HackTheBox OpenAdmin Writeup

Hackthebox OpenAdmin Writeup.

Featured image

Methodology:

Nmap Scan:

we will start with nmap scan for ports and it’s services. i found 2 ports opened in this machine » 80,22. This ports for » 80 for http service » 22 for SSH service.

nmap -sC -sV 10.10.10.171 -v -oN scan.txt
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:42
Completed NSE at 03:42, 0.00s elapsed
Initiating NSE at 03:42
Completed NSE at 03:42, 0.00s elapsed
Initiating NSE at 03:42
Completed NSE at 03:42, 0.00s elapsed
Initiating Ping Scan at 03:42
Scanning 10.10.10.171 [2 ports]
Completed Ping Scan at 03:42, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:42
Completed Parallel DNS resolution of 1 host. at 03:42, 13.00s elapsed
Initiating Connect Scan at 03:42
Scanning 10.10.10.171 [1000 ports]
Discovered open port 80/tcp on 10.10.10.171
Discovered open port 22/tcp on 10.10.10.171
Increasing send delay for 10.10.10.171 from 0 to 5 due to 37 out of 122 dropped probes since last increase.
Completed Connect Scan at 03:43, 23.25s elapsed (1000 total ports)
Initiating Service scan at 03:43
Scanning 2 services on 10.10.10.171
Completed Service scan at 03:43, 6.32s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.171.
Initiating NSE at 03:43
Completed NSE at 03:43, 8.07s elapsed
Initiating NSE at 03:43
Completed NSE at 03:43, 1.02s elapsed
Initiating NSE at 03:43
Completed NSE at 03:43, 0.00s elapsed
Nmap scan report for 10.10.10.171
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 03:43
Completed NSE at 03:43, 0.00s elapsed
Initiating NSE at 03:43
Completed NSE at 03:43, 0.00s elapsed
Initiating NSE at 03:43
Completed NSE at 03:43, 0.00s elapsed

Let’s Check The Web Page on Ports 80/443.

Nothing to do so we need to bruteforce the directories.

Directory Listing using Gobuster:

now we will use gobuster to bruteforce the directory in our server.
sudo gobuster dir -u http://10.10.10.171/ -w /usr/share/dirb/wordlists/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.171/
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/04/23 03:58:22 Starting gobuster
===============================================================
/artwork (Status: 301)
/index.html (Status: 200)
Progress: 2073 / 4615 (44.92%)
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
Progress: 2374 / 4615 (51.44%)================================
/music (Status: 301)
/server-status (Status: 403)
/ona (Status: 301)

Let’s check the http://10.10.10.171/music

there is nothing in this page so let’s go to ona page.

Checking http://10.10.10.171/ona

so first i try login with admin:admin and it’s worked so there something interested in this page and let’s go to Download page.

Download Page:

and from here we know that this service is a OpenNetAdmin! so what is it? OpenNetAdmin is an opensource IP Address Management (IPAM) system. so let’s search for any exploits for OpenNetAdmin.

Exploitation.

when i searched for exploits for opennetadmin i found this exploit » https://www.exploit-db.com/exploits/47691. let’s download the exploit and run it .

Reverse Shell.

Escalate To the First User.

  1. first thing you will found that you don’t know where you should search for any credentials..
  2. so we will use the find command.
  3. find / -type d -user www-data

Hunt files with Find:

find - is a linux command to find anything like file or directory. The first argument / is the place to perform the search -type - It takes f or d resembling what we are searching » f - For files » d - For directories. -user - This tells in connection to which user. This command will search all the files that have permission for www-data under >(complete file system)

Credentials:

  1. when we used the find command we will find some interesting files.
  2. first let’s list the dirs in /opt/ona/www/

  1. then let’s list the dirs in config file beacause we know that the configuration files contain creds or any interesting things.

check the content of the config.inc.php file and you will found this line » $dbconffile = “{$base}/local/config/database_settings.inc.php”;

so let’s go to check this file.

MySql Credentials:

now we Found the mysql login user password: n1nj4W4rri0R ! » try this password with our users. we have in this machine 2 users and the root » jimmy » joanna » root. Let’s try the password with the 2 users . The password worked with Jimmy.

Joanna SSH key and Login with it:

The first thing i do i go to /var/www and i found dir with the name internal and i open it and found the main.php file and i will show you the content of the file and the error when open it with php.

and we found the ssh key for joanna » boom let’s decrypt it with ssh2john and john.

Login With Joanna

Privilege Escalation:

first i use sudo -l and i found »

we can run this command as root /bin/nano /opt/priv without password.

Nano Exploitation: