in a new file that I named "key". The next task was to crack this hash using JohnTheRipper. And the output was:
So, I got the key to joanna's account as well. The immediate next thing that I had to do was to SSH into joanna's account. I tried to do the same and entered the new password that I got, but even after trying multiple times, each time permission was denied. I headed back to Reddit just to find that I was not supposed to enter the password but to pass the RSA key directly while logging in. So I tried the same, but it didn't work this time either and I ended up with:
From the above details provided, I thought that maybe the permissions on the key file were too open and that's why SSH was not accepting that file. So, I decided to change the permission settings for that file:
. And I got access to joanna's account as well. As soon as I got the access, the first thing that came to my mind was to submit the user hash that was stored on 'Desktop'. I did that and now only one thing was remaining which was root access. I did sudo -l
to figure out all the permission joanna had and there I was surprised to see that joanna had sudo level access to /bin/nano
and /opt/priv
. I researched a bit about gaining root-level access by using nano
and found a very useful website called GTFOBins.
So, I ran the nano command pointing towards priv file with sudo and ran the commands as mentions on the website given above:
And there it was, root.txt!!!!! It almost took me an entire day along with hints from Reddit to break the machine (even though it was an easy one). But I am happy as this was my 1st HTB machine!!!!!
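The handling of joanna's key above (a private key readable through a web application, an SSH refusal because the file mode was too open, and a passphrase short enough to crack) maps onto three checks a defender can run on a host. The following is an added example, not code from the writeup: a Python audit that walks a directory tree, recognises PEM private keys by their header line, and reports whether each one sits under a web root, is group/world readable, or carries no passphrase at all. The directory layout, paths and key bodies are constructed placeholders, not real key material; the web root list is a parameter you would set to the host's actual document roots.

```python
"""Added example (not from the writeup): audit a directory tree for SSH
private keys exposed by location, file mode, or a missing passphrase."""
import os
import stat
import tempfile

PEM_HEADERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
)


def is_private_key(text):
    """True when the text carries any of the usual private-key header lines."""
    return any(h in text for h in PEM_HEADERS)


def is_encrypted(text):
    """Passphrase detection for the textual PEM forms: legacy PEM advertises it
    with a Proc-Type header, PKCS#8 with its own BEGIN line. The OpenSSH format
    keeps that flag inside a base64 body, so return None (undecided) for it."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        return None
    return "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text


def audit_tree(root, web_roots=()):
    """Return {relative_path: [findings]} for every private key under root."""
    web_roots = [os.path.join(os.path.abspath(w), "") for w in web_roots]
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    text = f.read(4096)  # headers sit at the top of the file
            except OSError:
                continue
            if not is_private_key(text):
                continue
            findings = []
            if any(os.path.abspath(path).startswith(w) for w in web_roots):
                findings.append("inside web root")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:  # the condition behind sshd's "permissions too open"
                findings.append(f"mode {mode:04o} readable by group/others")
            if is_encrypted(text) is False:
                findings.append("no passphrase")
            result[os.path.relpath(path, root)] = findings
    return result


def build_demo_tree():
    """Construct a throwaway tree with two fake keys (no real key material):
    one unprotected under a web root, one protected in a user's ~/.ssh."""
    root = tempfile.mkdtemp(prefix="keyaudit_")
    exposed = os.path.join(root, "www", "internal", "id_rsa")
    guarded = os.path.join(root, "home", "joanna", ".ssh", "id_rsa")
    for p in (exposed, guarded):
        os.makedirs(os.path.dirname(p))
    with open(exposed, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nFAKEKEYMATERIAL\n"
                "-----END RSA PRIVATE KEY-----\n")
    os.chmod(exposed, 0o644)
    with open(guarded, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: AES-128-CBC,00\n\nFAKEKEYMATERIAL\n"
                "-----END RSA PRIVATE KEY-----\n")
    os.chmod(guarded, 0o600)
    return root


def demo():
    """Run the audit over the constructed tree, treating <root>/www as a web root."""
    root = build_demo_tree()
    return audit_tree(root, web_roots=[os.path.join(root, "www")])


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", ", ".join(findings) or "ok")
```

On a real system you would run audit_tree("/", web_roots=["/var/www"]) from a privileged account; a key with the "no passphrase" finding is the one to rotate first, and a key that is encrypted but sits under a web root still needs to go, since the writeup shows what a short passphrase is worth once the file is in an attacker's hands.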
Some Key Points to Take Away
Check for the services that are running, i.e. OpenNetAdmin in this case, and search for their exploits.
Check all the files present in the current directory.
Try to access the passwd and shadow files and gain user details from there.
Search /var/www in case there is some web application hosted.
Convert the RSA key to a hash and then crack it using john.
Run the command sudo -l whenever you have access to any user to determine the commands that can be run with sudo, and use GTFOBins for those commands.
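The last point above (sudo -l plus GTFOBins) can be turned into a routine audit rather than a one-off check. The following is an added example, not code from the writeup or from GTFOBins: a Python parser for the rule lines that sudo -l prints, which flags any command whose binary is on a short, hand-picked list of programs GTFOBins documents as able to spawn a shell or edit arbitrary files. The sudo -l output is constructed to match the rule the writeup found (nano on /opt/priv) plus one harmless invented rule; the binary list is a subset I chose, not the full catalogue, so a clean result means "nothing in this subset", not "safe".

```python
"""Added example (not from the writeup or GTFOBins): parse `sudo -l` rule
lines and flag binaries with documented shell escapes."""
import os
import re

# Hand-picked subset of programs GTFOBins documents as able to spawn a shell
# or write arbitrary files when run under sudo. Deliberately incomplete.
SHELL_ESCAPE_BINARIES = {
    "nano", "vi", "vim", "less", "more", "man", "awk", "find",
    "python", "python3", "perl", "env", "bash", "sh",
}

# One rule line as sudo -l prints it: "(runas) [TAG:] cmd[, cmd ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Constructed sudo -l output: the nano rule mirrors the writeup's finding,
# the id rule is invented as a harmless control.
SAMPLE_SUDO_L = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/id
"""


def parse_sudo_l(output):
    """Return one dict per granted command, taken from the section after the
    'may run the following commands' header; Defaults lines are skipped."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").strip()
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas, "nopasswd": nopasswd, "command": cmd.strip()})
    return rules


def risky_rules(rules):
    """Pair each risky rule with the reason it was flagged."""
    flagged = []
    for rule in rules:
        cmd = rule["command"]
        if cmd == "ALL":
            flagged.append((rule, "unrestricted sudo"))
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPE_BINARIES:
            flagged.append((rule, f"{binary} has a documented shell escape (GTFOBins)"))
    return flagged


def audit(output):
    """Parse and flag in one step; output is the raw text of `sudo -l`."""
    return risky_rules(parse_sudo_l(output))


if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_SUDO_L):
        tag = "NOPASSWD " if rule["nopasswd"] else ""
        print(f"{tag}({rule['runas']}) {rule['command']}: {reason}")
```

Restricting nano to one file path does nothing here, which is the point the writeup demonstrates: the audit flags the binary regardless of its arguments, and the fix is to replace the editor grant with a narrower mechanism (a wrapper script, or sudoedit where it fits) rather than to tighten the path.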