Official Omni Discussion

@rholas said:

Script not working on Kali 2020.3 python 2.7.18

AttributeError: ‘int’ object has no attribute ‘value’

solved:
e…m34

it works but I had to install python2 pip manually.

Finally Rooted. Easy? For a pro! :slight_smile:
I had many problems with the initial foothold. Even having the script, the initial shell was a nightmare. Maybe a matter of syntax. But I tried many ways to get access. Enumeration was hard. Too many things to see, but I learned several useful things. Fun.

Spoiler Removed

found out I was using the wrong method…

Rooted! Thanks everyone for the nudges. This has certainly been the toughest box in my short career here in HTB.

On a side note, was *.**t the only way in for escalation?

@silentdanni said:

Rooted! Thanks everyone for the nudges. This has certainly been the toughest box in my short career here in HTB.

On a side note, was *.**t the only way in for escalation?

Hi, I believe not, I’m quite sure I am a really small step away from doing it. Willing to discuss it in DMs

Hi! I need help on foothold to this box.
I found a script S******T that could enable me to upload and download from the victim machine; however, a problem arises because of the obscure nature of the responses I got, and I can't make much sense of it.
Another problem: after executing a command to run a reverse shell payload (msf binary), no response on the listening port. My techniques are not the best; if you see this, kindly point out where I'm getting it wrong…

@C4P7A1NFlint said:

Hi! I need help on foothold to this box.
I found a script S******T that could enable me to upload and download from the victim machine; however, a problem arises because of the obscure nature of the responses I got, and I can't make much sense of it.

It's a Python script, so it's possibly worth spending a bit of time checking what it does. That can help you understand how to use it.

Another problem: after executing a command to run a reverse shell payload (msf binary), no response on the listening port. My techniques are not the best; if you see this, kindly point out where I'm getting it wrong…

The --args matter; it's hard to say what you are getting wrong. Typos? Bad logic? Impossible approach?

Have a think about what you want the script to do. Work out what each step is and what each step needs, then string it together. This helps you see if you’ve made any risky assumptions (for example, if you try to call nc.exe you need to be sure it exists)

@trab3nd0 said:

  • Root: anything I tried to do on the command line to switch users failed, so use the portal.

I just wanna thank you a lot for that!!! It was painful trying to switch users on the command line. Cheers!

Rooted.

Spoiler Removed

To be honest, the box is fine. Not the best, not the worst. I rooted the box, but I really didn't get the part where you had to find that file with the creds. Like, how are you even supposed to find that? Winpeas didn't find it, since it's looking for the keyword "pass" and that keyword wasn't in the file. I clearly understand that people say it's a perfect example of "enumeration". Like, I get it, but it's not fun to look for hidden files everywhere on the system. This is only my opinion; you may disagree with it. No hate to @egre55, you already did the hardest job of creating this box, so thanks a lot for that! One last thing: if anyone has used an automated way of doing this, I would be glad if you could share it with me. Thanks for reading :slight_smile:

@iWillBeFamous said:

Winpeas didn’t find it since,

I find winpeas is hit and miss at the best of times. I've never been a big fan of it. On HTB it won't work on about 50% of the boxes, and in real life I've found it tends to be pretty untrustworthy.

Like I get it , but it’s not fun to look for hidden files everywhere on the system.

You don’t need to look everywhere. Looking for files related to automation is good practice and should be one of the first steps for enum. A single PowerShell command achieves this really quickly.

I guess @TazWake is answering everybody… well, thanks a lot, I guess :slight_smile: And I'm pretty curious about that PowerShell command you can use. Mind sharing it in private chat @TazWake? Thanks!

Message sent.

If you’ve made it this deep into the hints but still don’t know ‘what the trick is’, I don’t blame you. Many hints are quite misleading (maybe that’s the nature of hints).

This box will stop your forward progress at almost every step. Things that work elsewhere just don’t work here. Omni forces you to read and understand how the tools work, get creative, and sidestep obstacles all the way to root. You think your enumeration game is a 10, well raise it to 11 for Omni.

Initial access
A solid nmap scan returns a big clue that helps you Google for an exploit and a UI. But getting the exploit to work requires some careful reading and a bit of creativity. You can get some commands to execute, but others just won't. You may need to try commands that will spawn other commands. The trial and error here could get really frustrating, but keep at it. You might eventually be able to move files over, but you're shocked when they don't execute. Again, get creative, look for alternatives, keep trying. Enumeration is key; understand what you're working with: enum scripts, architecture, environment variables, there's so much that needs to be considered here. It's possible to do deep enumeration without a shell, and even though you might have the ability to change account passwords, that will probably work against you in the end (as well as everyone else working on the box).

User and root
There may be other ways, but the simplest way I found is to look for creds. They seem to be hidden so deeply that you'll never find them, but again, if you're creative, they can be located. They're not where I would have ever expected them to be, though, and thanks to how the key account was named, filtering out the noise becomes critical. If using PowerShell, use 2> $null or -ErrorAction SilentlyContinue to filter error messages out of the search results. Once you have creds, you still have plenty of work to do (this is still Omni, after all), but it follows more of a logical pattern from that point.

I hope this helps but does not overhint. Good luck!
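The two PowerShell hints given in this thread (enumerate files related to automation as one of the first steps, and silence permission errors with 2> $null or -ErrorAction SilentlyContinue so the noise doesn't bury the hit) combined into one worked example. This is an added illustration, not a command posted by anyone in the thread and not the box author's code; the search root, the extension list and the keyword list are assumptions you should adapt, and it deliberately searches for more than the single word "pass" that winpeas was criticised for relying on.

```powershell
# Added example: hunt for automation/config files, then grep them for credential-like
# strings, suppressing access-denied errors. Root, extensions and keywords are assumptions.
$root = 'C:\'
$automationExt = @('*.ps1', '*.bat', '*.cmd', '*.vbs', '*.xml', '*.txt', '*.config', '*.ini', '*.json')

# Step 1: candidate files. -ErrorAction SilentlyContinue drops "access denied" errors from
# the output (2> $null would do the same by redirecting the error stream). Paths under
# WinSxS/servicing are excluded only to cut noise; widen the filter if nothing turns up.
$files = Get-ChildItem -Path $root -Recurse -File -Include $automationExt -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '\\Windows\\(WinSxS|servicing|assembly)\\' }

# Step 2: what changed most recently is often what an admin or a task touched last.
$files |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 30 FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# Step 3: content search. The keyword list is wider than 'pass' on purpose; a file can hold
# credentials without ever using that word. -SimpleMatch treats each entry as a literal.
$keywords = @('password', 'passwd', 'pwd', 'cred', 'secret', 'token', 'apikey', 'login', 'user')
$files |
    Select-String -Pattern $keywords -SimpleMatch -ErrorAction SilentlyContinue |
    Select-Object Path, LineNumber, @{ Name = 'Line'; Expression = { $_.Line.Trim() } } |
    Format-Table -AutoSize -Wrap
```

If the only thing you can run is a single non-interactive command (as is typical before you have a proper shell), collapse the pipeline onto one line and append `2> $null` at the end; the `-ErrorAction` switch is then redundant but harmless.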

Well, just finished this machine. The enumeration after the initial foothold certainly kicked my ■■■■, but I learned a great deal from this machine.

It’s also worth noting that if you’re using Kali, it’s probably a great deal easier to get python2 / pip2 working so you can run Python 2 scripts, rather than converting it to Python 3.

Crazy thing. I just can’t get the reverse shell from the S******T script. I can do whatever I want. After fixing the Python messages I could run the necessary download to the remote system. I also know that it is the right file and that it is really there. The run command seemed also correct and will be executed without error message. However the shell is not spawning. Same on Kali 2020.2 and Parrot 4.10. Anyone with good advice? Thanks!

@hopihallido : Took me a while to get a working shell that way. There are a few things worth pointing out:

  • You might get a 0 return code, but in some cases an error message might be getting printed which isn’t getting returned to you (e.g. I saw this when playing with a particular powershell payload).
  • Some of the payloads I've tried were (I believe) getting blocked by Windows Defender. Although at least some of these raised a reasonable error code.

Try uploading different payloads, or ideally something that would be considered legitimate rather than harmful.

This box pushed me out of my powershell comfort zone.

Foothold

There is already a wealth of information in this thread about it. Once you find the CVE and the accompanying script, foothold is straightforward. Focus on the commands that facilitate RCE. If your cat is not pleased, use another.

User and Root

Lots of enum, but focus on things that you were not meant to see. These will contain gems that open doors. The door in question here is the very first one you checked out when you started on this box.
Once in, see how you can run commands from there.

Flags are encrypted but there is a provision to be able to view the plain text version.

PM for a nudge