In this article we are going to solve another challenge, OpenAdmin from HackTheBox. It is an easy-rated machine. I know this machine is very old and it is retired now, but this was my first machine on HackTheBox, so I just wanted to share my approach for my first HackTheBox challenge. Hope you will like the walkthrough :)
As usual, I started with nmap to find open ports and services running on the target machine, using the command:
nmap -sC -sV -Pn 10.10.10.171
I started enumerating port 80 and found a simple default Apache server page, and then I tried a directory brute force using the command:
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 -t 50 http://10.10.10.171/FUZZ/
/music and /artwork don't seem to be useful for us, so we opened the directory /ona.
I started searching on the internet for OpenNetAdmin 18.1.1 and found a Python script on GitHub. After running the script I got a shell as user www-data.
This looks really good :)
After this I started exploring different directories and found two usernames in /home as
After enumerating more, I found a password in /local/config/database_settings.inc.php
I tried this password for both the users and got in as user jimmy!
After getting a shell as user jimmy, the first thing I did was check the /var/www/ directory, and in one go I found the internal directory with some interesting files.
If we somehow manage to run main.php, we can find the SSH private key of user joanna, but it is running locally, so we can't open it like http://10.10.10.171/main.php. After some more enumeration I found that port 52846 is open, so here we can think of port forwarding, and for that I used the command:
ssh -L 52846:127.0.0.1:52846 email@example.com
Now I tried to open http://127.0.0.1:52846 and found a login panel.
I tried the password we found earlier, but it didn't work for user joanna or jimmy, so after more enumeration I found something interesting again in the /var/www/internal/ directory.
After cracking the hash, the password was revealed.
After a successful login with the password and user jimmy, we can see the id_rsa file of user joanna.
Now I checked for user privileges using the command sudo -l and found something very interesting
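From the defender's side, the service on port 52846 was bound to loopback but still reachable, because any account with SSH access can forward to it unless sshd forbids local forwarding. The following Python script is an added example, not part of the original walkthrough: it lists loopback-only listeners from `ss -tln` output and checks the global AllowTcpForwarding setting. The sample inputs are constructed and the function names are hypothetical; only port 52846 comes from the walkthrough.

```python
import re

# Constructed sample of `ss -tln` output (only port 52846 is from the walkthrough).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:52846      0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     *:80                 *:*
LISTEN  0       128     [::1]:631            [::]:*
"""

# Constructed sshd_config fragment: the global directive is commented out.
SSHD_CONFIG = """\
# AllowTcpForwarding no
PermitRootLogin no
Match User backup
    AllowTcpForwarding no
"""

def loopback_listeners(ss_text):
    """Return (address, port) pairs that listen on loopback only, sorted by port."""
    found = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header and non-listening sockets
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")
        if addr.startswith("127.") or addr == "::1":
            found.add((addr, int(port)))
    return sorted(found, key=lambda pair: pair[1])

def global_tcp_forwarding(config_text):
    """Global AllowTcpForwarding value; Match blocks are not evaluated here."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", stripped, maxsplit=1)
        if parts[0].lower() == "match":
            break  # everything after the first Match line is conditional
        if parts[0].lower() == "allowtcpforwarding" and len(parts) == 2:
            return parts[1].split()[0].lower()  # sshd uses the first value it reads
    return "yes"  # sshd default when the keyword is absent

def exposed_via_forwarding(ss_text, config_text):
    """Loopback listeners that a shell user could reach with `ssh -L`."""
    if global_tcp_forwarding(config_text) in ("no", "remote"):
        return []  # local (-L) forwarding is refused globally
    return loopback_listeners(ss_text)
```

On a real host, feed it the output of `ss -tln` and the contents of /etc/ssh/sshd_config; any listener it returns should be treated as reachable by every account that can log in over SSH.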
Now it's GTFOBins time :)
We are root now, and this completes our challenge.