OpenAdmin

Could anyone help me with the shell syntax please? I’ve tried all the advice on here with and still just get no response just a blank $.

@ratiotile said:

Could anyone help me with the shell syntax please? I’ve tried all the advice on here with and still just get no response just a blank $.

First off, what are you expecting to see when you execute this RCE?

What happens if you try to issue a command at the blank $?

Without error messages it is nearly impossible to help troubleshoot this. If it is a problem the most likely options are:

  1. You aren’t giving it a target.
  2. The script has some unusual characters in it (some of the versions built into the Kali OS have carriage returns which break things)

Type your comment> @ratiotile said:

Could anyone help me with the shell syntax please? I’ve tried all the advice on here with and still just get no response just a blank $.

Try typing some command and see the return. (ls, pwd, id…)

When I try a cmd on the $ I get not response.

First I used ds2unix to get rid of the /r and unexpected end of file errors and passing the target and command as arguements - nothing.

Then tried editing the script to put the IP in as the URL arguement then with /o** and /o**/v**/w** and every combination of that. I’ve tried passing ‘ls’ as an arguement with and putting it in instead of ${cmd} but still no output.

Am I missing a trick?

@ratiotile said:

Am I missing a trick?

Possibly.

Just to check - are you giving it the same target you would see if you visited the page in your browser because it isn’t clear from the asterisked out text.

Yes, the same o** as you would to get to the management page. Also tried using the ot/o** directory and traversing to all dirs on ot/o**/v**/w**.

@ratiotile said:

Yes, the same o** as you would to get to the management page. Also tried using the ot/o** directory and traversing to all dirs on ot/o**/v**/w**.

Again, just to check based on common issues, you have used the correct file extension in the URL?

The shell is .sh with 777 priv. Also I’ve tried it against the php page.

@ratiotile said:

The shell is .sh with 777 priv. Also I’ve tried it against the php page.

Only things I can suggest are to troubleshoot it while it runs.

If you have provided the correct target URI it should either work or spit out errors.

Try running tcpdump to capture traffic to and from the Open Admin server and see if it says what is happening when you invoke it.

Unfortunately, once you are doing everything correctly there isn’t an easy way to remote troubleshoot. For example, it could be a line in the script, it could a networking issue, it could be a box issue etc.

I’m getting bad checksum errors when the script runs but I honestly don’t know if that’s the issue. I’m going to try it on different setup and see.

EDIT: Ran it on Vbox VM in Windows and it worked. I was using a Kali VM on Qubes and its either the NIC or the internal networking that must of been causing the issue. Thanks @TazWake

First box ever and I’m stuck. I had a dream where I went to the seashore and I grabbed a shell, I climbed into the shell and landed on a world where i I went through the process and came across two other people who were much more powerful than I.

I decided to walk around some more and came across a magic cat, I explored the area with the cat and found a cd player. I tried to change the songs but It would only stay on one track and wouldnt let me switch. So there I sat pondering where to go next…

So Im basically stuck in one directory where i landed, have the other user account names but thats all.

any nudges as to how I find creds for the users? I read something about doing curls but i’m not sure how to go about that

Type your comment> @shock72 said:

First box ever and I’m stuck. I had a dream where I went to the seashore and I grabbed a shell, I climbed into the shell and landed on a world where i I went through the process and came across two other people who were much more powerful than I.

I decided to walk around some more and came across a magic cat, I explored the area with the cat and found a cd player. I tried to change the songs but It would only stay on one track and wouldnt let me switch. So there I sat pondering where to go next…

So Im basically stuck in one directory where i landed, have the other user account names but thats all.

any nudges as to how I find creds for the users? I read something about doing curls but i’m not sure how to go about that

The cd player, doesn’t play other songs. But have you seen the bands the players are from? maybe you should listen to more songs from that band, you might like the music they play.

hi

@shock72 said:

So Im basically stuck in one directory where i landed, have the other user account names but thats all.

any nudges as to how I find creds for the users? I read something about doing curls but i’m not sure how to go about that

You don’t need to change directories. Almost every linux command accepts a path.

For example instead of typing cd ./path/to/sub/folder; ls you can just as easily use ls ./path/to/sub/folder

Same with cat - cat ./path/to/sub/folder/interestingFile.php works.

Pwned the box :slight_smile:

It’s my first box after some time out so it was good to get a refresher of the basics.

I used the common xxxx.sh script to get in. I am wondering if anyone can explain to me what the xxxx.sh script is doing :slight_smile:

Please PM me if you have the explanation.

Thanks @newman12377 and @TazWake , much appreciated
…next thing ya know i’m kung fu fighting

Stuck between the 1st and 2nd user, minor directing will be appreciated :slight_smile:

@Peleg said:

Stuck between the 1st and 2nd user, minor directing will be appreciated :slight_smile:

Type your comment> @TazWake said:

@Peleg said:

Stuck between the 1st and 2nd user, minor directing will be appreciated :slight_smile:

OpenAdmin - #882 by TazWake - Machines - Hack The Box :: Forums

Thank you, but ive already discovered the group and the files and still nothing that I do with them works or gives me any kind of advancement…

@Peleg said:

Thank you, but ive already discovered the group and the files and still nothing that I do with them works or gives me any kind of advancement…

Ok - it helps if you lead with the problem you are facing then.

If you have found the files you need to find where they are being served. This might help:

There are a couple of ways to get the information you need and it is alluded to above.

Alternatively, if none of the previous hints are useful for you, it might be worth trying to rephrase your question so it asks your specific problem. Hints are always going to be generic but keep in mind 99% of this box is enumeration. If you look in enough places you will find what you need, you just need to think how you want to use it.