OpenAdmin Writeup — REBORNSEC

Made by RebornSec ®

Enumeration phase :

As usual let’s start off with a Nmap scan :

As we can see http port is open. Let’s check it on the browser :

Well nothing interesting only default Apache2 html page. Using Dirbuster with medium directory list i got these 3 main results:




Digging into /artwork return nothing usefull, i went into /music and theLogin section redirect you to the /ona/ portal of Open Net Admin that provides a database to track the network attributes such as DNS names, IP addresses, Subnets, MAC addresses.

To check more visit :

With some search i found that the version v18.1.1 that released in Jan 3, 2018 is vulnerable :

Using the exploit we are in as www-data :

Looking into the internal files i found some credentials in mysal db settings belong to “jimmy” :


also in /var/www/internal i found some sort of sha512 belong to jimmy


after decrypt it we got the following credential :


I ssh in as jimmy and it’s look like the user that we look for is joanna :

I found a way to Tunnel the port to the localhost via ssh and check the localhost :

Login page found ! Getting in using the second found password :

and Boom we got joanna ssh key :

Next step is to decrypt it :


ssh in as joanna and we got user :

Root phase :

I tried to escalate and maintain access to root.txt with elevated privileges :

/bin/nano /opt/priv

sudo cat /root/root.txt

And VOILA we goot root.txt . We are now hackers haha :)

Cyber Security Specialist