OpenAdmin

Is the user ji*** supposed to have a user.txt?

@OrangeHat Nope, he’s just a step on the ladder :D

@TazWake Thanks. Now, I’m stuck on user2, and pretty sure it’s something to do with that program under their share folder, and even has part of the exploit in a file, but it’s not working. It gives me a shell, but it’s the same privilege. Also, I thought that user had sudo, but I guess not…none of the passwords work. Seems like I’ve tried every one of the exploits in GTFOBins, for that program.

Did you already get root on it?

@6062055 So you are user 2 now?
sudo -l can help you. :slight_smile:

@01ph0rie Oh, sweet, thanks :slight_smile: …will give it a shot.

Oh, wait, was that just to show me that user can use that program with sudo? That’s what I’ve been trying, but it’s not working.

@6062055 and what is it showing to you?
Use that.
Nano is my hint.

Rooted. Thx @D3Fix for the hints. It was a fun box for noobies like me :)

@6062055 said:

@01ph0rie Oh, sweet, thanks :slight_smile: …will give it a shot.

Oh, wait, was that just to show me that user can use that program with sudo? That’s what I’ve been trying, but it’s not working.

Not sure if you’ve cracked this yet, but if you are still struggling, chances are you’ve misread it and are trying something it doesn’t allow you to do.

Ok now that I finally rooted this machine, here are my thoughts:

Lessons Learned

Overall

  • If you’ve got some creds that you think should work but don’t, reset the box and try again. Some people are changing the user creds to block others from connecting - this happened to me multiple times, not sure if this is being done maliciously, or as a defensive mechanism, or what. It’s really annoying. Don’t do this.

Initial foothold

  • Make sure you use a trailing ‘/’ for the exploit script!

User 1

  • There are many ways of spelling “password”!
  • ls and cat are effective tools for enumeration if you’re only checking a few places

User 2

  • If johnny isn’t rocking your world, make sure your command line args are correct (--arg=/some/path, not --arg /some/path)

Root

  • It was the obvious thing, but at first I didn’t understand the format of the command. Each line is a single command, not multiple commands separated by whitespace.

@01ph0rie , @TazWake : The shell pops up, but it’s just the same privilege, same user. So, I see how ‘sudo -l’ shows the program, but that’s what I’ve been trying the whole time. I’ve tried every method on GTFOBins, so now I’m wondering if I’m totally off, or what.

If I run sudo -l, and it shows I’m supposed to be able to run the program with no password, I don’t get why it’s prompting me for a password when I try to sudo the program.

EDIT: …still can’t figure this out, after a few more hours messing with it. I don’t understand why sudo isn’t working when it says NOPASSWD. I don’t see how the GTFOBin method is supposed to work without sudo. I’ve tried it without sudo a hundred times now. Anyone else still messing with this? Does anyone have user2 creds, for sudo? Maybe I’m missing some creds. Someone mentioned some mysql creds. I haven’t seen them, but not sure if I need them, either.

Help getting root, I’m currently user 2, just PM me. Thanks

Stuck on user1. Got lost somewhere and found myself digging through the database for info which I’m certain is the wrong path.

Thought I found the right info in m***.p file within the i****l directory but having trouble gaining what I need to from it.

@6062055 maybe you don’t need a Shell?
Think of nano, what can you do with it, what shortcuts can you use.

Just rooted it. Yay!

Some thoughts from my side:
Begin with standard Enumeration, after you find the interesting App, search for exploits.
For User1:
At first dig deeper, not higher; you should find everything needed to log into the lowest port.
User2: Grab all the stuff you can get and can access before, watch the new files and exploit it, Call your Crack-Buddy and Talk about this key and the phrase
root: The most important point I nearly stumbled (again after Swagshop?) → Spaces are no commas!!! After that, it’s easy, particularly with the nice Webpage from other hints.

I had issues with all the stuff and how to put it in order.
Thanks for the Box, learned new things and refreshed memories!

@6062055 I had the same problem as you at first. Read my comment above about the output being a single command, not two commands. E.g. if you see ‘/bin/command /opt/otherthing’ you should run that as a single command, not just /bin/command by itself.

@6062055 said:

EDIT: …still can’t figure this out, after a few more hours messing with it. I don’t understand why sudo isn’t working when it says NOPASSWD. I don’t see how the GTFOBin method is supposed to work without sudo. I’ve tried it without sudo a hundred times now. Anyone else still messing with this? Does anyone have user2 creds, for sudo? Maybe I’m missing some creds. Someone mentioned some mysql creds. I haven’t seen them, but not sure if I need them, either.

Are you still stuck? If so PM me. No extra creds needed but I am curious how you got user 1’s creds.

@awarkozak said:

Stuck on user1. Got lost somewhere and found myself digging through the database for info which I’m certain is the wrong path.

Thought I found the right info in m***.p file within the i****l directory but having trouble gaining what I need to from it.

Find out where it is being served.

@OrangeHat said:

@6062055 I had the same problem as you at first. Read my comment above about the output being a single command, not two commands. E.g. if you see ‘/bin/command /opt/otherthing’ you should run that as a single command, not just /bin/command by itself.

@OrangeHat Thanks for the tip (:::respected:::).
@TazWake Figured out with a couple nudges…thanks :slight_smile: (:::respected:::) :slight_smile:

@6062055 said:

@OrangeHat Thanks for the tip (:::respected:::).
@TazWake Figured out with a couple nudges…thanks :slight_smile: (:::respected:::) :slight_smile:

Nice work.

@TazWake I got the user 1 (j***y) pass from some php or html file somewhere, viewable from www-data, then just logged in with that.

For anyone else interested…
User 2 = look for ‘internal’ files, try curl w/ interesting port.
Root = sudo -l, find out what that output really means, and how to use it. Google should give you an idea, or just ask me :slight_smile:

This was my fourth machine. Took me way too long and too many hints to figure out Root, thought it would be easier to figure out. @dmw0ng , thanks for the great machine :smile:
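Several posts above make the same point about reading `sudo -l`: commas separate entries, and whitespace inside an entry belongs to one command with its arguments. The sketch below is an added example, not part of the thread; it parses constructed `sudo -l` output (user, host and the second line are made up, the first path pair is the placeholder from the post above) and checks whether an invocation matches an entry, assuming exact argument matching only (sudoers wildcards and the `""` form are not handled).

```python
import re
import shlex

# Constructed `sudo -l` output; not taken from any real host.
SAMPLE = """\
User alice may run the following commands on host1:
    (ALL) NOPASSWD: /bin/command /opt/otherthing
    (root) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/syslog
"""

# "(runas) [TAG: ...] command spec[, command spec ...]"
ENTRY = re.compile(
    r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text):
    """Return one dict per command spec listed by `sudo -l`."""
    specs = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags").split()
        # Unescaped commas separate command specs; whitespace only
        # separates a command from its own arguments.
        for cmd in re.split(r"(?<!\\),\s*", m.group("cmds")):
            argv = shlex.split(cmd)
            if not argv:
                continue
            specs.append({"runas": m.group("runas"), "nopasswd": nopasswd,
                          "path": argv[0], "args": argv[1:]})
    return specs


def is_allowed(specs, argv):
    """True if argv matches a spec: same path and, when the spec lists
    arguments, exactly those arguments."""
    return any(argv[0] == s["path"] and (not s["args"] or argv[1:] == s["args"])
               for s in specs)


def nopasswd_specs(specs):
    """Specs that run without a password prompt, for audit review."""
    return [s for s in specs if s["nopasswd"]]
```
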