Recon
Let us start with a port scan to identify the running services. I personally use RustScan.
rustscan -a 10.10.10.171 -- -sC -sV
Or if you wish to use Nmap…
nmap -sC -sV 10.10.10.171
As we can see, port 22 (SSH) and port 80 (HTTP) are open.
Enumeration: Port 80
On enumerating port 80, we see the default Apache webpage (nothing interesting…).
But on doing a directory brute force…
python3 dirsearch.py -u http://10.10.10.171 -E -x 400,500 -r 1 -t 100 -w /usr/share/wordlists/dirb/common.txt
we see some interesting results…
We find 3 directories /music, /artwork, /sierra…
http://10.10.10.171/sierra …(nothing useful, same thing with /artwork)
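From the server's side, a directory brute force like the one above is a burst of 404s from one client, which makes it easy to alert on. The following detector is an added example written for this writeup (not part of the original post) and runs over a few constructed Apache combined-format log lines; the client addresses, timestamps and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not taken from the box). One client
# fires a wordlist at the server and collects many 404s within seconds; a
# second client browses normally and hits a single 404.
SAMPLE_LOG = """\
10.10.14.5 - - [05/Jan/2020:11:02:01 +0000] "GET /admin HTTP/1.1" 404 275 "-" "python-requests/2.22.0"
10.10.14.5 - - [05/Jan/2020:11:02:01 +0000] "GET /backup HTTP/1.1" 404 275 "-" "python-requests/2.22.0"
10.10.14.5 - - [05/Jan/2020:11:02:02 +0000] "GET /cgi-bin HTTP/1.1" 404 275 "-" "python-requests/2.22.0"
10.10.14.5 - - [05/Jan/2020:11:02:02 +0000] "GET /music HTTP/1.1" 301 312 "-" "python-requests/2.22.0"
10.10.14.5 - - [05/Jan/2020:11:02:03 +0000] "GET /test HTTP/1.1" 404 275 "-" "python-requests/2.22.0"
10.10.14.5 - - [05/Jan/2020:11:02:03 +0000] "GET /tmp HTTP/1.1" 404 275 "-" "python-requests/2.22.0"
10.10.14.5 - - [05/Jan/2020:11:02:04 +0000] "GET /uploads HTTP/1.1" 404 275 "-" "python-requests/2.22.0"
10.10.14.9 - - [05/Jan/2020:11:02:05 +0000] "GET /music/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.9 - - [05/Jan/2020:11:40:12 +0000] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak_404_count} for clients that produced at least `threshold`
    404 responses inside any sliding window of `window_seconds`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 404:
            per_ip[rec[0]].append(rec[1])

    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it fits within window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = best
    return offenders


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible directory brute force from {ip}: {count} x 404 within 60s")
```

The threshold and window are tunable; on a real server a handful of 404s a minute is normal browsing, while hundreds in a few seconds from one address is almost always a wordlist. Feed it real lines from /var/log/apache2/access.log, or the equivalent in your log pipeline, instead of the constructed sample.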
But the login button in http://10.10.10.171/music leads us to a special directory…
As we can see, the alert tells us that we are using an outdated version of ona (OpenNetAdmin). Now we just need to search for exploits for this version.
SearchSploit gives us a good answer
searchsploit opennetadmin 18.1.1
You can use Metasploit to make it easy, but for the sake of the writeup I will not use msf.
Exploitation
ExploitDB’s exploit didn’t work for me for some reason…
But luckily I found a python program for this in GitHub…
So I used this exploit and got a shell
python3 ona_rce.py exploit http://10.10.10.171/ona
This shell was not very interactive, so I decided to use NetCat instead.
After enumerating a little, I find a juicy file called database_settings.inc.php in /opt/ona/www/local/config
We find a few credentials. These don't help us much with MySQL…
mysql -uona_sys -p
we find the creds for the OpenAdmin menu in the /ona directory
but those creds can be used to login as the user Jimmy
su jimmy
or…
ssh jimmy@10.10.10.171
On more enumeration, we find that the directory /var/www/internal is only readable by Jimmy.
We see that it has 3 files, index.php, main.php and logout.php
index.php :
It looks like a login form, and we also notice the hardcoded username and password hash (crackstation.net)…
jimmy:R******d
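A hardcoded username and a bare hash in a login form are exactly what a source scan should catch before the file ever reaches a web root. The scanner below is an added example for this writeup (not the box's code and not the original post's); the PHP it inspects is a constructed stand-in modelled on the kind of form described above, with a made-up 128-hex-character "hash" and hypothetical pattern names.

```python
import re

# Constructed sample of a PHP login form with credentials baked into the source.
# The hash value is a placeholder (0123456789abcdef repeated), not a real digest.
SAMPLE_INDEX_PHP = r"""<?php
session_start();
$username = 'jimmy';
// SHA-512 of the password is compared against a literal in the source
$hash = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef';
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
    if ($_POST['username'] == $username && hash('sha512', $_POST['password']) == $hash) {
        $_SESSION['username'] = 'jimmy';
        header("Location: /main.php");
    }
}
?>
"""

# Hypothetical rule names; each regex is applied line by line.
PATTERNS = {
    # $username = '...', $password = "...", $hash = '...' and similar literals
    "literal_credential": re.compile(
        r"\$(?:user(?:name)?|pass(?:word|wd)?|secret|token|hash)\s*=\s*(['\"])[^'\"]+\1", re.I
    ),
    # raw hex digests of common lengths sitting in source
    "sha512_hex": re.compile(r"\b[0-9a-f]{128}\b", re.I),
    "sha256_hex": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "md5_or_sha1_hex": re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b", re.I),
    # unsalted, fast hash used to check a password (should be password_verify)
    "hash_compare": re.compile(r"hash\s*\(\s*['\"](?:md5|sha1|sha256|sha512)['\"]", re.I),
}


def scan_php(source):
    """Return a list of (line_number, rule_name, line_excerpt) for every rule hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((lineno, name, line.strip()[:60]))
    return findings


if __name__ == "__main__":
    for lineno, name, excerpt in scan_php(SAMPLE_INDEX_PHP):
        print(f"line {lineno:3d}  {name:20s}  {excerpt}")
```

The fix on the application side is to keep credentials out of the source entirely (a user table or a secrets store) and to check passwords with PHP's password_hash()/password_verify(), which salt and slow the hash, instead of comparing a single fast SHA-512 digest. Run the scanner over a web root with a glob over *.php and the same scan_php() call.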
main.php:
we see that the php code shows us the output of Joanna’s ssh keys which we can use to login as her.
But which port is this site running on?
As the name suggests, it must be an internal service…
To find these services we can run…
ss -lntp
we find this service running internally on port 52846
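A service bound only to 127.0.0.1 is invisible to a port scan but fully reachable to anyone with a local shell, so a host inventory should list every loopback-only listener and ask whether it is expected. The parser below is an added example for this writeup (not from the original post); it reads constructed `ss -lntp` output, and the process names, PIDs and the "expected ports" set are assumptions.

```python
import re

# Constructed sample of `ss -lntp` output (not captured from the box): one
# database and one web vhost bound to loopback, SSH and the main vhost on all
# interfaces.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1021,fd=30))
LISTEN  0       128      127.0.0.1:52846      0.0.0.0:*          users:(("apache2",pid=1289,fd=6))
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=987,fd=3))
LISTEN  0       128      *:80                 *:*                users:(("apache2",pid=1289,fd=4))
LISTEN  0       128      [::]:22              [::]:*             users:(("sshd",pid=987,fd=4))
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(output):
    """Turn `ss -lntp` text into a list of {addr, port, proc, pid} dicts (LISTEN rows only)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        m = PROC_RE.search(line)
        listeners.append({
            "addr": addr,
            "port": int(port),
            "proc": m.group(1) if m else None,  # None when ss could not see the owner
            "pid": int(m.group(2)) if m else None,
        })
    return listeners


def loopback_only(listeners, expected_ports=frozenset()):
    """Listeners bound to loopback whose port is not in the known-good allowlist."""
    return [
        l for l in listeners
        if (l["addr"] in LOOPBACK or l["addr"].startswith("127.")) and l["port"] not in expected_ports
    ]


if __name__ == "__main__":
    known_good = {3306}  # assumption: the local database is documented, anything else is not
    for l in loopback_only(parse_ss(SAMPLE_SS), known_good):
        print(f"undocumented loopback listener: {l['addr']}:{l['port']} owned by {l['proc']} (pid {l['pid']})")
```

In practice, run `ss -lntp` as root so the Process column is populated for every socket, keep the allowlist under version control, and treat any new loopback listener as a change that needs an owner. "Only on localhost" is not a security boundary once an attacker has any local account.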
To access this we need to use ssh tunnelling
ssh -L [local port]:localhost:[remote port] <username>@<ip>
ssh -L 52846:localhost:52846 jimmy@10.10.10.171
Then on going to http://localhost:52846 …
we find this site and we already found the password before in the source code for index.php.
After logging in, we get the id_rsa file for Joanna
Now let's convert this into a hash file that john can crack, with the help of the ssh2john.py script.
python3 ssh2john.py id_rsa_that_you_copied_after_login > id_rsa.hash
Once the conversion is done, we can find the passphrase for the id_rsa file with JohnTheRipper.
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
After letting it run we get the passphrase as b*********s.
And then we successfully login as Joanna
Let us find what commands Joanna is able to run as sudo
sudo -l
We find that the user can run nano(the text editor) and a file /opt/priv as root.
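A sudo rule that hands an interactive editor to root is a common misconfiguration, and it is cheap to audit for. The script below is an added example for this writeup (not from the original post); it parses constructed `sudo -l` output in the format sudo prints, and the second rule, the host name and the list of binaries known to offer a shell escape (a hand-picked subset of what GTFOBins documents) are assumptions.

```python
import re

# Constructed sample of `sudo -l` output (not captured from the box). The first
# rule mirrors the kind described above; the second is a harmless one for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /bin/cat /var/log/apache2/access.log
"""

# Hand-picked subset of programs GTFOBins lists as able to spawn a shell or
# write arbitrary files when run under sudo (assumption: extend to taste).
SHELL_ESCAPE_BINS = {"nano", "vi", "vim", "less", "more", "man", "awk", "find", "perl", "python3", "env"}

# "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/.*)$")


def parse_sudo_l(output):
    """Extract the command rules from `sudo -l` text; Defaults lines are ignored."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        argv = m["cmd"].split()
        rules.append({
            "runas": m["runas"].strip(),
            "nopasswd": "NOPASSWD:" in m["tags"],
            "binary": argv[0],
            "args": argv[1:],
        })
    return rules


def audit_rules(rules):
    """Return (binary, reason) pairs for rules that effectively grant a root shell."""
    findings = []
    for r in rules:
        name = r["binary"].rsplit("/", 1)[-1]
        if name in SHELL_ESCAPE_BINS:
            reason = f"{name} as {r['runas']} can escape to a shell"
            if r["nopasswd"]:
                reason += " without a password"
            reason += "; use sudoedit for file edits or a minimal wrapper script instead"
            findings.append((r["binary"], reason))
    return findings


if __name__ == "__main__":
    for binary, reason in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"RISK  {binary}: {reason}")
```

Pinning the editor to one file (here /opt/priv) does not help, because the editor itself can run commands as root. sudoedit is the right tool for the "let this user edit one root-owned file" case: it copies the file, runs the editor as the invoking user, and copies the result back, so there is no root shell to escape into. To check a whole fleet, feed each host's `sudo -l -U <user>` output to parse_sudo_l() the same way.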
On examining /opt/priv, we find that it is an empty file.
But we can still open it with nano
sudo nano /opt/priv
We can then follow the instructions on https://gtfobins.github.io/gtfobins/nano/#shell to escalate our privileges to root.
And there you have it…
We just rooted the OpenAdmin box.
The enumeration in this box was a pain for me, but I learnt a lot from it. Hope you enjoyed this writeup.
https://www.hackthebox.eu/home/users/profile/271362
(if you enjoyed, feel free to hit the respect button, please…).