OpenAdmin

Stop resetting the box

Rooted finally after banging my head on root for a while.
Almost every hint is already given here in the forum (thanks to everybody!) but again: it’s sometimes so obvious that it gets overlooked. I didn’t think that some escalation paths may have some parameters that are already given as well. It’s easy to execute but you have to read carefully.

PM me if you need a little nudge.

I get the message
“[*] Command Stager progress - 100.14% done (705/704 bytes)
[*] Exploit completed, but no session was created.” if I try to create the meterpreter session… also tried different payloads, same error, any suggestion?

@Lucaman said:

I get the message
“[*] Command Stager progress - 100.14% done (705/704 bytes)
[*] Exploit completed, but no session was created.” if I try to create the meterpreter session… also tried different payloads, same error, any suggestion?

The MSF one is far from perfect but it depends on the payload. If you use a non-staged one you might have better luck, but I found the bash script was much more effective.

I wish there weren’t so many box resets. I think I understand why it’s happening, but the low-hanging fruit from first pass of enumeration just isn’t there (not that I was able to see anyway) and results in trolling everyone else who is further along :slight_smile:

@TazWake said:

@Lucaman said:

I get the message
“[*] Command Stager progress - 100.14% done (705/704 bytes)
[*] Exploit completed, but no session was created.” if I try to create the meterpreter session… also tried different payloads, same error, any suggestion?

The MSF one is far from perfect but it depends on the payload. If you use a non-staged one you might have better luck, but I found the bash script was much more effective.

An example of a non-staged? I tried running the bash script and it didn’t work, I tried almost any payload for linux and it’s also not working, same error. (Also tried a simple reverse shell)

@Lucaman said:

An example of a non-staged? I tried running the bash script and it didn’t work, I tried almost any payload for linux and it’s also not working, same error. (Also tried a simple reverse shell)

On staged vs stageless: Deep Dive Into Stageless Meterpreter Payloads | Rapid7 Blog

But to be clear, I never got MSF to work here. The bash script is much better.

The bash script is not a reverse shell, it is an RCE. Don’t be fooled by this, it is all that you need to get a foothold and find a user account. You don’t need to generate the hassle of a reverse shell which will die every time someone resets the machine.

If the script and msf are generating the same error, the problem is likely to be how you are invoking it. I can’t imagine the bash script is saying it can’t send a stager though.

With the script, for example, you have to tell it where to look. See this from a few lines up OpenAdmin - #694 by TazWake - Machines - Hack The Box :: Forums

I understood that the bash script was an RCE, it didn’t work until now that I tried “sed -i -e 's/\r$//' expl.sh” before executing it… Idk what that command does but I found it reading some comments here
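What the sed command quoted in the post above does, shown as an added example that is not part of the thread: it strips the carriage return that Windows (CRLF) line endings leave at the end of each line, which otherwise ends up in the shebang's interpreter path. The function names and the two-line sample script are constructed for illustration, and `sed -i` is used in its GNU form.

```shell
#!/bin/sh
# Constructed sample: a small script saved with Windows (CRLF) line endings,
# as happens when a script is copied through a Windows editor or a web page.
make_crlf_script() {
    printf '#!/bin/sh\r\necho ok\r\n' > "$1"
}

# Number of lines that end in a carriage return (0 means clean LF endings).
count_cr_lines() {
    cr=$(printf '\r')
    grep -c "${cr}\$" "$1" || true
}

# Everything after "#!" on line 1 is taken as the interpreter path, so a
# trailing CR makes the system look for a file literally named "/bin/sh\r".
# (Simplified: assumes the shebang carries no interpreter arguments.)
shebang_resolves() {
    interp=$(head -n 1 "$1" | cut -c3-)
    [ -x "$interp" ]
}

# The command from the post: delete a CR that sits directly before the end
# of each line, editing the file in place (GNU sed syntax).
strip_cr() {
    sed -i -e 's/\r$//' "$1"
}

# Demo on a temporary file.
f=$(mktemp)
make_crlf_script "$f"
echo "before: $(count_cr_lines "$f") lines end in CR"
strip_cr "$f"
echo "after:  $(count_cr_lines "$f") lines end in CR"
rm -f "$f"
```
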

got the user flag; now on to root :slight_smile: (in between random box resets)

I feel kinda dumb with this. Still new to the boxes. Have foothold and feel like I’ve read every file I can get my hands on with nothing really standing out. After reading a bunch of comments on here, I’ve redirected my enumeration to working dir and subdirs, but if anyone can help nudge me where I should be looking, that would be a huge help. I think if I can get user access, the rest should be a breeze.

I finally did it ! My first box rooted :smiley:

Thank you to @kalitkd @TazWake @Saker for your help and encouragement, and everyone else who has posted any kind of tip for this box. I must have read this whole discussion 20 times trying to figure out each stage so chances are, if you posted a tip, it probably helped me! It has been a massive learning curve, as I was starting completely from scratch, but it was well worth the effort. I am truly addicted now.

Extra special thanks to @SamTheSapien for going the extra mile supporting me, somehow without giving away any direct spoilers. (At the time I wish you had, but now I’m so glad you didn’t :slight_smile: ).

Any suggestions / recommendations for the next box I should try…?

Big thanks too to @ippsec for your videos, especially Swagshop which just got me over the last hurdle here.

still in the low-priv shell and just got the mi credential in the d***_s*******.i**.p** file, but cannot connect to that service… am i on the right path?

guys trying to get into root if i type “sudo -l” i get the following issue, with all the 3 users wwata , jy and J*****a
$ sudo -l
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin

Any help for this issue? pls ping me if you have any info, thank you in advance

@theLorD said:

still in the low-priv shell and just got the mi credential in the d***_s*******.i**.p** file, but cannot connect to that service… am i on the right path?

yes

@wsurfer said:

guys trying to get into root if i type “sudo -l” i get the following issue, with all the 3 users wwata , jy and J*****a
$ sudo -l
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin

Any help for this issue? pls ping me if you have any info, thank you in advance

reset the box

Got user 1. Would be able to get user 2 if people didn’t keep resetting the box haha

Best advice I can give on the first part - it’s easy to over-think it or over-complicate it. Enumerate well and don’t dismiss something that looks important. Remember that the weakest link is the user.

I got the RSA key through curl for user2 but unable to crack with john…help appreciated

Pretty fun box, and the first I was able to do in a few hours. Was really dumb on user, answer was staring me in the face the whole time.

Any nudge would be way cool. Got user 1 ok, got user 2 ok, and for some reason I hit a wall with root. It looks like it should be straightforward. I checked j******a’s privs, and it looks like I should be able to use nn to get some joy, but it says the file is not found. It doesn’t say I don’t have permission, just that it isn’t there. GTFO B, I have tried everything in there multiple times, and also no joy. I have even copied and pasted exactly to make sure I am not fat fingering it. Am I barking up the wrong tree here? Did someone hide the flag? Any help would be super appreciated. Thnx