OpenAdmin

@666Kuro666 said:

Can I get some help with the sshkey format, like a correct ssh format example?
I copied it to log in to the account,
but the terminal shows: Load key “sshkey.txt”: invalid format.
The other problem:
I want to use a tool to crack (convert) the password, but it also shows: [sshkey.txt] couldn’t parse keyfile
Thanks

Happy to help but I am not sure what you are trying to do. Start with the beginning of the key and go to the end. You can create your own to see what the layout should be.

@Crni said:

Can I get some hints? I own the first user but I do not know what to look at next. I am new to HTB.

Sure - have a read through this thread which basically provides a tutorial for this box. If there is something you don’t understand or can’t get working either ask here for veiled hints or drop me a DM.

Anybody willing to help me get the second user? I have no idea what’s going on and the forum just keeps saying it’s between the 1st page and here lol but all I can get is:

5.7.28-0ubuntu0.18.04.4vMlMbg>�’���t"[lb%2Zl9mysql_native_password�Got packets out of orderjimmy@openadmin:~$

I’ve tried curling, searching but can’t find anything to get to user 2

Anybody willing to share an example or tutorial or something on how curl can be used to get an SSH key? In all my life and getting OSCP I’ve never used curl so I have zero clue on how to use it in this scenario

@WarrenVos said:

Anybody willing to share an example or tutorial or something on how curl can be used to get an SSH key? In all my life and getting OSCP I’ve never used curl so I have zero clue on how to use it in this scenario

You’ve misunderstood the hints.

There isn’t a standard way to “use curl to get X”. What people have said, several times, is enumerate the box. When you find what you need to use curl on, you will understand how to use curl.

This isn’t meant to say “curl X” and an SSH key appears by magic. It’s manipulate a service with curl - or the tool of your choice, you can use wget, a web browser, whatever you want.

Curl is just a tool for transferring data to, or from, a server. You could probably use nc if you wanted to do it manually.

Nice fun box :mrgreen:

I stuffed around for a couple of hours with the initial priv esc, just poor enum on my part. If you’re experiencing ‘internal’ frustration :wink: I suggest going back to the basics of retrieving web content from the cmd line (nothing fancy). Priv esc to root took less than a minute. If you’re stuck on root you’re overthinking it, just run any popular priv esc script and check the output.

Peace

This is my first box. It’s interesting!
Giving people a bit of advice.
user1: Password is reused.

user2: Check all directories and ports.

root: Very easy, use existing.

If you have any questions, you are welcome to PM me.

By the way: some bad guy deleted the “root.txt” and “user.txt”, so I can’t get them now, but I got the way.

Hope some guy can reset it, I run out of times :slight_smile:

Nice straightforward box. Great job :slight_smile:

Huge thanks to @Darvidor for the help and advice given!

@6062055, Thanks for your comments on the forum.
Rooted.

Initial: CVE
User1: Don’t stray far from where you landed, but also don’t go 20 layers deep like I did
User2: Go to the gym but make sure to call and check where to inter from
Root: GTFObins

Owned :blush: , DM for a nudge

found user2 pw with …2j… but not able to ssh … any hint on different spellings?

Edited: just found my mistake …facepalm

Edited again: and rooted :smiley: took me a while to get my head clear again but then it went on :slight_smile:

Rooted! A few techniques used on this that I either hadn’t used before or were variations on a theme so that’s nice, always good to learn something even from an easier box.

This time I am trying to connect to 10.10.10.171/ona with the shell but can’t connect. What is happening? I have tried resetting this box several times.

Rooted!

This box was very fun, very interesting for a beginner ! Thanks to @dmw0ng

Foothold: the name is actually a very good hint.
User: enumerate, enumerate. After a while, a path that wasn’t accessible is now.
Root: very common vulnerability, GTFO

Feel free to send me a PM if you need a nudge!
(Hope that I didn’t tell too much in the hints)

I am super frustrated at the moment. I’ve used the tool to convert J’s key to a format john likes. That works fine, but John throws the error “No hashes loaded” with it. Tried every combo and even had friends on discord look with baffle. Anyone run into this issue?

@publicist said:

I am super frustrated at the moment. I’ve used the tool to convert J’s key to a format john likes. That works fine, but John throws the error “No hashes loaded” with it. Tried every combo and even had friends on discord look with baffle. Anyone run into this issue?

Do you use dict?

@evilAdan0s said:

Do you use dict?

Try that option and also just plain brute force. But the error message is “No password hashes loaded (see FAQ)” and it looks like this is an issue with the program. SEE BELOW:

This is my first htb active box, I have been able to find the foothold and use the exploit to get the RCE. I found some interesting info in a file not far from where I landed that alludes to a m***pl user. I am struggling to figure out how to use this. I have explored and attempted everything I can think of using curl from my attacking machine, and even saw a hint about using curl locally. Through tips here I can now comfortably navigate around the RCE to traverse directories but not having much luck finding the first user. Could someone PM so I can provide what I know and see if you can nudge me along just a bit?

@publicist said:

I am super frustrated at the moment. I’ve used the tool to convert J’s key to a format john likes. That works fine, but John throws the error “No hashes loaded” with it. Tried every combo and even had friends on discord look with baffle. Anyone run into this issue?

Yep, I did. The solution for me was to manually download and build John and to use it “from the folder”. I’ll have to check what’s wrong with the john version on my kali dist tho.