OpenAdmin | HTB | OSCP | Box 4

Part of TJ Null OSCP-like Box Series

Tanzil Rehman

Enumeration

NMAP

┌──(root💀kali)-[/home/kali/htb/openadmin]
└─# nmap -A -sV -sC -O -p- 10.10.10.171
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-15 02:23 EDT
Nmap scan report for 10.10.10.171
Host is up (0.089s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 94.17 ms 10.10.14.1
2 94.49 ms 10.10.10.171

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.98 seconds

NMAP Script

┌──(root💀kali)-[/home/kali/htb/openadmin]
└─# nmap --script vuln -p 22,80 10.10.10.171
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-15 02:32 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.171
Host is up (0.091s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)

Port 80

It is just the default Apache home page.

For Apache httpd 2.4.29, I wasn't able to find any exploit.

Since port 80 is open, let's start directory enumeration.

I found the following directories.

┌──(root💀kali)-[/home/kali/htb/openadmin]
└─# feroxbuster --url http://10.10.10.171 --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o 80.txt

by Ben "epi" Risher 🤓 ver: 2.3.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.171
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💾 Output File │ 80.txt
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301 9l 28w 312c http://10.10.10.171/music
301 9l 28w 316c http://10.10.10.171/music/css
301 9l 28w 315c http://10.10.10.171/music/js
301 9l 28w 314c http://10.10.10.171/artwork
301 9l 28w 318c http://10.10.10.171/artwork/css
301 9l 28w 317c http://10.10.10.171/artwork/js
301 9l 28w 321c http://10.10.10.171/artwork/images
301 9l 28w 320c http://10.10.10.171/artwork/fonts
301 9l 28w 319c http://10.10.10.171/music/Source
301 9l 28w 313c http://10.10.10.171/sierra
301 9l 28w 317c http://10.10.10.171/sierra/img
301 9l 28w 322c http://10.10.10.171/sierra/img/blog
301 9l 28w 325c http://10.10.10.171/sierra/img/comment
301 9l 28w 330c http://10.10.10.171/sierra/img/testimonials
301 9l 28w 322c http://10.10.10.171/sierra/img/icon
301 9l 28w 322c http://10.10.10.171/sierra/img/team
301 9l 28w 328c http://10.10.10.171/artwork/css/bootstrap
301 9l 28w 317c http://10.10.10.171/sierra/css
[####################] - 17m 4190355/4190355 0s found:18 errors:3315011

I visited every site, but /music is the one that has interesting stuff.

Clicking the login link:

Using the exploit in this repository.

Shell as www-data

Reverse Shell

Let's get a reverse shell.

After enumerating, I found the following file:

/opt/ona/www/local/config/database_settings.inc.php

Whenever I get a password, I try it with every user, as password reuse is a very common thing.

This password worked for Jimmy.

Shell as Jimmy

As Jimmy, the most interesting directory is the following:

From the following command:

netstat -ano

Now we know MySQL is running, but there is another unusual port, 52846, listening locally.

I also found an Apache server.

It is possible that internal (which could mean an internally available site) is what is served there: it contains index.php and main.php, and there is an Apache server (which also runs PHP). In addition, port 52846 is listening locally.

Let's try curl to see if we can access it; otherwise we'll make a tunnel.
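The check above (comparing what listens on the box against what was reachable from outside) is easy to script. This is an added example, not part of the original writeup; the `netstat -ano` output below is constructed to resemble what the box showed, not captured from it.

```python
from dataclasses import dataclass

# Constructed sample of Linux `netstat -ano` output (not captured from the box).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 10.10.10.171:22         10.10.14.5:41234        ESTABLISHED keepalive (6.42/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
"""

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    loopback_only: bool


def parse_listeners(text):
    """Return every socket in LISTEN state as a Listener; other states are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 wildcards such as ':::80' intact ('::' + '80').
        addr, _, port = parts[3].rpartition(":")
        out.append(Listener(parts[0], addr, int(port), addr in LOOPBACK))
    return out


def loopback_only_ports(text):
    """Ports bound only to loopback: services reachable from the host itself
    but invisible to an external port scan (here MySQL and the unknown 52846)."""
    listeners = parse_listeners(text)
    exposed = {l.port for l in listeners if not l.loopback_only}
    return sorted({l.port for l in listeners if l.loopback_only and l.port not in exposed})


def hidden_services(text, scanned_open_ports):
    """Loopback-only ports that an external scan (e.g. the nmap results) could not see."""
    return [p for p in loopback_only_ports(text) if p not in set(scanned_open_ports)]
```

Running `hidden_services(SAMPLE_NETSTAT, [22, 80])` against the constructed output reports 3306 and 52846, the two services the external nmap scan could never have shown.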

Here is the key!

I copied the key and saved it on my Kali box. The key is encrypted.

Let's crack the key's passphrase using John the Ripper.

Shell as Joanna

I can use it now and SSH into the box as Joanna.

User.txt

Privilege Escalation

There is a privilege escalation technique for nano when it can be run through sudo:

sudo /bin/nano /opt/priv
ctrl + r
ctrl + x
reset; bash 1>&0 2>&0

I can't show Ctrl+R and Ctrl+X (as they have no visible effect on screen), but I can show the last command.

Press enter

Type clear
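From the defender's side, the root cause is a sudo rule that hands out an editor with a built-in shell escape. The following sudoers audit is an added example, not code from the writeup; the sudoers content is a constructed sample (the box's real rule is not shown on the page), and the list of escape-capable binaries is an assumption based on well-known editor/pager behaviour.

```python
import re

# Binaries that can run an external command from inside the program
# (nano's Ctrl+R "Read File" then Ctrl+X "Execute Command" is the case in this writeup).
SHELL_ESCAPE_BINARIES = {"nano", "vim", "vi", "less", "more", "man"}

# Constructed sudoers sample; not the actual file from the box.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%admin  ALL=(ALL) ALL
"""

# user  hosts=(runas) [TAG:]... commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)=(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)+)?(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user-specification lines; comments, blanks and unknown syntax are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "who": m.group("who"),
            "runas": m.group("runas") or "root",
            "tags": (m.group("tags") or "").strip(),
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def risky_rules(text):
    """(user, command, nopasswd) for every rule granting an escape-capable binary."""
    findings = []
    for rule in parse_sudoers(text):
        for cmd in rule["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append((rule["who"], cmd, "NOPASSWD" in rule["tags"]))
    return findings
```

On the constructed sample only the nano rule is flagged; restricting the path argument (`/opt/priv`) does not help, because the escape happens inside nano regardless of which file was opened.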

Root.txt
