Hackthebox : openadmin writeup

CTF Hackthebox Writeups
1

recently, hackthebox started an event called take it easy, where it made a bunch of retired easy machine accessible to everyone, so here’s my write up for the first box I’ve rooted in the event

Reconnaissance

I first added the machine in my hosts file as openadmin.htb then ran a regular nmap scan to get the open ports

$ sudo nmap openadmin.htb -v -oN ports
# Nmap 7.91 scan initiated Fri Jul  9 02:07:40 2021 as: nmap -v -oN ports openadmin.htb
Increasing send delay for 10.10.10.171 from 0 to 5 due to 42 out of 140 dropped probes since last increase.
Increasing send delay for 10.10.10.171 from 5 to 10 due to 213 out of 709 dropped probes since last increase.
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.099s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Jul  9 02:08:00 2021 -- 1 IP address (1 host up) scanned in 20.27 seconds

then a detailed scan against the 2 found services

$ nmap -v -sC -sV -p 80,22 -oN detailed_scan openadmin.htb
# Nmap 7.91 scan initiated Fri Jul  9 02:11:41 2021 as: nmap -v -sC -sV -p 80,22 -oN detailed_scan openadmin.htb
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.100s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  9 02:11:54 2021 -- 1 IP address (1 host up) scanned in 13.16 seconds

http enumeration

default appache page
default appache page1280×668 95.4 KB

the box was serving a default apache index with no robots.txt whatsoever, so I’ve run some bruteforces to find hidden files/directories and I end up with the following results

[18:31:22] 301 -  314B  - /music  ->  http://openadmin.htb/music/

[18:44:12] 200 -    4KB - /ona/login.php
[18:44:13] 200 -  127B  - /ona/logout.php
[18:44:15] 200 -   24KB - /ona/index.php
[18:45:57] 200 -    2B  - /ona/shell.php

[18:31:28] 301 -  316B  - /artwork  ->  http://openadmin.htb/artwork/
[18:53:42] 200 -    9KB - /artwork/contact.html
[18:53:46] 200 -   11KB - /artwork/about.html
[18:53:48] 200 -  931B  - /artwork/main.html
[18:53:49] 200 -   11KB - /artwork/blog.html
[18:53:52] 200 -   11KB - /artwork/services.html
[18:53:53] 200 -  410B  - /artwork/readme.txt

[19:00:10] 301 -  315B  - /sierra  ->  http://openadmin.htb/sierra/
[19:05:49] 200 -   42KB - /sierra/index.html
[19:05:51] 200 -   15KB - /sierra/contact.html
[19:06:07] 200 -   20KB - /sierra/blog.html
[19:06:08] 200 -   20KB - /sierra/about-us.html
[19:06:26] 200 -   22KB - /sierra/service.html
[19:06:31] 200 -   13KB - /sierra/portfolio.html
[19:07:46] 200 -    0B  - /sierra/contact_process.php

when you browse to /music/login.php you get directed to /ona which had the following page

insert ona.png
insert ona.png1280×665 134 KB

this page disclose a bunch of info, first the domain openadmin.htb which we’ve already guessed, a mysql service running on localhost with the user ona_sys, and that we’re running on version v18.1.1 which is not the latest version, and a download link which revealed that the website us running an IP address management system called OpenNetAdmin

the IP address management system
the IP address management system1280×661 108 KB

luckily for us this version had a vulnerability that led to remote code excution

openNetAdmin remote code excution
openNetAdmin remote code excution1280×663 82.3 KB

now I just used the exploit in this repo to get a reverse shell

getting a reverse shell
getting a reverse shell1275×715 66.6 KB

www-data

after getting in on the box I found some creds in /opt/ona/www/local/config/database_settings.inc.php

database password
database password988×554 15.3 KB

I’ve also found 2 users on the box, and the database password turned out to be re-used as jimmy’s

other users
other users1257×171 10.3 KB

jimmy

I’ve logged in trough ssh to get a nicer shell, then found an internal http server running on port 52846, hosted on /var/www/internal/

internal http server
internal http server1262×328 33.3 KB

basically index.php checks if the password is jimmy the the sha512 hash is equal to the hash shown in the picture, which is sha512 for the word “Revealed”

internal appache index.php
internal appache index.php1256×171 26.5 KB

if this checks out it redirects the user to main.php which shows joanna’s private ssh key

internal appache main.php
internal appache main.php1054×229 28 KB

I just called main.php directly with curl and got the key

joanna ssh private key
joanna ssh private key1259×653 121 KB

I cracked the ssh key with john and rockyou.txt, and logged in

cracking joanna ssh keys
cracking joanna ssh keys1248×372 53 KB

joanna

once I’m was in, I found that I can edit a file with sudo privileges

sudo -l
sudo -l1258×218 19.7 KB

I always have a custom /etc/passwd entry generated with mkpasswd -m sha-512 PASSWORD -s SALT for situations like this, all I have to do is to put it in there

I just pressed CTRL-L to load the content of /etc/passwd, put my entry as the user jeff and gave it a uid of 0, so I can have the same privileges as the root user, the file the file looked like this in the end

making a custom /etc/passwd entry
making a custom /etc/passwd entry1260×710 33.1 KB

then I just overwrote /etc/passwd with the new cotent and logged in as jeff :slight_smile:

logging in as jeff
logging in as jeff1258×135 6.39 KB

10 Likes
2

You should make a web server and post this on it as well to start building up a resume, then link it here. That’s what I’m currently doing.

5 Likes
3

Back at it again! Nice one :smiley: I’ve been also doing HTB lately as much as I used to, 2 years ago. Forgot how awesome and useful it is.

3 Likes
4

Nice writeup!

I have a question on the using the SSH key as Joanna. Was cracking the password necessary or could you have just logged in directly? Was the key password protected?

Looking forward to seeing more ^^

1 Like
5

image
image663×655 110 KB

It’s pretty self-explanatory (creating a word-list with the word ninja in it then cracking it)

3 Likes
6

I didn’t know this, thanks @c0z !

1 Like
7

I tried logging in directly at first but it kept asking the ssh key password

1 Like
8

Cool! Never knew the intricacy with that Proc-Type value.

Thanks.

9

i have just started, when do you think i should begin hack the box, i have so far been learning bash scripting :slight_smile:

10

Start now with tryhackme, they have a pre-security and a beginner path that should give you all the basics you need, you’ll figure it out from there, then move to hackthebox when you’re confident enough

11

thanks ! also when do you think it is a good time to learn python after bash, before hack the box or concurrently

12

you should learn it as soon as you can, it’ll help you in many fields, not just with hackthebox

1 Like
13

Nice write-up @jeff :heart:

1 Like
14

Thanks for the write-up @jeff :heart:

1 Like
15

This topic was automatically closed after 121 days. New replies are no longer allowed.