top of page

OpenAdmin HacktheBox Walkthrough

In this article we are going to solve another challenge OpenAdmin from Hackthebox , it is an easy rated machine , I know this machine is very old and it is retired now but this was my first machine in hackthebox , So I just wanted to share my approach for my first hackthebox challenge , Hope you will like the walkthrough :)


As usual I started with nmap to find open ports and services running in the target machine using the command

nmap -sC -sV -Pn

I started enumerating the port 80 and found a simple Default Apache server page and then I tried directory bruteforce using the command

 wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 -t 50

/music and /artwork doesn't seems to be useful for us , so we opened the directory /ona.

I start searching on the internet for open net admin 18.1.1 and found a python script on github , after running the script I got shell of user www-data

This looks really good :)

after this I start exploring different directories and found two username in /home as

  1. joanna

  2. jimmy

After enumerating more , I found a password in /local/config/

I tried this password for both the users and got in as user jimmy!

and after getting shell of user jimmy , first thing I did was to check /var/www/ directory and in one go I found internal directory with some interesting files.

if somehow we manage to run main.php then we can find the ssh private_key of user joanna , but it is running locally so we can't open it like , after some more enumeration I found that port 52846 is open , so here we can think of Port forwarding and for that I used the command .

ssh -L 52846: jimmy@

now I tried to open and found a login panel.

I tried the password we found earlier but it didn't worked for user joanna and jimmy as well , so after more enumeration I found something interesting again in /var/www/internal/ directory.

After cracking the hash the password was Revealed.

and after successful login with the password and user jimmy , we can see id_rsa file of user joanna

now I used these keys to login into joanna but it asked for the passphrase and using and john I cracked the password easily and it was #Try_Harder.

now I checked for user privileges using the command sudo -l and found something very interesting

Now it's GTFOBins time :)

We are root now and this completes our challenge