OpenAdmin

Hey Anyone willing to give me a nudge on the script/exploit? Can’t seem to get it to work. Happy to rep. :slight_smile:

EDITED: Just managed to manually inject commands… YESSSSSS…!!! :slight_smile:

got user2 creds but couldn’t find a way in. any hints ?

NIce Box.

PM if you need help…)

Rooted…!! The second user was a bit of a chase but once I got what I needed I was golden.

Man ROOT flag was like 2 mins…!!! :slight_smile:

Nice box… Good warmup. :slight_smile:

im stuck maybe on the last steep, i have shell with w… then i got ssh with j… so next?? some tips? thanks in advanced

Hey thanks a lot for the box, it’s really logical and I learned a bit (yes I’m a noob).

user: I cracked a very easy thing, but fell into a trap for a while trying to crack something much harder which was not necessary. Knowing how things are configured on boxes like this helped.

root: I used almost exactly the same trick as for one of the user steps and got root quickly.

as always good enumeration is super duper important.

Hello. Any possible nudge on the initial foothold on this machine? Everyone saying it is pretty straightforward, but I have found myself stuck here. Any PM would be strongly appreciated!
Update: Thanks madhack for the hint. I should have double checked using another tool to enumerate.

First box rooted :smiley:

Any help on a foothold? I’m not finding the initial entry point :frowning:

Rooted!
Thats a cool box that teaches you how important enumeration is and good searching methods and practices for the next boxes. (config files are a must, i learned that here)
The most difficult part is going for user. From www-data to user 1 and then to user 2 and getting the initial shell (if you use the wrong .sh it will give syntax errors and its not easy to solve that, at least for me).
Root is pretty forward if you do enumeration well after getting user 2.
Thanks to @clubby789 and to @blink3r for helping me out getting the inicial shell and reach user1.
If you need any hints feel free to pm me.
And remember: The most difficult part in this machine is the beginning. Dont give up.

Is this box dropping connection for anyone else like every couple of minutes?

Rooted, if anyone is looking for a nudge feel free to pm.

Tips (most of which have been covered, redact as necessary):

Initial: standard enumeration will suffice; identify the vulnerable service; no MSF necessary, nor code bending.

User 1: ls and cat are truly all that you need. Start locally, you don’t have to dig too deep. It’s not uncommon to find credentials stored in plaintext, so what kind of key searches would help you obtain these? Once found, use another service you found in your initial recon.

User 2: Same approach, but cast the net wider. What processes are running? What ports? What directory? File enumeration is significantly easier than User 1. The credentials for User 2 may not be as easy as plaintext, however rest assured there are tutorials (IppSec) that walk you through the process of obtaining the password. While the service for User 2 is the same as User 1, there’s a small detail some may need to troubleshoot if they’re getting an invalid login. Trust your gut, the password is correct. Solution isn’t hard.

Root: Many have covered this already. How do you find what you can run as root? What do you see? Can what you see do more than just RW? How?

DM for tips.

Edited

Type your comment> @TazWake said:

@sha1ofthedead said:

Hi all, I’ve gotten user2 and am struggling on privesc to root. I keep being prompted for a password when trying to run a s*** command, am I trying something incorrectly?

If anyone could DM me a hint it would be greatly appreciated

Chances are your syntax is incorrect. You need to use exact string as shown in the -l response. It isn’t multiple commands its a string you need to use.

This.
WTF, man, this is troll!!!

rooted.
root@openadmin:/root# id
uid=0(root) gid=0(root) groups=0(root)

it was very easy box
from initialize foothold to user 1 took me almost 1 hour ( the box is so slow !! )
from user 1 to user 2 took me 2 hours ( problem on my local machine with my friend johnny )

from user2 to root took me 20 sec.

init foothold: Enumerate and google will help you.
from init foothold to user 1 : Enumerate once again you will find what you need
user 1 to user 2 : Enumerate again you will find something interesting something should listen to that right :wink: ?

root: don’t even think normal linux prev esc

GFTObins not working for me after getting user 2. Any hints would be apreciated. Probably doing something wrong.

I have managed to get details for J***y and have remote access but cannot find anywhere else to go after this. I have completed enumeration but I’m not sure where to go next. Could anyone please drop a hint? Thanks.

@dh0ck said:

This.
WTF, man, this is troll!!!

In what way?

@amoros94 said:

GFTObins not working for me after getting user 2. Any hints would be apreciated. Probably doing something wrong.

Chances are, you aren’t entering the string correctly.