Hack The Box — OpenAdmin

Here we come back again with one of HackTheBox machines ‘OpenAdmin’ which seems like all categories CTF, real life, etc so let’s take a look at it’s info

As you can see it depends on CVE so let’s get started…

Nmap scan

As usual, we start our scan with nmap to get more info about our target

nmap -A -T4 -oG openadmin.gnmap

We have only 2 open ports http and ssh so I understand that I’ll get an entry point like leaked credentials or any custom exploitation from the http:80 and then used it to login to the box using ssh:22 so let’s start enumerating the website

HTTP Enumerate

If we access and openadmin.htb we will get the default page of the server

So we need to brute-force the directories by using dirsearch or gobuster or dirbuster

I’ve 3 directories is available so let’s check the first one

I searched for any CMS or any admin panel to try to find exploit for it but unfortunately there’s nothing found so let’s check /music

Good we have another directory with login page, let’s check it

It redirects us to this URL so what’s ona which have version v18.1.1? Let’s check its source code

That’s good ona means opennetadmin

Generating a shell

Let’s search for exploit related to this CMS

We have one here with the same version and this exploit is also available at metasploit so let’s check it

We have only one, let’s use it and edit its options

I’ve tried the payload x86 but unfortunately it doesn’t work, so I changed it and as you can see it works now, let’s open a shell and get interactive one

Now we’re www-data and I’m not sure that I’ve permission to read the user.txt flag, let’s try

As I expected, permission denied so let’s search for any misconfiguration or anything else which manage us to login as one of these users

After few time of searching for any important files, I’ve found this file in opt/www/local/config which contain database.

I tried to use it to login as joanna but it failed but succeeded with Jimmy

And now we’re in the server as jimmy let’s try to read user.txt

Hmm !! Nothing here !! Okay

I’ve tried to check the network stauts to know if there’s anything there by netstat -tunlp

We have the localhost listening on 2 ports so keep it now and try to find any interesting files again

Here we have interesting file in /var/www/internal which seems that it return back /home/joanna/.ssh/id_rsa from joanna directory if it accessed by a link

I’ll try to access it through the localhost with the open ports which it listens on them and see what will happen

Very good, we have the encrypted RSA for joanna


Let’s try to decrypt it by using openssl and note that we have a password → ninja

openssl rsa -in encrypted_file -out decrypted_file but unfortunately it faces a problem which I can’t understand how to solve it, so I tried to crack it using john the wripper

python ssh2john enc_key > rsa.hash → to generate john hash

john rsa.hash --wordlist=rockyou.txt

And we have the results now bloodninjas as the password

I’ve tried to login with ninja and bloodninjas as password, but it failed, so I’ll try to login using the key itself

And finally we can read the user.txt


I’ve copied linenum.sh from my local machine to the /tmp directory

And after running it, I found that the joanna can execute command as root

So the command is nano so I googled for how to get shell from nano and found this resource

which tells you will type nano → ctrl-R + ctrl-X → reset; sh 1>&0 2>&0 and you will be the root

And it works :)

Congrats ❤

Stay in touch

LinkedIn | GitHub | Twitter

Offensive Security Enthusiast