HackTheBox Writeup — OpenAdmin

Hack the Box is an online platform where you can practice your penetration testing skills. This is my write-up for the HackTheBox machine ‘OpenAdmin’, which runs a Linux OS and is one of the ‘Easy’ rated machines.

1. OpenAdmin Info Card.

1. Summary

Exploiting a remote command injection vulnerability in OpenNetAdmin 18.1.1 gives us an initial foothold on the box as www-data and lets us read ONA’s database configuration file, which contains Jimmy’s password and we get a shell as Jimmy via SSH. We then reverse engineer some PHP code and interact with an internal web service using curl to output Joanna’s RSA private key. After cracking the associated SSH key passphrase we login as Joanna and grab the user flag. Finally, we exploit Joanna’s sudo privileges on the Nano text editor to get a root shell.

2. Enumeration and Initial Foothold (www-data)

I began my enumeration by running a standard Nmap port scan enabling safe scripts (-sC) and service detection (-sV). The Nmap scan results shows two ports open, SSH on port 22 and HTTP on port 80.

2. Nmap Port Scan Results.

Inspecting port 80 lead me to the default Apache web page, so I ran Dirbuster to see if there were any hidden directories or files. A couple of directories were identified but the most interesting was a file named ‘ona’.

3. Dirbuster Scan.

Visiting this in the browser presents the web application OpenNetAdmin (ONA), which is a web application to aid in Network and IP address management.

4. ONA Web Application.

I then searched ExploitDB for any publicly available exploits against ONA 18.1.1, to which I found a very recent shell script that would allow me to obtain remote code execution (command injection) on the box as www-data.

5. Initial Foothold Shell (www-data).

3. User Shell — Jimmy

After attempting some commands and trying to upgrade to a fully interactive shell, I realised that I was only permitted to run very basic functions, I was not even able to change directory. Through the use of only ‘ls’ and ‘cat’ I was able to identify a settings file for the ONA database, which I then outputted the contents of and found a database password.

6. Utilising ‘ls’ to identify files in a restricted shell.

7. Identifying a password in database_settings.inc.php

After playing around with SQL and getting nowhere, I assumed that this password may have been reused by another user, so I identified other users on the box by outputting the /etc/passwd file and found three users: Root, Jimmy and Joanna. I tried logging into Jimmy’s account via SSH using the password above and gained access.

8. User Shell (Jimmy)

However, there was no user.txt file for Jimmy, meaning I had to escalate further to Joanna.

4 User Shell — Joanna

Carrying out further enumeration led me to the /var/www/internal directory which contained three PHP files: index.php, main.php and logout.php. This indicated to me that there might be an internal web application running, which was confirmed by running apache2ctl -S or ss -lntp.

9. Finding an Internal Web Application Running.

Looking at main.php, we see that if we are able to create a valid session as with the index.php file and then make a request for main.php, Joanna’s private RSA key will be outputted to the terminal.

10. Privilege Escalation Vector to Joanna — Main.php

Inspecting the index.php file, we can see that it performs a login check based on Jimmy’s credentials and if successful, creates a valid session for jimmy to be able to access the main.php file. This login check compares the provided password with its associated password hash, part of which is shown below. Once cracking this hash we find that password is: Revealed.

11. Internal Web App Login Function and Jimmy’s Password Hash — Index.php

Now we have the credentials to create a session, we can either use ‘curl’ to interact with the web app from our current shell or use SSH port forwarding. I stuck with curl and firstly logged in as jimmy via the /internal/index.php file, after which I called main.php directly to retrieve Joanna’s RSA private key.

12. Logging in as Jimmy.

13. Retrieving Joanna’s RSA private key.

Copying this key back to our local Kali machine, I converted it to a format JohnTheRipper could understand using ssh2john and used the rockyou.txt wordlist to crack the RSA private key’s passphrase, which turned out to be: bloodninjas.

14. Converting and Cracking Joanna’s RSA private key passphrase.

Now we can log in as Joanna via SSH using her RSA private key and grab user.txt

15. User Shell as Joanna.

16. User.txt

5. Root.

Upon logging in as Joanna, I ran a Linux enumeration script and noticed that Joanna has sudo privileges on ‘Nano’ when operating on the ‘/opt/priv’ file.

17. Joanna’s Sudo Privileges.

Being able to run any text editor with sudo privileges presents a risk as many of these can be abused to elevate privileges through command execution. I proceeded to GTFOBins and found that whilst within nano, if the following commands are run with sudo privileges we can escape Nano and escalate to a root shell.

sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0

The above is then replicated on the /opt/priv file as Joanna and we get a shell as root.

18. Sudo Nano Exploit.

Finally, we spawn a fully interactive TTY shell using python3 and grab root.txt

19. Root Shell and Root.txt

Conclusion

This was the second box I managed to root on HackTheBox and I personally think its a brilliant box for anybody just getting started on the platform. It places a good emphasis on enumeration both remotely and locally, it requires you to understand and exploit some basic PHP code and covers the exploitation of unnecessary sudo privileges, all of which will be really useful going forward on the platform.

• HackTheBox Profile: https://www.hackthebox.eu/profile/232696

Keep an eye out for my future write-ups!