OpenAdmin machine is a vulnerable machine with Linux operating system among retired machines. We are expected to obtain user and root flags using these vulnerabilities.
First, we perform a netwrok scan with nmap to recognize the target machine.
Classic Scan

Full port scan

As a result of port scanning, we saw that ports 22/tcp ssh (OpenSSH 7.6p1), 80/tcp http (Apache httpd 2.4.29) are open.
Since port 80 is open, we proceed to provide enumeration via browser.

We could not get detailed information on the website.
We are running a directory scan with gobuster and dirbuster.

We have detected /artwork, /index.html, /music. Let’s go to the directories in order


Here we discovered directories hosting different websites, so we ran a gobuster scan on them again.

In this way we have completed the scans.
Let’s continue with web enumeration.

We did not get valuable information here
When we click on login from the web interface, it redirects us to the /ona page.

On this page, we drew our attention to the version of this page and investigated whether this version has vulnerabilities or not.

Let’s analyze our exploit code

Then we looked for a code to use this exploit (if we couldn’t find it, we would have tried from burpsuite).
We found the oython code on Github (https://github.com/amriunix/ona-rce/blob/master/ona-rce.py)

When we entered the given value, it gave us the Shell screen

Let’s create a revershell for a more stable display

We got our RevershellWe provide local enumeration

The Linpeas tool did not provide us with much information
We continue to provide manual enumeration. After navigating through quite a few directories

We were able to detect Credential information. db_type’ => mysqli’, db_host’ => localhost’, db_login’ => ona_sys’, db_passwd’ => n1nj4W4rri0R!’, db_database’ => ona_default’
With this information, we tried to connect to the sql database and get results, but we could not get any results. We tried to see if we could connect to other users with this crendetial information we have, and we obtained ssh connection in the jinny user.

I understand that I have to switch to user Jonna

Here draws our attention, we made a connection with curl and got no result.
Linpeaste did not return any remarkable results, I continued to navigate between directories, local enumerationd continued

We found the password hash of user Jimmy in index.php, we asked cracksation to break it and we got our answer

We looked at the main.php file and saw that there was an ssh file and when we tried to access it, we got permission denied.
We were able to get it when we tried to access it with Curl 😊

Let’s try to connect using this ssh key

Let’s try to connect now
We asked for a login key, entered existing credential information and failed to get a successful result

Let’s break this ssh key with John

bloodninjas we got the ssh password let’s connect
we were able to log in successfully and get our user flag

Let’s try to raise authorization, we provide enumeration, here we see that we can use nano with sudo -l
Let’s run it under root privileges

Here we do read file (ctrl+r)
Then execute command (ctrl+x)

We give a reverhsell to our own machine by command execute

As you can see, we got our shell
We were able to get the root flag


  1. Pingback: OSCP Prep – HTB all Linux Machine – Muhammed AYGÜN

  2. Rastrear teléfono

    Instalación simple y descarga gratuita, no se requieren conocimientos técnicos y no se requiere raíz.Grabacion de llamadas, Grabacion de entorno, Ubicaciones GPS, Mensajes Whatsapp y Facebook, Mensajes SMS y muchas características mas.

  3. tlover tonet

    I’m not sure why but this website is loading very slow for me. Is anyone else having this issue or is it a issue on my end? I’ll check back later on and see if the problem still exists.

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir