OpenAdmin

@6062055 said:

EDIT: …still can’t figure this out, after few more hours messing with it. I don’t understand, why sudo isn’t working when it says NOPASSWD. I don’t see how the GTFOBin method is supposed to work without sudo. I’ve tried it without sudo a hundred times now. Anyone else still messing with this? Does anyone have user2 cred’s, for sudo? Maybe I’m missing some cred’s. Someone mentioned some mysql cred’s. I haven’t seen them, but not sure if I need them, either.

Are you still stuck? If so PM me. No extra creds needed but I am curious how you got user 1’s creds.

@awarkozak said:

Stuck on user1. Got lost somewhere and found myself digging through the database for info which I’m certain is the wrong path.

Thought I found the right info in m***.p file within the i****l directory but having trouble gaining what I need to from it.

Find out where it is being served.

Type your comment> @OrangeHat said:

@6062055 I had the same problem as you at first. Read my comment above about the output being a single command, not two commands. E.g. if you see ‘/bin/command /opt/otherthing’ you should run that as a single command, not just /bin/command by itself.

@OrangeHat Thanks for the tip (:::respected:::).
@TazWake Figured out with a couple nudges…thanks :slight_smile: (:::respected:::slight_smile:

@6062055 said:

@OrangeHat Thanks for the tip (:::respected:::).
@TazWake Figured out with a couple nudges…thanks :slight_smile: (:::respected:::slight_smile:

Nice work.

@TazWake I got the user 1 (j***y) pass from some php or html file somewhere, viewable from www-data, then just logged in with that.

For anyone else interested…
User 2 = look for ‘internal’ files, try curl w/ interesting port.
Root = sudo -l, find out what that output really means, and how to use it. Google should give you an idea, or just ask me :slight_smile:

This was my fourth machine. Took me way too long and too many hints to figure out Root, thought it would be easier to figure out. @dmw0ng , thanks for the great machine :smile:

Someone has just delete the whole admin application. Can you please don’t do that next time, oh my god…

finally rooted … DM me if you want any help or hint :slight_smile:

I am totally stuck on getting root. I dont understand what I am doing wrong with the sudo -l output. I feel I should be able to run these commands but I am not able to get privileges… frustrating.

EDIT:

hahahaha nice trick. I figured it out

This is my first ever box so I am learning a lot but I am stuck on www-d***. I got the shell running and I have browsed the files for a long time. I found a myi password for _sys , the password is n******. I have no idea what to do now, I tried logging in on different services with this password. I’m thinking that I’m missing something obvious but I don’t see what.

Type your comment> @MaartenM said:

This is my first ever box so I am learning a lot but I am stuck on w**-d***. I got the shell running and I have browsed the files for a long time. I found a myi password for o_s*, the password is n************. I have no idea what to do now, I tried logging in on different services with this password. I’m thinking that I’m missing something obvious but I don’t see what.

I think you need to see what the other file in that directory contains which is a big clue

@inzel said:

Type your comment> @MaartenM said:

(Quote)
I think you need to see what the other file in that directory contains which is a big clue

The information I was talking about was in the ./l****/c**** directory. There are 3 files in there, and the file with the information is d*********... The run********* file I cannot cat and the other I cannot find any clues in. What file and directory are you talking about?

I got the ssh for user2 after putting in “sudo -l” and seing my potential way in it’s requesting me a password for user2? I thought I needed no password for this???

Type your comment> @Gentooman said:

I got the ssh for user2 after putting in “sudo -l” and seing my potential way in it’s requesting me a password for user2? I thought I needed no password for this???

NVM I’m fucking stupid… spaces are not comma’s…

Fun box, made me rage on the most easiest things ever.

@TazWake said:
@6062055 said:

EDIT: …still can’t figure this out, after few more hours messing with it. I don’t understand, why sudo isn’t working when it says NOPASSWD. I don’t see how the GTFOBin method is supposed to work without sudo. I’ve tried it without sudo a hundred times now. Anyone else still messing with this? Does anyone have user2 cred’s, for sudo? Maybe I’m missing some cred’s. Someone mentioned some mysql cred’s. I haven’t seen them, but not sure if I need them, either.

Are you still stuck? If so PM me. No extra creds needed but I am curious how you got user 1’s creds.

I am also curious about this…

Type your comment> @awarkozak said:

(Quote)
I am also curious about this…

If you’re setting up a cms or some other webapp it needs a password for a database. Try looking around with cat and ls

Can someone message me how the 2nd user is supposed to work? I used the writable script directory with some curling to laterally move to the other user and some use of public key auth.

@illuzian said:

Can someone message me how the 2nd user is supposed to work? I used the writable script directory with some curling to laterally move to the other user and some use of public key auth.

I am not 100% sure what the question is here. You seem to have answered it yourself.

Type your comment> @TazWake said:

@illuzian said:

Can someone message me how the 2nd user is supposed to work? I used the writable script directory with some curling to laterally move to the other user and some use of public key auth.

I am not 100% sure what the question is here. You seem to have answered it yourself.

Looking through the posts there was mention of cracking a found hash and using that to get the 2nd user. Not sure if this is the case or if I approached it correctly.

@illuzian said:

Looking through the posts there was mention of cracking a found hash and using that to get the 2nd user. Not sure if this is the case or if I approached it correctly.

It depends. I got the 2nd user account without cracking the hash in the script.

Type your comment> @TazWake said:

@illuzian said:

Looking through the posts there was mention of cracking a found hash and using that to get the 2nd user. Not sure if this is the case or if I approached it correctly.

It depends. I got the 2nd user account without cracking the hash in the script.

Ok, awesome. I found a hash and cracked it (it wasn’t a complex password) but it didn’t seem to yield anything useful. Guess there might have been multiple ways to solve this. Thanks for the feedback.