HackTheBox OpenAdmin writeup / walkthrough

Starting with nmap

Two ports are open: 80 for web and 22 for SSH.

Let's see what we have on port 80.

We get the Apache default page here. Nothing interesting. We can, however, run DirBuster here. I found a few other directories. You can run dirb as follows

Let's look at the other subdirectories I found, i.e. /music and /ona

Nothing interesting here either. Let's find another directory

This looks interesting. We are already logged in as a Guest user. I found an unverified exploit in Exploit-DB for ona (OpenNetAdmin)

At the time of writing, msfconsole did not include this exploit, so we need to import it manually. Before you open msfconsole, do the following steps.

  • Download the exploit sh file
  • Create a folder as follows
  • Start msfconsole

Now we can use this script

By default it will use linux/x86/meterpreter/reverse_tcp; change it to x64

There are two users here besides root.

Let's find out what we can do here. We are the www-data user. The first thing that comes to my mind is that the ona application will require a database, and the database has login credentials. If I can get the credentials for the database, I may be able to use them somewhere else. I searched and found the files and path for the database connection.

The username here is ona_sys, which is not a Linux user. As we already found out, there are only three Linux users here. Let's try to log in over SSH using this password. Developers use the same password in many places. This should be avoided.

We found that the above password is valid for jimmy

Basic enumeration revealed the following

Jimmy is a member of the internal group. Searching shows that /var/www/internal has group ownership internal.

In the main.php file we can see that, if executed, it will read the private key of another user, joanna.

Since /var/www/internal is in the web directory, there must be a virtual host configured for it.

The port is not accessible from outside, so we need to run it from within the server.

Save the private key and change its mode to 500

We need the password, but unfortunately we do not have the password for this private key. Checking index.php, we have a hash value. Cracking it online

The password is Revealed but it didn’t work.

So let's try to find the password using john.

The SSH key password is bloodninjas

Log in as joanna

First things first: check what we can run as root

Cool, I think we got what we need. If you are not sure what you can do with a command that you can run as root, you can always use GTFOBins

Open nano as root

Press Ctrl+R and give the name of the file to read, in our case /root/root.txt
2f907ed450b361b2c2bf4e8795d5b561

We got the root hash as well. Going further, we can read the shadow file
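A defender-side check for the sudo finding above, as an added example that is not part of the original post: it scans sudoers text for rules that grant an interactive editor or pager, the kind of rule that let nano read /root/root.txt here. The sample rules, user names and the binary list are constructed for illustration.

```python
import os
import re

# Interactive editors and pagers that have a "sudo" entry on GTFOBins
# (subset chosen for this example, not a complete list).
INTERACTIVE = {"nano", "pico", "vi", "vim", "view", "ed", "emacs", "less", "more", "man"}

# Constructed sample sudoers content: users, paths and rules are made up.
SAMPLE_SUDOERS = """\
Defaults env_reset
alice ALL=(ALL) NOPASSWD: /bin/nano /opt/app/config
bob ALL=(root) /sbin/reboot, \\
    /usr/bin/less /var/log/syslog
%ops ALL=(ALL) NOPASSWD: /usr/bin/uptime
carol ALL=(ALL) sudoedit /etc/motd
"""

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")  # NOPASSWD:, PASSWD:, NOEXEC:, ...


def audit_sudoers(text):
    """Return (who, runas, command, nopasswd) for each rule that grants an
    interactive editor or pager. Cmnd_Alias and #include lines are not expanded."""
    findings = []
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, runas, cmds = m.group(1), m.group(2) or "root", m.group(3)
        nopasswd = False  # tags carry over to later commands in the same list
        for cmd in re.split(r"(?<!\\),", cmds):
            cmd = cmd.strip()
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            # A fixed file argument does not help: the editor or pager can
            # still open other files once it runs as the target user.
            if cmd and os.path.basename(cmd.split()[0]) in INTERACTIVE:
                findings.append((who, runas, cmd, nopasswd))
    return findings


if __name__ == "__main__":
    for who, runas, cmd, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who} -> ({runas}) {cmd}  NOPASSWD={nopasswd}")
```

Feed it the contents of /etc/sudoers and /etc/sudoers.d/ on hosts you administer. The `sudoedit` rule in the sample is not flagged because sudoedit runs the editor as the invoking user rather than as the target user.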

That’s all for now.
