Official Omni Discussion

Struggling to figure out the root puzzle. I assume I’m failing to enumerate something, but I’ve checked everywhere I can think of. I’ve run multiple privesc checkers looking for info… poked around the registry, can’t find anything useful.

A nudge would be appreciated (PM me.)

Thanks to @egre55 for uploading this one

The flag reading part is a bit CTF, but I think it is totally necessary, because without that enumeration the VM would become an instant pwn.

My hints:

Initial foothold

  • Think logically! Which other operating system could run that kind of service?

Flags

  • You are the one, but it looks like you are not omnipotent; enumerate a bit and you will find what you need

If this is a spoiler, feel free to remove it

Getting: AttributeError: ‘int’ object has no attribute ‘value’ ?
It gave me a headache too.

pip uninstall enum
pip install enum34

Problem solved.

Well… this is indeed an easy machine in terms of the knowledge needed to go ahead.
But it’s also a trap.
It is indeed not so easy when it comes to the path to follow and the risk of getting sucked into the quicksand of overthinking.
IMHO, this is the kind of box that can be solved easily by beginners but not by someone more experienced…
Lesson learnt: DO NOT OVERTHINK!
Hints here are everywhere… just remember that a root reverse shell is not always the final goal: if some command does not work as expected in your shell, it does not mean that the command is wrong…

For anyone having issues getting the script to run, first install “enum34”, then use the “2to3” script to convert the entire directory and subfolders.

@Sm4rtK1dz said:

Getting: AttributeError: ‘int’ object has no attribute ‘value’ ?
It gave me a headache too.

pip uninstall enum
pip install enum34

Problem solved.

Thank you so much, this saved my life. The script really needs a requirements.txt file.

Rooted
First time I got insane with the flags huh…
Feel free to PM me for nudges

Can someone give me a nudge on how I can dump hashes after getting an admin shell? I have tried mimikatz; it didn’t work. Any help?

@parteeksingh said:

Can someone give me a nudge on how I can dump hashes after getting an admin shell? I have tried mimikatz; it didn’t work. Any help?

When you say dump hashes, do you mean the password hashes for the administrator?

This is a fun box - managed to get root before user though, largely because I overlooked something very obvious.

This box is a good example of enumeration and simple processes being the key to every step.

@TazWake I was trying to dump the password hash, as this is a fun Windows-based box. Just playing with this box, like: without any password dumping tool working, we can still dump hashes. Just for learning, so that if these types of situations arise in the real world I would know what I have to do. I know I have the admin pass and I can convert that pass to an NTLM hash. Just learning different ways.

The box is quite good. Enumeration is the key; it took me 4 hours to find my foothold. After that it’s like a piece of cake. :slight_smile:

For the people struggling to get a foothold, here is a quick reference. Everything is on the forum. I will just brief you about this box.

Enumeration is the key: look for every piece of information. Look closely at the nmap scan; it might help to find what is running on this machine.

Once you get what is running, Google is your best friend. Don’t look or overthink, as I missed and overthought here. Everything is in front of us; we need to just think in that way.

Once you get what is required and get a shell, there is something more: just normal enumeration in the box, and maybe some switches can help here.

User and administrator are a piece of cake once you get your required thing after getting a shell.

@egre55 Thanks for this awesome and fun box.

If I spoiled something, feel free to remove this … :smile:

@parteeksingh said:

@TazWake I was trying to dump the password hash, as this is a fun Windows-based box. Just playing with this box, like: without any password dumping tool working, we can still dump hashes. Just for learning, so that if these types of situations arise in the real world I would know what I have to do. I know I have the admin pass and I can convert that pass to an NTLM hash. Just learning different ways.

Awesome - good idea.

This was a really nice box, learned some cool PS things in the process. Thanks for this @egre55 :smiley:

Can someone drop a note with a nudge? I already got a reverse shell and have been spending many hours looking around files/directories, but my findings are not working to get root :neutral:

@sk1pf said:

Can someone drop a note with a nudge? I already got a reverse shell and have been spending many hours looking around files/directories, but my findings are not working to get root :neutral:

If you have a reverse shell which got you the user flag, then you do a very similar thing to get root.

If you haven’t got user yet, you need to enumerate quite hard on this box. There are good techniques for searching for what you need and it helps a lot if you have a powershell shell.

Rooted! Went down a rabbit hole after getting the initial foothold, which cost me a day of wasted effort, but woke up this morning and remembered to go back to basics, and then it all fell into place. Got a bit hung up trying to shift user identities, until I realised I didn’t need to in order to get user. Once you get user, root is like 3 mins more work.

My advice - don’t get ahead of yourself thinking you’ve got it in the bag once you get the initial exploit - you still need actual user creds to get the flags.

@TazWake said:

@sk1pf said:

Can someone drop a note with a nudge? I already got a reverse shell and have been spending many hours looking around files/directories, but my findings are not working to get root :neutral:

If you have a reverse shell which got you the user flag, then you do a very similar thing to get root.

If you haven’t got user yet, you need to enumerate quite hard on this box. There are good techniques for searching for what you need and it helps a lot if you have a powershell shell.

Thanks TazWake, already rooted this machine, lots of enumeration :smile:

Nice box. After spending time to understand the environment it is quite simple, but not too much; I learned some interesting things. Thanks to @egre55

Rooted! That was a fun box and I learned a lot doing it. It was interesting being that root was the exact same as user. If you get one, you have the other too.
The hardest part was the ‘hashes’. If you’re struggling with that, read the file more and read up on the class you see.