OpenAdmin Writeup — REBORNSEC

Made by RebornSec ®

Enumeration phase :

As usual, let’s start off with an Nmap scan:

As we can see, the HTTP port is open. Let’s check it in the browser:

Well, nothing interesting, only the default Apache2 HTML page. Using DirBuster with the medium directory list, I got these 3 main results:

http://openadmin.htb/artwork/

http://openadmin.htb/music/

http://openadmin.htb/ona/

Digging into /artwork returned nothing useful. I went into /music, and the Login section redirects you to the /ona/ portal of OpenNetAdmin, which provides a database to track network attributes such as DNS names, IP addresses, subnets and MAC addresses.

To learn more, visit: https://opennetadmin.com/

With some searching I found that version v18.1.1, released on Jan 3, 2018, is vulnerable:

Using the exploit we are in as www-data :

Looking into the internal files, I found some credentials in the MySQL DB settings belonging to “jimmy”:

jimmy:n1nj4W4rri0R!

Also, in /var/www/internal I found some sort of SHA-512 hash belonging to jimmy:

“00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1”

After cracking it we got the following credential:

jimmy:Revealed
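On the defensive side, a hash like this one falls quickly when it is a bare, unsalted SHA-512 of the password (assumed here; the page only calls it "some sort of sha512"). The following is an added example, not code from the box or from OpenNetAdmin: it puts that legacy scheme next to a salted, iterated replacement and upgrades old records on the next successful login. The function names, record format and work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed work factor for PBKDF2-HMAC-SHA512; tune per host

def legacy_hash(password: str) -> str:
    """Bare SHA-512 hex digest: same input always gives the same output,
    so one precomputed wordlist reverses every account that uses it."""
    return hashlib.sha512(password.encode()).hexdigest()

def new_record(password: str) -> str:
    """Salted, iterated record: pbkdf2-sha512$<iterations>$<salt>$<key>."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha512${ITERATIONS}${salt.hex()}${key.hex()}"

def verify(password: str, record: str) -> tuple[bool, str]:
    """Check a login and return (ok, record_to_store).
    A legacy record that verifies is replaced by a salted one."""
    if record.startswith("pbkdf2-sha512$"):
        _, iterations, salt_hex, key_hex = record.split("$")
        key = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                  bytes.fromhex(salt_hex), int(iterations))
        # Constant-time comparison of the derived key with the stored key
        return hmac.compare_digest(key, bytes.fromhex(key_hex)), record
    ok = hmac.compare_digest(legacy_hash(password), record)
    return ok, (new_record(password) if ok else record)

if __name__ == "__main__":
    pw = "constructed-Passw0rd"          # constructed sample, not from the box
    stored = legacy_hash(pw)             # what the legacy app would keep
    ok, stored = verify(pw, stored)      # first good login upgrades the record
    print(ok, stored.split("$")[0])
    print(verify("wrong-guess", stored)[0])
```

Storing the hash outside the web root and not reusing the password for the SSH account matter just as much as the hashing scheme.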

I SSH in as jimmy, and it looks like the user that we are looking for is joanna:

I found a way to tunnel the port to the localhost via SSH and check the localhost:

Login page found! Getting in using the second password found:

And boom, we got joanna’s SSH key:

Next step is to decrypt it :

joanna:bloodninjas

SSH in as joanna and we got user:

Root phase :

I tried to escalate and maintain access to root.txt with elevated privileges :

/bin/nano /opt/priv

sudo cat /root/root.txt

And voilà, we got root.txt. We are now hackers haha :)
