OpenAdmin is rated as an Easy Linux box. It was released on 04 Jan 2020 and was created by @dmw0ng.

This box required us to perform the following tasks:

  • Enumerate a web server to find a vulnerable web application
  • Exploit the web app to get an initial foothold
  • Credential reuse attack
  • Download a user’s SSH private key and crack it
  • Exploit a misconfigured nano permission

Initial reconnaissance

Let’s first do a full nmap port scan using the following command:


Two ports are open:

  • SSH on 22
  • Apache 2.4.29 on 80

Browsing to openadmin.htb


It just shows the default Apache landing page, so let’s enumerate this port further with gobuster to find additional directories and files.


Gobuster found a music directory, which displays a new web page.

It is running OpenNetAdmin v18.1.1.

A quick searchsploit query shows that this version of OpenNetAdmin is vulnerable and that public exploits are available.


Initial foothold

I quickly grabbed the exploit available from Exploit Database. I had weird issues running the code, due to spacing I believe (DOS-style CRLF line endings), so I converted the script using the dos2unix tool. The exploit targets a very simple command injection vulnerability.


Running the exploit gives us a shell as www-data.


After some browsing around, I got the database settings file, which contained a password.


Credential reuse

Now let’s grab the users from the system; we might be able to use the found credentials with other users.

$ cat /etc/passwd | awk -F : '{print $1}'

After trying the password on jimmy’s account, I was able to log in to the box as jimmy; this is a classic case of password reuse!


And now we have a shell as the jimmy user. I was expecting to get the user.txt flag from here, but no, we need to enumerate further to get anywhere.

jimmy@openadmin:/var/www$ ls -la
total 16
drwxr-xr-x  4 root     root     4096 Nov 22 18:15 .
drwxr-xr-x 14 root     root     4096 Nov 21 14:08 ..
drwxr-xr-x  6 www-data www-data 4096 Nov 22 15:59 html
drwxrwx---  2 jimmy    internal 4096 Nov 23 17:43 internal
lrwxrwxrwx  1 www-data www-data   12 Nov 21 16:07 ona -> /opt/ona/www

After further enumeration, I found an interesting directory under /var/www which belongs to the jimmy user, and a PHP file which reads joanna’s RSA private key.


We can see that if we execute main.php, it will read joanna’s private key. Since port 80 is serving other files, there must be a virtual host configured for this.


From the configuration we know the port is not accessible from outside; we need to run it from within the local server to grab joanna’s RSA private key.

Let’s check other local listening ports.


We can see a service running on port 52846, so I used curl to download the content of main.php.

And here we got an encrypted RSA private key; to make it useful we need to crack the key.

Cracking SSH Keys

Cracking the RSA key with John


That was fast; the password for the key is bloodninjas. Now let’s SSH in as user joanna; before that, remember to change the permissions of the RSA key.


We have got user.txt.

Privilege Escalation

Standard enumeration was enough to find the way to root. The sudo -l command shows that user joanna can run /bin/nano /opt/priv as the root user without entering a password.

Reading root.txt is pretty straightforward; this technique is already well documented in GTFOBins.

We run sudo /bin/nano /opt/priv, then type +R /root/root.txt in order to read the root.txt file.
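
From the defender’s side, a rule like this one can be caught by auditing sudo -l output for editors that are allowed to run as another user. The following is an added example, not part of the original write-up: audit_sudo_rules, the EDITORS list and the sample output are constructed for illustration, and only the nano rule and the host name come from the text.

```python
import os
import re

# Illustrative, non-exhaustive list (an assumption of this example): interactive
# editors that can open files other than the one named in the sudo rule.
EDITORS = {"nano", "pico", "vi", "vim", "ed", "emacs"}

# One rule line of `sudo -l` output: "(runas[:group]) [TAG: ...] cmd[, cmd]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample; only the nano rule and the host name come from the write-up.
SAMPLE = """\
User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/sbin/apache2ctl configtest
"""


def audit_sudo_rules(text):
    """Return one finding per rule that runs an interactive editor as another
    user; such an editor is not confined to the file named in the rule."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines such as "User ... may run ..." are skipped
        runas = {u.strip() for u in m.group("runas").split(":")[0].split(",")}
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            parts = cmd.split()
            if not parts or os.path.basename(parts[0]) not in EDITORS:
                continue
            findings.append({
                "command": cmd,
                "nopasswd": "NOPASSWD" in tags,
                "severity": "high" if runas & {"ALL", "root"} else "medium",
                # sudoedit runs the editor as the invoking user on a temporary copy
                "fix": ("sudoedit " + " ".join(parts[1:])) if parts[1:] else "remove the rule",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE):
        print(finding)
```

The suggested fix replaces the editor rule with sudoedit on the same file, so the editor process itself no longer runs with root privileges.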

OpenAdmin is rooted!