OpenAdmin(10.10.10.171) Walkthrough

Hello Guys, This is the walkthrough of the recently retired HackTheBox Machine.

It’s an easy linux Box. So, Without wasting anymore time let’s start with the Writeup.

Starting with the nmap scan:

From the Nmap scan we can observe that there are 2 open ports, whatever we got to do these two ports are the entry points.

Alright, Port 80 means some web application is hosted, we will go through it and port 22 means SSH, to SSH into the given Machine.

Now, Let’s do basic Enumeration of the port 80, Like Directory brute forcing either using Dirbuster or Dirb or Gobuster whichever tool suits you.

From the Directory brute forcing we can see there are 2 directories discovered /artwork and /music.

Let’s have a look at web on the web browser as well.

This is how the /artwork directory looks like.

From google search you will get the login page for opennetadmin /ona/login.php

Accessing the /ona/login.php page we will get a login page as below:

But hey, Where are the credentials to login????

Anyway, we search more for open net admin exploits on the internet and we come across this one RCE exploit available on exploit-db

First we need to sed the exploit and boom we are into the machine.

Now we traverse to /home directory and ls to see which users are there:

Cool, we find two users jimmy and joanna.

Furthermore if we look into the juicy files we come across the below file database settings file, which gives us password for some user, we will try to SSH into either jimmy or joanna using that:

SSHing into jimmy using the above password:

Bingo, We’re in jimmy.

Finding some juicy info by traversing into directories we go to /var/www/internal

There are index.php, logout.php, main1.php, main.php.

Looking into main.php, the web server print’s user joanna’s RSA key (which we can use to SSH in as her).

But the thing is this is hosted internally in jimmy, now how are we going to access it?

Let’s try CURLing into it.

We get a 404, even though the file clearly exists. At this point I had the usual almost-done-but-stuck period. Eventually I noticed localhost Port 80 at the bottom of the output and tried to see if any other local ports were open using netstat:

I tried curl with localhost:3306, but that showed the same error. localhost:52846 did work though, and the RSA key pops up:

It’s not just an RSA key though, at the bottom we see ‘Don’t forget your “ninja” password’. Sure enough, copying the key into a file called joanna_rsa and running ssh -i joanna_rsa joanna@10.10.10.171 asks for a “passphrase for key” as well (note you have to limit the permissions on the SSH key, like: chmod 400 joanna_rsa).

But first we need to convert this RSA key into john understandable format using “ssh2john” script you will get it on the GITHUB.

Change the permissions:

Running the script as below:

Now, After running this script we will get the john formatted key “kay” which wwe can use with the “JohnTheRipper” tool to decrypt the key to get the password.

You will the key like below:

Using “JohnTheRipper” tool as below to decrypt the key “kay” and extract the password as beow:

Now, Let’s SSH into Joanna using the above RSA key and the password.

Now from here we can capture the user flag.

Now, for Root Flag, we need to do Privilege escalation:

Now as shown above the user joanna can run /bin/nano in /opt/priv directory without any password with root privileges.

If you search for privilege escalation using nano you will get this very beautifully explained info on gtfobins.github.io/gtfobins/nano