Introduction

Omni from HTB is an Easy ‘real world’ box where we exploit vulnerabilities in the Windows IoT Core platform through the use of SirepRAT. I begin every scan using AutoRecon:


I use the -vv flag in AutoRecon because the verbose console output lets me catch things immediately without going into the results for further investigation. In this case I noticed port 8080 was open. With this being an ‘Easy’ box from HTB, I navigated to the URL in my web browser.

Windows Device Portal


I see a login prompt stating Windows Device Portal. I begin searching for Windows Device Portal and eventually find this GitHub resource:

I cannot stress enough: read the instructions carefully and make sure you have all the prerequisites installed before proceeding. Most of my wasted time comes from trying to fix scripts that just require a specific version or command to run.

32bit of nc not supported.

After getting SirepRAT working correctly I pushed a 32-bit version of nc into the Temp directory. I then launched nc only to find it wasn’t supported. Surprisingly this IoT OS is running 64-bit. After pushing up the 64-bit version and starting a nc session I was able to get a shell.

Below are the commands I used to get a shell, with a side PSA – ‘Clean Workspaces’. When going through these boxes or any engagement I use a labeled TMUX session: I label each tab, keep a logging program running, and document as I go.

Importance of a clean workspace.

PowerShell Privilege Escalation

Upon logging into the box I begin my enumeration using some PowerShell commands I find useful and running WinPEAS after downloading it to the box.

PowerShell list of users/last login.

Recursive search shows r.bat file which catches my interest.


r.bat provides me with two sets of credentials.

After finding and viewing the r.bat file and getting the two sets of credentials, I navigate back to the web UI. I log in with the first user, app/mesh5143, figuring the Administrator credentials will be used later. Inside the Windows Device Portal I find a Run Command screen and test a few outputs.
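The r.bat find above is the classic case of credentials hardcoded in a script on the device. As an added example (mine, not from the original post), the PowerShell below sweeps a directory tree for script files containing credential-like lines, which is the audit a defender would run on an image before shipping it. The function name, the regex patterns and the sample r.bat it creates are my own assumptions; the sample password is a constructed value.

```powershell
# Added example: audit a directory tree for scripts that embed credentials.
# Function name, patterns and the sample file are assumptions, not from the post.
function Find-EmbeddedCredentials {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [string[]] $Extensions = @('*.bat', '*.cmd', '*.ps1')
    )
    # Common ways credentials end up in scripts; tune these for your environment.
    $patterns = @(
        'net\s+user\s+\S+\s+(?!/)\S+',                # net user <name> <password> ...
        '(?i)password\s*[:=]\s*\S+',                   # password=... / password: ...
        '(?i)ConvertTo-SecureString\s+.*-AsPlainText'  # plaintext -> SecureString in script
    )
    Get-ChildItem -Path $Root -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.Path
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

# Constructed sample so the function can be exercised offline (not the real r.bat).
$sample = Join-Path $env:TEMP 'audit-demo'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@'
@echo off
net user demo-user constructed-P@ss-value
'@ | Set-Content -Path (Join-Path $sample 'r.bat')

Find-EmbeddedCredentials -Root $sample | Format-Table -AutoSize
```

Run it against the root of a mounted image or a user profile; every hit is a line that should be replaced with a secret pulled at runtime rather than stored in the script.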

I already have nc on the machine so I attempt a new shell. The shell keeps failing until I realize that (for reasons unknown to me) I am unable to access the Temp folder. I copy my nc over to Public and run it again with success.

Run Command screen.


User.txt locked with PSCredential


The user.txt was locked with PSCredential, which I have run across multiple times in my field. For those that need more information, read the article HERE.
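For context on why the flag only became readable once I had a session as the right user: a PSCredential saved with Export-Clixml has its SecureString protected with DPAPI under the exporting user's profile on that host, so the same account can read it back and any other account cannot. The example below is added here and is not from the post; the file path, user name and secret are constructed.

```powershell
# Added example: write a PSCredential with Export-Clixml and read it back.
# Path, user name and secret are constructed values, not from the original post.
$path = Join-Path $env:TEMP 'demo-cred.xml'

# 1. The value lives in a SecureString wrapped in a PSCredential.
$secure = ConvertTo-SecureString 'constructed-secret-value' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('demo-user', $secure)

# 2. Export-Clixml serialises the SecureString with DPAPI, keyed to the current
#    user profile on this machine; other accounts and other hosts cannot decrypt it.
$cred | Export-Clixml -Path $path

# 3. Importing as the same user yields the plaintext through GetNetworkCredential();
#    importing as a different user fails during DPAPI decryption.
function Read-ExportedCredential {
    param([Parameter(Mandatory)] [string] $Path)
    $c = Import-Clixml -Path $Path
    [pscustomobject]@{
        UserName = $c.UserName
        Password = $c.GetNetworkCredential().Password
    }
}

Read-ExportedCredential -Path $path
```

The defensive takeaway is that Export-Clixml is only as strong as the account it was exported under: whoever can run code as that user on that host can recover the value, which is exactly what the Run Command screen gave me here.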

Grabbing the encrypted User.txt

After getting the user.txt I did some light enumeration before testing the credentials on the HTTP session. Turns out the process for the user is the same for the Administrator…. lame. I followed the steps above for another session and PSCredential decryption to get the Administrator flag. Boo.

Grabbing the encrypted HTB - Omni Administrator.txt


Rooted

Published On: January 17th, 2021 / Categories: HTB, Technology
