
HackTheBox - OpenAdmin write-up


recently, hackthebox started an event called "take it easy", where it made a bunch of retired easy machines accessible to everyone, so here's my write-up for the first box I rooted in the event

Reconnaissance

I first added the machine to my hosts file as openadmin.htb, then ran a regular nmap scan to find the open ports

$ sudo nmap openadmin.htb -v -oN ports
# Nmap 7.91 scan initiated Fri Jul  9 02:07:40 2021 as: nmap -v -oN ports openadmin.htb
Increasing send delay for 10.10.10.171 from 0 to 5 due to 42 out of 140 dropped probes since last increase.
Increasing send delay for 10.10.10.171 from 5 to 10 due to 213 out of 709 dropped probes since last increase.
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.099s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Jul  9 02:08:00 2021 -- 1 IP address (1 host up) scanned in 20.27 seconds

then a detailed scan (default scripts and version detection) against the two discovered services

$ nmap -v -sC -sV -p 80,22 -oN detailed_scan openadmin.htb
# Nmap 7.91 scan initiated Fri Jul  9 02:11:41 2021 as: nmap -v -sC -sV -p 80,22 -oN detailed_scan openadmin.htb
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.100s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  9 02:11:54 2021 -- 1 IP address (1 host up) scanned in 13.16 seconds

http enumeration

default apache page

the box was serving the default apache index with no robots.txt whatsoever, so I ran some directory and file brute-forcing to find hidden content and ended up with the following results

[18:31:22] 301 -  314B  - /music  ->  http://openadmin.htb/music/

[18:44:12] 200 -    4KB - /ona/login.php
[18:44:13] 200 -  127B  - /ona/logout.php
[18:44:15] 200 -   24KB - /ona/index.php
[18:45:57] 200 -    2B  - /ona/shell.php

[18:31:28] 301 -  316B  - /artwork  ->  http://openadmin.htb/artwork/
[18:53:42] 200 -    9KB - /artwork/contact.html
[18:53:46] 200 -   11KB - /artwork/about.html
[18:53:48] 200 -  931B  - /artwork/main.html
[18:53:49] 200 -   11KB - /artwork/blog.html
[18:53:52] 200 -   11KB - /artwork/services.html
[18:53:53] 200 -  410B  - /artwork/readme.txt

[19:00:10] 301 -  315B  - /sierra  ->  http://openadmin.htb/sierra/
[19:05:49] 200 -   42KB - /sierra/index.html
[19:05:51] 200 -   15KB - /sierra/contact.html
[19:06:07] 200 -   20KB - /sierra/blog.html
[19:06:08] 200 -   20KB - /sierra/about-us.html
[19:06:26] 200 -   22KB - /sierra/service.html
[19:06:31] 200 -   13KB - /sierra/portfolio.html
[19:07:46] 200 -    0B  - /sierra/contact_process.php

when you browse to /music/login.php you get redirected to /ona, which shows the following page

ona.png

this page discloses a bunch of info: first the domain openadmin.htb, which we had already guessed; a mysql service running on localhost with the user ona_sys; the fact that we're running version v18.1.1, which is not the latest version; and a download link which revealed that the website is running an IP address management system called OpenNetAdmin

the IP address management system

luckily for us, this version had a vulnerability that leads to remote code execution

OpenNetAdmin remote code execution

now I just used the exploit from this repo to get a reverse shell

getting a reverse shell

www-data

after getting onto the box I found some creds in /opt/ona/www/local/config/database_settings.inc.php

database password

I also found two users on the box, and the database password turned out to be reused as jimmy's

other users

jimmy

I logged in through ssh to get a nicer shell, then found an internal http server listening on port 52846, served from /var/www/internal/

internal http server

basically index.php checks that the username is jimmy and that the sha512 hash of the submitted password equals the hash shown in the picture, which is the sha512 of the word "Revealed"

internal apache index.php

if this checks out, it redirects the user to main.php, which shows joanna's private ssh key

internal apache main.php
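To make the two weaknesses in that internal site concrete, here is an added example (my own model, not the box's PHP): the login check as the write-up describes it (static user, unsalted sha512 against a hardcoded hash) and a main page that never checks whether the caller logged in, next to a hardened variant with a per-user salt, a slow KDF, a constant-time comparison, and a session gate on main.php. The hash value, credential store and return strings are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the hardcoded hash in the internal index.php:
# the write-up says it is the unsalted sha512 of the word "Revealed".
WEAK_HASH = hashlib.sha512(b"Revealed").hexdigest()


def weak_index(username: str, password: str) -> str:
    """Models the internal index.php: one static user, unsalted sha512 compare."""
    if username == "jimmy" and hashlib.sha512(password.encode()).hexdigest() == WEAK_HASH:
        return "redirect:/main.php"
    return "login page"


def weak_main(session: dict) -> str:
    """Models main.php as described: it never checks whether the caller logged in."""
    return "PRIVATE KEY"  # served to anyone who requests the page directly


# Hardened variant (added here, not from the box): salted PBKDF2 records,
# constant-time comparison, and main.php gated on an authenticated session.
def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest}


USERS = {"jimmy": make_record("Revealed")}  # constructed example credential store


def hardened_index(username: str, password: str, session: dict) -> str:
    rec = USERS.get(username)
    if rec is None:
        return "login page"
    cand = hashlib.pbkdf2_hmac("sha512", password.encode(), rec["salt"], 200_000)
    if hmac.compare_digest(cand, rec["digest"]):
        session["user"] = username  # only a successful login creates the session
        return "redirect:/main.php"
    return "login page"


def hardened_main(session: dict) -> str:
    if session.get("user") is None:
        return "redirect:/index.php"  # no session: deny, never serve the key
    return "PRIVATE KEY"
```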

I just called main.php directly with curl and got the key

joanna ssh private key

I cracked the key's passphrase with john and rockyou.txt, and logged in

cracking joanna's ssh key

joanna

once I was in, I found that I could edit a file with sudo privileges

sudo -l

I always keep a custom /etc/passwd entry, generated with mkpasswd -m sha-512 PASSWORD -s SALT, for situations like this; all I have to do is put it in there

I just pressed CTRL-L to load the content of /etc/passwd, added my entry as the user jeff and gave it a uid of 0, so that I have the same privileges as the root user; the file looked like this in the end

making a custom /etc/passwd entry

then I just overwrote /etc/passwd with the new content and logged in as jeff :)

logging in as jeff
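From the defender's side, the entry above is exactly what a passwd audit should catch: an extra uid-0 account, and a password hash stored inline in /etc/passwd instead of "x" pointing to /etc/shadow. Here is an added example (my own script, not from the box) that parses passwd-format text and reports both conditions plus malformed lines; the sample content and the "jeff" hash are constructed.

```python
import re

# Constructed sample /etc/passwd: normal users plus the kind of entry the
# write-up adds (extra uid-0 user with an inline sha-512 hash instead of "x").
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:joanna:/home/joanna:/bin/bash
jeff:$6$EXAMPLESALT$EXAMPLEHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:0:0:jeff:/root:/bin/bash
"""

# crypt(3) prefixes: md5, bcrypt variants, sha-256, sha-512, yescrypt
CRYPT_HASH = re.compile(r"^\$(1|2[aby]?|5|6|y)\$")


def audit_passwd(text: str) -> list:
    """Return (line number, account, finding) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid, gid = fields[0], fields[1], fields[2], fields[3]
        if not uid.isdigit() or not gid.isdigit():
            findings.append((lineno, name, "non-numeric uid/gid"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((lineno, name, "uid 0 account other than root"))
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw not in ("x", "*", "!") and CRYPT_HASH.match(pw):
            findings.append((lineno, name, "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


if __name__ == "__main__":
    # Run against the live file when executed directly; the sample is for the tests.
    with open("/etc/passwd", encoding="utf-8") as fh:
        for lineno, name, what in audit_passwd(fh.read()):
            print(f"line {lineno}: {name}: {what}")
```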

This post is licensed under CC BY 4.0 by the author.