
OpenAdmin HacktheBox Walkthrough

In this article we are going to solve another challenge, OpenAdmin from HackTheBox. It is an easy-rated machine. I know this machine is very old and is retired now, but it was my first machine on HackTheBox, so I just wanted to share my approach to my first HackTheBox challenge. Hope you will like the walkthrough :)




As usual, I started with nmap to find open ports and services running on the target machine, using the command:


nmap -sC -sV -Pn 10.10.10.171

I started enumerating port 80 and found a simple default Apache server page, and then I tried a directory brute force using the command:


wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 -t 50 http://10.10.10.171/FUZZ/

/music and /artwork don't seem to be useful for us, so we opened the directory /ona.


I started searching the internet for OpenNetAdmin 18.1.1 and found a Python script on GitHub. After running the script I got a shell as user www-data.

This looks really good :)

After this I started exploring different directories and found two usernames in /home:

  1. joanna

  2. jimmy

After enumerating more, I found a password in /local/config/database_settings.inc.php

I tried this password for both users and got in as user jimmy!

After getting a shell as user jimmy, the first thing I did was check the /var/www/ directory, and in one go I found the internal directory with some interesting files.

If we somehow manage to run main.php, we can find the SSH private key of user joanna, but it is running locally, so we can't open it like http://10.10.10.171/main.php. After some more enumeration I found that port 52846 is open, so here we can think of port forwarding, and for that I used the command:


ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171

Now I tried to open http://127.0.0.1:52846 and found a login panel.



I tried the password we found earlier, but it didn't work for user joanna or jimmy, so after more enumeration I found something interesting again in the /var/www/internal/ directory.


After cracking the hash, the password was revealed.
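Both footholds above came from secrets stored in web application source: the password in database_settings.inc.php and the hash under /var/www/internal/. The following audit script is an added example, not part of the original walkthrough or of the machine's code; it scans a PHP tree for plaintext credential assignments and hard-coded hex digests. The sample files, key names and values are constructed, and matching digests by hex length is an assumption about how such a hash would be stored.

```python
import re
import tempfile
from pathlib import Path

# Hex digest lengths of common unsalted hashes.
DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
HEX_LITERAL = re.compile(r"""['"]([0-9a-fA-F]{32,128})['"]""")
# A quoted value assigned to a name containing pass/pwd/secret.
PASSWORD_ASSIGN = re.compile(
    r"""['"$]?\w*(?:pass|pwd|secret)\w*['"]?\s*(?:=>|=)\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)

def scan_file(path):
    """Return (line_no, kind) findings for one file; secret values are never echoed."""
    findings = []
    for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # skip comment lines
        hashes = [m for m in HEX_LITERAL.findall(line) if len(m) in DIGEST_LENGTHS]
        for digest in hashes:
            findings.append((no, f"hardcoded {DIGEST_LENGTHS[len(digest)]}-length digest"))
        if not hashes and PASSWORD_ASSIGN.search(line):
            findings.append((no, "plaintext credential"))
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {relative_path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_file(path)
        if found:
            report[str(path.relative_to(root))] = found
    return report

def build_sample(root):
    """Write constructed sample files; names and values are illustrative only."""
    (root / "config").mkdir()
    (root / "config" / "db.inc.php").write_text(
        "<?php\n$conf = array(\n  'db_login' => 'app',\n  'db_passwd' => 'Sample-Pass-1',\n);\n")
    (root / "login.php").write_text(
        "<?php\n// compare against stored digest\n"
        "if (hash('sha512', $_POST['password']) == '" + "ab" * 64 + "') { $ok = true; }\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for name, found in scan_tree(tmp).items():
            print(name, found)
```

Any hit is a secret to move out of the web root and rotate, and a database password that also works for a local account is the reuse that let the earlier step succeed.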

After a successful login with the password and user jimmy, we can see the id_rsa file of user joanna.

Now I used these keys to log in as joanna, but it asked for the passphrase. Using ssh2john.py and john I cracked the password easily, and it was #Try_Harder.


Now I checked user privileges using the command sudo -l and found something very interesting.

Now it's GTFOBins time :)

We are root now, and this completes our challenge.

