Official Omni Discussion

@TazWake said:
@trab3nd0 said:

Foothold: from all the variants I know to download something only one has worked, so don’t stop trying. In real life, that would be it since you’re now SYSTEM on the machine, but no, you have to keep going…

In real life it would if the objective was simply to get the SYSTEM account on that machine. That isn’t all that common an objective.

If system is not the objective, its access and privileges would be. But don’t get me wrong, the rest was good fun.

  • User: I’m pretty sure I got creds I’m not supposed to get (for both the user and admin). For the box creators; that was a bit lazy ;).

To be fair, that is a common problem with automation. It makes life a lot easier for attackers.

Fair enough.

@trab3nd0 said:

If system is not the objective, its access and privileges would be. But don’t get me wrong, the rest was good fun.

Don’t misunderstand - I am not defending the box here.

The reality is that in a Windows environment, having SYSTEM isn’t always sufficient for a full compromise (as shown here). It would, on the whole, be a good pentest recommendation that all sensitive information is protected in a related manner (access linked to a user account), because it does mean getting SYSTEM is not sufficient to get access to the data.

(and yes, there are lots of other techniques you can use - this is certainly not the only box which uses this type of protection of sensitive data)

I enjoyed the box, even though it was frustrating. Frustrating and obscure doesn’t always mean bad, it depends what you are here for. Everyone will have their preferences.

In my case, I think you learn more from boxes like these specifically because they break the cycle and push you to think in ways you might not have before. When you get used to doing something a certain way, you tend to stop thinking through your actions as actively. Assumptions waste so much time and boxes like these remind you to keep them in check.

I’m saying that considering that I was stuck to the point that I couldn’t advance without nudges from @TazWake. What I missed was a discipline/attention to detail step that will be useful in the near future. The way I was doing that step was sloppy, and this box (and TazWake) exposed the cracks.

That makes for a good box in my book. My 2 cents anyway.

@TazWake said:

@Tu4r3g said:

I’m still stuck with hexdump, could you give some tips on how you managed to get it to work?
It shows me that hexdump is installed but I still get that error.
Thanks

A possible cause for this is running pip3 then python2 or vice versa. What this means is that if pip defaults to (say) pip3 when you run it, it installs things for python3. Then if you try to run a script with python2 the module isn’t available but pip thinks it is.

You might be able to get round this with explicit version numbers.

You could try pip3 install --upgrade --force-reinstall <package> and pip2 install --upgrade --force-reinstall <package>

(or whatever works to get both versions of pip running on your system)

Thanks for the tips and help, however I was far from thinking that this curious box would lead me on an epic troubleshooting journey through Kali Linux versions, Python versions, and so on… In summary, with Kali 2020.3 I simply cannot get the script running, even using pyenv to manage Python versions; it gives an error for each line. However, when I try with older Kali versions the script runs smoothly.
As someone says in this same forum, if this is the first box for newcomers (which is the case), because it’s categorized as “easy”, it scares a lot, and it put me to thinking that maybe I need to dedicate myself to something else. :)
Thanks to all you guys for all the precious tips and hints throughout this forum discussion, which I think are a must to go through this box.

Kind of a frustrating machine, but learning new things is always good :) I don’t think this machine is “easy”, since there is a particular way to get access to it as well as to get root.

rooted, although I feel I cheated a bit
had to look some stuff up because I didn’t want to waste hours enumerating

The short file you find definitely seems to be an oversight. There’s a really obvious path to user → root that gets kinda ruined by that little file…

Finally managed to root after three days of suffering.
Some hints…

Foothold:

You need to know your target. Firefox tells you, on the higher port. Just look closer. Then, a quick Google search can give you a tool for a shell. No need for guesswork as some other comments say.

User/Root:

I managed to get every user shell without a password, including administrator (started some service, and added my own keys). But that wasn’t enough to decrypt the files for flags. Finally, got a nudge from someone that I needed to find a file to get some creds. And the portal is needed here. Decryption only works if logged in with a password, I guess! Didn’t know that, and wasted 2 days. User/Root flags need the exact same steps, just a different set of THOSE.

PM for any nudges.

This was a really weird box. The initial foothold is the “hardest” part, when you get the reverse shell you just need to find the right file (remember, ls -force shows more than just ls), and everything else is pretty much straightforward.

So… besides the hints here how does everyone know this is an IoT box?

Jesus Christ this exploit code is ■■■■. Have to retrofit everything to Python 3

Rooted. Would be lying if I said I enjoyed that. It’s certainly an easy box, but I would not recommend anyone who is new do this.

I will give it credit for being more stable than most Windows boxes

@LMAY75 said:

So… besides the hints here how does everyone know this is an IoT box?

Google that Nmap term and you will be there. Simply Google everything you came to see.

Managed to get root.
Had to go back a bit to get user but got there in the end.


I am sure no one is working this box any longer - but if you are, I am losing my wits reading all the docs on importing, exporting, pscreds, and so on. I have seen hints that you don’t actually need to change users, that there is a certain hidden file and it’s not i**-blahblah.xml, enum enum enum. I have enumed manually, looking through lots and lots of folders, I have used Get-ChildItem and still gotten nowhere… I am sure that I have read the answer and just don’t understand it, but at this point I am going in circles. The shell was not that hard, so what am I not looking at? If anyone is still giving hints, please hit me up

@Reddsec said:

I am sure no one is working this box any longer

The box is only a month old, I bet lots of people are still working on it.

  • but if you are, I am losing my wits reading all the docs on importing, exporting, pscreds, and so on.

Ok - at the risk of sounding like I am joking, if it is driving you insane, it is probably the wrong path.

I have seen hints that you don’t actually need to change users,

Based on how I approached this box, this hint is drastically incorrect.

that there is a certain hidden file and it’s not i**-blahblah.xml, enum enum enum. I have enumed manually, looking through lots and lots of folders, I have used Get-ChildItem and still gotten nowhere…

The bad news is this is still the best advice anyone can give on the forum without it being a spoiler. You may need to make a more specific question as a direct message.

I am sure that I have read the answer and just don’t understand it, but at this point I am going in circles. The shell was not that hard, so what am I not looking at? If anyone is still giving hints, please hit me up

The shell not being difficult is a bit misleading. It depends how you got it and which account you have it as. There are probably at least three shells you will need to get.

If you’ve got the shell via the initial exploit, you are in the wrong user account and you absolutely need to find something which lets you go in via the site. If this is the bit you are missing, I strongly recommend you look at possible automation or “job”-related files.

@TazWake - Thank you, I will keep looking, I have 2 shells, one as system, and one that you get using a --as_logg** flag. I am looking for that third I believe…

@Reddsec said:

@TazWake - Thank you, I will keep looking, I have 2 shells, one as system, and one that you get using a --as_logg** flag. I am looking for that third I believe…

Possibly a fourth but it really does depend on your workflow here and I need to be careful to avoid spoilers.

The main tip I can give is that if you want to read a file “locked” to BobbyTables, you would need to have a shell as BobbyTables.

If you got your shell via the http interface you are on the right track.
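Two posts in this thread make the same design point: TazWake’s earlier recommendation that sensitive data be protected in a way that is linked to a user account (so SYSTEM alone is not enough), and the tip just above that a file “locked” to BobbyTables needs a shell as BobbyTables. The PowerShell below is an added example written for this discussion, not code from the thread or from the box; it shows the standard mechanism behind that behaviour: a PSCredential written with Export-Clixml has its SecureString encrypted with DPAPI under the exporting user’s key, and an audit helper reports whether the current account can decrypt it. The account name, paths and function names are illustrative assumptions.

```powershell
# Added example (not from the thread). Demonstrates why a credential file written by one
# user cannot be read from another account's shell, SYSTEM included: Export-Clixml protects
# the SecureString with the Windows Data Protection API (DPAPI) under the exporting user's
# master key. Paths, the 'svc_example' account and the function names are illustrative.

# Store a credential the way a scheduled job or service script typically would.
function Save-ProtectedCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Path
    )
    # Prompts for the password interactively; nothing is hard-coded in the script.
    $cred = Get-Credential -UserName $UserName -Message "Password to protect with DPAPI"
    # The serialised SecureString is encrypted with the *current user's* DPAPI key on
    # this machine, so the file is bound to both the account and the host.
    $cred | Export-Clixml -Path $Path
}

# Audit helper: can the account running this shell decrypt the stored credential?
function Test-ProtectedCredential {
    param([Parameter(Mandatory)][string]$Path)
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        $cred = Import-Clixml -Path $Path
        # Reaching the plaintext proves DPAPI unlocked the blob for this user.
        $null = $cred.GetNetworkCredential().Password
        [pscustomobject]@{ Account = $who; Path = $Path; CanDecrypt = $true;  Error = $null }
    } catch {
        # A different account (including SYSTEM) lands here; DPAPI reports that the
        # key is not valid for use in the specified state.
        [pscustomobject]@{ Account = $who; Path = $Path; CanDecrypt = $false; Error = $_.Exception.Message }
    }
}

# Usage (run interactively as the owning account):
#   Save-ProtectedCredential -UserName 'svc_example' -Path 'C:\ProgramData\example\svc.xml'
#   Test-ProtectedCredential -Path 'C:\ProgramData\example\svc.xml'   # CanDecrypt = True
# Re-run Test-ProtectedCredential from a shell under any other account to see
# CanDecrypt = False, which is exactly the protection the thread is describing.
```

The defender’s takeaway is the one TazWake gives: a reviewer checking a host should confirm that stored credentials are DPAPI-bound to the account that legitimately uses them rather than held in a plain file, because then a SYSTEM-level compromise does not by itself expose them. Note that the user DPAPI master key is derived from the account’s logon password, which is why the decryption is tied to a real logon as that user, and that on non-Windows PowerShell there is no DPAPI, so this protection does not apply there.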