OpenAdmin is considered a pretty easy machine on HTB. For initial access you will have to exploit an RCE vulnerability and then will come the privesc part. Let’s dive in and start with a NMap scan.

Initial NMap scan

Accesing the website there is just the default apache2 page, so it’s time to do some directory fuzzing. This is the result:

Directory fuzzing

Accessing artwork there wasn’t anything interesting, but accessing the music directory and trying to login we’re redirected to OpenNetAdmin interface.

By doing a little googling I found out that the ONA version is vulnerable to RCE, so it grabbed the script and fired it up against the target.

Firing up the script

Ok, now that we have initial access, it’s time to do some recon. After some recon, i uploaded a reverse shell and executed it since i had limited access using the shell gained using the script.

There are 2 users in the home directory, but there was nothing interesting for us to leverage in order to change the user. Going back to the web application there was a folder named local which contained a config file.

Listing the local folder

By looking into the config file we can find a password which we can leverage to get access to one of the users. That user is jimmy.

Logging as jimmy

Time for more recon! By listing the connections we can see there is something listening on port 52846. I used curl and found out that that is a web app. The app is located in /var/www/internal.

By using curl i was able to retrieve the key for user joana.

User joanna key

Time to crack it. I first used ssh2john, and then used JohnTheRipper to crack the password.

Cracked password

After cracking it i logged in as user joanna.

Logging in as user joanna

The privilege escalation is very simple. By listing our sudo rights we notice we can use nano as root without password.

Sudo rights

To privesc we can take a look at GTFOBins, which contains nano privesc methods.


And, we are root!

Gaining root

Hope you learned something new with this walkthrough.