OpenAdmin | HackTheBox Writeup

Overview

OpenAdmin is an easy Linux-based machine in HackTheBox 

User Part

Start  with nmap scan found 2 open ports

Go to the Website , We Can see the Default apache webpage

Search for directories and files in the webpage and i got music directory

Go to the website,there are some menu option go throught the options

 

When i looked into login, it is more interesting, the version is not the latest version,
We can see the version is 18.1.1

So I searched for an exploit and I found exploit from exploitdb

Run the Exploit and we got the shell

Root Part

Go to /etc/passwd and we can see the users are jimmy and joanna

After Some enumeration in the web directory shell,i found an intresting file

in local/database_settings.inc.php , that file have database creadentials.

 

We found jimmy and joanna are the users from /etc/passwd ,
so I tried with jimmy and joanna, the password is correct for jimmy

After some enumeration in the web directory, i found a interesting files

Reading the main.php, we can see the file id_rsa of joanna is storing to a variable output and printing the output,
so we need to find where is it printing, for that we need to find the port where we can found it

While running netstat we can see a port 52846 is running in localhost

We found a main.php is calling joanna’s id_rsa of ssh, so i look for main.php in localhost and it print joanna’s id_rsa

For Cracking Password from the id_rsa file, i used ssh2john and john. After the password cracking, i got the password id “bloodninjas”

we got password and RSA file,so lets login to joanna

Now lets check for commands that we can run with sudo, and we got we can run nano as root

Open the nano with sudo command

Go to GTFObins we found nano can execute shell

So I tried to execute a shell in Nano,by opening nano then ctrl+R then ctrl+X
then can copy-paste the third line in there and hit enter, we got root shell

Now we can read the root.txt

Share on facebook
Share on twitter
Share on linkedin