OpenAdmin

@carc84 said:

After 4 days, I managed to ssh to second user with key, but I can’t seem to find a way to obtain root. I’ve tried with GTFO using the right command at the right place, but it keeps asking for user2 password. Any ideas on what could I be doing wrong? It’s my first machine and it’s been fun so far :smiley:

Re-read what the file tells you. If you need to, look at how entries in that file are constructed.

@Merlin01000101 said:

So, if someone could point me in the right direction that would be great. I’ll then examine why I couldn’t get there in my own and update my process. I only need info on this ‘dolly step’ though. I’ll try and make it from there on my own.

It is hard on free boxes.

If you are running an RCE exploit and need to get the first user account, look at the files and folders you can access in detail. Try to ignore the millions of shells people have uploaded. Timestamps might help, but even this gets modified by people who don’t know better.

If you need to get the second user account. More enumeration. Look at what the user is part of and what it shares with other users. Then look into that.

@yahmasta said:

I have used Li****m.*h to enumerate and haven’t found any interesting file.

What user account are you running it as? It should have identified a common way Linux allows users to do things as a super user.

Thanks TazWake.

I’m stuck on foothold to the first user. I am able to read files and after searching for finer queries I did a general ‘ls -laR’ and ended up reading everything I had rights to, but I still didn’t spot any clues.

I’ve been reading so much and for so long my eyes are actually burning and I have a headache ■■■■

I’ll run another ls -laR in the morning and have another read of everything. I know I must be missing something very obvious.

Edit - So it looks like I had a few problems. Number one, the foothold shell sucks. Better to upgrade that puppy before searching through the file system. Number two, I wasn’t searching for all possible strings that might lead to gold. Number three, I was far too tired to notice the former two points!

So lessons learned. Get better tools, search better, sleep better… I found what I was looking for this morning.

@Merlin01000101 said:

I’ll run another ls -laR in the morning and have another read of everything. I know I must be missing something very obvious.

Probably, but with this box it is always possible that someone has decided to move or change the files for “fun.”

A recursive search might overwhelm you with data which increases the chances you will miss something.

Start with ls -la and see what there is. Look at anything you wouldn’t normally expect to find in the folder you are in (again, try to ignore the webshells based on timestamps)

Rooted! Nice machine to learn about. Here are some hints, I’ll try to say something the other users haven’t said. (If many spoilers, please censor me.)

Initial shell: Easy as ■■■■, just do your basics on nmap and google the exploit, read it and adapt it to your needs. Can’t clearly understand it? Use the ippsec technique and make your kali machine a proxy to redirect the requests to openadmin, then you’ll capture the payload and you’ll see why it doesn’t work, then fix it or do it your own way.

User1: Most difficult part to me, not because of the limited shell. I’m just bad at enumeration, read files and files in the directory you’re in until you find some useful creds (they may not be in the exact dir you land but keep looking deep).

User2: Look for any other ports running on the machine, also look in other www folders, read those files and find a way to trigger that useful .p*p file.

Root: Easy as ■■■■ too. Check what that user can execute as super user, then Get The ■■■■ Out of here.

Edited: seems like there are differences between VIP and Free machines.

It’s crackable.

Got root :slight_smile:
Easy machine, but I have a lot of fun, love it. Thanks @dmw0ng for this machine!

Could someone give me a little help on the foothold? The exploit I found doesn’t seem to work and I am not sure exactly how to modify it to work. Any help is greatly appreciated.

@PercyJackson35 said:

Could someone give me a little help on the foothold? The exploit I found doesn’t seem to work and I am not sure exactly how to modify it to work. Any help is greatly appreciated.

It should work. If it isn’t working for you look at what error messages it is generating.

If it isn’t generating any error messages, make sure you have supplied the correct target.

Big thanks to @TazWake for the pointers.

Finally finished it, was not so intuitive.

User 1 - enumeration is key. Take your time.
User 2 - easier than it seems. There are a lot of hints in the machine, common sense is required. I was having serious issues due to the machine I was using and when I switched to the free one, it was solved.
Root - a very clear method.

Thanks @dmw0ng for the machine and @TazWake @kkaz for their mental support :slight_smile:

r00t! fun little box.

Are the user.txt files not supposed to be there for some users? I just got user ssh access and can’t find the user.txt for some reason… New here so I apologize if I missed something.

I’m stuck in the i******l , also john didn’t help me.
Can someone give me a hint?

@TazWake said:

@yahmasta said:

I have used Li****m.*h to enumerate and haven’t found any interesting file.

What user account are you running it as? It should have identified a common way Linux allows users to do things as a super user.

I am stuck in www-data.

If anyone needs help shoot a dm. Thanks for the nice box, really enjoyed it!

I got jo ssh, from s- I am using nn as su* but its asking for j****a’s password, do I need to look for password or I am doing something wrong?

Edit: ROOTED

Rooted!
DM me for any help :slight_smile: