Official Omni Discussion

Rooted! After the initial script gets working, it's free flow from there. Feel free to ask if you have any problems.

OK nice box!! Was rusty as, so I needed some prodding…but it was fun! Probably a bit higher than easy. Not sure, 'cause as I said, low brain power for htb at present. But: Big Thanks to TazWake for the great targeted comments. Also cheers to Andres7ll & gs4l for hints, and mindframe for link.

Rooted this machine last night.
Thanks @gunroot and @TazWake for the nudges
It was a great easy box. Learnt a few neat tricks for PowerShell.
For the people who are struggling for initial foothold, look at the nmap scan.
It tells you something, google that something and you will know what it is. Now you just have to google what you want for that.

PM if you need help

Just rooted Omni. The enumeration part has taken me the longest time. After I’ve found the file with the credentials, I could own this box within 10 minutes. If you need help => DM me.

Root it, but hate it. This machine is doable. A little bit of research on Google may tell you what to do. Exploit of this box is easy to find. To use it correctly though, is kinda hard. user.txt and root.txt are not very common to get. If 0-box-owned users select this box to be their first box, they definitely stop doing HackTheBox LOL. Happy Hacking!

Rooted, this was definitely not an easy box.

Initial enumeration was annoying, but seeing hints about IoT led to a quick and easy exploit to get a foothold - after that, enumeration was more trial and error.

After user.txt obtained, root is almost exactly the same and took no time at all.

@choupit0 said:

Tip: if you get the message “The system cannot execute the specified program.” each time you try to get a rev shell… you have to take the right version of nc64.exe (and think to try all the options of the script found). I lost a lot of time because of this…

PM me if you need a link.

I owe you my life!!! I have been stuck on this for so long now

@Jk3r said:

@TazWake said:

@Jk3r said:

“ImportError: No module named hexdump”
Any one has the same problem…

pip3 install (modulename) is normally a good solution, unless you absolutely must use python2 then pip2 install (modulename) helps.

Thank you bro !! finally worked =D

I’m still stuck with hexdump, could you give some tips how did you manage it to get to work?
It shows me that hexdump is installed but still get that error.
Thks

@Tu4r3g said:

I’m still stuck with hexdump, could you give some tips how did you manage it to get to work?
It shows me that hexdump is installed but still get that error.
Thks

A possible cause for this is running pip3 then python2 or vice versa. What this means is that if pip defaults to (say) pip3 when you run it, it installs things for python3. Then if you try to run a script with python2 the module isn’t available but pip thinks it is.

You might be able to get round this with explicit version numbers.

You could try pip3 install --upgrade --force-reinstall <package> and pip2 install --upgrade --force-reinstall <package>

(or whatever works to get both versions of pip running on your system)
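The pip/interpreter mismatch described in the reply above can be checked directly. This is an added example, not part of the original posts: it reports which interpreters can import a module and which Python version each pip on the PATH installs for. The function names and the sample `pip --version` line are constructed for illustration.

```python
import re
import shutil
import subprocess

# Constructed sample of what `pip --version` prints (not captured from a real host).
SAMPLE_PIP_OUTPUT = "pip 20.1.1 from /usr/lib/python3/dist-packages/pip (python 3.8)"

def pip_target(pip_version_output):
    """Return the (major, minor) Python version a pip executable installs for."""
    m = re.search(r"\(python (\d+)\.(\d+)\)", pip_version_output)
    return (int(m.group(1)), int(m.group(2))) if m else None

def serves(pip_version_output, interpreter_major):
    """True if this pip installs for the same major version as the interpreter.

    Only the python2/python3 split from the thread is checked; two python3
    minor versions can also have separate package directories."""
    target = pip_target(pip_version_output)
    return target is not None and target[0] == interpreter_major

def run(cmd):
    """Run a command; return (exit_code, output), or (None, "") if it is not on PATH."""
    if shutil.which(cmd[0]) is None:
        return None, ""
    p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                       universal_newlines=True)
    return p.returncode, p.stdout.strip()

def diagnose(module, interpreters=("python2", "python3"), pips=("pip", "pip2", "pip3")):
    """Report which interpreters can import `module` and which Python each pip serves."""
    report = {"importable": {}, "pip_targets": {}}
    for interp in interpreters:
        code, _ = run([interp, "-c", "import " + module])
        # None means the interpreter itself is missing, False means ImportError.
        report["importable"][interp] = None if code is None else code == 0
    for pip in pips:
        code, out = run([pip, "--version"])
        report["pip_targets"][pip] = pip_target(out) if code == 0 else None
    return report

if __name__ == "__main__":
    import pprint
    pprint.pprint(diagnose("hexdump"))
```

Installing with `python2 -m pip install <package>` (or `python3 -m pip ...`) ties the install to the interpreter that will run the script, which avoids the ambiguity of a bare `pip`.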

Hello Guys , Can someone please tell me how to upload a file using “PutFileOnDevice” ? The argument --data is for Data string to write to file

@Whiteadmin said:

Hello Guys , Can someone please tell me how to upload a file using “PutFileOnDevice” ? The argument --data is for Data string to write to file

Why not try something else? There are many ways to get a file to move around.

I understand why people hate this machine (currently the worst-rated machine - the ‘lanterne rouge’ as the people of the Tour de France will call it).
My 2cents:

  • Foothold: from all the variants I know to download something only one has worked, so don’t stop trying. In the real life, that would be it since you’re now system on the machine, but no, you have to keep going…
  • User: I’m pretty sure I got creds I’m not supposed to get (for both the user and admin). For the box creators; that was a bit lazy ;).
  • Root: anything I tried to do on the command line to switch users failed, so use the portal.

@trab3nd0 said:

Foothold: from all the variants I know to download something only one has worked, so don’t stop trying. In the real life, that would be it since you’re now system on the machine, but no, you have to keep going…

In real life it would if the objective was simply to get the SYSTEM account on that machine. That isn’t all that common an objective.

  • User: I’m pretty sure I got creds I’m not supposed to get (for both the user and admin). For the box creators; that was a bit lazy ;).

To be fair, that is a common problem with automation. It makes life a lot easier for attackers.

@TazWake said:
@trab3nd0 said:

Foothold: from all the variants I know to download something only one has worked, so don’t stop trying. In the real life, that would be it since you’re now system on the machine, but no, you have to keep going…

In real life it would if the objective was simply to get the SYSTEM account on that machine. That isn’t all that common an objective.

If system is not the objective, its access and privileges would be. But don’t get me wrong, the rest was good fun.

  • User: I’m pretty sure I got creds I’m not supposed to get (for both the user and admin). For the box creators; that was a bit lazy ;).

To be fair, that is a common problem with automation. It makes life a lot easier for attackers.

Fair enough.

@trab3nd0 said:

If system is not the objective, its access and privileges would be. But don’t get me wrong, the rest was good fun.

Don’t misunderstand - I am not defending the box here.

The reality in a Windows environment is that having SYSTEM isn’t always sufficient for a full compromise (as shown here). It would, on the whole, be a good pentest recommendation that all sensitive information is protected in a related manner (access linked to user account) because it does mean getting SYSTEM is not sufficient to get access to the data.

(and yes, there are lots of other techniques you can use - this is certainly not the only box which uses this type of protection of sensitive data)

I enjoyed the box, even though it was frustrating. Frustrating and obscure doesn’t always mean bad, it depends what you are here for. Everyone will have their preferences.

In my case, I think you learn more from boxes like these specifically because they break the cycle and push you to think in ways you might not have before. When you get used to doing something a certain way, you tend to stop thinking through your actions as actively. Assumptions waste so much time and boxes like these remind you to keep them in check.

I’m saying that considering that I was stuck to the point that I couldn’t advance without nudges from @TazWake. What I missed was a discipline/attention to detail step that will be useful in the near future. The way I was doing that step was sloppy, and this box (and TazWake) exposed the cracks.

That makes for a good box in my book. My 2 cents anyway.

@TazWake said:

@Tu4r3g said:

I’m still stuck with hexdump, could you give some tips how did you manage it to get to work?
It shows me that hexdump is installed but still get that error.
Thks

A possible cause for this is running pip3 then python2 or vice versa. What this means is that if pip defaults to (say) pip3 when you run it, it installs things for python3. Then if you try to run a script with python2 the module isn’t available but pip thinks it is.

You might be able to get round this with explicit version numbers.

You could try pip3 install --upgrade --force-reinstall <package> and pip2 install --upgrade --force-reinstall <package>

(or whatever works to get both versions of pip running on your system)

Thanks for the tips and help, however I was far away to think that this curious box will lead me in an epic troubleshooting journey through Kali Linux versions, Python versions, and so on… As resume with Kali 2020.3 I simply cannot put the script running even using pyenv to manage Python versions, it will give an error for each line. However I try with older Kali versions and the script runs smoothly.
Like someone says in this same forum if this is the first box for newcomers (which is the case), because it’s categorized as “easy”, it scares a lot, and put me thinking that maybe I need to dedicate to do something else. :)
Thanks for all you guys for all the precious tips and hints through all this forum discussion, which I think they are a must to go through this box.

Kind of frustrating machine, but learn new things always is good :) I don’t think this machine is “easy” since there is a particular way to get access to it as well as get root.

rooted, although I feel I cheated a bit
had to look some stuff up because I didn’t want to waste hours enumerating

The short file you find definitely seems to be an oversight. There’s a really obvious path to user → root that gets kinda ruined by that little file…