Home [Writeup] Hack The Box - Open Admin
Post
Cancel

[Writeup] Hack The Box - Open Admin

IMG

The way how I took user and root of this machine.

0x01: Looking

Access the address of this machine I only can see the default index page of Apache2, so I used dirb & nmap to scan and knows more about this machine.

IMG Dirb result

IMG Nmap result

Access /music I see the login function, and it redirect me to /ona

0x02: Access shell

IMG OpenNetAdmin

After googling, I found RCE vulnerability, you can download the payload here..

IMG

After cat /etc/passwd, I realize I may need to use the privilege escalation technique from www-data to 2 users jimmy and joanna before taking a root.

0x03: Access user 1

Searching in the main folder of ona, I found the password to login one of the users in the database.

1
$ cat local/config/database_settings.inc.php

IMG

Tried on both users jimmy & jonna I can logged-in with the username jimmy via ssh with its password.

0x04: Access user 2

Searching in the machine I found in /var/www there is a directory internal with jimmy permission.

After looking at the php source code, the workflow is index.php »> main.php and read the RSA key, but it can’t read because it does not have any permission.

Use command netstat -natpe I realized that the php source code is running at root because the user id is 0. Because of that, I just need to access /main.php and take the RSA private key.

1
$ curl 127.0.0.1:52846/main.php 

IMG RSA private key

But it is not the end yet, I still need to find the passphrase of this private key to access via ssh.

Use john and rockyou wordlist:

1
2
# python ssh2john.py joanna_pri_key > joanna_pri_key.hash
# john --wordlist=/root/Downloads/rockyou.txt --format=SSH joanna_pri_key.hash

And the passphrase is: bloodninjas

0x05: Access root

At /opt , we have a one file priv and it’s permission is 

1
352 -rw-r - r - 1 root root 0 Nov 22 23:49 priv

Beside that, I also used sudo -l and knew that nano can be used under root permission without password. It means that I can use GTFOBins to privilege escalation to root.

1
2
3
$ sudo nano priv
^R^X
reset; sh 1>&0 2>&0

IMG Got root

And tada, I got root! That is how I own the user and root of this machine. Hope you guys learned something new from this machine.

Cheers! 👍

P/S: Thank you GinaTU aka Tứ Diệp Thảo to help me edit this post

This post is licensed under CC BY 4.0 by the author.