OpenAdmin is considered a pretty easy machine on HTB. For initial access you will have to exploit an RCE vulnerability and then will come the privesc part. Let’s dive in and start with a NMap scan.

Accesing the website there is just the default apache2 page, so it’s time to do some directory fuzzing. This is the result:

Accessing artwork there wasn’t anything interesting, but accessing the music directory and trying to login we’re redirected to OpenNetAdmin interface.
By doing a little googling I found out that the ONA version is vulnerable to RCE, so it grabbed the script and fired it up against the target.

Ok, now that we have initial access, it’s time to do some recon. After some recon, i uploaded a reverse shell and executed it since i had limited access using the shell gained using the script.
There are 2 users in the home directory, but there was nothing interesting for us to leverage in order to change the user. Going back to the web application there was a folder named local
which contained a config file.

By looking into the config file we can find a password which we can leverage to get access to one of the users. That user is jimmy
.

Time for more recon! By listing the connections we can see there is something listening on port 52846. I used curl and found out that that is a web app. The app is located in /var/www/internal
.
By using curl i was able to retrieve the key for user joana.

Time to crack it. I first used ssh2john, and then used JohnTheRipper to crack the password.

After cracking it i logged in as user joanna
.

The privilege escalation is very simple. By listing our sudo rights we notice we can use nano as root without password.

To privesc we can take a look at GTFOBins, which contains nano privesc methods.

And, we are root!

Hope you learned something new with this walkthrough.