OpenAdmin

I have obtained the w**-a user through the exploit but I am now stuck on the enumeration for the next user which I assume is jy. Could someone DM a nudge please

@dewdrop0247 said:

I have obtained the w**-a user through the exploit but I am now stuck on the enumeration for the next user which I assume is jy. Could someone DM a nudge please

Look through the files and folders to find what you need. Or read through the previous hints here which have been more explicit.

Rooted! Loved this box! I learned some new things! Thank you @TazWake for this! Feel free to DM for any help!

@jibbiez said:

Rooted! Loved this box! I learned some new things! Thank you @TazWake for this! Feel free to DM for any help!

Glad to help

Hello folks.

I’m stuck with an RSA key. Post John, I am endlessly presented with ‘load key “id_rsa”: invalid format’

  1. Yes, it’s the ‘correct’ key.
  2. I understand john’s role - I’m past that.
  3. I understand how to SSH as User2.

Specifically, it is only the ‘load key:id_rsa invalid format’ that I am having trouble with and obviously I can’t progress without getting this bit right.

Can anyone tell me exactly, precisely how to SSH into User2, from User1, with the 2 x SSH things?

On the verge of giving up - totally stumped.

Clue: The formatting for RSA private keys is very specific; any deviation and you’ll have a ‘computer says no’ circle.
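An added example, not part of any post in this thread: a small linter for the copy/paste damage that commonly breaks PEM private key parsing (DOS line endings, indentation, missing final newline, mismatched armour lines). The function names and the sample key are constructed for illustration; the sample body is filler bytes, not a real key, and the check covers file structure only, not whether the key material is valid.

```python
import base64
import re

ARMOR = re.compile(rb"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def _lines(data: bytes) -> list[bytes]:  # split on any line-ending style
    lines = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    while lines and not lines[-1].strip():
        lines.pop()
    return lines

def diagnose_pem(data: bytes) -> list[str]:
    """List structural problems in a PEM-armoured private key file."""
    issues = []
    if b"\r" in data:
        issues.append("CR characters (DOS line endings)")
    if not data.endswith(b"\n"):
        issues.append("no newline after the END line")
    raw = _lines(data)
    if any(l != l.strip() for l in raw):
        issues.append("leading or trailing whitespace on a line")
    lines = [l.strip() for l in raw]
    first, last = (ARMOR.match(lines[0]), ARMOR.match(lines[-1])) if lines else (None, None)
    if not first or first.group(1) != b"BEGIN" or not last or last.group(1) != b"END":
        issues.append("missing or malformed BEGIN/END armour line")
    elif first.group(2) != last.group(2):
        issues.append("BEGIN and END labels differ")
    body = lines[1:-1]
    if body and b":" in body[0]:  # legacy encrypted PEM: headers, blank line, body
        if b"" in body:
            body = body[body.index(b"") + 1:]
        else:
            issues.append("no blank line after the Proc-Type/DEK-Info headers")
            body = [l for l in body if b":" not in l]
    try:
        base64.b64decode(b"".join(body), validate=True)
    except ValueError:
        issues.append("body is not valid base64")
    return issues

def normalize_pem(data: bytes) -> bytes:
    """Repair what is mechanical: line endings, stray whitespace, final newline."""
    return b"\n".join(l.strip() for l in _lines(data)) + b"\n"

# Constructed sample: filler bytes in place of key material, all-zero IV.
_B64 = base64.b64encode(bytes(range(96)))
SAMPLE_GOOD = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               b"DEK-Info: AES-128-CBC," + b"00" * 16 + b"\n\n" + _B64[:64] + b"\n"
               + _B64[64:] + b"\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PASTED = b"\r\n".join(b"  " + l for l in SAMPLE_GOOD.splitlines())
```
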

Rooted. Make sure you understand how ssh public key authentication works

@ElPablo said:

Clue: The formatting for RSA private keys is very specific; any deviation and you’ll have a ‘computer says no’ circle.

Good work persisting on the problem though. Lots of people give up a bit too quickly rather than work through the information they have.

Managed to get www-data shell, but don’t know how to privesc from here! Could anyone DM for help?

@Cane said:

Managed to get www-data shell, but don’t know how to privesc from here! Could anyone DM for help?

Guys, I have the RSA key and I cracked it but still can’t log in to the user2. Idk why, am I missing something?

rooted

I just rooted the box by literally reading a file called p****.s**e

There’s no way this is how you’re meant to root the box right? Everyone here was mentioning GTFObins. I assume the program we’re meant to be using for priv esc is a specific text editor program. I’m guessing some a**hole just left the root flag lying around? or am I wrong?

So to respond to my own question above: no that’s not how you’re meant to get root. Can people please be a little more conscientious and not leave flags lying around please!

Anyway, this was my favourite box I’ve done so far, and I struggled the most with root.

As someone else said, there are plenty of hints here to get you through this box, but I’ll leave some of my own, just in case it’s the little nudge needed, even if only worded differently.

Initial foothold: I couldn’t for the life of me work this one out due to the directory you need to find via dirb/gobuster being in any of the wordlists I used. I’m not really sure what hint to give here because of that, but either way, once you find that page/directory, then you’re going to want to find an exploit for that. You’ll see a lot of people throughout this thread had difficulty getting it to work. In my opinion the easiest fix is to change the file format via vim: open the exploit in vim and press :set ff=unix. Then all you need to do is point the exploit to openadmin/o**/l***n.php

User 1: This took me hours… I actually found what I needed in only a matter of minutes. When you find it, you’ll see a username in the same file, but it’s not actually for that user. Think a lot more obvious but in a stupid way and you’ll get it. A hint is to utilise find to list all PHP files in the directory you land in and grep for a different variation of spelling for a sensitive keyword.

User 2: Enumerate what network services are running on the machine and figure out a way to interact with that service without using a webpage. Specify the resource at the far end of the command you run, not somewhere in the middle.

Root: The BEST hint I saw here (sorry, I forgot on what page it was, so I can’t credit) was that you’re not looking at two separate commands, they’re one command, e.g. /bin/**** /opt/****

Quite a nice box to work with.

If you need any hint feel free to pm me ^^

Got root, this was fun!
pm if you need anything

I enjoyed this box a lot, there are several layers to get the user flag and some great red herrings thrown in for added fun!

I think the hints thus far have covered things well. I will say that User 1 seems ‘interested’ in User 2 …

Happy to help if you need a nudge.

After a long “hackthebox” break this was a very funny box.
The way to root is the easy part. A big thanks to @OddRabbit

I’m really lost with getting john to crack the goodies.

I have used the Python script to convert it into a hash, but when I run john it does a bunch of stuff and then says:

Warning: invalid UTF-8 seen reading XXX.txt
Using default input encoding: UTF-8
Loaded 1 password hash (*** [RSA/DSA/EC/OPENSSH (*** p***e ks) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press ‘q’ or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2020-04-12 00:12) 0g/s 177300p/s 177300c/s 177300C/s 1701d…sss
Session completed

It just dies on me… So I’m not sure what I am doing wrong? Googling the issues on brings up guides showing me what I have already tried. Can anyone help me?

@Knoss said:

It just dies on me… So I’m not sure what I am doing wrong? Googling the issues on brings up guides showing me what I have already tried. Can anyone help me?

It’s hard to suggest anything else without knowing more.

Sometimes John produces a result like this when it has cracked the password. That’s why --show exists. (john --show filename for example).

It’s possible you’ve used a wrong wordlist. It’s possible that you’ve hashed it incorrectly.

Looking at the message, if it isn’t storing the password, my first guess would be the conversion didn’t work.

I got shell as www-data, any hint after that?