Hack The Box - OpenAdmin - Write-up

Welcome to my blog!

OpenAdmin has just retired on Hack The Box. In this post I write up how I solved this machine. It's an easy box and a helpful starting point for beginners learning to root Linux boxes. The name OpenAdmin refers to OpenNetAdmin, which is an IP Address Management (IPAM) system.
I solved this box while preparing for my first OSCP attempt.

Port enumeration

As always, I use nmap to scan all ports of OpenAdmin.
nmap -Pn -n -v -sV -sC -p- --open -oN openadmin.nmap openadmin.htb
To save time here, I use the nmap output file from my previous scan.

Only two ports are open. The SSH service does not seem to have any severe vulnerabilities, since its version is 7.6p1. So, let's take a closer look at the web interface on port 80.

Initial shell

The website keeps showing Apache's default page even after I added "openadmin.htb" to my /etc/hosts. So, I decide to use dirbuster to brute-force URL paths.

Besides some useless paths, there is an interesting one: "/ona/". Opening it in the browser reveals that the website is using OpenNetAdmin, a tool for managing IP networks. It also shows that the OpenNetAdmin version is 18.1.1.

When I search "opennetadmin" on Google, it's ironic that the second result is an ExploitDB link containing an RCE exploit for OpenNetAdmin 18.1.1. Using this exploit, I get an initial shell (actually a web shell) on the server.

Own user

Listing the directory /home, I see two users: jimmy and joanna. Perhaps we must jump to jimmy and then to joanna to get the user flag.
The current directory is not inside /var/www. Hmm, I check the Apache config file for the domain openadmin.htb.

As you can see, jimmy is the server admin. There is not much information here.
It's funny that I don't need a reverse shell here, because after checking some files and folders in the current directory (especially the config folders), I come across local/config/database_settings.inc.php. Inside this file, I find database credentials.

Then I try them in the OpenNetAdmin login form, but no luck. I remember that jimmy is the server admin and maybe he reused his password across many accounts, including the SSH service. So, I SSH in as jimmy with the password above and, what a relief, it's successful.

My guess was right: jimmy doesn't have the user flag, and we must jump to joanna. Returning to /etc/apache2/sites-available/, I find another virtual host on port 52846 with an unusual config.

The AssignUserID directive makes Apache run the virtual host under a separate uid and gid, in this case joanna's. Furthermore, we have write access to the directory /var/www/internal, so anything I place there is executed as joanna.
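As an added example (not part of the original post), here is a small Python audit written from the defender's side for exactly this misconfiguration: a vhost that switches identity with AssignUserID while its DocumentRoot can be written by an account other than the one the vhost runs as. The sample vhost config and the FAKE_FS permission map are constructed for the demo; os_lookup is the real lookup for a live host.

```python
import grp, os, pwd, re, stat
# Constructed sample modelled on the page: the default site, plus the internal
# vhost on 52846 that Apache runs as joanna via AssignUserID.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost 127.0.0.1:52846>
    DocumentRoot /var/www/internal
    AssignUserID joanna joanna
</VirtualHost>
"""

# Constructed stand-in for the filesystem: path -> (owner, group, mode bits).
FAKE_FS = {
    "/var/www/html": ("root", "root", 0o755),
    "/var/www/internal": ("www-data", "www-data", 0o775),
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
def directive(body, name):
    # Arguments of the first `name` directive inside a vhost body, or None.
    m = re.search(r"^\s*%s\s+(.+?)\s*$" % name, body, re.M | re.I)
    return m.group(1).split() if m else None

def audit(config_text, lookup):
    """One finding per AssignUserID vhost whose DocumentRoot is writable by someone other than its run user."""
    findings = []
    for listen, body in VHOST_RE.findall(config_text):
        ids, root = directive(body, "AssignUserID"), directive(body, "DocumentRoot")
        if not ids or not root:
            continue  # no identity switch, or nothing to check
        run_user, run_group = ids[0], ids[-1]  # "AssignUserID user group"
        owner, group, mode = lookup(root[0])
        reasons = []
        if owner != run_user:
            reasons.append("owned by " + owner)
        if mode & stat.S_IWGRP and group != run_group:
            reasons.append("group-writable by " + group)
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append("%s runs as %s but %s is %s" % (listen, run_user, root[0], ", ".join(reasons)))
    return findings

def os_lookup(path):
    # Live-host lookup: owner and group names plus the permission bits.
    st = os.stat(path)
    return (pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name, stat.S_IMODE(st.st_mode))
```

On a live host, pass the contents of a vhost file from /etc/apache2/sites-available/ together with os_lookup instead of the constructed FAKE_FS lookup.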

I write a PHP script that sends a reverse shell back to my machine and trigger it with curl. Unfortunately, I cannot get a TTY.

I then grab joanna's private key and use it to SSH to the server. However, it's protected by a passphrase.

I use john to crack the passphrase and then SSH in with joanna's private key.

Own root

It's fairly easy now: just run sudo -l and see.

We can run nano with sudo, and do you know the nano entry on GTFOBins?

If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.
Thank you for reading!