Let’s start with nmap, all ports. I’ve been caught too many times by scanning only the top 1000 ports and missing something. I’d rather do it once, save the output and work from there.
sudo nmap -sV -sC -p- 10.10.10.171
We have SSH on port 20, and an Apache Web Server on port 80. SSH is rarely the initial attack vector so let’s concentrate on Port 80.
Booting up Firefox, we have the default Apache landing page. Version is Apache is 2.4.29
Not really major going on. Start GoBuster.
We get some results immediately.
We hunt around the website;
And the login page take us to the following;
We are on version 18.1.1 of…something? Clicking the download button takes us to https://opennetadmin.com – Seems to be some sort of open-source software.Let’s check for any exploits.
Let’s make a copy of the last one.
I find it best to have a quick read of the exploit and just try to run it without any paramters to make sure its not got errors or packages that I am missing. This was does have appear to have some formatting error;
Re-download the exploit from exploit-db, save it to a new file and make it executable. This app is located in the /ona/ subfolder so we need to ensure we include that;
Seems like the exploit worked and we are on the box. It’s a really crappy shell though;
Research into OpenNetAdmin, where are credentials stored? Seems to be located in database_settings.inc.php
I couldn’t move directories or do much at all. And I simply couldn’t get a decent shell back using the netcat binary which is on the box.
I check the webapp directories for config files, hoping to get some credentials;
locate ona |grep config
database_settings.inc.php looks good enough. Let’s grep this file for “pass” and report back two lines above and below that entry, if any
grep -C2 pass /opt/ona/www/local/config/database_settings.inc.phpWe manage to lift the password n1nj4W4rri0R!
Let’s check what users are on this box. Maybe a user likes to reuse credentials and we can log on as a user.
cat /etc/passwd |grep bashWe have 3 users all together. Jimmy, Joanna and root.
Let’s create two files, one for users and one for passwords. We will run CrackMapExec to password spray across SSH.
That password will help us for the user account jimmy, so let’s log in using ssh.
Some basic enumeration on this new user.
There are some local ports. 3306 (which is MySQL) and 52846 which I don’t yet know.
We can’t run anything as sudo. Let’s take a look at files owned by the internal group and keep poking around
Use the cat command on all 3.
index.php reveals a user hash.
Let’s try to crack it using Crackstation. We got it.
It says the password is for Jimmy, but lets try to switch to root and log into with this password. It doesn’t work
We have some other places we can try to use these credentials. Remember we have MySQL running locally. Let’s try to use it there.
I can’t get to MySQL as Jimmy. I even tried the user of root, using the n1nj4W4rri0R! password we already uncovered.
We have another port to enumerate, port 52846. I try to grab the banner with netcat, but nothing is returned. It works for port 3306 however. Not sure why it didn’t work.
I will forward the port to my local kali instance and run nmap over it.
ssh jimmy@10.10.10.171 -L 8000:127.0.0.1:52846
Now I can run nmap over this.
Looks like it is a Apache web server. Let’s visit it in our browser.
Lets try our credentials jimmy / Revealed.
Appears to be a SSH private key. Let’s copy it to a file.
Let’s crack the password for this SSH file. We first need to convert it to a file readable by John, and then feed John a wordlist to crack it.
sudo python /usr/share/john/ssh2john.py key.ssh
sudo john --wordlist=/usr/share/wordlists/rockyou.txt
We recovered a password of bloodninjas
I tried to switch to root again, but it doesn’t work
Let’s try to switch to joanna.
ssh -i key.ssh joanna@10.10.10.171
And we are on the box as joanna. Let’s grab the user.txt flag
Re run linpeas which is still in our temp directory.
We notice this. We can get the same results with sudo -l
Running Nano as sudo is definitely interesting. Let’s head to gtfo bins to see if we can escape this and get a shell or read files
Lets open nano and then hit Ctrl R and then Ctrl X
Input the following command to execute, just spam enter a few times. We get the shell and the root.txt flag!
Box done!
