OpenAdmin
#Windows #Enumeration #Web-Exploitation
OpenAdmin is an easy-rated Windows machine from HackTheBox created by del_KZx497Ju. In this post, my IP is 10.10.14.76 and the target's IP is 10.129.214.71.
This machine is straightforward once you find the admin login page. It runs an outdated OpenNetAdmin CMS. From there you can get onto the machine as a low-privileged user, move to a second user by using credentials stored by a local application, and then escalate to root through a sudo misconfiguration involving nano.
Before doing anything, start with ping to check that the target is reachable.
Right now, the best option is to explore the website content.
Browser: http://10.129.214.71
It is definitely just the Ubuntu default page, nothing special, unless you press CTRL+U to view the page source.
At this point we don't have any useful information, so our best option is to search for resources. We are going to use Wfuzz with colorized output (-c), 200 threads (-t 200), a wordlist (-w), hiding responses with status 404 (--hc=404), and the FUZZ keyword at the position in the URL we want to try.
OK, there are three payloads that make sense; let's try "artwork", then "music", and "sierra".
Browser: http://10.129.214.71/artwork/
Browser: http://10.129.214.71/music
Let's search the exploit database to see whether "OpenNetAdmin" has known vulnerabilities.
Look, there is a bash script for version 18.1.1, which means we can use that exploit. Copy the code from https://www.exploit-db.com/exploits/47691 into a file called exploit.sh, replace the URL with the target's ONA URL, and run the script.
Now, to get a better shell, we need to create an HTML file and make the target read it. Open two terminals, TermA and TermB.
Read the file from 10.10.14.76 with bash
Now our best option is a TTY treatment, upgrading the shell to a full interactive TTY.
Now we need to hunt for passwords to log in with.
We have a password, so now we can test it against every user.
Ok, now we are going to check the configuration.
There is something on that port; let's try a curl to confirm it exists. If it does, by using that location we will be able to execute commands as the user "Joanna" and run main.php.
That is nice to know, but we saw earlier that main.php can return the RSA private key of the user Joanna, which is an easier way.
Paste the content into a file on your local machine and open a terminal.
But hey, it does not work. This is because the id_rsa is encrypted, as you can see in the second line (Proc-Type: 4,ENCRYPTED). First we need to download the tool https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py and decrypt the id_rsa.
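The Proc-Type / DEK-Info header lines are how a legacy PEM key announces that it is passphrase-protected. The following is an added example (not from the original post or from any tool it mentions) that reads those headers and reports whether a private key on disk is encrypted and with which cipher; it also handles the newer OPENSSH PRIVATE KEY format by reading the cipher name from the binary blob, which goes beyond the PEM case shown above. The sample keys are constructed dummies: only the headers are meaningful and the base64 bodies are not real key material.

```python
import base64
import re
import struct

# Constructed samples: headers matter, bodies are dummy data.
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0102030405060708090A0B0C0D0E0F10

MIIEowIBAAKCAQEA
-----END RSA PRIVATE KEY-----
"""
PLAIN_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA
-----END RSA PRIVATE KEY-----
"""

def _openssh_blob(cipher: bytes) -> str:
    # Constructed openssh-key-v1 prefix: magic, then a length-prefixed cipher name.
    raw = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(raw).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

OPENSSH_PLAIN = _openssh_blob(b"none")
OPENSSH_ENCRYPTED = _openssh_blob(b"aes256-ctr")

def _openssh_cipher(body_b64: str) -> str:
    """Return the cipher name stored in an openssh-key-v1 blob ("none" = unencrypted)."""
    raw = base64.b64decode(body_b64)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii")

def key_encryption(key_text: str) -> dict:
    """Report the key format, whether it is passphrase-protected, and the cipher used."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("no PEM BEGIN line")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    body = lines[1:-1]
    if label == "OPENSSH PRIVATE KEY":
        cipher = _openssh_cipher("".join(body))
        return {"format": "openssh", "encrypted": cipher != "none", "cipher": cipher}
    headers = {}
    for line in body:  # RFC 1421 style headers end at the first blank/non-header line
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if not m:
            break
        headers[m.group(1)] = m.group(2)
    encrypted = "ENCRYPTED" in headers.get("Proc-Type", "").split(",")
    cipher = headers.get("DEK-Info", "").split(",")[0] or "none"
    return {"format": "pem", "encrypted": encrypted, "cipher": cipher}
```

Run over a user's ~/.ssh directory, a report of "encrypted": False is the finding a defender cares about: a key that any file-read bug (like the one in main.php here) hands over ready to use.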
As you can see, we can run nano on the file /opt/priv through sudo without a password. This means we can execute commands from inside that editor without being asked for a password.
It works; this is a nice chance to make /bin/bash run with root permissions for every user.