Hackthebox : openadmin writeup

Recently, hackthebox started an event called Take It Easy, where it made a bunch of retired easy machines accessible to everyone, so here's my write-up for the first box I've rooted in the event.

Reconnaissance

I first added the machine to my hosts file as openadmin.htb, then ran a regular nmap scan to get the open ports.

$ sudo nmap openadmin.htb -v -oN ports
# Nmap 7.91 scan initiated Fri Jul  9 02:07:40 2021 as: nmap -v -oN ports openadmin.htb
Increasing send delay for 10.10.10.171 from 0 to 5 due to 42 out of 140 dropped probes since last increase.
Increasing send delay for 10.10.10.171 from 5 to 10 due to 213 out of 709 dropped probes since last increase.
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.099s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Jul  9 02:08:00 2021 -- 1 IP address (1 host up) scanned in 20.27 seconds

Then a detailed scan against the 2 services found.

$ nmap -v -sC -sV -p 80,22 -oN detailed_scan openadmin.htb
# Nmap 7.91 scan initiated Fri Jul  9 02:11:41 2021 as: nmap -v -sC -sV -p 80,22 -oN detailed_scan openadmin.htb
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.100s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul  9 02:11:54 2021 -- 1 IP address (1 host up) scanned in 13.16 seconds

http enumeration

The box was serving a default Apache index with no robots.txt whatsoever, so I ran some brute-forces to find hidden files/directories and ended up with the following results:

[18:31:22] 301 -  314B  - /music  ->  http://openadmin.htb/music/

[18:44:12] 200 -    4KB - /ona/login.php
[18:44:13] 200 -  127B  - /ona/logout.php
[18:44:15] 200 -   24KB - /ona/index.php
[18:45:57] 200 -    2B  - /ona/shell.php

[18:31:28] 301 -  316B  - /artwork  ->  http://openadmin.htb/artwork/
[18:53:42] 200 -    9KB - /artwork/contact.html
[18:53:46] 200 -   11KB - /artwork/about.html
[18:53:48] 200 -  931B  - /artwork/main.html
[18:53:49] 200 -   11KB - /artwork/blog.html
[18:53:52] 200 -   11KB - /artwork/services.html
[18:53:53] 200 -  410B  - /artwork/readme.txt

[19:00:10] 301 -  315B  - /sierra  ->  http://openadmin.htb/sierra/
[19:05:49] 200 -   42KB - /sierra/index.html
[19:05:51] 200 -   15KB - /sierra/contact.html
[19:06:07] 200 -   20KB - /sierra/blog.html
[19:06:08] 200 -   20KB - /sierra/about-us.html
[19:06:26] 200 -   22KB - /sierra/service.html
[19:06:31] 200 -   13KB - /sierra/portfolio.html
[19:07:46] 200 -    0B  - /sierra/contact_process.php

When you browse to /music/login.php you get redirected to /ona, which had the following page:

This page discloses a bunch of info: first the domain openadmin.htb, which we've already guessed; a MySQL service running on localhost with the user ona_sys; that we're running version v18.1.1, which is not the latest version; and a download link which revealed that the website is running an IP address management system called OpenNetAdmin.

Luckily for us this version had a vulnerability that led to remote code execution.

Now I just used the exploit in this repo to get a reverse shell.

www-data

After getting in on the box I found some creds in /opt/ona/www/local/config/database_settings.inc.php

I also found 2 users on the box, and the database password turned out to be reused as jimmy's.

jimmy

I logged in through ssh to get a nicer shell, then found an internal http server running on port 52846, hosted on /var/www/internal/

Basically index.php checks if the password is jimmy and the sha512 hash is equal to the hash shown in the picture, which is the sha512 hash of the word "Revealed".

If this checks out it redirects the user to main.php, which shows joanna's private ssh key.

I just called main.php directly with curl and got the key.

I cracked the ssh key with john and rockyou.txt, and logged in.

joanna

Once I was in, I found that I can edit a file with sudo privileges.

I always have a custom /etc/passwd entry generated with mkpasswd -m sha-512 PASSWORD -s SALT for situations like this; all I have to do is put it in there.

I just pressed CTRL-L to load the content of /etc/passwd, put my entry as the user jeff and gave it a uid of 0, so I can have the same privileges as the root user. The file looked like this in the end:

Then I just overwrote /etc/passwd with the new content and logged in as jeff :slight_smile:

8 Likes
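The internal app's weakness is that main.php trusts the redirect from index.php and never checks the session itself, so fetching it directly skips the login entirely. Below is an added Python model of that flow (not code from the post or from the box) showing the vulnerable handler next to a hardened one; it assumes the login form carries a username that must be jimmy, and the secret body is a constructed placeholder rather than a real key.

```python
import hashlib
import hmac

# The post states the hard-coded hash in index.php is the SHA-512 of "Revealed",
# so the same value is derived here instead of pasting the hex from the box.
EXPECTED_HASH = hashlib.sha512(b"Revealed").hexdigest()

# Constructed placeholder for what main.php hands out; not the real key.
SECRET_PAGE_BODY = "-----BEGIN PLACEHOLDER PRIVATE KEY-----"


def login(session, username, password):
    """Mirror of the index.php check: username jimmy (assumed) and the
    SHA-512 of the submitted password must equal the hard-coded hash."""
    digest = hashlib.sha512(password.encode()).hexdigest()
    # compare_digest avoids the timing leak of a plain == on the hex strings
    if username == "jimmy" and hmac.compare_digest(digest, EXPECTED_HASH):
        session["authenticated"] = True
        return "302 -> /main.php"
    return "403"


def main_page_vulnerable(session):
    """main.php as the post describes it: it assumes only the redirect from
    index.php reaches it and never consults the session, so any request
    gets the secret."""
    return SECRET_PAGE_BODY


def main_page_hardened(session):
    """Fixed main.php: the secret is returned only to a session that went
    through login(); anything else is sent back to the login page."""
    if not session.get("authenticated"):
        return "302 -> /index.php"
    return SECRET_PAGE_BODY


def direct_request(handler):
    """Simulate a fresh client (curl with no cookies) hitting main.php."""
    return handler({})
```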
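The final step works because Linux treats any /etc/passwd entry with uid 0 as root, and a hash placed directly in the password field is honoured without /etc/shadow. As an added example (not from the post), this Python audit flags exactly those two conditions plus empty password fields and malformed lines; the sample passwd file and its "$6$" hash are constructed here, not taken from the box.

```python
# Constructed sample, modelled on the post's end state: root, the two real
# users, and an injected "jeff" line with uid 0 and an inline SHA-512 crypt
# hash (the "$6$salt$hash" form mkpasswd -m sha-512 emits). The hash is a
# made-up placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:joanna:/home/joanna:/bin/bash
jeff:$6$SALT$PLACEHOLDERHASH:0:0:jeff:/root:/bin/bash
"""

# Password-field values that do not mean "a usable hash lives here":
# "x" defers to /etc/shadow, "*" and anything starting with "!" is locked.
_NON_HASH_PREFIXES = ("x", "*", "!")


def audit_passwd(text):
    """Return (account, finding) pairs for suspicious /etc/passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", f"malformed entry ({len(fields)} fields)"))
            continue
        name, pw, uid, gid = fields[0], fields[1], fields[2], fields[3]
        if not uid.isdigit() or not gid.isdigit():
            findings.append((name, "non-numeric uid/gid"))
            continue
        if pw == "":
            findings.append((name, "empty password field (no password required)"))
        elif not pw.startswith(_NON_HASH_PREFIXES):
            findings.append((name, "password hash in /etc/passwd instead of /etc/shadow"))
        if int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
```

On a live host, feed it the real file with `audit_passwd(open("/etc/passwd").read())`; a clean system returns an empty list.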

You should make a web server and post this on it as well to start building up a resume, then link it here. That’s what I’m currently doing.

4 Likes

Back at it again! Nice one :smiley: I've also been doing HTB lately as much as I used to, 2 years ago. Forgot how awesome and useful it is.

3 Likes

Nice writeup!

I have a question on using the SSH key as Joanna. Was cracking the password necessary, or could you have just logged in directly? Was the key password protected?

Looking forward to seeing more ^^

1 Like

It’s pretty self-explanatory (creating a word-list with the word ninja in it then cracking it)

3 Likes

I didn’t know this, thanks @c0z !

1 Like

I tried logging in directly at first but it kept asking for the ssh key password.

1 Like

Cool! Never knew the intricacy with that Proc-Type value.

Thanks.

I have just started. When do you think I should begin Hack The Box? I have so far been learning bash scripting :slight_smile:

Start now with TryHackMe; they have a pre-security and a beginner path that should give you all the basics you need. You'll figure it out from there, then move to hackthebox when you're confident enough.

Thanks! Also, when do you think it is a good time to learn Python after bash: before Hack The Box or concurrently?

You should learn it as soon as you can; it'll help you in many fields, not just with hackthebox.

1 Like

Nice write-up @jeff :heart:

1 Like

Thanks for the write-up @jeff :heart:

1 Like