Official Omni Discussion

I am sure no one is working this box any longer - but if you are, I am losing my wits reading all the docs on importing, exporting, pscreds, and so on. I have seen hints that you don’t actually need to change users, that there is a certain hidden file and it’s not i**-blahblah.xml, enum enum enum, I have enumed manually, looking through lots and lots of folders, I have used Get-ChildItem and still gotten nowhere… I am sure that I have read the answer and just don’t understand it, but at this point I am going in circles. The shell was not that hard, so what am I not looking at? If anyone is still giving hints, please hit me up.

@Reddsec said:

I am sure no one is working this box any longer

The box is only a month old, I bet lots of people are still working on it.

but if you are, I am losing my wits reading all the docs on importing, exporting, pscreds, and so on.

Ok - at the risk of sounding like I am joking, if it is driving you insane, it is probably the wrong path.

I have seen hints that you don’t actually need to change users,

Based on how I approached this box, this hint is drastically incorrect.

that there is a certain hidden file and it’s not i**-blahblah.xml, enum enum enum, I have enumed manually, looking through lots and lots of folders, I have used Get-ChildItem and still gotten nowhere…

The bad news is this is still the best advice anyone can give on the forum without it being a spoiler. You may need to make a more specific question as a direct message.

I am sure that I have read the answer and just don’t understand it, but at this point I am going in circles. The shell was not that hard, so what am I not looking at? If anyone is still giving hints, please hit me up.

The shell not being difficult is a bit misleading. It depends how you got it and which account you have it as. There are probably at least three shells you will need to get.

If you’ve got the shell via the initial exploit, you are in the wrong user account and you absolutely need to find something which lets you go in via the site. If this is the bit you are missing, I strongly recommend you look at possible automation or “job”-related files.

@TazWake - Thank you, I will keep looking, I have 2 shells, one as system, and one that you get using a --as_logg** flag. I am looking for that third I believe…

@Reddsec said:

@TazWake - Thank you, I will keep looking, I have 2 shells, one as system, and one that you get using a --as_logg** flag. I am looking for that third I believe…

Possibly a fourth but it really does depend on your workflow here and I need to be careful to avoid spoilers.

The main tip I can give is that if you want to read a file “locked” to BobbyTables, you would need to have a shell as BobbyTables.

If you got your shell via the http interface you are on the right track.

This is a great box IMO. What I really liked about it was that multiple times you have to combine enumeration output from a tool or command and use the information with another resource at your disposal. The encrypted flag is perhaps the best. It is not enough to get a system shell. You have to extract loot and dig deeper. Thank you @egre55. BTW I could not remember if I had properly respected you and was quite surprised to see you can “disrespect” someone you previously respected! Crazy man.

@TazWake Again Thank you.
After throwing my initial fit above, I received a bit of help.
Foothold - Once you find what you’re looking for, just get the syntax right.
User/root - I made a mistake in enumeration, I was looking for files, but not the right ones. Kicking myself, googling Windows privesc enumeration would have revealed a few things for sure. After that, understand the object you are trying to read. Root wasn’t really any different than user.

Spoiler Removed

The only reason I got the creds is because I CDed everywhere after hours. I really suck at win enum, I don’t know where to look for anything and I have to google every PowerShell thing I’m trying to do. I guess ‘use the force’ is the most important tip I can leave here, the rest was done by Google and again, CDing around like a mad man.

Can upload nc but got ‘not recognized’ error when trying to execute it. Is this my nc or what?

@gasfad01 said:

Can upload nc but got ‘not recognized’ error when trying to execute it. Is this my nc or what?

It depends on how you uploaded it and what is generating the “not recognized” message.

For example, if you are using PowerShell, “not recognized” normally means you’ve used a command alias it doesn’t know. Other tools will have different meanings.

For those stuck with Kali 2020.3 that do not have pip2 installed, you can install it with the script below, then add the binary to your path:
https://bootstrap.pypa.io/get-pip.py

Hi, I found an exploit for this box, can anyone assist?

Rooted, fun box.
Feel free to write me if you need help.

Has anyone got a working version of the script that will work with python3 pls?

@tyronew said:

Has anyone got a working version of the script that will work with python3 pls?

You can try this:
2to3-2.7 -w yourpython2script.py

Using 2to3 won’t work. For me, it was easier to get it running on Parrot. The box isn’t hard, but wheeze managing python versions can be a burden.

Hi, did someone manage to connect to this box with WinRM? Even with users added to the Remote Group I still have errors “WinRM::WinRMHTTPTransportError”

@roumy said:

Hi, did someone manage to connect to this box with WinRM?

I didn’t.

You don’t need it though.

I spent 2 hours trying to connect as different users.
Start-Process raises the error “The parameter ‘-Credential’ is not supported for the cmdlet”.
Invoke-Command does the same.
Even with user, password and root access I cannot get a flag, this box drives me crazy.