OpenAdmin is a retired machine running Linux. We are expected to obtain the user and root flags by exploiting its vulnerabilities.
First, we perform a network scan with nmap to get to know the target machine.
Classic Scan
Full port scan
As a result of the port scan, we saw that ports 22/tcp ssh (OpenSSH 7.6p1) and 80/tcp http (Apache httpd 2.4.29) are open.
Since port 80 is open, we proceed with enumeration via the browser.
We could not get detailed information from the website.
We run a directory scan with gobuster and dirbuster.
We detected /artwork, /index.html and /music. Let’s go through the directories in order.
/artwork
/music
Here we discovered that these directories host different websites, so we ran gobuster against them as well.
With this, we have completed the scans.
Let’s continue with web enumeration.
/music
We did not get valuable information here.
When we click Login in the web interface, it redirects us to the /ona page.
On this page, the version number drew our attention, and we investigated whether this version has known vulnerabilities.
Let’s analyze our exploit code
Then we looked for code to use this exploit (if we couldn’t find any, we would have tried it from Burp Suite).
We found the Python code on GitHub (https://github.com/amriunix/ona-rce/blob/master/ona-rce.py).
When we entered the given value, it gave us a shell.
Let’s create a reverse shell for a more stable session.
We got our reverse shell. We move on to local enumeration.
The LinPEAS tool did not provide us with much information.
We continue with manual enumeration. After navigating through quite a few directories, we were able to find database credentials:
'db_type' => 'mysqli', 'db_host' => 'localhost', 'db_login' => 'ona_sys', 'db_passwd' => 'n1nj4W4rri0R!', 'db_database' => 'ona_default'
With this information, we tried to connect to the SQL database and query it, but we could not get any results. We then tried whether we could log in as other users with these credentials, and we obtained an SSH connection as the user jimmy.
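The credentials above were stored in plaintext in a config file that a low-privileged account could read, and the same password was reused for a system login. As a defensive check (an added example, not part of the original writeup or of the OpenNetAdmin project), the following Python script parses PHP-style config arrays for secret-bearing keys and reports whether the file is world-readable. The `SENSITIVE_KEYS` list, the `SAMPLE_CONFIG` text and its password value are constructed assumptions for the example.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Key-name fragments that usually indicate a stored secret (assumed list).
SENSITIVE_KEYS = ("passwd", "password", "secret", "token", "api_key")

# Matches PHP array entries of the form  'key' => 'value'  (single or double quotes).
PHP_PAIR = re.compile(
    r"""['"](?P<key>[A-Za-z0-9_]+)['"]\s*=>\s*['"](?P<value>[^'"]*)['"]"""
)

# Constructed sample laid out like an OpenNetAdmin database config; the
# password value is made up for this example.
SAMPLE_CONFIG = """<?php
$ona_contexts = array(
    'DEFAULT' => array(
        'databases' => array(
            0 => array(
                'db_type'     => 'mysqli',
                'db_host'     => 'localhost',
                'db_login'    => 'ona_sys',
                'db_passwd'   => 'example-db-password',
                'db_database' => 'ona_default',
            ),
        ),
    ),
);
"""


def parse_php_pairs(text):
    """Return {key: value} for every quoted 'key' => 'value' entry in text."""
    return {m.group("key"): m.group("value") for m in PHP_PAIR.finditer(text)}


def find_plaintext_credentials(text):
    """Return the sorted keys whose names look secret-bearing and whose value is non-empty."""
    pairs = parse_php_pairs(text)
    return sorted(
        key for key, value in pairs.items()
        if value and any(frag in key.lower() for frag in SENSITIVE_KEYS)
    )


def is_world_readable(path):
    """True if 'other' has read permission, i.e. any local account can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_config_file(path):
    """Report the secret-bearing keys in a config file together with its exposure."""
    text = Path(path).read_text(errors="replace")
    return {
        "file": str(path),
        "secrets": find_plaintext_credentials(text),
        "world_readable": is_world_readable(path),
    }


if __name__ == "__main__":
    # Write the constructed sample to a temporary file with a typical 0644 mode
    # so the audit has a real file to stat.
    with tempfile.NamedTemporaryFile("w", suffix=".inc.php", delete=False) as fh:
        fh.write(SAMPLE_CONFIG)
        tmp_path = fh.name
    os.chmod(tmp_path, 0o644)
    report = audit_config_file(tmp_path)
    os.unlink(tmp_path)
    print(report)
    # A hit with world_readable=True means the database password is recoverable
    # by any local account; keep such files outside the web root, owned by the
    # service account with mode 0640, and never reuse the value as a login password.
```

Run against a real web root, the report gives the list of files whose secrets need rotating once the file permissions are tightened; a database password that has also been used for SSH or sudo should be treated as a login compromise, not just a config leak.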
I understand that I have to switch to the user joanna.
Here the listener on 127.0.0.1:52846 draws our attention; we connected to it with curl but got no result.
LinPEAS did not return any remarkable results, so I continued to navigate between directories and carried on with local enumeration.
We found the password hash of the user jimmy in index.php; we submitted it to CrackStation and got our answer.
We looked at the main.php file and saw that it referenced an SSH key file; when we tried to access it, we got permission denied.
We were able to get it when we accessed it with curl 😊
Let’s try to connect using this SSH key.
Let’s try to connect now.
It prompted for the key’s passphrase; we tried the credentials we already had, but did not get a successful result.
Let’s crack this SSH key’s passphrase with John.
We got the SSH key passphrase, bloodninjas; let’s connect.
We were able to log in successfully and get our user flag.
Let’s try to escalate privileges. While enumerating, sudo -l shows that we can run nano with sudo.
Let’s run it with root privileges.
Here we use Read File (Ctrl+R).
Then Execute Command (Ctrl+X).
We send a reverse shell to our own machine through Execute Command.
As you can see, we got our shell.
We were able to get the root flag.
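The escalation works because nano, like other editors and pagers, has read-file and execute-command features that run as root whenever the editor itself is started under sudo, even when the sudoers rule pins the file argument. As an added defensive audit (not part of the original writeup), the Python script below parses sudoers-style user specifications and flags rules that grant such programs, or an unrestricted ALL, to anyone other than root. The `SAMPLE_SUDOERS` text, the user names in it and the `ESCAPE_CAPABLE` list are constructed assumptions, not the target’s real configuration.

```python
import re

# Editors and pagers that let the user read/write arbitrary files or run
# commands from inside the program; run via sudo, those actions happen as
# root regardless of which file the sudoers rule names. Assumed list.
ESCAPE_CAPABLE = {"nano", "vi", "vim", "less", "more", "man"}

# user_or_%group  host = (runas) [TAG:] cmd[, cmd...]
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAG = re.compile(r"^([A-Z]+):\s*")

# Constructed sample; not the target's real /etc/sudoers.
SAMPLE_SUDOERS = """
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
alice           ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup          ALL=(root) /usr/bin/rsync, /bin/less /var/log/syslog
www-data        ALL=(ALL) NOPASSWD: /usr/sbin/service apache2 restart   # no escape here
"""


def parse_sudoers(text):
    """Parse user specifications into dicts; Defaults, comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        tags = set()
        # Peel off leading tags such as NOPASSWD: before splitting the command list.
        while (t := TAG.match(cmds)):
            tags.add(t.group(1))
            cmds = cmds[t.end():]
        rules.append({
            "who": m.group("who"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",  # sudo defaults to root when no runas is given
            "nopasswd": "NOPASSWD" in tags,
            "commands": [c.strip() for c in cmds.split(",") if c.strip()],
        })
    return rules


def audit_rules(rules):
    """Flag unrestricted grants (ALL) and grants of escape-capable programs for anyone but root."""
    findings = []
    for rule in rules:
        if rule["who"] == "root":
            continue
        for cmd in rule["commands"]:
            program = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                kind = "unrestricted"
            elif program in ESCAPE_CAPABLE:
                kind = "escape"
            else:
                continue
            findings.append({
                "who": rule["who"], "program": program, "runas": rule["runas"],
                "nopasswd": rule["nopasswd"], "kind": kind,
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f['who']}: {f['kind']} via {f['program']} as {f['runas']}"
              f"{' (NOPASSWD)' if f['nopasswd'] else ''}")
    # Remediation: replace editor grants with sudoedit (which edits a copy as the
    # calling user) or a narrowly scoped script, and keep NOPASSWD off such rules.
```

The audit deliberately ignores the file argument after the program name: a rule limited to one path still exposes every file on the system through the editor’s own open and execute features, which is exactly what the Ctrl+R and Ctrl+X steps above rely on.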