So to respond to my own question above: no, that’s not how you’re meant to get root. Can people please be a little more conscientious and not leave flags lying around please!
Anyway, this was my favourite box I’ve done so far, and I struggled the most with root.
As someone else said, there are plenty of hints here to get you through this box, but I’ll leave some of my own, just in case it’s the little nudge needed, even if only worded differently.
Initial foothold: I couldn’t for the life of me work this one out due to the directory you need to find via dirb/gobuster being in any of the wordlists I used. I’m not really sure what hint to give here because of that, but either way, once you find that page/directory, then you’re going to want to find an exploit for that. You’ll see a lot of people throughout this thread had difficulty getting it to work. In my opinion the easiest fix is to change the file format via vim: open the exploit in vim and press
:set ff=unix. Then all you need to do is point the exploit to openadmin/o**/l***n.php
User 1: This took me hours… I actually found what I needed in only a matter of minutes. When you find it, you’ll see a username in the same file, but it’s not actually for that user. Think a lot more obvious but in a stupid way and you’ll get it. A hint is to utilise find to list all PHP files in the directory you land in and grep for a different variation of spelling for a sensitive keyword.
User 2: Enumerate what network services are running on the machine and figure out a way to interact with that service without using a webpage. Specify the resource at the far end of the command you run, not somewhere in the middle.
Root: The BEST hint I saw here (sorry, I forgot on what page it was, so I can’t credit) was that you’re not looking at two separate commands, they’re one command, e.g.