OpenAdmin


Comments

  • I just rooted the box by literally reading a file called p****.s**e

    There's no way this is how you're meant to root the box right? Everyone here was mentioning GTFObins. I assume the program we're meant to be using for priv esc is a specific text editor program. I'm guessing some a**hole just left the root flag lying around? or am I wrong?

  • edited April 10

    So to respond to my own question above: no that's not how you're meant to get root. Can people please be a little more conscientious and not leave flags lying around please!

    Anyway, this was my favourite box I've done so far, and I struggled the most with root.

    As someone else said, there are plenty of hints here to get you through this box, but I'll leave some of my own, just in case it's the little nudge needed, even if only worded differently.

    Initial foothold: I couldn't for the life of me work this one out due to the directory you need to find via dirb/gobuster being in any of the wordlists I used. I'm not really sure what hint to give here because of that, but either way, once you find that page/directory, then you're going to want to find an exploit for that. You'll see a lot of people throughout this thread had difficulty getting it to work. In my opinion the easiest fix is to change the file format via vim: open the exploit in vim and press :set ff=unix. Then all you need to do is point the exploit to openadmin/o**/l***n.php

    User 1: This took me hours... I actually found what I needed in only a matter of minutes. When you find it, you'll see a username in the same file, but it's not actually for that user. Think a lot more obvious but in a stupid way and you'll get it. A hint is to utilise find to list all PHP files in the directory you land in and grep for a different variation of spelling for a sensitive keyword.

    User 2: Enumerate what network services are running on the machine and figure out a way to interact with that service without using a webpage. Specify the resource at the far end of the command you run, not somewhere in the middle.

    Root: The BEST hint I saw here (sorry, I forgot on what page it was, so I can't credit) was that you're not looking at two separate commands, they're one command, e.g. /bin/**** /opt/****

  • Quite a nice box to work with.

    If you need any hint feel free to pm me ^^

  • Got root, this was fun!
    pm if you need anything

  • I enjoyed this box a lot, there are several layers to get the user flag and some great red herrings thrown in for added fun!

    I think the hints thus far have covered things well. I will say that User 1 seems 'interested' in User 2 ...

    Happy to help if you need a nudge.


  • After a long "hackthebox" break this was a very funny box.
    The way to root is the easy part. A big thanks to @OddRabbit

  • edited April 11

    I'm really lost with getting john to crack the goodies.

    I have used the python script to convert it into a hash, but when I run john it does a bunch of stuff and then says :

    Warning: invalid UTF-8 seen reading XXX.txt
    Using default input encoding: UTF-8
    Loaded 1 password hash (*** [RSA/DSA/EC/OPENSSH (*** p*****e k**s) 32/64])
    Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
    Cost 2 (iteration count) is 1 for all loaded hashes
    Will run 2 OpenMP threads
    Note: This format may emit false positives, so it will keep trying even after
    finding a possible candidate.
    Press 'q' or Ctrl-C to abort, almost any other key for status
    0g 0:00:00:00 DONE (2020-04-12 00:12) 0g/s 177300p/s 177300c/s 177300C/s 1701d..sss
    Session completed

    It just dies on me... So I'm not sure what I am doing wrong? Googling the issues on brings up guides showing me what I have already tried. Can anyone help me?

  • @Knoss said:

    It just dies on me... So I'm not sure what I am doing wrong? Googling the issues on brings up guides showing me what I have already tried. Can anyone help me?

    It's hard to suggest anything else without knowing more.

    Sometimes John produces a result like this when it has cracked the password. That's why --show exists. (john --show filename for example).

    It's possible you've used a wrong wordlist. It's possible that you've hashed it incorrectly.

    Looking at the message, if it isn't storing the password, my first guess would be the conversion didn't work.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • i got shell as www-data any hint after that?

  • @salute101 said:

    i got shell as www-data any hint after that?

    Yes. Short answer - enumerate.

    Slightly longer answer: https://forum.hackthebox.eu/discussion/comment/68751/#Comment_68751

    Longer answer: read back through the posts here.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • edited April 13

    Fun and learned a few new tricks. All said and done I got through something like 8 creds. Not all were necessary. They just came about during enumerating anything I could. So maybe a rabbit hole here or there. As it should be. A paved path with guard rails is not as much fun.

    If you are learning do not try and rush...slow down and go over everything. You may end up learning something for a future box.

    Ultimately, I learned more about patience. First time on HTB. VIP sub limited the frustrations. Spent 2 days connecting only to find the box broke or something not as intended. VIP and ~4hrs on keyboard is a good way to spend quarantine time.

  • edited April 15

    Hi, need some help on user.

    I got initial foothold with a www-data shell, and managed to get DB credentials.
    But I'm unable to connect to it via m**** command line.

    Can anyone hint on where to go from here on pm ?


  • edited April 15

    I finally got root on this box. The whole process took me 6 hours; I know it could have gone faster, but I took paths that weren't the right ones.

    user1: Check the websites, click everywhere; on Google you'll find the way to exploit what you find.
    user2: There's nothing more to it than just looking around (cat can help you), and that's all. Don't forget the usual files. The server administrator uses bad practices.
    user3: Enumerate again and recheck the paths you moved through before. Are you sure it's only port 80? Curl is your friend.
    root: A classic as a first check. GT*****s.

    This is my first contribution; if it contains spoilers, please delete it. Thanks. If you want a nudge, send me a PM.

  • Got root. :smiley: My first active box, and man did I learn a lot. :) So difficult for a n00b.

  • @obi0ne said:

    Hi, need some help on user.

    I got initial foothold with a www-data shell, and managed to get DB credentials.
    But I'm unable to connect to it via m**** command line.

    Can anyone hint on where to go from here on pm ?

    If you'd read back through some of the other times this has been asked you'd have got the answer faster - but the short response is consider password reuse - especially when the service you think the creds are for doesn't appear to be running.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Good box!
    For the User: enumerate, enumerate and google he will be your ally in that part.
    For Root: Don't think too loud, a simple enumeration in linux, to privesc will give you many primes and google will again be your friend.

  • Rooted!
    My first box. I was struggling a bit mostly due to lack of experience in using the tools but google is your friend. Pretty easy box for beginners.

  • edited April 16

    Hello!

    Anyone provide some help on this? I feel pretty lost and I'm pretty new to this. I found the page and I've been through this before with the same app version but my previous msf isn't working, no session. I thought that the .sh file might be the way to go instead. But when I try any commands nothing happens, like I'm not connected to the target or something. Any DMs would be appreciated :smile:

    I had a typo in the command and I just realized it after posting this. Time to take a break I think :tired_face:

  • got user... This was fun :)

    Now on way for root. awaiting to decode hash from DB hope this will payoff...


  • @obi0ne said:

    got user... This was fun :)

    Now on way for root. awaiting to decode hash from DB hope this will payoff...

    There shouldn't be a need to decode any hashes between getting User and getting Root on this box.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • edited April 16

    So I was able to crack the pri key that was located in m**n.P. Nothing is working from there though, I guess I am not sure where that is supposed to be used. Any pointers would be nice.

    Welp I feel dumb, but learned a lot!

  • @TazWake said:
    > @obi0ne said:
    >
    > (Quote)
    > There shouldn't be a need to decode any hashes between getting User and getting Root on this box.

    10x, got the hint..
    rooted :smile:


  • got a meterpreter shell going, but couldn't get user yet, any help appreciated!


  • @RookizNcream said:

    got a meterpreter shell going, but couldn't get user yet, any help appreciated!

    Some discussions which may give you the hints you are after: https://forum.hackthebox.eu/discussion/comment/69702/#Comment_69702

    https://forum.hackthebox.eu/discussion/comment/69121/#Comment_69121

    https://forum.hackthebox.eu/discussion/comment/68751/#Comment_68751

    All from this page alone.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • I have gotten a low privileged shell, but I can't seem to figure out how to get any further, nudges?

  • @IFredrix said:

    I have gotten a low privileged shell, but I can't seem to figure out how to get any further, nudges?

    Most basic nudge, read the post immediately before yours. https://forum.hackthebox.eu/discussion/comment/69931/#Comment_69931

    Slightly more helpful - read the previous posts about using that shell to enumerate for further data.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • hi guys this is my first machine on hack the box and now i am stuck on first user plz give me a hint to go on second user.

  • Pretty fun box!
    PM me for a nudge.

  • woo... My first box!!!
    [email protected]:/home/j****a# id
    uid=0(root) gid=0(root) groups=0(root)
    That took me way longer than it should have, because the box wasn't accepting my ssh connection, after a good night's sleep, this was fixed and the rest was easy. Really cool box, thank you to the creator

  • @amasusoldier said:

    hi guys this is my first machine on hack the box and now i am stuck on first user plz give me a hint to go on second user.

    Read the post immediately before the one you made.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/
