OpenAdmin #25

Nmap Result: 
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
​
dirsearch: 
 
/music/ 
/ona/
openadmin.htb
Version: 18.1.1
​
Tried this exploit: 
GitHub - d4t4s3c/OpenNetAdmin18.1.1RCE: OpenNetAdmin 18.1.1 - Exploit - Remote Code Execution (RCE)
GitHub
 
​
Got a shell with www-data! 
ona_sys
n1nj4W4rri0R!
​
jimmy joanna were found during the enum.
got in as jimmy. 
interesting.
​
Pass
00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
Revealed 
/etc/apache can be seen.
​
Port number 52846 
​
Port forward it to the 52846. 
ssh [email protected] -L 4545:localhost:52846
Now visit http://127.0.0.1:4545  (NEW) SO COOL!!!
Logging with the creds, I got Joanna's SSH key! 
Cracked it with john. 
 
bloodninjas
ssh -i id_rsa.bak [email protected]
Finally in Joanna!
/bin/nano /opt/priv
 
Now we are root.
Finding creds was the hardest part on this box! 
Hack the box Write-ups
Jarvis #24 SQL Injection (UNION) & abusing systemctl with wrong permission.
Last modified 1yr ago