OpenAdmin

Comments

  • At last I rooted it!

    Took me more than I care to admit.
    Getting to the second j***** user took me all the time, the initial foothold is pretty easy with some googling and rooting is known gtfo stuff.
    I liked it, probably my favorite box so far.

  • got user2 thanks to @8balla

    working on my first root on htb!

  • If you have this error, make sure to have a good direct shell :)
    PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
    unable to initialize policy plugin

    Rooted the box!

  • Could anyone help me with the shell syntax please? I've tried all the advice on here with and still just get no response just a blank $.

  • @ratiotile said:

    Could anyone help me with the shell syntax please? I've tried all the advice on here with and still just get no response just a blank $.

    First off, what are you expecting to see when you execute this RCE?

    What happens if you try to issue a command at the blank $?

    Without error messages it is nearly impossible to help troubleshoot this. If it is a problem the most likely options are:

    1) You aren't giving it a target.
    2) The script has some unusual characters in it (some of the versions built into the Kali OS have carriage returns which break things)

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • @ratiotile said:

    Could anyone help me with the shell syntax please? I've tried all the advice on here with and still just get no response just a blank $.

    Try typing some command and see the return. (ls, pwd, id...)

  • When I try a cmd on the $ I get no response.

    First I used dos2unix to get rid of the /r and unexpected end of file errors and passing the target and command as arguments - nothing.

    Then tried editing the script to put the IP in as the URL argument then with /o** and /o/v/w** and every combination of that. I've tried passing 'ls' as an argument with and putting it in instead of ${cmd} but still no output.

    Am I missing a trick?

  • @ratiotile said:

    Am I missing a trick?

    Possibly.

    Just to check - are you giving it the same target you would see if you visited the page in your browser because it isn't clear from the asterisked out text.

    TazWake

  • Yes, the same o** as you would to get to the management page. Also tried using the ot/o** directory and traversing to all dirs on ot/o/v/w**.

  • @ratiotile said:

    Yes, the same o** as you would to get to the management page. Also tried using the ot/o** directory and traversing to all dirs on ot/o/v/w**.

    Again, just to check based on common issues, you have used the correct file extension in the URL?

    TazWake

  • The shell is .sh with 777 priv. Also I've tried it against the php page.

  • @ratiotile said:

    The shell is .sh with 777 priv. Also I've tried it against the php page.

    Only things I can suggest are to troubleshoot it while it runs.

    If you have provided the correct target URI it should either work or spit out errors.

    Try running tcpdump to capture traffic to and from the Open Admin server and see if it says what is happening when you invoke it.

    Unfortunately, once you are doing everything correctly there isn't an easy way to remote troubleshoot. For example, it could be a line in the script, it could be a networking issue, it could be a box issue etc.

    TazWake

  • edited January 2020

    I'm getting bad checksum errors when the script runs but I honestly don't know if that's the issue. I'm going to try it on different setup and see.

    EDIT: Ran it on Vbox VM in Windows and it worked. I was using a Kali VM on Qubes and it's either the NIC or the internal networking that must have been causing the issue. Thanks @TazWake

  • First box ever and I'm stuck. I had a dream where I went to the seashore and I grabbed a shell, I climbed into the shell and landed on a world where I went through the process and came across two other people who were much more powerful than I.

    I decided to walk around some more and came across a magic cat, I explored the area with the cat and found a cd player. I tried to change the songs but it would only stay on one track and wouldn't let me switch. So there I sat pondering where to go next....

    So I'm basically stuck in one directory where I landed, have the other user account names but that's all.

    Any nudges as to how I find creds for the users? I read something about doing curls but I'm not sure how to go about that

  • @shock72 said:

    First box ever and I'm stuck. I had a dream where I went to the seashore and I grabbed a shell, I climbed into the shell and landed on a world where I went through the process and came across two other people who were much more powerful than I.

    I decided to walk around some more and came across a magic cat, I explored the area with the cat and found a cd player. I tried to change the songs but it would only stay on one track and wouldn't let me switch. So there I sat pondering where to go next....

    So I'm basically stuck in one directory where I landed, have the other user account names but that's all.

    Any nudges as to how I find creds for the users? I read something about doing curls but I'm not sure how to go about that

    The cd player, doesn't play other songs. But have you seen the bands the players are from? maybe you should listen to more songs from that band, you might like the music they play.

  • edited January 2020

    hi

  • @shock72 said:

    So I'm basically stuck in one directory where I landed, have the other user account names but that's all.

    Any nudges as to how I find creds for the users? I read something about doing curls but I'm not sure how to go about that

    You don't need to change directories. Almost every Linux command accepts a path.

    For example instead of typing cd ./path/to/sub/folder; ls you can just as easily use ls ./path/to/sub/folder

    Same with cat - cat ./path/to/sub/folder/interestingFile.php works.

    TazWake

  • Pwned the box :)

    It's my first box after some time out so it was good to get a refresher of the basics.

    I used the common xxxx.sh script to get in. I am wondering if anyone can explain to me what the xxxx.sh script is doing :)

    Please PM me if you have the explanation.

  • edited January 2020

    Thanks @newman12377 and @TazWake, much appreciated
    ...next thing ya know I'm kung fu fighting

  • Stuck between the 1st and 2nd user, minor directing will be appreciated :)

  • @Peleg said:

    Stuck between the 1st and 2nd user, minor directing will be appreciated :)

    https://forum.hackthebox.eu/discussion/comment/58511/#Comment_58511

    TazWake

  • @TazWake said:

    @Peleg said:

    Stuck between the 1st and 2nd user, minor directing will be appreciated :)

    https://forum.hackthebox.eu/discussion/comment/58511/#Comment_58511

    Thank you, but I've already discovered the group and the files and still nothing that I do with them works or gives me any kind of advancement...

  • @Peleg said:

    Thank you, but I've already discovered the group and the files and still nothing that I do with them works or gives me any kind of advancement...

    Ok - it helps if you lead with the problem you are facing then.

    If you have found the files you need to find where they are being served. This might help:
    https://forum.hackthebox.eu/discussion/comment/56286/#Comment_56286
    https://forum.hackthebox.eu/discussion/comment/56163/#Comment_56163
    https://forum.hackthebox.eu/discussion/comment/56239/#Comment_56239
    https://forum.hackthebox.eu/discussion/comment/56122/#Comment_56122
    https://forum.hackthebox.eu/discussion/comment/56193/#Comment_56193
    https://forum.hackthebox.eu/discussion/comment/56290/#Comment_56290
    https://forum.hackthebox.eu/discussion/comment/56401/#Comment_56401

    There are a couple of ways to get the information you need and it is alluded to above.

    Alternatively, if none of the previous hints are useful for you, it might be worth trying to rephrase your question so it asks your specific problem. Hints are always going to be generic but keep in mind 99% of this box is enumeration. If you look in enough places you will find what you need, you just need to think how you want to use it.

    TazWake

  • Hi. I got the R** for j****a. Cracked it and got the password. After trying to get into the machine via ssh it always throws me permission denied. Any clue why is that so :( ?

  • @Destroyervg said:

    Hi. I got the R** for j****a. Cracked it and got the password. After trying to get into the machine via ssh it always throws me permission denied. Any clue why is that so :( ?

    When you say "it" - do you mean SSH or the remote server?

    Based on what you've put, the likely causes are:

    1) your key hasn't been properly configured. You should see some error messages saying this though.
    2) you haven't unlocked the key - again SSH should throw up some errors here.
    3) You aren't using the key to connect to the site, you are trying to use a password.

    TazWake

  • edited January 2020

    Hi I got j****y then I found j****a's Private Key but I don't know how to decode it, is there any way to get public pass? Please help, just 1 step left to get User and Root.

  • @TazWake said:

    @Destroyervg said:

    Hi. I got the R** for j****a. Cracked it and got the password. After trying to get into the machine via ssh it always throws me permission denied. Any clue why is that so :( ?

    When you say "it" - do you mean SSH or the remote server?

    Based on what you've put, the likely causes are:

    1) your key hasn't been properly configured. You should see some error messages saying this though.
    2) you haven't unlocked the key - again SSH should throw up some errors here.
    3) You aren't using the key to connect to the site, you are trying to use a password.

    By it I mean the machine: ssh i id_rsa [email protected]

    One of your comments gave me a hint. The error message is the following:
    [email protected]:~/Desktop# ssh -i id_rsa [email protected]



    Permissions 0644 for 'id_rsa' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    Load key "id_rsa": bad permissions
    [email protected]'s password:
    Permission denied, please try again.
    [email protected]'s password:
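
Added example, not part of the original thread: the "Permissions 0644 ... are too open" output quoted above is the OpenSSH client ignoring a private key that group or other users can access, which is why it falls back to a password prompt. The script below applies the same mode test to a directory of keys; the function names and the placeholder key file are constructed for illustration.

```sh
#!/bin/sh
# Added example: reproduce the OpenSSH client's "permissions are too open" test.

# Print a file's permission bits in octal (GNU stat, then BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when no group/other permission bit is set (mode & 077 == 0).
key_mode_ok() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print "MODE PATH" for every private key in a directory that fails the test.
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Private keys are recognised by their PEM/OpenSSH header line.
        head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----' || continue
        key_mode_ok "$f" || printf '%s %s\n' "$(file_mode "$f")" "$f"
    done
}

# Restrict a key to owner read/write, the mode ssh accepts.
fix_key_mode() {
    chmod 600 "$1"
}

# Demo on a constructed placeholder (header line only, not a real key).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$tmp/id_rsa"
    chmod 644 "$tmp/id_rsa"
    echo "before: $(audit_keys "$tmp")"
    fix_key_mode "$tmp/id_rsa"
    echo "after: $(audit_keys "$tmp")"
    rm -rf "$tmp"
}
demo
```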

  • @TeRMaN said:

    Hi I got j****y then I found j****a's Private Key but I don't know how to decode it, is there any way to get public pass? Please help, just 1 step left to get User and Root.

    You can crack it with John the Ripper. I did it with this tool.

  • edited January 2020

    @Destroyervg said:

    @TeRMaN said:

    Hi I got j****y then I found j****a's Private Key but I don't know how to decode it, is there any way to get public pass? Please help, just 1 step left to get User and Root.

    You can crack it with John the Ripper. I did it with this tool.

    I found b*********s but it doesn't work :(

  • @TeRMaN said:

    @Destroyervg said:

    @TeRMaN said:

    Hi I got j****y then I found j****a's Private Key but I don't know how to decode it, is there any way to get public pass? Please help, just 1 step left to get User and Root.

    You can crack it with John the Ripper. I did it with this tool.

    I found b*********s but it doesn't work :(

    Same here brother... I get an error "permission denied"
