OpenAdmin (10.10.10.171) Walkthrough

Hello guys, this is the walkthrough of the recently retired HackTheBox machine.

It’s an easy Linux box, so without wasting any more time let’s start with the writeup.

Starting with the nmap scan:

From the nmap scan we can see that there are two open ports; whatever we do, these two ports are our entry points.

Port 80 means a web application is hosted there, which we will go through, and port 22 is SSH, which we can use to log in to the machine later.

Now let’s do basic enumeration of port 80, like directory brute forcing using DirBuster, dirb or gobuster, whichever tool suits you.

The directory brute forcing discovers two directories: /artwork and /music.

Let’s have a look at the site in the web browser as well.

This is what the /artwork directory looks like.

From a Google search you will find that the OpenNetAdmin login page is at /ona/login.php.

Accessing /ona/login.php gives us the login page.

But hey, where are the credentials to log in?

Anyway, we search for OpenNetAdmin exploits on the internet and come across an RCE exploit available on Exploit-DB.

First we need to clean up the exploit script with sed; then we run it and, boom, we are in the machine.

Now we go to the /home directory and run ls to see which users exist:

Cool, we find two users: jimmy and joanna.

Furthermore, looking for juicy files, we come across the database settings file below, which gives us a password for some user. We will try to SSH in as either jimmy or joanna using it:

SSHing in as jimmy with the above password:

Bingo, we’re in as jimmy.

Looking for more juicy info in the directories, we go to /var/www/internal.

There we find index.php, logout.php, main1.php and main.php.

Looking into main.php, the page prints user joanna’s RSA key (which we can use to SSH in as her).

But this site is hosted internally under jimmy, so how are we going to access it?

Let’s try curling it.

We get a 404, even though the file clearly exists. At this point I had the usual almost-done-but-stuck period. Eventually I noticed localhost port 80 at the bottom of the output and tried to see whether any other local ports were open using netstat:

I tried curl with localhost:3306, but that gave the same error. localhost:52846 did work though, and the RSA key pops up:

It’s not just an RSA key though: at the bottom we see ‘Don’t forget your “ninja” password’. Sure enough, after copying the key into a file called joanna_rsa and running ssh -i joanna_rsa joanna@10.10.10.171, we are asked for a “passphrase for key” as well (note that you have to restrict the permissions on the SSH key first, e.g. chmod 400 joanna_rsa).

But first we need to convert this RSA key into a format john understands, using the “ssh2john” script, which you can get from GitHub.

Change the permissions:

Running the script:

After running this script we get the john-formatted hash file “kay”, which we can use with the John the Ripper tool to crack the key’s passphrase and get the password.

The converted key looks like this:

Using John the Ripper on “kay” to crack the passphrase and recover the password:

Now, let’s SSH in as joanna using the above RSA key and the recovered password.

From here we can grab the user flag.

Now, for the root flag, we need to do privilege escalation:

As shown above, the user joanna can run /bin/nano in the /opt/priv directory as root without any password.

If you search for privilege escalation using nano, you will find it very nicely explained at gtfobins.github.io/gtfobins/nano.
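A defender-side follow-up to the sudo finding above, as an added example that is not part of the original writeup: a small bash script that scans a sudoers file for NOPASSWD rules granting editors or pagers with known shell escapes, the kind of rule that let joanna run nano as root. The sudoers sample and the RISKY_BINS list are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: audit a sudoers file for NOPASSWD rules that hand out
# binaries with well-known shell escapes (editors, pagers) as root.
# The sample sudoers below and the RISKY_BINS list are constructed.

# Binaries whose sudo rules deserve review; illustrative, not exhaustive.
RISKY_BINS="nano vi vim less more man"

# audit_sudoers FILE -> prints one "RISKY: <rule>" line per hit;
# returns 0 when nothing was flagged and 1 otherwise.
audit_sudoers() {
    local file="$1" found=0 line bin
    while IFS= read -r line; do
        # Skip blank lines, comments and Defaults; keep rule lines only.
        case "$line" in
            ''|'#'*|Defaults*) continue ;;
        esac
        # Only rules that skip the password prompt are of interest here.
        case "$line" in
            *NOPASSWD*) ;;
            *) continue ;;
        esac
        for bin in $RISKY_BINS; do
            # Match an absolute path ending in /<bin>, delimited by
            # whitespace, a comma or end of line.
            if printf '%s\n' "$line" |
               grep -Eq "(^|[[:space:]])/[^[:space:],]*/${bin}([[:space:]]|,|$)"; then
                printf 'RISKY: %s\n' "$line"
                found=1
                break
            fi
        done
    done < "$file"
    [ "$found" -eq 0 ]
}

# Constructed sudoers sample: benign rules plus one mirroring the box's
# finding, an editor runnable as root without a password.
SAMPLE_SUDOERS="$(mktemp)"
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
EOF

audit_sudoers "$SAMPLE_SUDOERS" || echo "sudoers needs review"
```

Point the function at a real /etc/sudoers or a file under /etc/sudoers.d to review rules on a host you administer.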

Security researcher, Blogger, Bug Bounty hunter