Hack the Box OpenAdmin Writeup – 10.10.10.171

Hello, welcome to our Hack the Box write-up series. Today we are doing OpenAdmin (10.10.10.171), an easy Linux box.

HackTheBox’s first machine of 2020 seems to be a New Year’s gift from HTB to let all their users gain some points and ranks. This machine is very simple and straightforward.

Let us start.

NMAP Port Scan

As usual, let us add the machine’s IP to /etc/hosts as openadmin.htb for easier access. The next step is to run the nmap scan.

The nmap scan result shows that SSH on port 22 and TCP port 80, which normally runs an HTTP service, are open. A quick visit to port 80 shows Apache2’s default welcome page.

The box has not disclosed anything interesting so far apart from a webpage and SSH. We might need to find directories for better enumeration. To see directories we need to run DirBuster, so let us set DirBuster’s medium wordlist and start the scan.

Let DirBuster run in the background while we start enumerating the subdirectories it showed in the initial results. I started to concentrate on two directories, ONA and Music. I opened http://openadmin.htb/ona, which took me to a webpage. This is the OpenNetAdmin control panel. OpenNetAdmin is an open-source IP Address Management (IPAM) system.

A warning on the homepage shows the version of the app is 18.1.1. A quick Google search for vulnerabilities in version 18.1.1 shows that this version is vulnerable to RCE (remote code execution). So, at this point, we understand that this box is exposed to a recently discovered exploit.

ExploitDB lists two exploits: a Metasploit module and a bash script.

I just downloaded the script to my OpenAdmin working directory and ran it. The script gave me a shell as www-data immediately.

Since www-data is a low-privileged user, we will not be able to perform any major tasks. So, we need to escalate privileges to the next user.

First, we need to find the users on the box. Let us use cat /etc/passwd to see if we can list the users.

So we found a number of users on this box, but I’m not sure which one I should start with to escalate privileges. Let us start to enumerate the box, searching for hints.

After a while, I found a PHP file called “database_settings.inc.php” inside the directory /opt/ona/www/local/config/. The file has MySQL database credentials.

So far, we are not sure which user these credentials could be used with, so I listed the current local users of the box and found jimmy and joanna.

Privilege Escalation

As SSH was running, I tried to SSH into the box as jimmy, and luckily it worked.

However, after a while, I realized this user doesn’t have a user flag, so let us proceed to enumerate more. The user’s www folder has a special folder called “internal” which contained:

The file “main.php” is our key to getting the private key of user Joanna and logging in as Joanna. To get the private key, we need to run a cURL command. When running cURL locally against 127.0.0.1 on port 80, we are blocked by a “404 Not Found” error. This made me realize that I needed to find the port number which would give me access to the private key.

To find open ports within the system, I ran the “netstat -tulpn” command. netstat listed a few open and listening ports:

I tried them one by one; the second port, 52846, returned the private key of user Joanna.

The SSH key is protected by a passphrase, so I copied the key to my Kali machine and used John to crack the password using rockyou.txt. John cracked the password as “bloodninjas”. I immediately SSHed into the box as Joanna and got the user.txt.

Getting Into the Root

There are two ways to get root access on this machine using the privileges of our user Joanna. The first one is very simple: opening nano as root and reading the root.txt file. The second one is getting a shell as root by adding yourself as a root user by editing the /etc/passwd file, and then switching to your own user name.

Procedure 1: getting the root flag from nano:

The sudo -l command revealed that the user Joanna is able to run /bin/nano /opt/priv as root without a password. When you see that a user can run nano as root, it is the simplest thing to exploit. Just 3 commands and the box is yours.

Run:

If sudo asks you to confirm that you really need to run the file as root, obviously say “yes”.

Now that you have nano running as root, press CTRL+R (Read File) and enter /root/root.txt

And CTRL+O (Write file) to read the root.txt.

HackTheBox OpenAdmin Root.txt
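
From the defender's side, the rule that makes Procedure 1 possible can be found by auditing sudoers entries for editors and pagers that are allowed to run as root. The following Python sketch is an added example, not part of the original writeup; the ESCAPABLE list and the sample rules are assumptions constructed for illustration.

```python
import os
import re

# Programs whose own UI can read/write arbitrary files or run commands, so a
# sudo rule for them amounts to root. Illustrative list, not exhaustive.
ESCAPABLE = {"nano", "vi", "vim", "less", "more", "man", "ed"}

RULE = re.compile(r"^(\S+)\s+\S+?\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGGED = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")

def audit_sudoers(text):
    """Return (line_no, who, command, nopasswd) for each risky rule."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in m[1]:
            continue
        who, runas, rest = m[1], m[2] or "root", m[3]
        run_users = {u.strip() for u in runas.split(":")[0].split(",")}
        if not run_users & {"ALL", "root"}:
            continue  # rule does not grant root
        nopasswd = False  # a tag stays in force for later commands in the list
        for item in rest.split(","):
            tags, cmd = TAGGED.match(item.strip()).groups()
            if "NOPASSWD:" in tags:
                nopasswd = True
            elif "PASSWD:" in tags:
                nopasswd = False
            words = cmd.split()
            binary = os.path.basename(words[0]) if words else ""
            if binary in ESCAPABLE or (cmd == "ALL" and nopasswd):
                findings.append((no, who, cmd, nopasswd))
    return findings

# Constructed sample in sudoers syntax (not copied from the box).
SAMPLE = "\n".join([
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "joanna ALL=(ALL) NOPASSWD: /bin/nano /opt/priv",
    "backup ALL=(root) /usr/bin/rsync, NOPASSWD: /usr/bin/less /var/log/syslog",
    "deploy ALL=(www-data) NOPASSWD: /usr/bin/vim",
    "joanna ALL=(ALL) NOPASSWD: ALL",
])

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

Each finding is a rule to replace with a purpose-built mechanism such as sudoedit or a fixed wrapper script.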

Procedure 2: Adding yourself as a root user

Press CTRL+O to read the file /etc/passwd

CTRL+O to read /etc/passwd file

Now nano displays the contents of the /etc/passwd file. Create a user in your name, assign a password and save using CTRL+O (Write file). Then exit nano and go back to the terminal.

Reading /etc/passwd file
Adding yourself as Root user
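
The account added in Procedure 2 leaves a trace that is easy to check for: a second UID 0 entry, usually with its password hash stored directly in /etc/passwd instead of /etc/shadow. The following Python check is an added example, not part of the original writeup; the account names and the hash placeholder in the sample are constructed.

```python
SHADOWED = {"x", "*", "!"}  # field 2 values that carry no usable hash

def audit_passwd(text):
    """Return (line_no, account, reason) for entries that warrant review."""
    findings = []
    first_owner = {}  # uid -> first account seen with that uid
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((no, fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[:3]
        if uid == "0" and name != "root":
            findings.append((no, name, "uid 0 on a non-root account"))
        elif uid in first_owner:
            findings.append((no, name, "uid shared with " + first_owner[uid]))
        first_owner.setdefault(uid, name)
        if pw == "":
            findings.append((no, name, "empty password field"))
        elif pw not in SHADOWED:
            findings.append((no, name, "password hash stored in passwd"))
    return findings

# Constructed sample in /etc/passwd format (not copied from the box).
SAMPLE = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    "jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash",
    "joanna:x:1001:1001:,,,:/home/joanna:/bin/bash",
    "newroot:$6$CONSTRUCTED$placeholderhash:0:0:root:/root:/bin/bash",
    "svc::1000:1002::/home/svc:/bin/sh",
])

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(finding)
```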

That’s it. Thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

Xletaletakal
5 months ago

When I connect to SSH it says the password is wrong! So how did you get the connection 😀

Xletaletakal
5 months ago

When I connect for the first time with user [jimmy] and password [n1nj4W4rri0R!] using my ssh on Kali [ssh jimmy@openadmin.htb] it says permission denied, so I don’t know why that happens after I type the password, even though I reset the machine more than once!!

ch3ckm473
5 months ago

Hello,

I just left you some respect on HTB. I appreciate you posting your methods. I try to find at least 2 or 3 write-ups to compare how I approached the problem compared to others. Interestingly enough, I always find something and learn something new. I just wanted to say thanks, and BTW you can use nano to run commands. You can do a Ctrl-R and then a Ctrl-X … this approach was helpful for me when taking down openadmin.

Cheers,

Ch3ckm473

Aric Wilisch
1 month ago

Was a good write up. I couldn’t get john to work but the rest was good. Only thing I did differently was instead of adding an account for me, I just modified /etc/sudoers to say
joanna (ALL) NOPASSWD: ALL.

No additional users to raise suspicion, might preserve my presence in the system for a bit longer.
