Official Omni Discussion

I would say this box is still on the easier side when it comes down to it. That being said, it took me a while to figure out what needed to be done, even after getting a foothold. I needed a nudge but definitely learned something new about creds. A really thorough enum once on target is also required.

Managed to pwn the box, big thanks to @6h4ack & @rholas and shout out to @egre55.

Overall I think it should be rated between easy and a medium box.
Initial foothold:
Usual reconnaissance stuff and google is your best friend.

User and root:
Again, Windows enum is important and if you know how to filter then it will save your time :slight_smile:

Rooted but how can I get admin hash now, mimi dosent work. :<

I’m at a loss. I couldn’t decrypt the flags or i**-a****.xml. I’m guessing because I’m not the right user (I’m currently oi). Tried looking around and the only interesting thing I’ve found in hours is a file in cr*als folder in user sem. But mimi doesn’t work and I have no idea what I’m supposed to do now. Am I overthinking everything or not thinking at all?

Thought I was doing well on this machine but boy does it get hard with the poweshell stuff at the end.

Lots of people seem to be stuck on the foothold so here’s a nudge:

If nmap can’t identify what the machine is then think about what other scans you can use. The ports may not be the way in.

Spoiler Removed

Spoiler Removed

I’m generally weaker on Windows boxes but that got a bit crazy at the end! I learned a lot from this so thanks @egre55 for the great box!

Initial Foothold:

nmap might help, but the real question to ask is why is this listed as other rather than Win/Linux?
Try connecting to some of the services, really read not what they want, but why.
From here, google is your friend, any high profile exploits for this tech?

Post Exploitation:

Doing enum like this will take forever. Can we get something a bit more interactive?
Perhaps a certain binary that likes milk will help?
Once you’re on the right path, finding obscure things becomes a lot easier!

User/Root

Once you’ve got here you have all the people you need to read them! Just keep pivoting!

Happy to nudge in PM’s for the next few hours if required.

@AviusX said:
I’m at a loss. I couldn’t decrypt the flags or i**-a****.xml. I’m guessing because I’m not the right user (I’m currently oi). Tried looking around and the only interesting thing I’ve found in hours is a file in cr*als folder in user sem. But mimi doesn’t work and I have no idea what I’m supposed to do now. Am I overthinking everything or not thinking at all?

If you can make a flag in your local machine and decrypt it, then you can find your way to decrypt i**-a****.xml. Good luck, you can do it ?.

Spoiler Removed
I didn’t think it was a spoiler. :neutral:

Type your comment> @EstamelGG said:

Rooted but how can I get admin hash now, mimi dosent work. :<

same, i cant get hash :confused: i didnt get hash on win box before

Finally Rooted. To be honest, harder than expected but great box.
I was stuck at the end too, search an alternative to whoami and you will realize maybe you didn’t root the machine as you thought.

Rooted yesterday. I liked this box a lot. Fresh platform to me, learned a lot in the process. Initial steps make the first part easy, but, I would maybe call the rest of it easy to light-medium because there is a little slightly non-standard powershell involved.

Initial foothold: Shouldn’t have to even explain this one once you see it. Do you see 3 ports you don’t recognize? Google.
User: Std places to hide things
Flags: Back to the beginning, and research how to make strings secure in PS. This is user dependent!

I have found Remi’s friend and have found the command to get the %userprofile%. However I cannot seem to “write” to any directory such as temp, etc. Any clues as to how to enumerate a directory I can write too ?

Stuck several hours on repeating upload reverse shell executable and run.
No luck.

@n3wb1en3w9999 said:
I have found Remi’s friend and have found the command to get the %userprofile%. However I cannot seem to “write” to any directory such as temp, etc. Any clues as to how to enumerate a directory I can write too ?

Lol, you have the new friend :wink: Now you should have the power to create your folder with the right command and drop your cat.

Type your comment> @choupit0 said:

@n3wb1en3w9999 said:
I have found Remi’s friend and have found the command to get the %userprofile%. However I cannot seem to “write” to any directory such as temp, etc. Any clues as to how to enumerate a directory I can write too ?

Lol, you have the new friend :wink: Now you should have the power to create your folder with the right command and drop your cat.

Thought so too ! But cannot seem to get mr. kittens across, well Its “simply” not downloading -_-

Rooted machine, thx guys for nudgeds. Very very good box and new skils adquired

Stuck on priv esc after getting a reverse shell. From what I understand I need to become the user instead of system so I can use import-clixml without getting the crypto warning. I did see an old password in hardening.txt but it didn’t work for admin. Any help would be appreciated

Type your comment> @cmoon said:

Stuck on priv esc after getting a reverse shell. From what I understand I need to become the user instead of system so I can use import-clixml without getting the crypto warning. I did see an old password in hardening.txt but it didn’t work for admin. Any help would be appreciated

What’s the crypto warning say? Are you trying to access a file you dont have permission to? import-clixml works great for the logged in user.