Introduction
OpenAdmin is rated as a Easy Linux box. It was released on 04 Jan 2020 and has been created by @dmw0ng
This box required us to perform the following tasks:
- Enumerate a web server to find vulnerable web application
- Exploit Web app to get initial foothold
- Credential reuse attack
- Download users SSH private key and crack
- Exploit misconfigured nano permission
Initial reconnaissance
Let’s do first a full nmap port scan using the following command:
Two ports are open:
- SSH on 22
- Apache 2.4.29 on 80
Browsing to openadmin.htb
It just shows default apache landing page, lets enumerate this port further with gobuster to find addtional directories and files.
Gobuster found music directory,which display a new webpage,
Which is running OpenNetAdmin - v18.1.1
A quick searchsploit shows this version of OpenNetAdmin is vulnerable and there are public exploits available.
Initial foothold
I quickly grabbed the exploit available from exploit database. Had weird issues running the code, due to spacing i belive (DOS-style CRLF line endings), so i converted the script using dostounix tool. The exploit is a very simple command injection vulnerability.
Running the exploit give us a shell as www-data
After some browsing around, I got the database settings file which contained a password.
Credential reuse
Now lets grab the users from the system, we might be able to use the found credentials with other users
$ cat /etc/passwd | awk -F : '{print $1}'
root
jimmy
mysql
joanna
After trying the password on jimmy’s account, I was able to login to the box as Jimmy, this is a classic case of password reuse!
And now we have a shell a jimmy user. I was excepting to get user.txt flag from here, but no we need to enumerate further more to get anywhere.
jimmy@openadmin:/var/www$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Nov 22 18:15 .
drwxr-xr-x 14 root root 4096 Nov 21 14:08 ..
drwxr-xr-x 6 www-data www-data 4096 Nov 22 15:59 html
drwxrwx--- 2 jimmy internal 4096 Nov 23 17:43 internal
lrwxrwxrwx 1 www-data www-data 12 Nov 21 16:07 ona -> /opt/ona/www
After further enumeration, found an interesting directory under /var/wwww which belongs to jimmy user.And a php file which reads joana’s RSA private keys.
We can see that if we executed main.php it will read joanna private key.Since port 80 is serving other files, their must be virtualhost configured for this.
From the configuration we know port is not accessible from outside , we need to run it within the local server, to grab joanna’s RSA Private keys.
Lets check other local listening ports
We can see a service running on port 52846, so i used curl to download the content of main.php
And here we got an encrypted RSA private key, to make this usefull we need to crack the key.
Cracking SSH Keys
Cracking RSA key with John
That was fast, the password for the key is bloodninjas. Now Let’s ssh into user joanna,before that remember to change permissions of the rsa key.
We have got the user.txt
Privillege Escalation
Standard enumeration was enough to find the way to root.
sudo -l command shows that user Joanna can run /bin/nano /opt/priv as the root user without entering a password.
Reading root.txt is pretty straight forward, this technique is already well document in GTFOBins
sudo /bin/nano /opt/priv. Then we type
OpenAdmin is rooted!