Official Omni Discussion


Comments

  • @gs4l said:

    Rooted!! By the way, how did everyone come to the conclusion to use the S******T script here? Someone gave me a hint to use that script.

    I found the foothold tough as I was unaware about the script and was not able to get much info from the box initially. After that, it is easy.

    Finding the exploit wasn't too bad. Some of the information from the initial enumeration of the box, and entered into google, gave me what I needed.

  • edited August 24

    Is "NT_STATUS_IO_TIMEOUT" part of the box or is my network messed up?
    Edit: Yes.

  • PM for help

  • Stuck at foothold the whole day.. I found only the Ac**n Device. There is a script but I think it is the wrong one. Is that the right path? PM please

  • @Timdb said:

    Stuck at foothold the whole day.. I found only the Ac**n Device. There is a script but I think it is the wrong one. Is that the right path? PM please

    If it's the perl script then it's the wrong script. You have part of the answer but there are more clues in this forum. PM if you need a nudge.

  • Rooted, had problems with getting a reverse shell, same command same syntax did work at a later moment? Weird. :)
  • @Arty0m said:

    Am I right in thinking the script is used to upload a shell? The documentation is limited and the command doesn't seem to work when uploading.

    I'm trying the same thing but can't understand how to upload it

  • I think that is not an easy machine...
    If anyone needs help, PM and show me what you got so far.

  • Not able to find anything for the initial foothold. Been stuck looking at the open ports for ages. Any hints please?

    n3wb1e

  • edited August 24

    WOOOOOOO, Finally rooted...forgot to try to login to the web portal...smh

    thanks @l0phkey

  • edited August 24

    @PinguBlasfemo said:

    I'm trying the same thing but can't understand how to upload it

    Took me AGES to figure it out, you don't upload using the upload command but there's another command that will let you run commands in CMD. Then figure out to upload a shell that way.

  • Rooted! Feel free to pm if you need a tip


  • I thought this was harder than an easy box. I had access to a couple of files, so I figured I was done there and needed to figure out the flag from there. Not sure if I was supposed to be able to cat them or not. Didn't realize I needed to do something else until I spent a lot of time trying to coerce a proper flag from what I had.


  • Rooted in 3 hours after 2 days trying to knock the ports 😂✌. Thx @egre55, amazing box.

  • I would say this box is still on the easier side when it comes down to it. That being said, it took me a while to figure out what needed to be done, even after getting a foothold. I needed a nudge but definitely learned something new about creds. A really thorough enum once on target is also required.

    limelight

  • Managed to pwn the box, big thanks to @6h4ack & @rholas and shout out to @egre55.

    Overall I think it should be rated between easy and a medium box.
    Initial foothold:
    Usual reconnaissance stuff and google is your best friend.

    User and root:
    Again, Windows enum is important and if you know how to filter then it will save your time :)

  • Rooted but how can I get admin hash now, mimi doesn't work. :<

  • edited August 25

    I'm at a loss. I couldn't decrypt the flags or i**-a****.xml. I'm guessing because I'm not the right user (I'm currently o**i). Tried looking around and the only interesting thing I've found in hours is a file in the cr******als folder in user s***em. But mimi doesn't work and I have no idea what I'm supposed to do now. Am I overthinking everything or not thinking at all?

    AviusX

  • Thought I was doing well on this machine but boy does it get hard with the PowerShell stuff at the end.

    Lots of people seem to be stuck on the foothold so here's a nudge:

    If nmap can't identify what the machine is then think about what other scans you can use. The ports may not be the way in.

  • *Spoiler Removed*

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Spoiler Removed

  • I'm generally weaker on Windows boxes but that got a bit crazy at the end! I learned a lot from this so thanks @egre55 for the great box!

    Initial Foothold:

    nmap might help, but the real question to ask is why is this listed as other rather than Win/Linux?
    Try connecting to some of the services, really read not what they want, but why.
    From here, google is your friend, any high profile exploits for this tech?

    Post Exploitation:

    Doing enum like this will take forever. Can we get something a bit more interactive?
    Perhaps a certain binary that likes milk will help?
    Once you're on the right path, finding obscure things becomes a lot easier!

    User/Root

    Once you've got here you have all the people you need to read them! Just keep pivoting!

    Happy to nudge in PMs for the next few hours if required.

  • @AviusX said:
    I'm at a loss. I couldn't decrypt the flags or i**-a****.xml. I'm guessing because I'm not the right user (I'm currently o**i). Tried looking around and the only interesting thing I've found in hours is a file in the cr******als folder in user s***em. But mimi doesn't work and I have no idea what I'm supposed to do now. Am I overthinking everything or not thinking at all?

    If you can make a flag in your local machine and decrypt it, then you can find your way to decrypt i**-a****.xml. Good luck, you can do it 🤞.

  • edited August 25
    *Spoiler Removed*
    I didn't think it was a spoiler. :neutral:

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • @EstamelGG said:

    Rooted but how can I get admin hash now, mimi doesn't work. :<

    Same, I can't get hash :/ I didn't get hash on win box before

    You can PM me on Discord sh4d0wless#6154

  • Finally Rooted. To be honest, harder than expected but great box.
    I was stuck at the end too, search an alternative to whoami and you will realize maybe you didn't root the machine as you thought.

  • Rooted yesterday. I liked this box a lot. Fresh platform to me, learned a lot in the process. Initial steps make the first part easy, but, I would maybe call the rest of it easy to light-medium because there is a little slightly non-standard powershell involved.

    Initial foothold: Shouldn't have to even explain this one once you see it. Do you see 3 ports you don't recognize? Google.
    User: Std places to hide things
    Flags: Back to the beginning, and research how to make strings secure in PS. This is user dependent!

  • I have found Remi's friend and have found the command to get the %userprofile%. However I cannot seem to "write" to any directory such as temp, etc. Any clues as to how to enumerate a directory I can write to?

    n3wb1e

  • Stuck several hours on repeating upload reverse shell executable and run.
    No luck.

  • @n3wb1en3w9999 said:
    I have found Remi's friend and have found the command to get the %userprofile%. However I cannot seem to "write" to any directory such as temp, etc. Any clues as to how to enumerate a directory I can write to?

    Lol, you have the new friend ;) Now you should have the power to create your folder with the right command and drop your cat.

    Fr0Ggi3sOnTour
