OpenAdmin

Good box. Nothing advanced really, standard enumeration and knowing how to use publicly available scripts. Anyone needing a nudge (not a solution) feel free to message me :slight_smile:

Stuck @ www-data shell. Just roaming around directories. Where to go, what to do?

Come on, who took the OpenAdmin main page down??? :frowning:
There are people working on the box, mate…

Whoever you are, finish your job, I’ll come back later to reset the box…

Hi guys! I’m a newbie and I’m really stuck with the OpenAdmin box, can somebody help me?
Please send DM

rooted! this was a good box to do, when you are actually avoiding Multimaster :slight_smile:

@netpal said:

@TazWake Thanks for the hints. I was able to add the exploit to Metasploit and make it work.

I am glad it worked

I was connected as w**-***a and able to execute some commands. From there, I enumerated and found usernames and a password. I used this password to connect via ssh with a user.
I enumerated from this new terminal and found more interesting files (password files). I wanted to download them on my machine with scp but don’t have the permission…

Ok. If you have an MSF session you should be able to download via that. Alternatively, you can use nc to shuttle files as well, simply base64ing them and then copy/pasting to local files.

Generally, if you see data on your screen there are a myriad of ways you can get it to your local device.

In a general way, what am I supposed to do here? What should I look for? Also, since I am connected as a user, shouldn’t I have found the first flag ?!

The user flag isn’t always the first user. It’s just one of the two flags you need to get. Oddly on this box, sometimes people have broken it and copied the user flag into the first user account. But you can’t account for people.

What are you supposed to do? Find the information you need to gain access to the second user account.

@EzioRaison said:

Stuck @ www-data shell. Just roaming around directories. Where to go, what to do?

Read the files, find the information you need. It’s not very far from where your exploit landed.

@TazWake said:

@EzioRaison said:

Stuck @ www-data shell. Just roaming around directories. Where to go, what to do?

Read the files, find the information you need. It’s not very far from where your exploit landed.

I have found mysql credentials, user jy, ja, and a string which seems like pass, but don’t know what it is. It’s like my***********rd.

Finally root!!

Special thanks to @TazWake. Great support for a newbie like me, giving the right hints and pushing my brain to look with broader perspective.

It has been a great challenge as my first box here in HTB. Lack of experience maybe is a handicap, but with support it is possible to learn step by step and not falling into desperation.

Foothold was by my own, after that I needed some nudges to move along to the end

For incomers, discussion has enough tips to root the machine.

@EzioRaison said:

I have found mysql credentials, user jy, ja, and a string which seems like pass, but don’t know what it is. It’s like my***********rd.

So, to repeat a previous quote from John Strand (BlackHills Infosec): " find creds, crack creds, use creds ".

Have you tried using them? Password reuse is common.

@enigmaNL said:

rooted! this was a good box to do, when you are actually avoiding Multimaster :slight_smile:

Ahahahahahah!!! You’re right! I left Multimaster for a later time, too :wink:

Got root flag. Turned out there is more work to do with the i*** file. I had the wrong mindset and tried to use a reverse shell under user2’s permission, which didn’t work. The playtime with the file is pretty fast. It should take only 1 or 2 seconds. The key to this play is to use the right flag for the tool (I did it wrong and I couldn’t get the right thing). Next step is pretty easy (if anybody tried pentesterlab’s unix, it is very useful). The step to get root is pretty easy: read everything the n*** tool can do for you.
P.S.: super big thanks to @cybersecviking, who helped me with the mindset and corrected my playtime mistake.

rooted…

so, it boils down to something like this:

OSINT + Explore as much as possible
As you move next, find something which may not be openly accessible but does exist there :wink:
Exactly understand what you have (very important!)… misunderstanding it took a quarter hour of mine until I figured out it was a piece of cake to privesc to root from J****a

feel free to PM for a nudge :slight_smile:

rooted! :smiley:

Nice box, pretty easy actually but not trivial. Lots of interesting things to discover, sort of logical configurations and escalation. Little tricks to go from a stage to the next, this is what I felt… rooting, super easy, but I have to admit that a nudge from this forum helped a lot to reduce the required time to discover the “right command”… after that, the exploit is a piece of cake!

@TazWake said:

@arhackthebox said:

Anyone experiencing issues with john crapping out?
I’ve read that there’s a bug (password cracking - How do I crack an id_rsa encrypted private key with john the ripper? - Information Security Stack Exchange) but I’m not seeing others on this thread report trouble with it.

Lots of people have been complaining about John not working.

It’s worth using the “Magnum” version rather than the out-of-the-box one: GitHub - openwall/john: John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs

Someone suggested… “-w=wordlist works but -w wordlist does not.”

That solved it for me!

@TazWake Thank you once again for your answer.

I am ashamed to ask, but I think I need a hint for the curl command (I am aware I could use something else). I have literally been through all the pages and curl hints, yet I’m still doing it wrong…

I have found and understood the .**p scripts, and also found an interesting port. I know it runs locally, but even with all this information, I can’t figure out how to write the command precisely. It either returns me the script (so I’m not at the right place) or a “connection refused” error. I have tried a bunch of different syntaxes, to no avail…

I hope it’s the last time I ask a question for this box :confounded:

Thank you

@netpal said:

@TazWake Thank you once again for your answer.

Always glad to help if I can.

I am ashamed to ask, but I think I need a hint for the curl command (I am aware I could use something else). I have literally been through all the pages and curl hints, yet I’m still doing it wrong…

The general syntax to make a request with curl is: curl http://ipaddress:port/page.php. There are other things you need to do if you want to send things like credentials, such as curl -u username:password http://ipaddress:port/page.php (this is generally bad practice as the password gets stored in the history file, but it’s acceptable for CTFs).

Also man curl is a very good place to start.
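
On the history-file remark in the reply above, an added example (not part of any post in this thread): a POSIX shell sketch that passes basic-auth credentials to curl from an owner-only netrc file, plus a check that flags inline -u login:password pairs in a history file. The function names, host, port, login and password are constructed placeholders.

```shell
#!/bin/sh
# Added example: supply HTTP basic-auth credentials to curl without typing the
# password on the command line. Host, port, login and password are constructed.

# Write a one-entry netrc file readable only by its owner.
# $1=file  $2=host  $3=login  $4=password
write_netrc() {
    ( umask 077 && : > "$1" ) || return 1
    chmod 600 "$1" || return 1          # tighten a pre-existing file too
    printf 'machine %s login %s password %s\n' "$2" "$3" "$4" > "$1"
}

# Fetch a URL with credentials looked up in the netrc file by host name.
# $1=netrc file  $2=url
fetch_with_netrc() {
    curl --silent --show-error --netrc-file "$1" "$2"
}

# Succeed if a command line contains an inline "-u login:password" pair,
# the form that is saved verbatim to the shell history file.
has_inline_password() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[[:space:]])(-u|--user)[[:space:]=]+[^[:space:]:]+:[^[:space:]]+'
}

# Count the lines on stdin (for example a history file) that contain one.
count_inline_passwords() {
    n=0
    while IFS= read -r line; do
        if has_inline_password "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}
```

Giving curl only -u username makes it prompt for the password, which also keeps it out of the history file.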

On getting root

Can someone explain if it is normal to get a password prompt when executing s**o commands as a user that has the N******D flag set on said commands?

A pm would be appreciated, thanks!

@arkountos said:

On getting root

Can someone explain if it is normal to get a password prompt when executing s**o commands as a user that has the N******D flag set on said commands?

A pm would be appreciated, thanks!

Only if you’ve entered the command incorrectly.

Hi there, I got the w**-***a shell. I see that the two users are kinda “linked” together and I know that I can now make some http requests to a private server on a strange port. Can this be the way to go? The place in which I landed seems so messy.
Since I’m pretty new to this website, I would like to ask if files inside the box can be modified.