Official Omni Discussion

Kind of frustrating machine, but learning new things is always good :slight_smile: I don’t think this machine is “easy” since there is a particular way to get access to it as well as get root.

Rooted, although I feel I cheated a bit.
Had to look some stuff up because I didn’t want to waste hours enumerating.

The short file you find definitely seems to be an oversight. There’s a really obvious path to user → root that gets kinda ruined by that little file…

Finally managed to root after three days of suffering.
Some hints…

Foothold:

You need to know your target. Firefox tells you, on the higher port. Just look closer. Then, a quick Google search can give you a tool for shell. No need for guesswork as some other comments say.

User/Root:

I managed to get every user shell without password, including administrator (started some service, and added my own keys). But it wasn’t enough to decrypt the files for flags. Finally, got a nudge from someone that I needed to find a file to get some creds. And the portal is needed here. Decryption only works if logged in with password, I guess! Didn’t know that, and wasted 2 days. User/Root flags need exact same steps, just a different set of THOSE.

PM for any nudges.

This was a really weird box. The initial foothold is the “hardest” part, when you get the reverse shell you just need to find the right file (remember, ls -force shows more than just ls), and everything else is pretty much straightforward.

So… besides the hints here how does everyone know this is an IoT box?

Jesus Christ, this exploit code is ■■■■. Have to retrofit everything to Python 3.

Rooted. Would be lying if I said I enjoyed that. It’s certainly an easy box, but I would not recommend anyone who is new do this.

I will give it credit for being more stable than most Windows boxes.

@LMAY75 said:

So… besides the hints here how does everyone know this is an IoT box?

Google that Nmap term and you will be there. Simply Google everything you came to see.

Managed to get root.
Had to go back a bit to get user but got there in the end.


I am sure no one is working this box any longer - but if you are, I am losing my wits reading all the docs on importing, exporting, pscreds, and so on. I have seen hints that you don’t actually need to change users, that there is a certain hidden file and it’s not i**-blahblah.xml, enum enum enum, I have enumed manually, looking through lots and lots of folders, I have used Get-ChildItem and still gotten nowhere… I am sure that I have read the answer and just don’t understand it, but at this point I am going in circles. The shell was not that hard, so what am I not looking at? If anyone is still giving hints, please hit me up.

@Reddsec said:

I am sure no one is working this box any longer

The box is only a month old, I bet lots of people are still working on it.

but if you are, I am losing my wits reading all the docs on importing, exporting, pscreds, and so on.

Ok - at the risk of sounding like I am joking, if it is driving you insane, it is probably the wrong path.

I have seen hints that you don’t actually need to change users,

Based on how I approached this box, this hint is drastically incorrect.

that there is a certain hidden file and it’s not i**-blahblah.xml, enum enum enum, I have enumed manually, looking through lots and lots of folders, I have used Get-ChildItem and still gotten nowhere…

The bad news is this is still the best advice anyone can give on the forum without it being a spoiler. You may need to make a more specific question as a direct message.

I am sure that I have read the answer and just don’t understand it, but at this point I am going in circles. The shell was not that hard, so what am I not looking at? If anyone is still giving hints, please hit me up.

The shell not being difficult is a bit misleading. It depends how you got it and which account you have it as. There are probably at least three shells you will need to get.

If you’ve got the shell via the initial exploit, you are in the wrong user account and you absolutely need to find something which lets you go in via the site. If this is the bit you are missing, I strongly recommend you look at possible automation or “job”-related files.

@TazWake - Thank you, I will keep looking, I have 2 shells, one as system, and one that you get using a --as_logg** flag. I am looking for that third I believe…

@Reddsec said:

@TazWake - Thank you, I will keep looking, I have 2 shells, one as system, and one that you get using a --as_logg** flag. I am looking for that third I believe…

Possibly a fourth but it really does depend on your workflow here and I need to be careful to avoid spoilers.

The main tip I can give is that if you want to read a file “locked” to BobbyTables, you would need to have a shell as BobbyTables.

If you got your shell via the http interface you are on the right track.

This is a great box IMO. What I really liked about it was that multiple times you have to combine enumeration output from a tool or command and use the information with another resource at your disposal. The encrypted flag is perhaps the best. It is not enough to get a system shell. You have to extract loot and dig deeper. Thank you @egre55. BTW I could not remember if I had properly respected you and was quite surprised to see you can “disrespect” someone you previously respected! Crazy man.

@TazWake Again Thank you.
After throwing my initial fit above, I received a bit of help.
Foothold - Once you find what you’re looking for, just get the syntax right.
User/root - I made a mistake in enumeration, I was looking for files, but not the right ones. Kicking myself, googling Windows privesc enumeration would have revealed a few things for sure. After that, understand the object you are trying to read. Root wasn’t really any different than user.

Spoiler Removed

The only reason I got the creds is because I CDed everywhere after hours. I really suck at Windows enum, I don’t know where to look for anything and I have to google every PowerShell thing I’m trying to do. I guess ‘use the force’ is the most important tip I can leave here; the rest was done by Google and, again, CDing around like a madman.