OpenAdmin HacktheBox Walkthrough

In this article we are going to solve another challenge OpenAdmin from Hackthebox , it is an easy rated machine , I know this machine is very old and it is retired now but this was my first machine in hackthebox , So I just wanted to share my approach for my first hackthebox challenge , Hope you will like the walkthrough :)


walkthrough


As usual I started with nmap to find open ports and services running in the target machine using the command


nmap -sC -sV -Pn 10.10.10.171

I started enumerating the port 80 and found a simple Default Apache server page and then I tried directory bruteforce using the command


 wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 -t 50 http://10.10.10.171/FUZZ/

/music and /artwork doesn't seems to be useful for us , so we opened the directory /ona.


I start searching on the internet for open net admin 18.1.1 and found a python script on github , after running the script I got shell of user www-data

This looks really good :)

after this I start exploring different directories and found two username in /home as

  1. joanna

  2. jimmy

After enumerating more , I found a password in /local/config/database_settings.inc.php

I tried this password for both the users and got in as user jimmy!

and after getting shell of user jimmy , first thing I did was to check /var/www/ directory and in one go I found internal directory with some interesting files.

if somehow we manage to run main.php then we can find the ssh private_key of user joanna , but it is running locally so we can't open it like http://10.10.10.171/main.php , after some more enumeration I found that port 52846 is open , so here we can think of Port forwarding and for that I used the command .


ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171

now I tried to open http://127.0.0.1:52846 and found a login panel.



I tried the password we found earlier but it didn't worked for user joanna and jimmy as well , so after more enumeration I found something interesting again in /var/www/internal/ directory.


After cracking the hash the password was Revealed.

and after successful login with the password and user jimmy , we can see id_rsa file of user joanna

now I used these keys to login into joanna but it asked for the passphrase and using ssh2john.py and john I cracked the password easily and it was #Try_Harder.


now I checked for user privileges using the command sudo -l and found something very interesting

Now it's GTFOBins time :)

We are root now and this completes our challenge


#CTF #Hackthebox #Cyber_Security #Ethical_Hacking #Happy_Hacking :)

Recent Posts

See All

Website change notice

As you all know that our website is providing walkthrough of different challenges from different platforms and without any advertisement but due to some funds issue we can't continue this website :( S

Subscribe to HacLabs newsletter

Get priority notification on the release of the latest articles.

  • YouTube
  • Twitter
  • Instagram
  • Linkedin

© 2020 by HacLabs.