Open Admin — HTB Walkthrough

Subashri
6 min read · Nov 21, 2020

This is my first technical blog on my experience exploiting the retired box OpenAdmin in Hack The Box. Open Admin is a Linux machine with the IP address 10.10.10.171.

The first step is reconnaissance with an nmap scan, which shows the open ports that could be exploited, the services running on them, and their versions.

From the scan, it is clear that two ports are open: port 22 and port 80.

We know that port 80 is the HTTP port, and when we try opening it, we find the Apache2 Ubuntu page.

Since we did not find anything useful on the page, we try exploring the source code of the page.

We will then find the endpoints for exploration using gobuster.

Here upon running gobuster, we find some interesting directories like artwork, music, and so on.

Then we try exploring the directories. First is the artwork and upon exploration, we don’t find any data there.

Here, we find some blog pages and we try finding clues over here.

Then we navigate over to the services page to find if there are some users who may be available.

Then we check for the next directory “music” to find details.

Here we find the login page and try the default credentials. I tried using admin as both the username and the password to log in.

And we were successful in logging in as guest. Then we find tabs that give details on the DNS domains. Upon checking, we find the DNS domain name is openadmin.htb.

Then we check the version of OpenNetAdmin from the ONA menu. The version is v18.1.1.

Now we are done with reconnaissance, and it is time to exploit this particular version. We do this by downloading the exploit code and first checking whether the URL is vulnerable, which makes the exploitation easier.

After the check, we find that the remote host is vulnerable, and hence we proceed to exploit it.

The Python exploit script connects successfully. Using the command, we exploit this URL, and yes, commands are executing successfully.

We are now connected to the remote host and our current user is www-data. Now, using a Netcat listener, we will take a reverse shell from the host to further enumerate this Linux box.

Now we will enumerate the machine from the current working directory and we would probably start from the local directory.

Here we find an interesting PHP file; upon opening it, we find the database username and password.

So here we got some credentials for the database.

Now let’s check the users present in the home directory of this machine. Here we see that there are two users present on the machine: “Jimmy” and “Joanna”.

During recon, the Nmap port scan showed us that SSH port 22 is open.

Now we connect over SSH as the user Jimmy with the password we found in the database_settings.inc.php file.

We are now connected as the user Jimmy. For further enumeration, we first go to the “var” directory; it’s always good to enumerate the var directory. While enumerating, we find a directory called /var/www/internal.

Upon navigating into the directory, we find that it contains the main.php file, which we explore.

This PHP code tells us to find the ssh key for the other user Joanna.

Here ports 52846 and 3306 are open and in the listening state. Using the curl command, we check which of these localhost ports main.php is being served on.

Here we successfully retrieve the SSH key using port 52846. Now save this key on your system.

We got Joanna’s SSH private key. Using this private key, we will switch from the user jimmy to Joanna. First, we need to convert the private key into a hash using ssh2john.py, and then we can crack the hash using the John the Ripper tool.

The passphrase for Joanna is now obtained, and hence we try accessing the other user Joanna using the passphrase that we have just found.

Now we have successfully gained access to the other user Joanna.

Upon looking through the files, we find user.txt.

Hurray!!… We have found the hash for the user!!!

Now we do privilege escalation to gain access to the root.

Here we see that we can run /bin/nano as root without a password.

Let’s do a quick Google search on nano privilege escalation. We can take the shell technique from GTFOBins: we can open the /opt/priv file using nano to escalate the user to root.

We can escape from within nano to a root shell, so let’s run the same command as mentioned in the script itself.

After the above execution, we are finally escalated to the root and upon directory navigation, we finally find the hash for the machine!!

Machine Compromised!!
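
The sudo rule that made the last step possible is something a configuration review can catch. The following is an added example, not part of the original walkthrough: a small Python audit that reads sudoers text and flags rules granting an interactive program such as nano. The `audit_sudoers` function, the `ESCAPABLE` list and the sample rules are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Programs that can spawn a shell or run commands from inside their own UI,
# so pinning their arguments in sudoers does not contain them.
# Short illustrative list (assumption); extend it from GTFOBins.
ESCAPABLE = {"nano", "vi", "vim", "less", "more", "man", "ed", "emacs"}

# user  host = (runas) command-list   (simplified: one runas spec per line)
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

def audit_sudoers(text):
    """Return (line, user, runas, command, nopasswd) for each risky rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        first = line.split(None, 1)[0] if line else ""
        if not line or first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, _host, runas, rest = m.groups()
        nopasswd = False
        for cmd in rest.split(","):
            cmd = cmd.strip()
            # Tags such as NOPASSWD: carry over to later commands on the line
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            if cmd and PurePosixPath(cmd.split()[0]).name in ESCAPABLE:
                findings.append((lineno, user, runas or "root", cmd, nopasswd))
    return findings

# Constructed sample; the joanna rule mirrors the one the walkthrough describes.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) /sbin/reboot, NOPASSWD: /usr/bin/less /var/log/syslog
deploy  ALL=(root) /usr/bin/vim /etc/motd
"""

if __name__ == "__main__":
    for lineno, user, runas, cmd, nopasswd in audit_sudoers(SAMPLE):
        auth = "no password" if nopasswd else "password required"
        print(f"line {lineno}: {user} as {runas} -> {cmd} ({auth})")
```

Restricting the file argument, as the nano rule does, does not contain the editor because it can run commands itself. Granting `sudoedit` on that one file, or removing the rule, closes the path.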
