Hack The Box - OpenAdmin Writeup
About
OpenAdmin is an easy, simple and straightforward box. This machine is recommended for newbies. So, let's begin our journey.
NMAP
Look, there are only SSH (22) and an Apache web server (80). Now let's check port 80.
WEBSITE
It's only the default page. To further enumerate the website we can check with gobuster.
Gobuster
OK, after scanning we can check the directories one by one.
After I checked, I found an interesting directory.
WEBPAGE-MUSIC
Now clicking LOGIN redirects to http://10.10.10.171/ona/
This is not a normal login page. The website is using OpenNetAdmin (v18.1.1), which is not the latest version.
RCE - Remote Code Execution
Now we look for an RCE with searchsploit.
Now we can exploit.
Now look, it's a simple shell.
Hahah, I got the password, but not root.
Now I'm logged in as Jimmy.
Reconnaissance & Enumeration (Local)
While browsing through /var/www I found /var/www/internal, and we can check it.
This file will read the id_rsa file from Joanna. Now we can request the file and see if I can obtain the key file.
Look, by just making a curl request to an internal site, I can get Joanna's RSA key. Now all I need to do is try to crack it using ssh2john.
Now, we create a file called joanna.key and add the RSA private key into it.
Now I get the password; let's try to log in.
Privilege escalation
OK, now I've got the user flag.
Okay, now Joanna is allowed to use nano with sudo. Most text editors have the possibility to run shell commands, and nano is no exception. GTFOBins has a good suggestion: execute the CTRL-R, CTRL-X sequence and then give the command reset; sh 1>&0 2>&0
Use the command sudo /bin/nano /opt/priv, then type <CTRL>+R in order to read a file.
After pressing <CTRL>+R, we insert the file root.txt
and press <CTRL>+X to save.
Look, we got the flags.
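For the defensive side of the sudo rule used above, here is an added example (not part of the original writeup) that audits sudoers text for rules granting programs able to run commands from their own interface. The sample sudoers fragment, the program list and the function name audit_sudoers are assumptions made for this illustration.

```python
import os
import re

# Assumption: a short, non-exhaustive set of programs that can run commands
# from inside their own interface (GTFOBins documents many more).
ESCAPE_CAPABLE = {"nano", "pico", "vi", "vim", "less", "more", "man", "ed"}

def audit_sudoers(text):
    """Return (user, command) pairs granting an escape-capable program via sudo."""
    # Simplified parser: joins continuations, expands Cmnd_Alias, honours the
    # NOEXEC/EXEC tags. It does not follow include directives.
    text = re.sub(r"\\\n\s*", " ", text)
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    aliases = {}
    for line in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    findings = []
    for line in lines:
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        user = who.split()[0]
        spec = re.sub(r"\([^)]*\)", "", spec)  # drop Runas lists such as (ALL)
        noexec = False  # tags stay in effect for the rest of the command list
        for item in spec.split(","):
            for tag in re.findall(r"\b([A-Z_]+):", item):
                noexec = {"NOEXEC": True, "EXEC": False}.get(tag, noexec)
            cmd = re.sub(r"\b[A-Z_]+:", "", item).strip()
            for real in aliases.get(cmd, [cmd]):
                binary = os.path.basename(real.split()[0]) if real else ""
                if binary in ESCAPE_CAPABLE and not noexec:
                    findings.append((user, real))
    return findings

# Constructed sample; only the joanna rule mirrors the command in the writeup.
SAMPLE = """\
# constructed sudoers fragment
Cmnd_Alias EDITORS = /usr/bin/vim, \\
                     /usr/bin/less /var/log/syslog
joanna ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup ALL=(root) /usr/bin/rsync, EDITORS
deploy ALL=(root) NOEXEC: /bin/nano /etc/motd
"""

if __name__ == "__main__":
    for user, cmd in audit_sudoers(SAMPLE):
        print(f"{user}: {cmd}")
```

The deploy rule is not reported because NOEXEC stops the editor from running further commands where sudo supports it; sudoedit is the sudoers-documented way to let a user edit one file without running the editor as root.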
THANK YOU FOR READING!!!! :)