Internal


I was going through the system after authenticating as the jimmy user.

jimmy@openadmin:/var/www$ ll
total 16K
4.0K drwxrwx---  2 jimmy    internal 4.0K Nov 23  2019 internal
4.0K drwxr-xr-x  4 root     root     4.0K Nov 22  2019 .
4.0K drwxr-xr-x  6 www-data www-data 4.0K Nov 22  2019 html
   0 lrwxrwxrwx  1 www-data www-data   12 Nov 21  2019 ona -> /opt/ona/www
4.0K drwxr-xr-x 14 root     root     4.0K Nov 21  2019 ..

Then I found another web directory at /var/www/internal

jimmy@openadmin:/var/www$ ll internal
total 20
drwxrwx--- 2 jimmy internal 4096 Nov 23  2019 ./
drwxr-xr-x 4 root  root     4096 Nov 22  2019 ../
-rwxrwxr-x 1 jimmy internal 3229 Nov 22  2019 index.php*
-rwxrwxr-x 1 jimmy internal  185 Nov 23  2019 logout.php*
-rwxrwxr-x 1 jimmy internal  339 Nov 23  2019 main.php*

There are only 3 files within this directory. I will check them all.

index.php


jimmy@openadmin:/var/www/internal$ cat index.php
<?php
[...]
      <h2>Enter Username and Password</h2>
      <div class = "container form-signin">
        <h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2>
          <?php
            $msg = '';
 
            if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
              if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
                  $_SESSION['username'] = 'jimmy';
                  header("Location: /main.php");
              } else {
                  $msg = 'Wrong username or password.';
              }
            }
         ?>
      </div> <!-- /container -->
 
      <div class = "container">
 
         <form class = "form-signin" role = "form"
            action = "<?php echo htmlspecialchars($_SERVER['PHP_SELF']);
            ?>" method = "post">
            <h4 class = "form-signin-heading"><?php echo $msg; ?></h4>
            <input type = "text" class = "form-control"
               name = "username"
               required autofocus></br>
            <input type = "password" class = "form-control"
               name = "password" required>
            <button class = "btn btn-lg btn-primary btn-block" type = "submit"
               name = "login">Login</button>
         </form>
 
      </div>
 
   </body>
</html>

/var/www/internal/index.php is apparently the login page, and it has a password hash for the jimmy user in SHA512 format: 00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1

crackstation.net


I was able to easily crack the SHA512 password hash online. The cracked password is Revealed

logout.php


jimmy@openadmin:/var/www/internal$ cat logout.php
<?php
   session_start();
   unset($_SESSION["username"]);
   unset($_SESSION["password"]);
   
   echo 'You have cleaned session';
   header('Refresh: 2; URL = index.php');
?>

/var/www/internal/index.php just features logout

main.php


jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_session['username'])) { header("location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

/var/www/internal/main.php prints out the SSH private key for the joanna user if /var/www/internal/index.php is loaded successfully with authentication.

This is clearly a lateral movement vector to the joanna user

Internal Configuration


I am not able to reach /internal/index.php from my Kali browser

This could be an internal web server, as the name suggests. If that is the case, I can only access this internally.

I will confirm it

jimmy@openadmin:/var/www$ ll /etc/apache2/sites-enabled/
total 8
drwxr-xr-x 2 root root 4096 Nov 22  2019 ./
drwxr-xr-x 8 root root 4096 Nov 21  2019 ../
lrwxrwxrwx 1 root root   32 Nov 22  2019 internal.conf -> ../sites-available/internal.conf
lrwxrwxrwx 1 root root   33 Nov 22  2019 openadmin.conf -> ../sites-available/openadmin.conf

As expected there is a configuration file for internal at /etc/apache2/sites-enabled/internal.conf

jimmy@openadmin:/var/www$ cat /etc/apache2/sites-enabled/internal.conf 
Listen 127.0.0.1:52846
 
<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal
 
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
 
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
 
</VirtualHost>

The webserver is

  • named internal.openadmin.htb
  • listening on localhost:52846
  • located at /var/www/internal

So it IS an internal web server. I remember seeing localhost:52846 listening back when I was enumerating the network.
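
An added example (not part of the original notes, and not code from the target box): a Python audit that parses a vhost file like internal.conf above and reports the two properties these notes rely on, a loopback-only bind and an AssignUserID that makes requests run as a login account. SERVICE_ACCOUNTS, the function names and the docroot_owner argument (the owner column from the ll listing of /var/www/internal) are assumptions of this example.

```python
import ipaddress
import re

# internal.conf from the page (blank lines and log directives dropped), embedded to run offline.
SAMPLE_CONF = """Listen 127.0.0.1:52846
<VirtualHost 127.0.0.1:52846>
    ServerName internal.openadmin.htb
    DocumentRoot /var/www/internal
<IfModule mpm_itk_module>
AssignUserID joanna joanna
</IfModule>
</VirtualHost>
"""
SERVICE_ACCOUNTS = {"www-data", "apache", "nobody"}  # assumption: accounts acceptable for web content
WANTED = {"servername": "server_name", "documentroot": "docroot", "assignuserid": "run_as"}

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block holding the directives audited below."""
    vhosts, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"bind": opened.group(1).split()}
        elif cur is not None and line.lower().startswith("</virtualhost"):
            vhosts.append(cur)
            cur = None
        elif cur is not None and line and not line.startswith("#"):
            parts = line.split()
            field = WANTED.get(parts[0].lower())
            if field and len(parts) > 1:
                cur[field] = parts[1].strip('"')  # AssignUserID: first argument is the user
    return vhosts

def is_loopback(addr):
    host = addr.rsplit(":", 1)[0].strip("[]")  # drop the port, unwrap [IPv6]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def audit(vhost, docroot_owner=None):  # docroot_owner: owner column from ls -l
    findings = []
    if all(is_loopback(a) for a in vhost["bind"]):
        findings.append("loopback-only: reachable by every local account")
    user = vhost.get("run_as")
    if user and user not in SERVICE_ACCOUNTS:
        findings.append(f"requests execute as login account '{user}'")
        if docroot_owner and docroot_owner != user:
            findings.append(f"docroot owned by '{docroot_owner}', not '{user}'")
    return findings
```

Calling audit(parse_vhosts(SAMPLE_CONF)[0], docroot_owner="jimmy") returns all three findings for the internal vhost; a vhost bound to *:80 that runs as www-data returns none.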