Recon:
On HTB, recon starts with the machine info screen shown above: the map lays out what you're likely to be facing, in this case a CVE-based vulnerability, and often the machine name gives a hint.
Next up, the usual series of Nmap scans. In this case there isn't much open; a summary is shown below:
Nothing special here; banner grabs showed the same, with nothing new or custom.
Banners:
Continuing recon, we move over to Dirbuster, initially just a directory scan using the common list. Dirbuster locates the /ona/ directory, so we go for a visit; while we do, I leave Dirbuster running a file and directory scan on /ona/.
Well, this is handy.
We have a publicly accessible page clearly showing it is running an out-of-date version of OpenNetAdmin. Let's see if this version (18.1.1) has any vulnerabilities:
I really don't like using Metasploit modules for exploitation; scanning, listeners, Meterpreter... all good stuff, but I hate exploiting this way. That said, I was feeling a little lazy on this particular morning, so I went with the Metasploit module for the initial foothold, a sin I repay later with some manual tooling.
Whilst I was wrestling my conscience and losing, Dirbuster found the predictable login page. Whoop. It wasn't hard to find given it was linked, so no bonus points for Dirbuster here.
So, we now have a vulnerability and a ready-baked module to help exploit it (it's really easy to do manually, it just takes a few minutes longer).
I won't go through the whole setup of the Metasploit module; it's too easy as it is.
Here we have it: a reverse TCP shell via Meterpreter. We're on as "www-data", the account running the Apache process hosting the ONA web site.
Now we have a foothold, we need to move to a user with real privileges, so more enumeration is coming.
Awesome, we have two user accounts to play with: jimmy and joanna. No passwords or hashes yet though, so it's time to search around for config files, but first, let's deal with the lack of a TTY.
Looking around the current directory and its subdirectories, I found the below in a config file:
Databases are always a good place to have a poke around for credentials, so I went straight for database_settings.inc.php.
Very nice, we have a MySQL account password. Before we try to abuse that, let's see if we have a case of password reuse; you'd be surprised how often this works!
Sure enough, SSH as jimmy using the MySQL account password and we’re in.
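The defensive lesson from the config file above is that a web application's database credentials sit in plaintext, readable by the web server account and often by every local user. Below is an added example, not part of the original write-up and not OpenNetAdmin's own code, of a small audit script that walks a web root for PHP config files, reports credential-looking assignments with the value masked, and checks whether the file is readable beyond its owner. The sample config content, the directory layout under ona/local/config/ and the placeholder password are constructed for the example.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Matches credential-looking assignments in PHP config files, both plain
# variables ($db_password = '...';) and array entries ('db_passwd' => '...').
SECRET_RE = re.compile(
    r"(?P<key>\w*(?:passwd|password|pass|secret|token)\w*)['\"]?\s*(?:=>|=)\s*"
    r"['\"](?P<value>[^'\"]*)['\"]",
    re.IGNORECASE,
)

# Constructed sample in the style of an OpenNetAdmin database_settings.inc.php;
# the password is a placeholder, not a value from the box.
SAMPLE_CONFIG = """<?php
$ona_contexts = array(
  'DEFAULT' => array(
    'databases' => array(
      0 => array(
        'db_type'   => 'mysqli',
        'db_host'   => 'localhost',
        'db_login'  => 'ona_sys',
        'db_passwd' => 'CONSTRUCTED-EXAMPLE-PASSWORD',
      ),
    ),
  ),
);
$api_token = '';   // empty placeholder: not a leak, should not be reported
"""


def find_hardcoded_secrets(text):
    """Return (key, value) pairs for non-empty credential assignments in config text."""
    return [
        (m.group("key"), m.group("value"))
        for m in SECRET_RE.finditer(text)
        if m.group("value")
    ]


def readable_by_others(path):
    """True if the group or world read bit is set: the web server account needs to
    read the file, but a group/world-readable copy exposes it to every local user."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_config_tree(root):
    """Walk a web root for PHP files and report hardcoded credentials with a
    masked value and the file's readability."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        for key, value in find_hardcoded_secrets(path.read_text(errors="replace")):
            findings.append({
                "file": str(path.relative_to(root)),
                "key": key,
                "value_masked": value[:2] + "*" * (len(value) - 2),
                "readable_by_others": readable_by_others(path),
            })
    return findings


def demo():
    """Build a throwaway web root holding the constructed config and audit it."""
    with tempfile.TemporaryDirectory() as root:
        cfg_dir = Path(root) / "ona" / "local" / "config"   # assumed layout
        cfg_dir.mkdir(parents=True)
        cfg = cfg_dir / "database_settings.inc.php"
        cfg.write_text(SAMPLE_CONFIG)
        os.chmod(cfg, 0o644)   # the usual default: world-readable
        return audit_config_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real web root the findings list tells you which files need tightening (root:www-data with mode 0640 is the usual target) and, more importantly, which passwords to check against the system accounts for the reuse this box turns on.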
At this point we have a user but no flag; we need to own the joanna account. Let's see if MySQL can help:
mysql --user ona_sys --password ona_default
Cracking the admin hash was a pain, but also not necessary. I continued with enumeration and found the web server to be running an internal web site as well as the external ONA.
Enumerating the internal web directory, I found a password hash in the logon form and a very interesting PHP function.
Running the hash against an online tool yielded the below:
The really useful find is the PHP function that sits behind that login page:
This is brilliant. I'm not sure why you'd ever do this in the real world, but hey, we'll take it. We have a function that will read out joanna's SSH private key, but the page is only accessible internally. Normally I'd tunnel it out, but we can get this one even more easily with a simple curl:
Now we’re cooking!
We have joanna's SSH private key; if we can decrypt it, we can use it to connect via SSH as joanna without her actual password.
Turning back to the hint included in the PHP comments:
We're going to need a wordlist to run against the private key file. Rather than fire the entire rockyou.txt at it, we can use the above hint to extract all words from rockyou that contain "ninja"; if needed, we can then run that list through john with --rules to generate complex variations.
grep ninja /usr/share/wordlists/rockyou.txt > ninjawords
Now we have some words, we're going to need to brute-force the passphrase on the SSH private key we stole. OpenSSL includes a command for decrypting encrypted PEM private keys; let's abuse that with the wordlist we have. There are ready-made scripts and tools for this; I adapted one I had from another box, and you can also do this with a simple Bash loop.
Running this script against the wordlist pulled from rockyou resulted in the below:
Superb! We can use that private key to log on as joanna.
And we're on. Let's get us a flag:
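Why does a wordlist finish so quickly against this key? A key in the legacy "-----BEGIN RSA PRIVATE KEY-----" layout with a Proc-Type: 4,ENCRYPTED header derives its cipher key from the passphrase with OpenSSL's EVP_BytesToKey (one MD5 round), so every guess costs almost nothing, whereas the current openssh-key-v1 format uses bcrypt with a configurable round count. The following is an added example, not code from the write-up, of a key-hygiene check a defender can run over ~/.ssh and backup shares to find unencrypted keys and keys with a weak or low-round KDF. The legacy PEM fixture and the openssh-key-v1 header builder are constructed for the example and are not usable keys; only the header fields are parsed.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
RECOMMENDED_BCRYPT_ROUNDS = 16   # ssh-keygen's default for -a; raise it for keys that leave the host

# Constructed fixture in the legacy OpenSSL PEM layout; the body is filler,
# not a real key, and is never decoded below.
LEGACY_ENCRYPTED_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

MIIEowIBAAKCAQEAconstructedFixtureNotARealKey
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(data):
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def build_constructed_openssh_header(cipher, kdf, rounds=0):
    """Constructed fixture: only the openssh-key-v1 header fields a hygiene check
    reads (cipher name, KDF name, KDF options). Not a usable key."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)   # salt, rounds
    body = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def classify_private_key(pem_text):
    """Classify a private key file by format and passphrase protection.

    risk values:
      unencrypted  anyone who reads the file can use it immediately
      weak-kdf     legacy PEM: passphrase stretched with one MD5 round, so guessing is cheap
      low-rounds   openssh format, but bcrypt rounds below the recommended minimum
      ok           openssh format with bcrypt at or above the recommended rounds
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_ssh_string(body, off)
        kdf, off = _read_ssh_string(body, off)
        kdfopts, off = _read_ssh_string(body, off)
        info = {"format": "openssh", "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": None}
        if cipher == b"none":
            info["risk"] = "unencrypted"
        elif kdf == b"bcrypt":
            _salt, o = _read_ssh_string(kdfopts, 0)
            (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
            info["risk"] = "ok" if info["rounds"] >= RECOMMENDED_BCRYPT_ROUNDS else "low-rounds"
        else:
            info["risk"] = "weak-kdf"
        return info
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----"):
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        dek = next((ln.split(": ", 1)[1] for ln in lines if ln.startswith("DEK-Info: ")), "")
        return {
            "format": "legacy-pem",
            "cipher": dek.split(",", 1)[0] if dek else "none",
            "kdf": "EVP_BytesToKey(md5, 1 round)" if encrypted else "none",
            "rounds": 1 if encrypted else None,
            "risk": "weak-kdf" if encrypted else "unencrypted",
        }
    raise ValueError("unrecognised private key file")


def remediation(info):
    """Suggested fix for anything that is not 'ok': re-encrypt in the openssh format with bcrypt."""
    if info["risk"] == "ok":
        return None
    return "ssh-keygen -p -o -a 64 -f <keyfile>   (enter a passphrase that is not a single dictionary word)"
```

The ssh-keygen invocation in remediation() is the standard one: -p changes the passphrase, -o writes the openssh-key-v1 format and -a sets the bcrypt round count, and the same command converts an old PEM key in place.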
Priv Esc
The privilege escalation is a little disappointing:
joanna can run nano via sudo, so we can start nano this way and then simply open the root flag from /root/desktop/root.txt. I'm not going to show this bit; you can use nano, right?
sudo /bin/nano /opt/priv
Open the flag and you’re done.
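The fix for this priv esc is on the sudoers side: an interactive editor running as root can read or write any file, so a rule that grants one is a grant of root, and the intended way to let a user edit one privileged file is sudoedit, which copies the file out, runs the editor as the invoking user and copies the result back with privileges. Below is an added example, not from the write-up, of a sudoers audit that flags such rules and prints the sudoedit rewrite. The sample sudoers content is constructed; the joanna line mirrors the kind of grant the box has, the other lines are filler.

```python
import os
import re

# Interactive editors: run as root they can open, modify or write any file,
# so a sudo rule granting one is effectively a grant of root.
INTERACTIVE_EDITORS = {"nano", "pico", "vi", "vim"}

# user  host=(runas) [TAG:] command [args]  -- enough of the sudoers grammar for simple grants
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample; not the box's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
"""


def audit_sudoers(text):
    """Return one finding per rule that hands an interactive editor to sudo,
    with the equivalent sudoedit rule that keeps the editor unprivileged."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            parts = cmd.strip().split()
            if not parts or os.path.basename(parts[0]) not in INTERACTIVE_EDITORS:
                continue
            runas = f"({m.group('runas')}) " if m.group("runas") else ""
            tags = m.group("tags").strip()
            tags = tags + " " if tags else ""
            editor = os.path.basename(parts[0])
            findings.append({
                "user": m.group("who"),
                "command": cmd.strip(),
                "passwordless": "NOPASSWD:" in tags,
                "reason": f"{editor} running as root can read or write any file",
                "suggested": f"{m.group('who')} {m.group('host')}={runas}{tags}sudoedit {' '.join(parts[1:])}".rstrip(),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

The rewrite keeps the original intent (joanna may edit /opt/priv without a password) while taking the root-level editor session away; on a real host run it over /etc/sudoers and /etc/sudoers.d/*, and validate the rewritten rule with visudo -c before deploying it.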