HTB - OpenAdmin without MetaSploit
The importance to also patch your “applications”, and not just your services.
Again, this is an HTB box, so recon is mostly active, and in practice active recon == enumeration.
Still, we can check :
- Name of the box : OpenAdmin ;
- OS type : Linux ;
- Hints given on HTB website, information section :
As always, we start with an nmap scan :
We find 2 services : SSH and Apache, both on standard ports. I like to run
searchsploit on every service + version I find, to see if there is any serious known vulnerability. In general, SSH isn't something I'll try to attack right away. It is more of a "last chance" path, via brute force.
In our case, the web server runs Apache, but the version doesn't seem vulnerable. So, let's fire
And dirbuster like so :
Dirbuster finds an interesting directory, "ona". Browsing to it, we discover it is running OpenNetAdmin version 18.1.1, which is outdated and probably vulnerable…
Indeed, after a quick search, we find that it is vulnerable to Remote Code Execution (RCE), one of the most dangerous vulnerability classes we could hope for. Awesome!
Getting initial shell
The vuln in question can be found here : https://www.exploit-db.com/exploits/47691 ; it is a simple script that gives you shell access on the remote machine.
Unfortunately, this shell only runs as www-data, the default Apache user, whose login shell is /sbin/nologin. Still, we can look around. I usually check which files I have access to :
Let's check who has access to sudo :
I also like to check which users exist on the system and whether I can access any files inside their home folders :
And of course in our case, explore the web root folders.
Doing so, we discover two users : jimmy and an interesting set of credentials inside
It turns out the password in this file is actually jimmy's SSH password. We now have a real bash shell, in a real terminal, with bash completion, hurray!
Once again, we run the usual checks : which files we own, and our sudo rights :
So, no sudo rights for us; however, we discover a second website that only listens on localhost. This website is very important : we can see that, once logged in as Jimmy, it will hand us Joanna's SSH private key.
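The same checklist is run twice on this box, first as www-data and then as jimmy. Here it is as a small script, an added example that is not part of the original write-up: the passwd parsing, the readable-home check and the owned-files search take paths as parameters so they can be tried against a copy of /etc/passwd, and the passwd excerpt at the bottom is constructed for the demo, not copied from the machine.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: a small enumeration helper for
# the checks the text runs after each new shell (files we own, sudo rights,
# real users, readable home directories). File and directory paths are
# parameters so the parsers can be run against a copy of /etc/passwd.

# Users whose login shell ends in "sh" (bash, sh, zsh, dash ...), i.e. accounts
# that can actually log in; nologin/false accounts are skipped.
# $1: passwd-format file (default /etc/passwd).
login_users() {
    local passwd="${1:-/etc/passwd}"
    awk -F: '$7 ~ /sh$/ { print $1 }' "$passwd"
}

# Home directories of login users that we can enter and read, as "user:home".
readable_homes() {
    local passwd="${1:-/etc/passwd}"
    awk -F: '$7 ~ /sh$/ { print $1 ":" $6 }' "$passwd" |
    while IFS=: read -r user home; do
        if [ -r "$home" ] && [ -x "$home" ]; then
            printf '%s:%s\n' "$user" "$home"
        fi
    done
    return 0
}

# Files owned by the current user below a directory (default /), skipping
# /proc and /sys. "Permission denied" noise is discarded.
owned_files() {
    local root="${1:-/}"
    find "$root" \( -path /proc -o -path /sys \) -prune -o -user "$(id -un)" -print 2>/dev/null
    return 0
}

# Sudo rules that apply without a password; sudo -n never prompts.
sudo_rights() {
    if ! command -v sudo >/dev/null 2>&1; then
        echo "sudo not installed"
    elif ! sudo -n -l 2>/dev/null; then
        echo "no passwordless sudo"
    fi
}

# Constructed /etc/passwd excerpt (not copied from the box) to demo the parsers.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:joanna:/home/joanna:/bin/bash
EOF

echo "login users:";    login_users "$SAMPLE_PASSWD"
echo "readable homes:"; readable_homes "$SAMPLE_PASSWD"
```

On a real box, source the file and call `login_users`, `readable_homes`, `sudo_rights` and `owned_files /var/www` without arguments; the web root is a good place to start the owned-files search because that is where config files with credentials tend to live.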
I decided to create an SSH tunnel :
And to modify the login page in order to get rid of authentication :
We can now browse to 127.0.0.1:52846 and log in with
And bingo! We got Joanna’s key with an extra tip :
Don’t forget your “ninja” password
Of course, Joanna's key is encrypted… We save it as id_joanna and extract a crackable hash from it :
Now that we have the hash, time to crack it :
We finally have joanna's SSH key passphrase, and can now connect to the server as her!
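Two checks worth doing around the cracking step, as an added example that is not part of the original write-up: confirm the stolen key really is passphrase-protected (and with which cipher) before feeding it to a cracker, and verify the recovered passphrase offline with ssh-keygen rather than by trying it against the target. The sample key at the bottom is a constructed placeholder, not Joanna's key, and the cracking itself (typically ssh2john + john, which the write-up does not name) is not reproduced.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: before spending time cracking
# a stolen SSH key, check that it really is passphrase-protected and which
# cipher it uses, and afterwards verify a candidate passphrase offline with
# ssh-keygen instead of against the target.

# Print the cipher protecting a private key: the DEK-Info cipher of a classic
# PEM key, the cipher name embedded in a new-format OpenSSH key ("none" when
# the key is unencrypted), or nothing for an unrecognised file.
key_cipher() {  # $1: key file
    local key="$1"
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$key"
    elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$key"; then
        # the armored body decodes to "openssh-key-v1\0" + uint32 length + ciphername;
        # split on non-printable bytes and take the second token
        sed '/^-----/d' "$key" | base64 -d 2>/dev/null | head -c 64 |
            tr -c '[:print:]' '\n' | awk 'NF { if (++n == 2) { print; exit } }'
    fi
    return 0
}

# Exit 0 when the key is passphrase-protected.
key_is_encrypted() {  # $1: key file
    local cipher
    cipher=$(key_cipher "$1")
    [ -n "$cipher" ] && [ "$cipher" != "none" ]
}

# Exit 0 when the passphrase decrypts the key: ssh-keygen -y only prints the
# public key if it could read the private one. Needs ssh-keygen on the PATH.
check_passphrase() {  # $1: key file, $2: candidate passphrase
    chmod 600 "$1"    # ssh refuses group/world-readable keys
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1
}

# Constructed sample, not Joanna's key: a classic PEM header with the
# encrypted-body markers; the body itself is a placeholder.
SAMPLE_KEY=$(mktemp)
cat > "$SAMPLE_KEY" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
EOF

if key_is_encrypted "$SAMPLE_KEY"; then
    echo "encrypted with $(key_cipher "$SAMPLE_KEY"): worth cracking"
else
    echo "not encrypted: use it directly"
fi
```

Once the cracker reports a candidate, `check_passphrase id_joanna 'candidate'` tells you whether it is right without generating a single failed login on the target; the chmod is also the fix for the "UNPROTECTED PRIVATE KEY FILE" refusal you would otherwise hit when connecting.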
As usual, we do all our basic checks. Doing so, we notice :
- We have access to the user.txt flag ;
- We can run sudo /bin/nano /opt/priv without a password.
Reading the root flag, which is always located in /root/root.txt, is then a simple matter of running nano as root (with sudo), entering command mode (Ctrl+R, then Ctrl+X in nano) and running cat on the flag file.
We now got
As we have just seen, one can obtain root access to a machine via a "third party" application while the rest of the system is up to date. So, make sure to keep everything updated! Note that patching alone would only have removed the foothold here: the rest of the chain relied on a password reused from a config file and on a sudo rule that lets nano run as root, which need fixing on their own.