OpenAdmin

@xformer1337 said:

Need some help here… I’m stuck on getting the cred of the second user.
I found the file m***.php and managed to crack the password (sha***) but that is not the password for the second user. I tried to run the m***.php with openadmin cli tool (with admin cred) but I still can’t access anything in the second user’s directory. I imagine user.txt is inside the second user’s directory but I can’t seem to reach that. Please help …

DM me

@awakengaming83 said:

@kalitkd I have found the dir /o** and found the .sh script on google, but since I am very new to both Linux and pentesting I am unaware of how to modify said script to point at the correct location.

try scriptname.sh http://ipaddress/path/target - change the details to be what you want to use.

@nigamelastic said:

I am just at www-**** shell but how to go forward, please nudge me. I hear people saying enumerate but I can’t find anything

This sounds harsh, but either some idiot has messed up the box or you just need to look harder. When you run ls you find files. Are you 100% sure you’ve read every one, in every folder, and not found anything useful?

@burjanbalazs said:

Hello, did somebody change something on the box? Even with the ssh key I cannot ssh into the box, it keeps asking me for a password. Can somebody give any tips?

If you are on a free box, it is very possible (even likely) that someone has broken it.

However, you need to troubleshoot better. When you say “it” asks for a password, is SSH asking for a password (i.e. to unlock the key) or is the remote box asking for a password (i.e. the key hasn’t worked)?

If you spend time to find that out, you can work out a solution.

just rooted !!!

Anyone have a problem with the box?? I can’t do an nmap scan due to the box losing connection

alright, this was not a particularly difficult box.

Foothold: find the vulnerable service, Google-fu
User 1: it’s right in front of you, don’t overthink
User 2: pay attention to what you’re given
Root: Simplest priv esc yet on HTB

Overall a fun box. Quickest own yet for me personally.

@TazWake said:

@burjanbalazs said:

Hello, did somebody change something on the box? Even with the ssh key I cannot ssh into the box, it keeps asking me for a password. Can somebody give any tips?

If you are on a free box, it is very possible (even likely) that someone has broken it.

However, you need to troubleshoot better. When you say “it” asks for a password, is SSH asking for a password (i.e. to unlock the key) or is the remote box asking for a password (i.e. the key hasn’t worked)?

If you spend time to find that out, you can work out a solution.

I’m sorry, you’re right, I didn’t describe my problem well enough. So my problem was that when I tried to run ssh with the key that I found, it asked for a passphrase, well enough since I cracked the key I knew the passphrase, but after that it still asked me for the user’s password. After about 30 minutes of head banging some voice in my head told me to switch servers, maybe someone messed up the box, and lo and behold, after the switch it immediately worked. Thank you for your response.

I found some interesting words in login.php — <input id="standalone" type="hidden", but don’t know how to use it. Can anybody help me?

Rooted!! Good box for beginners like me

@yuksec said:

I found some interesting words in login.php — <input id="standalone" type="hidden", but don’t know how to use it. Can anybody help me?

I didn’t use what you have mentioned. What stage are you at? You can PM if needed.

Can someone PM me with some help for user1 please? I can run commands in the machine as www-data and even reverse-shell to it and run LinEnum, but I am not finding anything interesting apart from confusion… Please help if you can, thanks!

Could someone perhaps assist me with a nudge in the right direction? I have a low priv shell (w****a) but I cannot seem to find the credentials everyone is talking about. I have gone fully through the files and directories in /o/ but I have no idea why I cannot seem to find them.

@Sc4v3ng3r said:

Could someone perhaps assist me with a nudge in the right direction? I have a low priv shell (w****a) but I cannot seem to find the credentials everyone is talking about. I have gone fully through the files and directories in /o/ but I have no idea why I cannot seem to find them.

It’s a bit laborious but you have to read all the files. It’s not too far from where you land.

@obarmatz said:

Can someone PM me with some help for user1 please? I can run commands in the machine as www-data and even reverse-shell to it and run LinEnum, but I am not finding anything interesting apart from confusion… Please help if you can, thanks!

@Sc4v3ng3r said:

Could someone perhaps assist me with a nudge in the right direction? I have a low priv shell (w****a) but I cannot seem to find the credentials everyone is talking about. I have gone fully through the files and directories in /o/ but I have no idea why I cannot seem to find them.

This is the same problem lots of people have. As far as I can tell it boils down to one of two things:

  1. Someone has messed with the box. Check the modification timestamps of the files and folders you can see. If files inside subfolders look like they’ve been modified “today”, then chances are, the box has been tampered with.

  2. You’ve overlooked something. The info you need is surprisingly easy to come across so it is likely you’ve skipped ahead (especially if you are running LinEnum). It isn’t about finding some way to subvert the filesystem, it’s about looking at where a careless/lazy admin might have left something useful as they configured the systems which you can then reuse somewhere else.

The problem is that this is simple enough that pretty much any hint would be a complete spoiler.

@TazWake I’m curious if what I’m looking at is what you’re talking about. If so, where would you be able to use it?

I’m struggling in the part user1→user2.
What is ‘n***a’ password…
I have only a hashed password for another user. Any help?

Edit : ROOTED! Thank you @TazWake

I’ve found the interesting scripts as user1, struggling to figure out how to get them to execute for the txt. Can anyone help?

@ardevas09 said:

@TazWake I’m curious if what I’m looking at is what you’re talking about. If so, where would you be able to use it?

If you’ve run a port scan on the box, there is an obvious place to try and authenticate. You can see if one of the users on the machine has been lazy and reused a password.

@whitelily said:

I’m struggling in the part user1→user2.
What is ‘n***a’ password…
I have only a hashed password for another user. Any help?

If you have recovered the “thing” you need to get from there, you can extract the password from it using a well known tool.