OpenAdmin is an easy Linux machine that involves exploiting an IP Address Management (IPAM) system, hunting for credentials, cracking the passphrase of an SSH private key, and escalating privileges through the nano text editor.
Initial Reconnaissance
I'll start the write-up with an Nmap script and version scan (-sC -sV) against the machine.
The results gave two open ports:
- Port 22 — OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
- Port 80 — Apache httpd 2.4.29
The homepage is the Apache default page, which on its own gives nothing to work with.
So I started looking for available directories on the machine with gobuster, a tool for brute-forcing directories, files and similar paths from a wordlist.
I went first to the music directory, which only contains a generic page about music and the services they offer.
On the navbar I clicked the login button and expected a login page, but instead I was redirected to the /ona directory.
Browsing the whole site made it clear that /ona is an IPAM (IP Address Management) system. An IPAM tracks the assignment and use of IP addresses on a network, typically by pulling data from router configurations and the machines connected to it. Any application like this that talks to the network and to a database is worth checking for a public exploit and for stored credentials.
Initial Foothold
A quick Google search led me to a remote code execution (RCE) exploit for OpenNetAdmin [1]; all I had to do was change the url variable in the script to point at the target and the exploit worked.
The script is simple: each command you type is embedded in a crafted request that curl sends to the ONA login endpoint, and sed strips everything from the response except the command's output. Occasionally the exploit returns nothing; when that happens, just run the script again.
The exploit lets me execute commands, but it won't let me leave the current directory: each request spawns a fresh shell on the target, so a cd never survives to the next command. The workaround is to use absolute paths or to chain the change and the command on one line (cd dir && command). From here I used grep to look for strings like "password", but that produced a lot of noise.
Then I went to the OpenNetAdmin documentation on GitHub, whose directories section describes what each directory contains. The /opt/ona/www/local directory (where plugins and other local updates to ONA are installed) has a config folder holding the database settings for OpenNetAdmin, and that file contains a database password in clear text. Passwords like this are frequently reused, so I tried it as the password for these potential users:
- jimmy
- joanna
Privilege Escalation (User)
I was able to log in as jimmy using the password from the database config file.
The /var/www/internal directory contains a PHP file that prints the joanna user's private key.
Requesting that file with cURL on port 80 gave a 404 error, because the "internal" application isn't served on port 80 at all; it must be listening somewhere else.
I used netstat to list the listening sockets and found the following services that the external Nmap scan had not shown (a listener bound to localhost is only reachable from the machine itself):
- Port 3306 — which is the default port of MySQL
- Port 53 — DNS port
- Port 52846 — where the internal application is running
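The check above, turned into a small script: parse netstat's listening sockets, separate the ones bound to loopback from the ones exposed to the network, and diff them against what Nmap saw from outside. This is an added example rather than anything from the original write-up; the netstat output is constructed to mirror the ports listed here, in the `netstat -tlnp` column layout (an `ss` listing would need different column handling).

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Added example, not part of the write-up. NETSTAT_SAMPLE is constructed to
# mirror the ports the write-up lists; the PID column shows '-' the way
# netstat does for sockets an unprivileged user cannot attribute.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int

    @property
    def local_only(self) -> bool:
        """True when bound to a loopback address: invisible to an external scan."""
        try:
            return ipaddress.ip_address(self.address).is_loopback
        except ValueError:
            return False


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Parse the TCP LISTEN rows; headers and non-listening sockets are skipped."""
    listeners = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        address, port = parts[3].rsplit(":", 1)  # rsplit keeps IPv6 ':::80' intact
        listeners.append(Listener(parts[0], address, int(port)))
    return listeners


def hidden_ports(netstat_output: str, externally_open: Iterable[int]) -> List[int]:
    """Ports that are listening on loopback and that the external scan never saw.

    Every port returned is a candidate for curl or nc from the foothold shell,
    using 127.0.0.1 as the host.
    """
    local = {l.port for l in parse_listeners(netstat_output) if l.local_only}
    return sorted(local - set(externally_open))


if __name__ == "__main__":
    for port in hidden_ports(NETSTAT_SAMPLE, {22, 80}):
        print(f"host-only listener: 127.0.0.1:{port}")
```

Against the sample this reports 53, 3306 and 52846 as host-only; 3306 is just MySQL and 53 is the local resolver, which leaves 52846 as the one worth requesting with cURL from jimmy's shell.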
Running cURL again from jimmy's shell against that port prints joanna's private key.
Before I could use the private key to log in as joanna, I had to recover its passphrase. SSH keys first have to be converted into a hash format John understands with ssh2john; save that output to a file and crack it with John The Ripper against a wordlist. The passphrase for the private key is bloodninja.
Privilege Escalation (Root)
PrivEsc to root is easy: sudo -l shows that joanna can run the nano text editor as root without a password. nano can read the output of a command into the buffer (Ctrl+R opens the read-file prompt, Ctrl+X switches it to execute a command), and since that command runs as root, a line such as reset; sh 1>&0 2>&0 hands back a root shell. That is how I got root.
The shell that comes out of nano is crude, so I ran sudo su from it to get a proper root shell.
You could also create a second root user by writing another UID 0 entry into /etc/passwd with nano, but the shell route is simpler.
References
[1] https://www.exploit-db.com/exploits/47691