Official Omni Discussion

Hey guys, noob here and I just can't move ahead of the nmap scan on this. Don't know what to do. Please drop a small hint to give me some direction.

@tej4pa said:

Hey guys, noob here and I just can't move ahead of the nmap scan on this. Don't know what to do. Please drop a small hint to give me some direction.

Read your nmap output or visit the page. That tells you a term to look up. Look it up and find the tool you need to get a foothold.

@tej4pa said:

Hey guys, noob here and I just can't move ahead of the nmap scan on this. Don't know what to do. Please drop a small hint to give me some direction.

nmap has more to offer than just simple port enumeration… try the included scripts to gather more info on found ports… and then google is your friend!

Omni has some nasty default settings.

Does the credential file use a .x** extension?

Well, I guess I shouldn't have chosen this machine to start my HTB journey, but after struggling with it for 3 days and using a couple of hints from this forum for the machine enumeration part, I actually managed to root it and I am so proud of that!

I pretty much managed to get all parts on my own, except for the machine enum part, and I can tell for sure I would never have gotten that part on my own in a million years!

I am very much a beginner at this, and all the enum I know is from my VHL training and online checklists I got from random googling, and none of that helped me here, unless I missed something.

If someone could please DM me any resources / references to help me get better at the enum part for future reference, or that explain how you guys knew what you should look for, that would be fantastic!!!

Thanks a lot for all the help! You guys are awesome! :slight_smile:


@hefnyy said:

Well, I guess I shouldn't have chosen this machine to start my HTB journey, but after struggling with it for 3 days and using a couple of hints from this forum for the machine enumeration part, I actually managed to root it and I am so proud of that!

Nice work! Welcome to HTB and I really hope you enjoy it here.

If someone could please DM me any resources / references to help me get better at the enum part for future reference, or that explain how you guys knew what you should look for, that would be fantastic!!!

There isn’t really a simple answer for that. Enumeration is sort of a term people use to mean “trying stuff and seeing what turns up”.

There are general methodologies - used by tools like LinEnum / WinPEAS etc. - but I am not a huge fan of these and you'll discover they work on about 10% of HTB boxes. In real-world pentests they are often so noisy you'd struggle to justify using them.

At a very, very basic level, enumeration for privesc comes down to simply thinking of things to look at and then trying it. For example, I've seen lots of situations where sysadmins have left privileged credentials in web.config and unattended.xml files to support automation. Checking to see if any exist is a good enumeration step but - off the top of my head - I've never seen this work on an HTB box. However, the general principle of "Look for credentials in files related to automation" is fairly useful.

Really - all enumeration is about looking at things and deciding if you can use them. I try to avoid noisy things like cd /; grep -ir password * because (for me) it becomes too hard to use the output. But more targeted things like searches for specific files are useful.

Also, a lot of enumeration is down to drawing conclusions - for example finding a service is suspended and also discovering your account has the privileges to modify that service gives you an idea how to exploit it.

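TazWake's "look for credentials in files related to automation" idea as a targeted check rather than a noisy grep: an added example (not from this thread, HTB or the Omni box) that walks a tree for unattend.xml / sysprep.xml and web.config files and reports where credential material sits, without echoing the values, so an admin can clean them up. The sample files, the file-name list and the function names are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample files (not taken from any real host or from the Omni box).
UNATTEND_XML = """<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings pass="oobeSystem">
 <component name="Microsoft-Windows-Shell-Setup"><AutoLogon><Enabled>true</Enabled>
  <Username>Administrator</Username><Password><Value>UABhAHMAcw==</Value><PlainText>false</PlainText>
  </Password></AutoLogon></component></settings></unattend>"""
WEB_CONFIG = """<configuration><connectionStrings><add name="AppDb"
 connectionString="Server=db01;Database=app;User Id=svc_app;Password=s3cret;"/></connectionStrings>
 <appSettings><add key="ApiToken" value="abc123"/><add key="Theme" value="dark"/></appSettings>
</configuration>"""
CONN_RE = re.compile(r"(password|pwd)\s*=", re.I)                 # credential in a connection string
KEY_RE = re.compile(r"(password|passwd|pwd|secret|token)", re.I)  # secret-looking setting names

def _local(tag):  # strip the XML namespace from an element tag
    return tag.rsplit("}", 1)[-1]

def scan_unattend(text):
    """Report embedded password values and enabled AutoLogon in an unattend/sysprep answer file."""
    findings = []
    for elem in ET.fromstring(text).iter():
        name = _local(elem.tag)
        kids = {_local(c.tag): (c.text or "").strip() for c in elem}
        if name in ("Password", "AdministratorPassword") and kids.get("Value"):
            enc = "plaintext" if kids.get("PlainText", "").lower() == "true" else "base64"
            findings.append(f"{name} element holds a {enc} value")
        elif name == "AutoLogon" and kids.get("Enabled", "").lower() == "true":
            findings.append("AutoLogon is enabled")
    return findings

def scan_webconfig(text):
    """Report connection strings and appSettings entries that carry credential material."""
    root, findings = ET.fromstring(text), []
    for add in root.iterfind("./connectionStrings/add"):
        if CONN_RE.search(add.get("connectionString", "")):
            findings.append(f"connectionString {add.get('name')!r} embeds a password")
    for add in root.iterfind("./appSettings/add"):
        if KEY_RE.search(add.get("key", "")) and add.get("value"):
            findings.append(f"appSettings key {add.get('key')!r} looks like a secret")
    return findings

SCANNERS = {"unattend.xml": scan_unattend, "unattended.xml": scan_unattend,
            "sysprep.xml": scan_unattend, "web.config": scan_webconfig}

def audit_automation_files(root):
    """Walk a tree and return (path, finding) pairs; the secrets themselves are never echoed."""
    return [(str(p), f) for p in Path(root).rglob("*") if p.is_file() and p.name.lower() in SCANNERS
            for f in SCANNERS[p.name.lower()](p.read_text(encoding="utf-8", errors="replace"))]
```

Point it at a mounted image or a backup share; the report tells you which files to rotate and scrub, which is the remediation side of the enumeration step TazWake describes.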

Machine Pwned. Enjoy!
Root \o and User \o

Struggling to get a shell. Can anyone nudge me a little?

@mrWh17e said:

Struggling to get a shell. Can anyone nudge me a little?

If you’ve used the right tool, that gives you a way to upload something else you can use to get a very effective shell.

Just a reminder - Omni retires tomorrow.

Anyone manage to use Python3 rather than Python2 lately?

ok

@BinaryShadow said:

Hi, I'm already stuck with the flag files. Can someone give me a hint how to decode the Sxxxxm.Sxxxxxxy.Sxxxxxxxxg? I've been trying for hours with Pxxxr Sxxxl with no results.

You need to be logged into the account of the owner of the password hash, Administrator, and from there you use the PowerShell terminal to decode. Pull me into a DM.

@mrWh17e said:

Yeah! That's where the issue is. I am not able to upload.

Rather than rely on the built in upload, treat it as a remote code execution and use tools on the machine to upload.

@emilyj27 said:

Anyone manage to use Python3 rather than Python2 lately?

Yeah! I did the exploit using python3.

First Windows box done - had a big unintended nudge for the passwords :neutral: - still, learnt a lot about p********l.

Currently having issues with an error code.

“‘b’The system cannot execute the specified program.\r\n’'>” is what I am getting when trying to run the **.exe and ***4.exe using the program once the .exe is uploaded.

Anyone else had this issue?

@CrackerMan said:

Currently having issues with an error code.

“‘b’The system cannot execute the specified program.\r\n’'>” is what I am getting when trying to run the **.exe and ***4.exe using the program once the .exe is uploaded.

Anyone else had this issue?

It depends how you are trying to execute them.

I’d try LaunchCommandWithOutput and call cmd then issue the commands you want to run as arguments.

The good news is that this box is retired now so if you get stuck you can read a write up.

@TazWake said:

@CrackerMan said:

Currently having issues with an error code.

“‘b’The system cannot execute the specified program.\r\n’'>” is what I am getting when trying to run the **.exe and ***4.exe using the program once the .exe is uploaded.

Anyone else had this issue?

It depends how you are trying to execute them.

I’d try LaunchCommandWithOutput and call cmd then issue the commands you want to run as arguments.

The good news is that this box is retired now so if you get stuck you can read a write up.

Thanks Taz, you seem to be a really active part of this forum and are helping me loads. I am trying to keep it to online research etc. (no walkthroughs) but I think you can only do so much as a beginner.

@CrackerMan said:

Thanks Taz, you seem to be a really active part of this forum and are helping me loads.

I am glad to help.

I am trying to keep it to online research etc. (no walkthroughs) but I think you can only do so much as a beginner.

Cool - I wouldn't worry too much about using a walkthrough. As long as you try to understand what it is doing, it's pretty much the same as doing online research.