Official Omni Discussion

I guess @TazWake is answering to everybody… well thanks a lot I guess :slight_smile: And I’m pretty curious about that powershell command you can use. Mind sharing it in private chat @TazWake? Thanks?

Message sent.

If you’ve made it this deep into the hints but still don’t know ‘what the trick is’, I don’t blame you. Many hints are quite misleading (maybe that’s the nature of hints).

This box will stop your forward progress at almost every step. Things that work elsewhere just don’t work here. Omni forces you to read and understand how the tools work, get creative, and sidestep obstacles all the way to root. You think your enumeration game is a 10, well raise it to 11 for Omni.

Initial access
A solid nmap scan returns a big clue that helps you Google for an exploit and a UI. But getting the exploit to work requires some careful reading and a bit of creativity. You can get some commands to execute, but others just won’t. You may need to try commands that will spawn other commands. The trial and error here could get really frustrating, but keep at it. You might eventually be able to move files over, but you’re shocked when they don’t execute. Again, get creative, look for alternatives, keep trying. Enumeration is key, understand what you’re working with - enum scripts, architecture, environment variables, there’s so much that needs to be considered here. It’s possible to do deep enumeration without a shell, and even though you might have the ability to change account passwords, that will probably work against you in the end (as well as everyone else working on the box).

User and root
There may be other ways, but the simplest way I found is to look for creds. They seem to be hidden so deeply that you’ll never find them, but again if you’re creative, they can be located. They’re not where I would have ever expected them to be though, and thanks to how the key account was named, filtering out the noise becomes critical. If using Powershell, use 2> $null or ErrorAction SilentlyContinue to filter error messages out of the search results. Once you have creds, you still have plenty of work to do (this is still Omni after all) but it follows more of a logical pattern from that point.

I hope this helps but does not overhint. Good luck!
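The error-suppression tip above, as an added example that is not from the thread: a PowerShell audit that a sysadmin can run to find automation scripts and config files containing credential-like strings, with unreadable paths silenced so the result list stays readable. The root path, file types and keyword pattern are assumptions.

```powershell
# Added example, not code from the thread. Audits a host for automation
# scripts that embed plaintext credentials so they can be cleaned up.
$roots       = @('C:\')                                          # assumption: scan the system drive
$scriptTypes = '*.ps1','*.bat','*.cmd','*.vbs','*.xml','*.config','*.txt'
$pattern     = 'password|passwd|pwd\s*=|credential'              # constructed keyword list (regex)

# -ErrorAction SilentlyContinue drops "access denied" noise from the pipeline;
# appending 2> $null to the whole pipeline achieves the same effect.
Get-ChildItem -Path $roots -Include $scriptTypes -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 1MB } |                         # skip large logs and binaries
    Select-String -Pattern $pattern -ErrorAction SilentlyContinue |
    Select-Object Path, LineNumber, @{ Name = 'Line'; Expression = { $_.Line.Trim() } } |
    Format-Table -AutoSize
```

Each hit is a file, line number and the matching line, which is the list an administrator would work through to move secrets into a proper credential store.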

Well, just finished this machine. The enumeration after the initial foothold certainly kicked my ■■■■, but I learned a great deal from this machine.

It’s also worth noting that if you’re using Kali, it’s probably a great deal easier to get python2 / pip2 working so you can run Python 2 scripts, rather than converting it to Python 3.

Crazy thing. I just can’t get the reverse shell from the S******T script. I can do whatever I want. After fixing the Python messages I could run the necessary download to the remote system. I also know that it is the right file and that it is really there. The run command seemed also correct and will be executed without error message. However the shell is not spawning. Same on Kali 2020.2 and Parrot 4.10. Anyone with good advice? Thanks!

@hopihallido : Took me a while to get a working shell that way. There are a few things worth pointing out:

  • You might get a 0 return code, but in some cases an error message might be getting printed which isn’t getting returned to you (e.g. I saw this when playing with a particular powershell payload).
  • Some of the payloads I’ve tried were (I believe) getting blocked by Windows Defender. Although at least some of these raised a reasonable error code.

Try uploading different payloads, or ideally something that would be considered legitimate rather than harmful.

This box pushed me out of my powershell comfort zone.

Foothold

There is already a wealth of information in this thread about it. Once you find the CVE and the accompanying script, foothold is straightforward. Focus on the commands that facilitate RCE. If your cat is not pleased, use another.

User and Root

Lots of enum, but focus on things that you were not meant to see. This will contain gems that would open doors. The door in question here would have been the very first thing you checked out when you started out on this box.
Once in, see how you can run commands from here.

Flags are encrypted but there is a provision to be able to view the plain text version.

PM for a nudge

Hi All, I can’t seem to successfully upload n*.exe; it always results in a 0-byte file being created?

@pwnableTurkey said:

Hi All, I can’t seem to successfully upload n*.exe; it always results in a 0-byte file being created?

Check the outfile syntax and possibly the location you are writing to.

@TazWake said:

@iWillBeFamous said:

Winpeas didn’t find it since,

I find winpeas is hit and miss at the best of times. I’ve never been a big fan of it. On HTB it won’t work on about 50% of the boxes and in real life I’ve found it tends to be pretty untrustworthy.

Like I get it, but it’s not fun to look for hidden files everywhere on the system.

You don’t need to look everywhere. Looking for files related to automation is good practice and should be one of the first steps for enum. A single PowerShell command achieves this really quickly.

I’d be interested in this as well if you don’t mind, finally rooted the box after enumerating an unhealthy amount and came across the file by luck.

I got the script but whenever I run it I get this error:

HResultResult | type: 1, payload length: 4, HResult: 0x80070002
Can someone help me please!!

Hello everybody, I am trying to get user and I got really stuck. I found what that machine is and my way in. But I can’t execute the script even after modifying it to the latest version of the language. I would appreciate any help. Thanks. I am on htb discord if you want to dm me.

I’m curious what methods would have been used to find the user credentials in this box? I just think I got lucky just checking out folders.

@tbautista said:

I’m curious what methods would have been used to find the user credentials in this box? I just think I got lucky just checking out folders.

Powershell enumeration for common files related to lazy programmers/sysadmins.

Not stable at all for me…

@St4yc4lm said:

I got the script but whenever I run it I get this error:

HResultResult | type: 1, payload length: 4, HResult: 0x80070002
Can someone help me please!!

File not found error. Look around, double check where you’ve found yourself. Make sure your syntax is correct.

@silentdanni said:

Rooted! Thanks everyone for the nudges. This has certainly been the toughest box in my short career here in HTB.

On a side note, was *.**t the only way in for escalation?

I don’t believe so. Maybe the only intended way. I spent a fair amount of time trying to use a different method just to see if I could, but I had too much trouble and gave up. Still, I do think there is another method for those who are particularly stubborn ;).

For anyone struggling with the script where “python” gives “no module installed” or something along those lines: a great help to me (a newbie) was downloading and using Pip2. “Pip3” and “Pip” by default install modules to Python 3.x. Pip2 routes modules into Python 2.x, which is native for this script. Seems like a cool tool and solved a problem for me.

Did anyone use a powershell enumeration script to find the creds?

@rpthomps said:

Did anyone use a powershell enumeration script to find the creds?

Not an enumeration script as such, but I used powershell.

Well, I guess I better start learning how to do that…LOL…