Linux Boxes

openadmin

  1. nmap
  2. http
    1. gobuster
    2. /ona
      1. gobuster 10.10.10.171/ona
        1. login.php
  3. initial foothold
    1. opennetadmin.sh script error & reddit post help
      1. script fix
    2. rev.php
    3. user enumeration
  4. priv esc to jimmy
    1. ssh jimmy@10.10.10.171
  5. priv esc to joanna
    1. main.php
    2. check internal listening ports w/ ss -lntp
    3. curl 127.0.0.1:52846
    4. ssh2john
    5. john brute force
    6. ssh to joanna
  6. priv esc to root
    1. sudo /bin/nano /opt/priv
  7. user/root

openadmin

images/1729-1.png
images/1729-2.png

nmap

images/1730-1.png

http

images/1746-1.png
there are /artwork and /sierra directories, but /music is the only page that has a login feature
images/1746-2.png

gobuster

images/1731-1.png

images/1731-2.png

/ona

following the login button on the /music page leads us to /ona, which stands for OpenNetAdmin
images/1747-1.png

gobuster 10.10.10.171/ona

images/1744-1.png

images/1744-2.png

login.php

images/1753-1.png

images/1753-2.png

initial foothold

searchsploit opennetadmin reveals there's an RCE exploit we can use to get a foothold

images/1735-1.png


we have a foothold, but it is very limited; let's call back a reverse shell
images/1735-2.png


opennetadmin.sh script error & reddit post help

downloading the exploit straight from searchsploit may lead to this error:

images/1749-1.png

fix it by saving the raw code from Exploit-DB to the file
images/1749-2.png

script fix

images/1750-1.png

saving this raw code directly onto the box fixes the problem
images/1750-2.png

rev.php

we have remote code execution with our sh script, but it's limited and we cannot traverse the webserver. we'll have to call back a shell with more capabilities

images/1743-1.png

images/1743-2.png

now set up an HTTP server and download the PHP script onto the target:
images/1743-3.png
images/1743-4.png

checking /var/www/ona we see our reverse shell is there; let's run it from the web browser
images/1743-5.png

next, navigate to our rev.php file on the box to call back our reverse shell
images/1743-6.png

images/1743-7.png

user enumeration

looking at the home directory we see there are users jimmy and joanna

images/1752-1.png

priv esc to jimmy

doing some enumeration, we see there's a file database_settings.inc.php in the /ona/local/config directory that leaks some credentials
images/1734-1.png

images/1734-2.png

we see a stored password: n1nj4W4rri0R!
images/1734-3.png

ssh jimmy@10.10.10.171

trying the password n1nj4W4rri0R! for jimmy gets us in!

images/1751-1.png

priv esc to joanna

to priv esc to joanna we have to find the main.php script that openadmin's second webserver runs, download her encrypted ssh key, extract a hash from it with ssh2john, crack the passphrase with john, and then use the key to log in as joanna

main.php

we see main.php reads out joanna's ssh key!

images/1740-1.png


images/1740-2.png

check internal listening ports w/ ss -lntp

ss -lntp
images/1738-1.png



curl 127.0.0.1:52846

save the key to joanna_encr_key
images/1737-1.png

ssh2john

ssh2john.py joanna_encr_key

images/1739-1.png

john brute force

john joanna_ssh_hash --wordlist=/usr/share/wordlists/rockyou.txt

images/1745-1.png
don't forget to restrict the key file's permissions with chmod 600 joanna_encr_key, otherwise ssh refuses to use it

images/1745-2.png

ssh to joanna

images/1754-1.png

priv esc to root

images/1736-1.png

GTFOBins:
images/1736-2.png
images/1736-3.png

sudo /bin/nano /opt/priv

images/1741-1.png
images/1741-2.png
inside nano, type:
^R^X
reset; sh 1>&0 2>&0

images/1741-3.png
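The root step works because sudo lets joanna run an editor as root, and editors can spawn a shell. As an added example that is not part of the original writeup, this script audits sudoers-style rules for grants of binaries with known shell escapes; the sample sudoers text is constructed to mirror the box's grant, and the binary list is a hypothetical starting point, not a complete catalogue.

```python
import re

# Binaries that can spawn a shell when run under sudo (editors, pagers, interpreters).
# Constructed starting list for this example; extend it from GTFOBins as needed.
SHELL_ESCAPE_BINS = {"nano", "vi", "vim", "less", "more", "man", "awk", "find", "python3", "perl"}

# Constructed sudoers sample; the joanna line mirrors "sudo /bin/nano /opt/priv" from the box.
SAMPLE_SUDOERS = """\
# constructed sample, not the box's real /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
jimmy   ALL=(ALL) /bin/cat /var/log/apache2/access.log, /bin/ls /var/www
"""

# user  host=(runas) [TAG:] cmd[, cmd...]
SUDOERS_LINE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")


def parse_sudoers(text):
    """Return (user, runas, tags, [commands]) for each user spec; Defaults and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_LINE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        while True:                                   # peel off tags such as NOPASSWD: or SETENV:
            t = re.match(r"^([A-Z]+):\s*", rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        cmds = [c.strip() for c in rest.split(",")]
        entries.append((m.group("who"), m.group("runas"), tags, cmds))
    return entries


def risky_grants(text):
    """Flag rules that let a user run a shell-escape-capable binary via sudo."""
    findings = []
    for who, runas, tags, cmds in parse_sudoers(text):
        for cmd in cmds:
            binary = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the granted command
            if binary in SHELL_ESCAPE_BINS:
                findings.append({"user": who, "runas": runas, "cmd": cmd,
                                 "nopasswd": "NOPASSWD" in tags})
    return findings


if __name__ == "__main__":
    for f in risky_grants(SAMPLE_SUDOERS):
        print(f"{f['user']} can run {f['cmd']} as ({f['runas']}) nopasswd={f['nopasswd']}")
```

Run it against the output of `sudo -l` or a copy of /etc/sudoers; any hit is a grant to replace with a purpose-built script or a restricted editor such as sudoedit.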

user/root

images/1732-1.png
c9b2cf07d40807e62af62660f0c81b5f


images/1732-2.png
2f907ed450b361b2c2bf4e8795d5b561