Official Omni Discussion

okay nvm… i found the file with the right user credentials to decrypt the flags
→ rooted

got shell tks @Abhiiz1 , if need anyone need hint, dm

Type your comment> @Timdb said:

okay nvm… i found the file with the right user credentials to decrypt the flags
→ rooted

Can you give me a nudge on where that file is?

Rooted!

User and root flags were pretty ctf-like, but I learnt a few new tricks in the process. Initial exploit is pretty interesting too.

You don’t really need a reverse shell to do this box at all.

DM for nudges.

@yaagn said:

Nice box!

Is the *.**t file the intended way to root it? Would like to discuss with someone else who rooted it!

I don’t think that was the intended way as it bypasses the decryption of another file in the user folder which contains information to move forward.

Its bit tricky, definitely not easy box.

Don’t hesitate to call for help!!
They are very simple things ~ which we tend to ignore.

Phew, finally rooted. My hint for those with a shell/RCE and struggling with the flags, learn how to use the powershell version of ls with date filters. From there you get the file everyone is talking about and everything you’ve been trying and reading about will work.

DM for nudges. Just let me know what you’ve tried!

Why would my post on asking if anyone here was able to reg save, be flagged as a spoiler?

rooted. thanks for @choupit0 , @6h4ack and @Abhiiz1. Learned new things from this box, thanks to the creator @egre55 .

i really hate window box haa

Rooted. Thanks @6h4ack for the help!.

Ping me if you need a hint!

Having trouble in uploading the file or reverse shell. Any nudges?

Rooted.

I enjoyed this box, although I had to do my enumeration twice. Once I fixed that it was plain sailing with a tiny bit of Googlefu.

My only hint is, if you feel like you’re fighting it (which feels like every box at the moment…) you’re doing it wrong. Backup, enumerate again and research anything you see that you don’t understand.

The script will work only if you’re connected to internet with a Ethernet cable?

Hi,

Could someone shoot me a nudge? I’ve got a shell onto the box now and I understand how the flags are obfuscated, but I get a crypto error for all three. Have tried with both accessible users, no luck. Can’t find any other files to try.

Thanks in advance.

Type your comment> @M1sha said:

Hi,

Could someone shoot me a nudge? I’ve got a shell onto the box now and I understand how the flags are obfuscated, but I get a crypto error for all three. Have tried with both accessible users, no luck. Can’t find any other files to try.

Thanks in advance.

Enum enum enum and PrivEsc, then go back to the files

Type your comment> @HASHme said:

The script will work only if you’re connected to internet with a Ethernet cable?

No… you can connect to the internet any way you want. haha.

It’s just that you have to be connected to the I*T C**e device with a physical ethernet cable, which the HTB VPN already emulates.

Type your comment> @ricepancakes said:

Type your comment> @HASHme said:

The script will work only if you’re connected to internet with a Ethernet cable?

No… you can connect to the internet any way you want. haha.

It’s just that you have to be connected to the I*T C**e device with a physical ethernet cable, which the HTB VPN already emulates.

Thanks!

Type your comment> @cybeR0ot said:

Having trouble in uploading the file or reverse shell. Any nudges?

Do not use script builtin function because it has problem with large/binary files. Use normal powershell function to download what you need on the victim machine.

Rooted. I’m a bit confused by the method for obtaining credentials though - it didn’t feel like it was the ‘intended’ process for privesc…