Official Omni Discussion

Comments

  • @trab3nd0 said:

    If system is not the objective, its access and privileges would be. But don't get me wrong, the rest was good fun.

    Don't misunderstand - I am not defending the box here.

    The reality in a windows environment having SYSTEM isn't always sufficient for a full compromise (as shown here). It would, on the whole, be a good pentest recommendation that all sensitive information is protected in a related manner (access linked to user account) because it does mean getting SYSTEM is not sufficient to get access to the data.

    (and yes, there are lots of other techniques you can use - this is certainly not the only box which uses this type of protection of sensitive data)

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • I enjoyed the box, even though it was frustrating. Frustrating and obscure doesn't always mean bad, it depends what you are here for. Everyone will have their preferences.

    In my case, I think you learn more from boxes like these specifically because they break the cycle and push you to think in ways you might not have before. When you get used to doing something a certain way, you tend to stop thinking through your actions as actively. Assumptions waste so much time and boxes like these remind you to keep them in check.

    I'm saying that considering that I was stuck to the point that I couldn't advance without nudges from @TazWake. What I missed was a discipline/attention to detail step that will be useful in the near future. The way I was doing that step was sloppy, and this box (and TazWake) exposed the cracks.

    That makes for a good box in my book. My 2 cents anyway.

  • @TazWake said:

    @Tu4r3g said:

    I'm still stuck with hexdump, could you give some tips how did you manage it to get to work?
    It shows me that hexdump is installed but still get that error.
    Thks

    A possible cause for this is running pip3 then python2 or vice versa. What this means is that if pip defaults to (say) pip3 when you run it, it installs things for python3. Then if you try to run a script with python2 the module isn't available but pip thinks it is.

    You might be able to get round this with explicit version numbers.

    You could try pip3 install --upgrade --force-reinstall <package> and pip2 install --upgrade --force-reinstall <package>

    (or whatever works to get both versions of pip running on your system)

    Thanks for the tips and help; however, I was far from thinking that this curious box would lead me on an epic troubleshooting journey through Kali Linux versions, Python versions, and so on... In summary, with Kali 2020.3 I simply cannot get the script running, even using pyenv to manage Python versions; it gives an error for each line. However, I tried with older Kali versions and the script runs smoothly.
    Like someone said in this same forum, if this is the first box for newcomers (which is my case), because it's categorized as "easy", it scares a lot, and put me to thinking that maybe I need to dedicate myself to something else. :-)
    Thanks to all you guys for all the precious tips and hints throughout this forum discussion, which I think are a must to go through this box.

  • Kind of frustrating machine, but learning new things is always good :) I don't think this machine is "easy", since there is a particular way to get access to it as well as to get root.

  • rooted, although I feel I cheated a bit
    had to look some stuff up because I didn't want to waste hours enumerating

  • The short file you find definitely seems to be an oversight. There's a really obvious path to user -> root that gets kinda ruined by that little file...

  • Finally managed to root after three days of suffering.
    Some hints...

    Foothold:

    You need to know your target. Firefox tells you, on the higher port. Just look closer. Then, a quick google search can give you a tool for shell. No need for guess work as some other comments say.

    User/Root:

    I managed to get every user shell without password, including administrator (started some service, and added my own keys). But that wasn't enough to decrypt the files for flags. Finally, got a nudge from someone that I needed to find a file to get some creds. And the portal is needed here. Decryption only works if logged in with a password, I guess! Didn't know that, and wasted 2 days. User/Root flags need the exact same steps, just a different set of THOSE.

    PM for any nudges.

  • This was a really weird box. The initial foothold is the "hardest" part, when you get the reverse shell you just need to find the right file (remember, ls -force shows more than just ls), and everything else is pretty much straightforward.

    Hack The Box

  • So... besides the hints here how does everyone know this is an IoT box?

    LMAY75
    Always happy to help, DM me if you need anything!

  • edited September 21

    Jesus Christ, this exploit code is shit. Have to retrofit everything to Python 3.

    LMAY75
    Always happy to help, DM me if you need anything!

  • Rooted. Would be lying if I said I enjoyed that. It's certainly an easy box, but I would not recommend anyone who is new do this.

    LMAY75
    Always happy to help, DM me if you need anything!

  • I will give it credit for being more stable than most windows boxes

    LMAY75
    Always happy to help, DM me if you need anything!

  • @LMAY75 said:
    > So... besides the hints here how does everyone know this is an IoT box?

    Google that Nmap term and you will be there. Simply Google everything you came to see.

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • edited September 22

    Managed to get root.
    Had to go back a bit to get user, but got there in the end.

  • I am sure no one is working this box any longer - but if you are, I am losing my wits reading all the docs on importing, exporting, pscreds, and so on. I have seen hints that you don't actually need to change users, that there is a certain hidden file and it's not i**-blahblah.xml, enum enum enum. I have enumed manually, looking through lots and lots of folders, I have used Get-ChildItem and still gotten nowhere. I am sure that I have read the answer and just don't understand it, but at this point I am going in circles. The shell was not that hard, so what am I not looking at? If anyone is still giving hints, please hit me up.

  • @Reddsec said:

    I am sure no one is working this box any longer

    The box is only a month old, I bet lots of people are still working on it.

    but if you are, I am losing my wits reading all the docs on importing, exporting, pscreds, and so on.

    Ok - at the risk of sounding like I am joking, if it is driving you insane, it is probably the wrong path.

    I have seen hints that you don't actually need to change users,

    Based on how I approached this box, this hint is drastically incorrect.

    that there is a certain hidden file and it's not i**-blahblah.xml, enum enum enum, I have enumed manually, looking through lots and lots of folders, I have used Get-ChildItem and still gotten nowhere..

    The bad news is this is still the best advice anyone can give on the forum without it being a spoiler. You may need to make a more specific question as a direct message.

    I am sure that I have read the answer and just don't understand it, but at this point I am going in circles. The shell was not that hard, so what am I not looking at? If anyone is still giving hints, please hit me up

    The shell not being difficult is a bit misleading. It depends how you got it and which account you have it as. There are probably at least three shells you will need to get.

    If you've got the shell via the initial exploit, you are in the wrong user account and you absolutely need to find something which lets you go in via the site. If this is the bit you are missing, I strongly recommend you look at possible automation or "job"-related files.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake - Thank you, I will keep looking, I have 2 shells, one as system, and one that you get using a --as_logg** flag. I am looking for that third I believe..

  • @Reddsec said:

    @TazWake - Thank you, I will keep looking, I have 2 shells, one as system, and one that you get using a --as_logg** flag. I am looking for that third I believe..

    Possibly a fourth but it really does depend on your workflow here and I need to be careful to avoid spoilers.

    The main tip I can give is that if you want to read a file "locked" to BobbyTables, you would need to have a shell as BobbyTables.

    If you got your shell via the http interface you are on the right track.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • This is a great box IMO. What I really liked about it was multiple times you have to combine enumeration output from tool or command, use the information with another resource at your disposal. The encrypted flag is perhaps the best. It is not enough to get system shell. You have to extract loot and dig deeper. Thank you @egre55. BTW I could not remember if I had properly respected you and was quite surprised to see you can "disrespect" someone you previously respected! Crazy man.

  • @TazWake Again, thank you.
    After throwing my initial fit above, I received a bit of help.
    Foothold - Once you find what you're looking for, just get the syntax right.
    User/root - I made a mistake in enumeration: I was looking for files, but not the right ones. Kicking myself; googling Windows privesc enumeration would have revealed a few things for sure. After that, understand the object you are trying to read. Root wasn't really any different than user.

  • Spoiler Removed

    Hack The Box

    CEH | OSCP

  • The only reason I got the creds is because I CDed everywhere after hours. I really suck at Windows enum, I don't know where to look for anything and I have to google every PowerShell thing I'm trying to do. I guess 'use the force' is the most important tip I can leave here; the rest was done by Google and, again, CDing around like a madman.

  • edited October 5

    Can upload nc but got a 'not recognized' error when trying to execute it. Is this my nc or what?

  • @gasfad01 said:

    Can upload nc but got 'not recognized' error when trying to execute it. is this my nc or what?

    It depends on how you uploaded it and what is generating the "not recognized" message.

    For example, if you are using powershell, "not recognized" normally means you've used a command alias it doesn't know. Other tools will have different meanings.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • For those stuck with Kali 2020.3 that do not have pip2 installed, you can install it with the script below, then add the binary to your path:
    https://bootstrap.pypa.io/get-pip.py

    Hack The Box

  • Hi, I found an exploit for this box, can anyone assist?

  • rooted, fun box.
    feel free to write me if you need help

    he110w0r1d

  • has anyone got a working version of the script that will work with python3 pls?

  • @tyronew said:

    has anyone got a working version of the script that will work with python3 pls?

    you can try this
    2to3-2.7 -w yourpython2script.py
