Official Omni Discussion


Comments

  • edited December 2020

    I managed to decrypt the root flag. But I cannot decrypt the user flag.

    Edit: nvm, got it.

  • @FQuen said:

    I managed to decrypt the root flag. But I cannot decrypt the user flag.

    Edit: nvm, got it.

    Nice!

  • My connection to the box is extremely unstable. It seems that I only have a ~20 second window to execute commands before it becomes unreachable again. I've gotten a reverse shell up but can't do much with it since the connection dies shortly afterward. Has anyone else experienced this?

  • @mapetik said:

    My connection to the box is extremely unstable. It seems that I only have a ~20 second window to execute commands before it becomes unreachable again. I've gotten a reverse shell up but can't do much with it since the connection dies shortly afterward. Has anyone else experienced this?

    Yep. Dealing with this right now. Any hints as to what may be causing that, such as payload? Thanks. (first post)

    Hack The Box

  • edited December 2020

    @mapetik said:
    My connection to the box is extremely unstable. It seems that I only have a ~20 second window to execute commands before it becomes unreachable again. I've gotten a reverse shell up but can't do much with it since the connection dies shortly afterward. Has anyone else experienced this?

    Rooted, that was amusing but unbelievably tedious. Easy = a very relative term though I understand the rationale.

    @mapetik are you using msf or n** to catch your shell? The latter is far more stable.


  • @TreeTheBassist said:

    @mapetik are you using msf or n** to catch your shell? The latter is far more stable.

    n**. I'll have to give msf a try later. It has been unbelievably tedious for me as well. I had ping running in another tab to let me know when I could actually continue.

  • edited December 2020

    Got root, finally.

    Most difficult part for me was the initial foothold, the arguments were very finicky and the feedback from a certain command execution environment inconsistent, even when running the same command twice.

    My tip for those args: instead of copy/pasting long strings that you find only, try the simplest commands that you know, see how they work and then build on top of them.

  • Finally rooted this box.
    Foothold: the initial part is not too easy; as always, Google is your friend... Google everything.
    User: here you need some more recon to get the user not out of the box.
    Root: easy.
    If you are stuck with modules, let me know on Twitter: https://twitter.com/Saims0n
    :wink:

  • Hey guys, noob here and I just can't move ahead of the nmap scan on this. Don't know what to do. Pls drop a small hint to give me some direction.

  • @tej4pa said:

    Hey guys, noob here and I just can't move ahead of the nmap scan on this. Don't know what to do. Pls drop a small hint to give me some direction.

    Read your nmap output or visit the page. That tells you a term to look up. Look it up and find the tool you need to get a foothold.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @tej4pa said:

    Hey guys, noob here and I just can't move ahead of the nmap scan on this. Don't know what to do. Pls drop a small hint to give me some direction.

    nmap has more to offer than just simple port enumeration. Try the included scripts to gather more info on found ports, and then Google is your friend!

    Omni has some nasty default settings.


  • Does the credential file use a .x** extension?

  • Well, I guess I shouldn't have chosen this machine to start my HTB journey, but after struggling with it for 3 days and using a couple of hints from this forum for the machine enumeration part, I actually managed to root it and I am so proud of that!

    I pretty much managed to get all parts on my own, except for the machine enum part, and I can tell for sure I would have never gotten that part on my own in a million years!

    I am very much a beginner at this, and all the enum I know is from my VHL training and online checklists I got from random googling, and none of that helped me here, unless I missed something.

    If someone could please DM me any resources / references to help me get better at the enum part for future reference, or that explain how you guys knew what you should look for, that would be fantastic!!!

    Thanks a lot for all the help! You guys are awesome! :)

  • @hefnyy said:

    Well, I guess I shouldn't have chosen this machine to start my HTB journey, but after struggling with it for 3 days and using a couple of hints from this forum for the machine enumeration part, I actually managed to root it and I am so proud of that!

    Nice work! Welcome to HTB and I really hope you enjoy it here.

    If someone could please DM me any resources / references to help me get better at the enum part for future reference, or that explain how you guys knew what you should look for, that would be fantastic!!!

    There isn't really a simple answer for that. Enumeration is sort of a term people use to mean "trying stuff and seeing what turns up".

    There are general methodologies - used by tools like LinEnum / WinPEAS etc - but I am not a huge fan of these and you'll discover they work on about 10% of HTB boxes. In real-world pentests they are often so noisy you'd struggle to justify using them.

    At a very, very basic level, enumeration for privesc is down to simply thinking of things to look at and then trying it. For example, I've seen lots of situations where sysadmins have left privileged credentials in web.config and unattended.xml files to support automation. Checking to see if any exist is a good enumeration step but - off the top of my head - I've never seen this work on an HTB box. However, the general principle of "Look for credentials in files related to automation" is fairly useful.

    Really - all enumeration is about looking at things and deciding if you can use them. I try to avoid noisy things like cd /; grep -ir password * because (for me) it becomes too hard to use the output. But more targeted things like searches for specific files are useful.

    Also, a lot of enumeration is down to drawing conclusions - for example finding a service is suspended and also discovering your account has the privileges to modify that service gives you an idea how to exploit it.

    TazWake
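
Added example (not part of the thread and not any poster's code): the targeted check the post above describes, "look for credentials in files related to automation", written as a defender-side audit of a mounted image or file share that reports which files embed a credential without echoing the secret. The file-name list, the three patterns and the sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Automation-related file names to inspect (an assumed starting list; extend for your estate).
TARGET_NAMES = {"web.config", "unattend.xml", "unattended.xml", "autounattend.xml"}

# Each pattern only detects that a credential is present; matched secrets are never returned.
PATTERNS = {
    "unattend Password/Value element": re.compile(
        r"<Password>\s*<Value>[^<]+</Value>", re.I),
    "connection string password": re.compile(
        r'connectionString\s*=\s*"[^"]*\b(?:password|pwd)\s*=\s*[^;"]+', re.I),
    "appSettings secret value": re.compile(
        r'<add\s+key="[^"]*(?:password|pwd|secret)[^"]*"\s+value="[^"]+"', re.I),
}

def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for files that embed credentials."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.name.lower() not in TARGET_NAMES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for label, rx in PATTERNS.items():
            if rx.search(text):
                findings.append((path.relative_to(root).as_posix(), label))
    return sorted(findings)

# Constructed sample files (not taken from any real host or from the box discussed here).
SAMPLES = {
    "Windows/Panther/Unattend.xml":
        "<AutoLogon><Password><Value>constructed-value</Value></Password></AutoLogon>",
    "inetpub/wwwroot/web.config":
        '<add name="db" connectionString="Server=db01;User Id=svc_web;Password=constructed;" />',
    "inetpub/clean/web.config": "<configuration><system.web /></configuration>",
    "notes/readme.txt": "password=ignored because the file name is not in TARGET_NAMES",
}

def demo():
    """Write SAMPLES into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit_tree(tmp)

if __name__ == "__main__":
    for rel, label in demo():
        print(f"{rel}: {label}")
```

Restricting the search to named files is what keeps the output reviewable, in contrast to the recursive grep the post calls too noisy.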


  • Machine Pwned. Enjoy!
    Root \o and User \o

  • Struggling to get a shell. Can anyone nudge me a little?

  • @mrWh17e said:

    Struggling to get a shell. Can anyone nudge me a little?

    If you've used the right tool, that gives you a way to upload something else you can use to get a very effective shell.

    TazWake


  • Just a reminder - Omni retires tomorrow.

    TazWake


  • Anyone manage to use Python3 rather than Python2 lately?

  • edited January 8

    ok

  • @BinaryShadow said:

    Hi, I'm already stuck with the flag files, someone can give me a hint how to decode the Sxxxxm.Sxxxxxxy.Sxxxxxxxxg. I've been trying for hours with Pxxxr Sxxxl with no results.

    You need to be logged into the account of the owner of the password hash Administrator, and from there you use the PowerShell terminal to decode. Pull me to DM.

  • @mrWh17e said:

    yeah! That's where the issue is I am not able to upload

    Rather than rely on the built-in upload, treat it as a remote code execution and use tools on the machine to upload.

    TazWake


  • @emilyj27 said:

    Anyone manage to use Python3 rather than Python2 lately?

    Yeah! I did the exploit using Python3.

  • edited January 9

    First Windows box done - had a big unintended nudge for the passwords :neutral: - still, learnt a lot about p********l

  • Currently having issues with an error code.

    "'b'The system cannot execute the specified program.\r\n''>" is what I am getting when trying to run the **.exe and ***4.exe using the program once the .exe is uploaded.

    Anyone else had this issue?

    CrackerMan

  • @CrackerMan said:

    Currently having issues with an error code.

    "'b'The system cannot execute the specified program.\r\n''>" is what I am getting when trying to run the **.exe and ***4.exe using the program once the .exe is uploaded.

    Anyone else had this issue?

    It depends how you are trying to execute them.

    I'd try LaunchCommandWithOutput and call cmd then issue the commands you want to run as arguments.

    The good news is that this box is retired now so if you get stuck you can read a write up.

    TazWake


  • @TazWake said:

    @CrackerMan said:

    Currently having issues with an error code.

    "'b'The system cannot execute the specified program.\r\n''>" is what I am getting when trying to run the **.exe and ***4.exe using the program once the .exe is uploaded.

    Anyone else had this issue?

    It depends how you are trying to execute them.

    I'd try LaunchCommandWithOutput and call cmd then issue the commands you want to run as arguments.

    The good news is that this box is retired now so if you get stuck you can read a write up.

    Thanks Taz, you seem to be really an active part of this forum and are helping me loads. I am trying to keep it to online research etc (no walkthroughs) but I think you can only do so much as a beginner.

    CrackerMan

  • @CrackerMan said:

    Thanks Taz, you seem to be really an active part of this forum and are helping me loads.

    I am glad to help.

    I am trying to keep it to online research etc (no walkthroughs) but I think you can only do so much as a beginner.

    Cool - I wouldn't worry too much about using a walkthrough, as long as you try to understand what it is doing, it's pretty much the same as doing online research.

    TazWake

