Hack The Box OpenAdmin Writeup

Introduction

This is an easy Linux machine from Hack The Box which involves website directory enumeration and then exploiting ONA v18.1.1.

It then involves switching users, followed by privilege escalation through sudo permissions on the nano binary.

Steps involved

1-Port Scan
2-Exploiting ONA version 18.1.1
3-Switching to Jimmy user
4-Getting joanna id_rsa key
5-Decrypting the key phrase of id_rsa
6-Privilege escalation through sudo permission via /nano
7-Getting Root.txt

Commands involved

1-nmap -sC -sV -v -oV 10.10.10.171
2-bash shell.sh http://10.10.10.171/ona/
3-netstat -ano
4-curl http://localhost:52846/main.php
5-/usr/share/john/ssh2john.py id_rsa >>hash
6-john --wordlist=/root/Desktop/rockyou.txt hash
7-ssh -i id_rsa [email protected]
8-sudo -l
9-sudo /bin/nano /opt/priv

Port Scan

Nmap 7.70 scan initiated Fri May 1 04:23:54 2020 as: nmap -sC -sV -v -oV 10.10.10.171
Increasing send delay for 10.10.10.171 from 0 to 5 due to 177 out of 588 dropped probes since last increase.
Nmap scan report for 10.10.10.171
Host is up (0.50s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Fri May 1 04:24:57 2020 -- 1 IP address (1 host up) scanned in 63.29 seconds

The first thing I always do is visit the website.

So let’s do this.

Nothing seems to be there.
So let’s run our directory enumeration tool.

So I found /ona.

So let’s visit it.

Exploiting ONA version 18.1.1

It says that it is an older version, so we can search for an exploit against it.

After a little googling I found the exploit, so let’s run it now.

Switching to Jimmy user

Once I got the shell as www-data, I enumerated the system and found a database_settings_inc.php file which contained the creds.

On reading the passwd file, it is clear that there are two users, jimmy and joanna, so the creds could belong to one of them. I checked, and they worked for jimmy.

So let’s log in as the jimmy user.

After logging in I realized that the user flag is not in the jimmy account.
So now I need to switch to another user, i.e. joanna.

Getting joanna id_rsa key

On enumeration I found a main.php which reads the id_rsa for joanna when this main.php is downloaded.

So I tried to curl it on localhost, but it didn’t work.

So I ran netstat -ano to see the ports on localhost and then tried each of them. The one which worked was port 52846.

So now when I curl it, I get the id_rsa for joanna.

Decrypting the key phrase of id_rsa

But it is in encrypted format.

So I used john to decrypt it.

First I needed to convert it into a hash.

So I used a program, ssh2john, for this purpose.

locate ssh2john 
/usr/share/john/ssh2john.py id_rsa >>hash

Then I cracked that hash with john and got the password.

john --wordlist=/root/Desktop/rockyou.txt hash

So let’s log in.

Connection closed by 10.10.10.171 port 22
[email protected]:~/Desktop/htb/openadmin# chmod 400 id_rsa
[email protected]:~/Desktop/htb/openadmin# ssh -i id_rsa [email protected]

So now we can read the user.txt

Privilege escalation through sudo permission via /nano

Now we have to do privilege escalation.

Let’s check the sudo permissions first.

The best way to exploit these binaries is given on the GTFOBins website.

And using this we can directly get root access.

And we can get the root flag.
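
A defender-side check for the sudo rule described above, as an added example that is not part of the original post: it parses `sudo -l` output and flags root-capable rules that run an interactive editor or pager, suggesting sudoedit in place of an editor. The sample listing, the user and host names in it, and the function name audit_sudo_listing are assumptions constructed for illustration.

```python
import os
import re

# Programs that can open other files or run commands once started, so a root
# sudo rule for one of them is in effect a rule for a root shell.
EDITORS = {"nano", "pico", "vi", "vim", "emacs", "ed"}
PAGERS = {"less", "more", "man"}
RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:] cmd[, cmd]"
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")          # e.g. "NOPASSWD: SETENV: "

# Constructed sample of `sudo -l` output; user and host names are assumptions.
SAMPLE = """\
User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/systemctl status apache2, /usr/bin/less /var/log/syslog
    (www-data) /usr/bin/vim /var/www/html/index.html
    (ALL) NOPASSWD: sudoedit /opt/priv
"""

def audit_sudo_listing(text):
    """Return one finding per root-capable rule that runs an editor or pager."""
    findings = []
    for line in text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue                      # header or Defaults line
        users = {u.strip() for u in rule.group(1).split(":")[0].split(",")}
        if not users & {"ALL", "root"}:
            continue                      # rule cannot run anything as root
        nopasswd = False
        for cmd in re.split(r"(?<!\\),", rule.group(2)):
            cmd = cmd.strip()
            tags = TAGS.match(cmd)
            if tags:                      # tags carry over to later commands
                names = re.findall(r"[A-Z_]+", tags.group(0))
                nopasswd = "NOPASSWD" in names or (nopasswd and "PASSWD" not in names)
                cmd = cmd[tags.end():]
            argv = cmd.split()
            prog = os.path.basename(argv[0]) if argv else ""
            if prog in EDITORS:           # sudoedit edits a copy as the invoking user
                fix = "sudoedit " + (" ".join(argv[1:]) or "<file>")
            elif prog in PAGERS:
                fix = "use a non-interactive reader such as cat or tail"
            else:
                continue
            findings.append({"program": prog, "rule": cmd, "nopasswd": nopasswd, "fix": fix})
    return findings

for finding in audit_sudo_listing(SAMPLE):
    print(finding)
```

Rules that already use sudoedit, or that run as a non-root account, are not reported.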
