OpenAdmin

@13FPS said:

curl part : Permission denied for the c** any nudge?

@Jebby said:

Also having issues when trying to go the gym, nudge would be appreciated!

Make sure you are pointing at the correct location.

@Jown said:

Hi everyone,

I got the second user by ssh but i’m not sure about password getting from the key, it didn’t work for ssh or su.

What i have to do with this password ?

As a rule of thumb, if a password is for an SSH key, you need to use that password to unlock the SSH key.

If you are looking for a password for an SSH private key, you probably need to get it from the key rather than somewhere else.

Rooted!!

Service Level and Users 1 were fairly easy.

User 2 I spent a lot of time on–my achilles heel is that I often spend a lot of time reading and sifting through stuff when the answer is right there–wish I knew how to fix that…:frowning:
User 2 made me feel like I was taking OSCP exam and re-running / re-reading stuff and going nowhere.

Root was super easy.

At last I rooted it!

Took me more than I care to admit.
Getting to the second j***** user took me all the time, the initial foothold is pretty easy with some googling and rooting is known gtfo stuff.
I liked it, probably my favorite box so far.

got user2 thanks to @8balla

working on my first root on htb!

IF you have this error, make sure to have a good direct shell :slight_smile:
PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
unable to initialize policy plugin

Rooted the box!

Could anyone help me with the shell syntax please? I’ve tried all the advice on here with and still just get no response just a blank $.

@ratiotile said:

Could anyone help me with the shell syntax please? I’ve tried all the advice on here with and still just get no response just a blank $.

First off, what are you expecting to see when you execute this RCE?

What happens if you try to issue a command at the blank $?

Without error messages it is nearly impossible to help troubleshoot this. If it is a problem the most likely options are:

  1. You aren’t giving it a target.
  2. The script has some unusual characters in it (some of the versions built into the Kali OS have carriage returns which break things)

Type your comment> @ratiotile said:

Could anyone help me with the shell syntax please? I’ve tried all the advice on here with and still just get no response just a blank $.

Try typing some command and see the return. (ls, pwd, id…)

When I try a cmd on the $ I get not response.

First I used ds2unix to get rid of the /r and unexpected end of file errors and passing the target and command as arguements - nothing.

Then tried editing the script to put the IP in as the URL arguement then with /o** and /o**/v**/w** and every combination of that. I’ve tried passing ‘ls’ as an arguement with and putting it in instead of ${cmd} but still no output.

Am I missing a trick?

@ratiotile said:

Am I missing a trick?

Possibly.

Just to check - are you giving it the same target you would see if you visited the page in your browser because it isn’t clear from the asterisked out text.

Yes, the same o** as you would to get to the management page. Also tried using the ot/o** directory and traversing to all dirs on ot/o**/v**/w**.

@ratiotile said:

Yes, the same o** as you would to get to the management page. Also tried using the ot/o** directory and traversing to all dirs on ot/o**/v**/w**.

Again, just to check based on common issues, you have used the correct file extension in the URL?

The shell is .sh with 777 priv. Also I’ve tried it against the php page.

@ratiotile said:

The shell is .sh with 777 priv. Also I’ve tried it against the php page.

Only things I can suggest are to troubleshoot it while it runs.

If you have provided the correct target URI it should either work or spit out errors.

Try running tcpdump to capture traffic to and from the Open Admin server and see if it says what is happening when you invoke it.

Unfortunately, once you are doing everything correctly there isn’t an easy way to remote troubleshoot. For example, it could be a line in the script, it could a networking issue, it could be a box issue etc.

I’m getting bad checksum errors when the script runs but I honestly don’t know if that’s the issue. I’m going to try it on different setup and see.

EDIT: Ran it on Vbox VM in Windows and it worked. I was using a Kali VM on Qubes and its either the NIC or the internal networking that must of been causing the issue. Thanks @TazWake

First box ever and I’m stuck. I had a dream where I went to the seashore and I grabbed a shell, I climbed into the shell and landed on a world where i I went through the process and came across two other people who were much more powerful than I.

I decided to walk around some more and came across a magic cat, I explored the area with the cat and found a cd player. I tried to change the songs but It would only stay on one track and wouldnt let me switch. So there I sat pondering where to go next…

So Im basically stuck in one directory where i landed, have the other user account names but thats all.

any nudges as to how I find creds for the users? I read something about doing curls but i’m not sure how to go about that

Type your comment> @shock72 said:

First box ever and I’m stuck. I had a dream where I went to the seashore and I grabbed a shell, I climbed into the shell and landed on a world where i I went through the process and came across two other people who were much more powerful than I.

I decided to walk around some more and came across a magic cat, I explored the area with the cat and found a cd player. I tried to change the songs but It would only stay on one track and wouldnt let me switch. So there I sat pondering where to go next…

So Im basically stuck in one directory where i landed, have the other user account names but thats all.

any nudges as to how I find creds for the users? I read something about doing curls but i’m not sure how to go about that

The cd player, doesn’t play other songs. But have you seen the bands the players are from? maybe you should listen to more songs from that band, you might like the music they play.

hi

@shock72 said:

So Im basically stuck in one directory where i landed, have the other user account names but thats all.

any nudges as to how I find creds for the users? I read something about doing curls but i’m not sure how to go about that

You don’t need to change directories. Almost every linux command accepts a path.

For example instead of typing cd ./path/to/sub/folder; ls you can just as easily use ls ./path/to/sub/folder

Same with cat - cat ./path/to/sub/folder/interestingFile.php works.