OpenAdmin

Comments

  • rooted..

    so, it boils down to something like this:

    OSINT + Explore as much as possible
    As you move next, find something which may not be openly accessible but does exist there :wink:
    Exactly understand what you have (very important!).. misunderstanding it took a quarter hour of mine until I figured out it was a piece of cake to privesc to root from J****a

    feel free to PM for a nudge :)

  • rooted! :smiley:

    Nice box, pretty easy actually but not trivial. Lots of interesting things to discover, sort of logical configurations and escalation. Little tricks to go from a stage to the next, this is what I felt... rooting, super easy, but I have to admit that a nudge from this forum helped a lot to reduce the required time to discover the "right command"... after that, the exploit is a piece of cake!

  • @TazWake said:

    @arhackthebox said:

    Anyone experiencing issues with john crapping out?
    I've read that there's a bug (https://security.stackexchange.com/questions/224109/how-do-i-crack-an-id-rsa-encrypted-private-key-with-john-the-ripper) but I'm not seeing others on this thread report trouble with it.

    Lots of people have been complaining about John not working.

    It's worth using the "Magnum" version rather than the out-of-the-box one: https://github.com/magnumripper/JohnTheRipper

    Someone suggested... "-w=wordlist works but -w wordlist does not."

    That solved it for me!

  • @TazWake Thank you once again for your answer.

    I am ashamed to ask, but I think I need a hint for the curl command (I am aware I could use something else). I have literally been through all the pages and curl hints, yet I'm still doing it wrong...

    I have found and understood the .**p scripts, and also found an interesting port. I know it runs locally, but even with all this information, I can't figure out how to write the command precisely. It either returns me the script (so I'm not at the right place) or a "connection refused" error. I have tried a bunch of different syntaxes, to no avail...

    I hope it's the last time I ask a question for this box :confounded:

    Thank you

  • @netpal said:

    @TazWake Thank you once again for your answer.

    Always glad to help if I can.

    I am ashamed to ask, but I think I need a hint for the curl command (I am aware I could use something else). I have literally been through all the pages and curl hints, yet I'm still doing it wrong...

    The general syntax to make a request with curl is:

    curl http://ipaddress:port/page.php

    There are other things you need to do if you want to send things like credentials, such as:

    curl -u username:password http://ipaddress:port/page.php

    (this is generally bad practice as the password gets stored in the history file but it's acceptable for CTFs)

    Also man curl is a very good place to start.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • On getting root

    Can someone explain if it is normal to get a password prompt when executing s**o commands as a user that has the N******D flag set on said commands?

    A pm would be appreciated, thanks!

  • @arkountos said:

    On getting root

    Can someone explain if it is normal to get a password prompt when executing s**o commands as a user that has the N******D flag set on said commands?

    A pm would be appreciated, thanks!

    Only if you've entered the command incorrectly.

  • Hi there, I got the w**-***a shell. I see that the two users are kinda "linked" together and I know that I can now make some http requests to a private server on a strange port. Can this be the way to go? The place in which I landed seems so messy.
    Since I'm pretty new to this website, I would like to ask if files inside the box can be modified.

  • Hey,

    I got a passphrase from JtR but don't see how to use it to crack the key... I tried with openssl but get the error message "unable to load Private Key".

    I have read all the questions/answers about this question and have chmoded 600 the file.

    Do I have to create a pair of keys and add it to the ssh-agent ? Or should I just find a way to crack the key and then ssh -i key j****[email protected] ?

    I have spent hours on this and feel like a retard...

    Thanks!

  • @netpal said:

    Hey,

    I got a passphrase from JtR but don't see how to use it to crack the key... I tried with openssl but get the error message "unable to load Private Key".

    I have read all the questions/answers about this question and have chmoded 600 the file.

    Do I have to create a pair of keys and add it to the ssh-agent ? Or should I just find a way to crack the key and then ssh -i key j****[email protected] ?

    I have spent hours on this and feel like a retard...

    Thanks!

    Not sure why you are trying to crack the keys or use ssh-agent. If you have the passphrase, what do you need to crack?

    Have you tried ssh -i key j****[email protected] ?

  • @TazWake Well, I'm confused myself... I read so many questions/answers about this...
    Yes, I tried what you said but get an error: Load key "id_rsa": error in libcrypto.
    Permissions for this .pem file are -rw-------.
    Am I using the wrong key ? I tried with the hashed one too (.txt format), but get an invalid format error.

    Or maybe I missed a step? Isn't the passphrase b*********s ?

    Thank you!
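The two errors reported above (`error in libcrypto` and `invalid format`) usually mean the file ssh was given is not the key it expects, so here is an added diagnostic that is not part of the thread or any poster's code. It runs text-level checks only and never tests a passphrase; the function names and finding codes are this example's own, and the `$sshng$` check assumes the ".txt" hash file came from ssh2john.

```python
import base64
import os
import re
import stat

# Constructed sample (placeholder bytes, NOT a real key); finding codes are this example's own.
SAMPLE = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
          + base64.b64encode(b"constructed placeholder, not key material")
          + b"\n-----END RSA PRIVATE KEY-----\n")

def diagnose_key(raw, mode=0o600):
    """Text-level checks on private key bytes; returns a list of finding codes."""
    findings = []
    if mode & 0o077:
        findings.append("perms-too-open")       # ssh ignores keys others can read
    if b"$sshng$" in raw:                       # ssh2john hash line, not a key file
        return findings + ["cracker-hash-not-a-key"]
    if b"\r" in raw:
        findings.append("crlf-line-endings")    # copy/paste or Windows editor damage
    if not raw.endswith(b"\n"):
        findings.append("no-trailing-newline")
    lines = raw.decode("ascii", "replace").replace("\r", "").rstrip("\n").split("\n")
    m = re.fullmatch(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----", lines[0])
    if not m or lines[-1] != f"-----END {m.group(1)}-----":
        return findings + ["bad-pem-armor"]     # truncated, indented or wrong file
    body = lines[1:-1]
    try:                                        # header lines ("Name: value") are skipped
        blob = base64.b64decode("".join(l for l in body if ":" not in l),
                                validate=True)
    except ValueError:
        return findings + ["body-not-base64"]   # stray spaces or mangled characters
    if m.group(1) == "OPENSSH PRIVATE KEY":     # new format: cipher name is in the blob
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return findings + ["bad-openssh-magic"]
        n = int.from_bytes(blob[len(magic):len(magic) + 4], "big")
        encrypted = blob[len(magic) + 4:len(magic) + 4 + n] != b"none"
    else:                                       # traditional PEM: look at the headers
        encrypted = (m.group(1) == "ENCRYPTED PRIVATE KEY"
                     or any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in body))
    return findings + ["encrypted" if encrypted else "unencrypted"]

def diagnose_file(path):
    """Run the same checks on a key file on disk, using its real permission bits."""
    with open(path, "rb") as fh:
        return diagnose_key(fh.read(), stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    print(diagnose_key(SAMPLE))
```

A result of just `encrypted` means the file is structurally sound and ssh should prompt for the passphrase; any other code points at the file itself rather than the passphrase.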

  • @netpal said:

    @TazWake Well, I'm confused myself... I read so many questions/answers about this...
    Yes, I tried what you said but get an error: Load key "id_rsa": error in libcrypto.
    Permissions for this .pem file are -rw-------.
    Am I using the wrong key ? I tried with the hashed one too (.txt format), but get an invalid format error.

    Or maybe I missed a step? Isn't the passphrase b*********s ?

    Thank you!

    Most of the time, I'd say the likely cause is that there is something wrong with your key. However, you have got the correct phrase, so something must be working.

    People change important files on OpenAdmin all the time so it is possible that someone has helpfully broken the box and you need to reset it.

  • Hi folks!
    I was able to get first shell by running a 4****.sh script of user w-***a. After that I did a lot of enumeration and I got a pv file in a directory. There is a 32 character hash c9**********f in /o**/ directory. Now I have used john and hashcat both to crack this hash, but in both cases I failed to crack it. Any hint for the next stage?

  • @kashi139 said:

    Hi folks!
    I was able to get first shell by running a 4****.sh script of user w-***a. After that I did a lot of enumeration and I got a pv file in a directory. There is a 32 character hash c9**********f in /o**/ directory. Now I have used john and hashcat both to crack this hash, but in both cases I failed to crack it. Any hint for the next stage?

    You've probably strayed too far from the initial RCE point. Use ls -al, ignore any recent files and look through the files and folders you can find to see if there is any interesting loot you can use.

    It's also worth enumerating the users on the system.

  • @Blacknuxx said:

    Hi guys! I'm newbie and I really stuck with openadmin box, somebody can help me?
    Please send DM

    I achieved!!!!!!!!
    The problem was not the exploit, the problem was in the tool that I used. I ran the exploit manually and it works, w****a 2 users and I'm root.

    :smiley:

  • is it possible to get the special key for user j****a without using john?
    and could someone please DM me why the c**l command does work for the m***.php file?

  • @Cooper24 said:

    is it possible to get the special key for user j****a without using john?

    Possibly, but every other tool needs a lot of configuration to make it work.

    and could someone please DM me why the c**l command does work for the m***.php file?

    It's a way of interacting with a webserver. You could use loads of tools, that's just the easiest one & most people know it well.

  • @TazWake I wish you were right, but sadly I am just retarded :smile:
    I was trying to SSH from my kali user (I had copied the key there).
    After correcting my error, I was able to get both flags!

    I'd like to thank you @TazWake for your help and your patience... I clearly wouldn't have done it without you!

    Good luck everyone and see you soon!

  • Rooted

    HTB{HappyHacking}

  • Finally Rooted :D
    took some time, but first box rooted.. on to the next one!

  • About the c**l thing

    As said in previous comments, in order to c**l a file, that file has to be served somewhere. And wouldn't that need a server? Well maybe you can find where it is being served by digging around?

  • I am stuck, which isn't helped by the box keeps glitching for some reason.

    I have a shell with a certain user and I have other user names. I found some creds but not sure what to do with them.

    Can anybody DM me for a bit of a nudge in the right direction please.

    Thanks

  • @Jamarsoft said:

    I am stuck, which isn't helped by the box keeps glitching for some reason.

    I have a shell with a certain user and I have other user names. I found some creds but not sure what to do with them.

    Can anybody DM me for a bit of a nudge in the right direction please.

    Thanks

    Scroll back a few pages - this has been asked a lot and the answers are pretty much close to spoilers.

  • Hello Guys,

    Can you please help me in PV?
    I tried Enum with metasploit or Python Enum script on ssh.
    None of them worked...
    Python tells me server is maybe patched...

    Please note I'm pretty new in pentest and exploit use, and hope to be at least on the good way with this!

    Thank you!
    Tempus l'ancien, from home confined.

  • @Tempuslancien said:

    Hello Guys,

    Can you please help me in PV?
    I tried Enum with metasploit or Python Enum script on ssh.
    None of them worked...
    Python tells me server is maybe patched...

    If you are looking for the initial foothold:

    Manual enumeration is the key. Use a tool to find the directories, then visit them. Look at the links and see if anything exploitable appears.

    When you find something vulnerable, use an RCE to issue commands. From here enumerate further - again manually is probably the key unless you are 100% confident you know what you are looking for.

    When you get that, you are first user. More manual enumeration will get you a way to become the second user.

    Then you can either continue manual steps or run an enum tool to find out how to become root.

  • @Jamarsoft said:
    > I am stuck, which isn't helped by the box keeps glitching for some reason.
    >
    > I have a shell with a certain user and I have other user names. I found some creds but not sure what to do with them.
    >
    > Can anybody DM me for a bit of a nudge in the right direction please.
    >
    > Thanks

    Hey how are you?

    Enumerate all that you can and be careful with all config files that you find. If you take a look here in the forum, there are a lot of replies related to that.

  • @TazWake said:

    @Tempuslancien said:

    Hello Guys,

    Can you please help me in PV?
    I tried Enum with metasploit or Python Enum script on ssh.
    None of them worked...
    Python tells me server is maybe patched...

    If you are looking for the initial foothold:

    Manual enumeration is the key. Use a tool to find the directories, then visit them. Look at the links and see if anything exploitable appears.

    When you find something vulnerable, use an RCE to issue commands. From here enumerate further - again manually is probably the key unless you are 100% confident you know what you are looking for.

    When you get that, you are first user. More manual enumeration will get you a way to become the second user.

    Then you can either continue manual steps or run an enum tool to find out how to become root.

    Ok thank you TazWake.
    Thank you also to EvilT0r13 and Blacknuxx is PV.
    What is an RCE?
    Well I probably understand I miss about steps and processes to execute in order to perform manual enumeration till the end...
    Does someone have a little how-to, like a cheatsheet, with steps and tools to manually process in a recurrent way during a pentest after and before access? I have cheat for lots of things but not this one.

    Regards,
    Tempus

  • @Tempuslancien said:

    What is an RCE?

    Remote Code Execution - a type of exploit that allows you to execute code (in this case commands) on the box.

  • @TazWake said:

    @Tempuslancien said:

    What is an RCE?

    Remote Code Execution - a type of exploit that allows you to execute code (in this case commands) on the box.

    Thank you got it.
    Tomorrow I'll try apache vuln exploit
