HTB OpenAdmin

This HTB machine is active, runs Linux, and is rated easy.

First, we scan the host with nmap to find which services are open.

The nmap result shows that this host has two open ports: 22 and 80.

Second, we enumerate the directories of the HTTP service on port 80 with the dirbuster tool.

Using dirbuster, we can see the list of directories available on the web server. From the result, this web server contains a music directory and an ona directory.

Next, we explore the music directory.

After exploring the music pages, we find a Login page that directs us to the ona directory. As we saw in dirbuster, ona already exists in the list of directories, and this page is the OpenNetAdmin web page.

Next, we use searchsploit to look for ONA vulnerabilities.

From searchsploit we found an RCE vulnerability for OpenNetAdmin. Create a new directory, copy the RCE script from the exploitdb directory to the new directory, and rename it onaexploit.sh.

Execute this script against the OpenNetAdmin page at http://10.10.10.170/ona. But I got this error when executing the script.

After googling, this error occurs because the script has Windows line endings, which confuses Linux when it executes the script. We need to remove the Windows line endings with sed, and then execute the script.
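The line-ending problem described above, as an added example (not the author's original command and not part of the exploit script): the function names and the sample file are constructed for illustration. It detects carriage returns at line ends, strips them with sed, and shows that an unstripped CR becomes part of the command's argument.

```shell
#!/bin/sh
# Added example: detect and strip Windows (CRLF) line endings from a script.
# has_crlf, strip_crlf and the sample file are constructed for illustration.

CR=$(printf '\r')   # literal carriage return, portable across sed/grep builds

# has_crlf FILE: exit status 0 if any line in FILE ends with a carriage return.
has_crlf() {
    grep -q "${CR}\$" "$1"
}

# strip_crlf FILE: remove one trailing CR from every line.
# Writes through a temp file and copies back, so FILE keeps its mode bits.
strip_crlf() {
    tmp=$(mktemp) || return 1
    sed "s/${CR}\$//" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# demo: build a constructed CRLF script, inspect it, fix it, run it again.
demo() {
    sample=$(mktemp) || return 1
    printf '#!/bin/sh\r\necho fixed\r\n' > "$sample"

    if has_crlf "$sample"; then
        echo "before: CRLF line endings detected"
    fi
    # The CR is not whitespace to the shell, so it ends up inside the argument.
    printf 'before: output bytes: '
    sh "$sample" | od -c | sed -n '1p'

    strip_crlf "$sample"

    if ! has_crlf "$sample"; then
        echo "after: line endings are LF only"
    fi
    printf 'after: output bytes:  '
    sh "$sample" | od -c | sed -n '1p'
    rm -f "$sample"
}

demo
```

`file script.sh` reports "with CRLF line terminators" for the same condition, which is a quick check before running any script downloaded from a public archive.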

After executing the script, we are connected to a shell on the machine. Use the pwd and whoami commands to get the current directory and user.

Now we are connected to the machine as www-data, in the /opt/ona/www directory. We need to upload a web shell to get a reverse shell. This script already comes installed with Kali Linux. Copy the script to the OpenNetAdmin directory, and rename it to anything you want.

Open the bb.php script and change the IP to your VPN IP, and set the port number for the reverse connection.

Now we need an HTTP server to deliver the script to the machine. On Kali Linux, we can use SimpleHttp for this. On the target machine, we use the wget command to download the bb.php file.

From the OpenAdmin URL, access the bb.php script while listening with netcat on port 4444 to receive the reverse shell from the machine.

Now we have a shell, but we need to spawn a TTY first. From the URL https://www.metahackers.pro/spawing-tty-shells/ , we can use the script to spawn a TTY shell.
