OpenAdmin

rooted…

so, it boils down to something like this:

OSINT + Explore as much as possible
As you move next, find something which may not be openly accessible but does exist there :wink:
Exactly understand what you have (very important!)… misunderstanding it took a quarter hour of mine until I figured out it was a piece of cake to privesc to root from J****a

feel free to PM for a nudge :slight_smile:

rooted! :smiley:

Nice box, pretty easy actually but not trivial. Lots of interesting things to discover, sort of logical configurations and escalation. Little tricks to go from a stage to the next, this is what I felt… rooting, super easy, but I have to admit that a nudge from this forum helped a lot to reduce the required time to discover the “right command”… after that, the exploit is a piece of cake!

@TazWake said:

@arhackthebox said:

Anyone experiencing issues with john crapping out?
I’ve read that there’s a bug (password cracking - How do I crack an id_rsa encrypted private key with john the ripper? - Information Security Stack Exchange) but I’m not seeing others on this thread report trouble with it.

Lots of people have been complaining about John not working.

It’s worth using the “Magnum” version rather than the out-of-the-box one: GitHub - openwall/john: John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs

Someone suggested… “-w=wordlist works but -w wordlist does not.”

That solved it for me!

@TazWake Thank you once again for your answer.

I am ashamed to ask, but I think I need a hint for the curl command (I am aware I could use something else). I have literally been through all the pages and curl hints, yet I’m still doing it wrong…

I have found and understood the .**p scripts, and also found an interesting port. I know it runs locally, but even with all this information, I can’t figure out how to write the command precisely. It either returns me the script (so I’m not at the right place) or a “connection refused” error. I have tried a bunch of different syntaxes, to no avail…

I hope it’s the last time I ask a question for this box :confounded:

Thank you

@netpal said:

@TazWake Thank you once again for your answer.

Always glad to help if I can.

I am ashamed to ask, but I think I need a hint for the curl command (I am aware I could use something else). I have literally been through all the pages and curl hints, yet I’m still doing it wrong…

The general syntax to make a request with curl is:

curl http://ipaddress:port/page.php

There are other things you need to do if you want to send things like credentials, such as:

curl -u username:password http://ipaddress:port/page.php

(This is generally bad practice as the password gets stored in the history file, but it’s acceptable for CTFs.)

Also man curl is a very good place to start.

On getting root

Can someone explain if it is normal to get a password prompt when executing s**o commands as a user that has the N******D flag set on said commands?

A pm would be appreciated, thanks!

@arkountos said:

On getting root

Can someone explain if it is normal to get a password prompt when executing s**o commands as a user that has the N******D flag set on said commands?

A pm would be appreciated, thanks!

Only if you’ve entered the command incorrectly.

Hi there, I got the w**-***a shell. I see that the two users are kinda “linked” together and I know that I can now make some http requests to a private server on a strange port. Can this be the way to go? The place in which I landed seems so messy.
Since I’m pretty new to this website, I would like to ask if files inside the box can be modified.

Hey,

I got a passphrase from JtR but don’t see how to use it to crack the key… I tried with openssl but get the error message “unable to load Private Key”.

I have read all the questions/answers about this question and have chmoded 600 the file.

Do I have to create a pair of keys and add it to the ssh-agent ? Or should I just find a way to crack the key and then ssh -i key j**a@… ?

I have spent hours on this and feel like a retard…

Thanks!

@netpal said:

Hey,

I got a passphrase from JtR but don’t see how to use it to crack the key… I tried with openssl but get the error message “unable to load Private Key”.

I have read all the questions/answers about this question and have chmoded 600 the file.

Do I have to create a pair of keys and add it to the ssh-agent ? Or should I just find a way to crack the key and then ssh -i key j**a@… ?

I have spent hours on this and feel like a retard…

Thanks!

Not sure why you are trying to crack the keys or use ssh-agent. If you have the passphrase, what do you need to crack?

Have you tried ssh -i key j****a@... ?

@TazWake Well, I’m confused myself… I read so many questions/answers about this…
Yes, I tried what you said but get an error: Load key “id_rsa”: error in libcrypto.
Permissions for this .pem file are -rw-------.
Am I using the wrong key ? I tried with the hashed one too (.txt format), but get an invalid format error.

Or maybe I missed a step? Isn’t the passphrase b*********s ?

Thank you!


@netpal said:

@TazWake Well, I’m confused myself… I read so many questions/answers about this…
Yes, I tried what you said but get an error: Load key “id_rsa”: error in libcrypto.
Permissions for this .pem file are -rw-------.
Am I using the wrong key ? I tried with the hashed one too (.txt format), but get an invalid format error.

Or maybe I missed a step? Isn’t the passphrase b*********s ?

Thank you!

Most of the time, I’d say the likely cause is that there is something wrong with your key. However you have got the correct phrase something must be working.

People change important files on OpenAdmin all the time so it is possible that someone has helpfully broken the box and you need to reset it.

Hi folks!
I was able to get the first shell by running a 4****.sh script of user w**-a. After that I did a lot of enumeration and I got a pv file in a directory. There is a 32 character hash c9*********f in /o**/ directory. Now I have used both john and hashcat to crack this hash, but in both cases I failed to crack it. Any hint for the next stage?

@kashi139 said:

Hi folks!
I was able to get the first shell by running a 4****.sh script of user w**-a. After that I did a lot of enumeration and I got a pv file in a directory. There is a 32 character hash c9*********f in /o**/ directory. Now I have used both john and hashcat to crack this hash, but in both cases I failed to crack it. Any hint for the next stage?

You’ve probably strayed too far from the initial RCE point. Use ls -al, ignore any recent files and look through the files and folders you can find to see if there is any interesting loot you can use.

It’s also worth enumerating the users on the system.

@Blacknuxx said:

Hi guys! I’m a newbie and I’m really stuck with the openadmin box, can somebody help me?
Please send DM

I achieved!!!
The problem was not the exploit; the problem was in the tool that I used. I ran the exploit manually and it works, w****a 2 users and I’m root.

:smiley:

is it possible to get the special key for user j***a without using john?
and could someone please DM me why the cl command does work for the m
.php file?

@Cooper24 said:

is it possible to get the special key for user j****a without using john?

Possibly, but every other tool needs a lot of configuration to make it work.

and could someone please DM me why the cl command does work for the m*.php file?

It’s a way of interacting with a webserver. You could use loads of tools, that’s just the easiest one & most people know it well.

@TazWake I wish you were right, but sadly I am just retarded :smile:
I was trying to SSH from my kali user (I had copied the key there).
After correcting my error, I was able to get both flags!

I’d like to thank you @TazWake for your help and your patience… I clearly wouldn’t have done it without you!

Good luck everyone and see you soon!

Rooted