OpenAdmin

Can anyone give me a nudge in the right direction? I have the initial foothold after running a .sh script onto the right endpoint, i’m trying to get to user 1 level.
How am I supposed to do that though? Login via the web app? I have found a few things which look like they could be usernames or passwords in some files but have no idea how to use them? Also am I right in saying the flow is w**-a → jy → j****a → root ?

@5uP3Rn0v4 said:

Can anyone give me a nudge in the right direction? I have the initial foothold after running a .sh script onto the right endpoint, i’m trying to get to user 1 level.
How am I supposed to do that though? Login via the web app? I have found a few things which look like they could be usernames or passwords in some files but have no idea how to use them? Also am I right in saying the flow is w**-a → jy → j****a → root ?

Your flow is basically correct.

So reversing, if you have something that looks like a password you should try to see if it is a password.

You can get a list of valid users on a Linux system with a quick cat of the correct file. When you can confirm the user account names you can try to see if they’ve reused the password somewhere else.

Thanks TazWake, I have scanned that file and I have tried it on //**.**p but I get Password Incorrect, I must be confusing what I think is the password with the actual password. How deep is this password containing file from where you initially land? I feel like im grep’ing every file for keywords but cant find anything else

@5uP3Rn0v4 said:

Thanks TazWake, I have scanned that file and I have tried it on //**.**p

That might be the mistake. Try it somewhere else.

Ahha! Eureka moment. I’m in as user 1 and I think I found what I need to get user 2. Thanks alot!

@5uP3Rn0v4 said:

Ahha! Eureka moment. I’m in as user 1 and I think I found what I need to get user 2.
Thanks alot!

Nice work.

Stuck again. Going for user 2, used john to help and got a pass but its saying incorrect password. Can I get a nudge please?

Edit
Figured it out, now to shoot for root!

Edit 2
Rooted! Finally figured out how to get the f*** out of user 2 shell.

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

Great machine - kudos to the maker!

For hints, I would say initial access is very simple, and then you just need to think lazy admin for the rest of the multi-step process.

Great Machine! It was fun cracking it. But I didn’t get all the points. I submitted both the root and user flag but was unable to get full points. Does anyone know, why is it so?

I’m stuck, can’t find the priv esc I need way from www to user, can I have a nudge? Maybe DM so I can talk about what I tried?

Rooted
For those who had an issue with John not working, I tried loading the ‘file’ in johnny (after doing *2john) and displayed what you’re looking for.

Rooted PM for hints

Type your comment> @H0ru5 said:

I’m stuck, can’t find the priv esc I need way from www to user, can I have a nudge? Maybe DM so I can talk about what I tried?

ENUMERATE… you will definitely find something

if anyone can give me a nudge for root, that wud be much appreciated… :slight_smile:

Type your comment> @thescriptkiddy said:

if anyone can give me a nudge for root, that wud be much appreciated… :slight_smile:

To quote yourself :slight_smile: ENUMERATE… and especially check what inventory of tools User1 and User2 has access to. Most tools can be used in more than one way :slight_smile:

Fell free to PM if you want more hint.

Can anyone give me a little help? I discovered my weakness is enumeration because I’m stuck with www data

Type your comment> @H0ru5 said:

Can anyone give me a little help? I discovered my weakness is enumeration because I’m stuck with www data

To get around in a Linux system you need a username and some sort of credentials. See if you can find potential usernames.

If you have found anything remotely interesting, have you tried to utilize it in some way? See if you can find credentials.

You only need ‘cat’ and ‘ls’ command at this stage. Until you find some username and credentials, then you need an additional tool to test your findings.

My first root own. I had a lot of help from all the comments scattered throughout but learned a lot that will be useful elsewhere :slight_smile: Initial foothold, user1 and root were easy enough; user 2 was the challenge but once I started looking in the right place it got easier.

Rooted !
DM if you stuck

Type your comment> @GreyHat86 said:

Can someone give me a nudge? found a possible R** for ON***N. just want to check i’m not off down a rabbit hole.

you are going right!