Omni from HTB is an Easy ‘real world’ box where we exploit vulnerabilities in the Windows IoT Core platform through the use of SirepRAT. I begin every scan using AutoRecon:
I use the -vv flag in AutoRecon, as the verbosity of information in the console lets me catch things immediately without needing to dig into the results for further investigation. In this case I noticed port 8080 was open. With this being an ‘Easy’ box from HTB, I navigated to the URL in my web browser.
I see a login prompt stating Windows Device Portal. I begin searching for Windows Device Portal and eventually find this GitHub resource:
I cannot stress this enough: read the instructions carefully and make sure you have all the prerequisites installed before proceeding. The majority of my wasted time comes from trying to fix scripts that simply require a specific version or command to run.
nc not supported.
With SirepRAT working correctly, I pushed a 32-bit version of nc into the Temp directory. I then launched nc, only to find it wasn’t supported. Surprisingly, this IoT OS is running 64-bit. After pushing the 64-bit version and starting an nc session I was able to get a shell.
Below are the commands I used to get a shell, with a side PSA: ‘Clean Workspaces’. When going through these boxes or any engagement I use a labeled tmux session. I label each tab, keep a logging program running, and document as I go.
Importance of a clean workspace.
PowerShell Privilege Escalation
Upon logging into the box I begin my enumeration using some PowerShell commands I find useful, and run WinPEAS after downloading it to the box.
PowerShell list of users/last login.
A recursive search shows an r.bat file which catches my interest.
r.bat provides me with two sets of credentials.
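Hard-coded credentials in a stray batch file are the finding here, and the same thing is easy to audit for before an attacker finds it. The following PowerShell is an added example and is not part of the original write-up: it writes a constructed r.bat into a temporary directory (the file contents, paths and passwords are all made up for the demo) and then runs a small scanner that flags script lines carrying inline credentials.

```powershell
# Added example, not from the original write-up. Audits script files for
# lines that look like embedded credentials. Sample file content and the
# directory are constructed for the demo.

$root = Join-Path $env:TEMP 'cred-audit-demo'   # hypothetical directory
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Constructed sample: a batch file that creates accounts with inline passwords.
@'
@echo off
net user app Pa55w0rd-constructed /add
net user administrator Adm1n-constructed
echo done
'@ | Set-Content -Path (Join-Path $root 'r.bat')

# Patterns a defender would flag: account-creation commands with an inline
# password, and generic key=value secrets in any script type.
$patterns = @(
    '^\s*net\s+user\s+\S+\s+\S+',            # net user <name> <password> ...
    '(?i)(password|passwd|pwd)\s*[=:]\s*\S+', # password=... / pwd: ...
    '(?i)-Password\s+\S+'                     # PowerShell -Password <value>
)

function Find-EmbeddedCredential {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.bat,*.cmd,*.ps1,*.vbs |
        Select-String -Pattern $patterns |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

# Expect both "net user" lines from the constructed r.bat to be reported.
Find-EmbeddedCredential -Path $root | Format-Table -AutoSize

Remove-Item -Path $root -Recurse -Force
```

Run the function against a real script share instead of `$root` to get an inventory of files that need their secrets moved out; the regexes are deliberately loose, so treat each hit as a review item rather than a confirmed leak.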
After finding and viewing the r.bat file and getting the two sets of credentials, I navigate back to the web UI. I log in with the first user, app/mesh5143, figuring the Administrator credentials will be used later. Inside the Windows Device Portal I find a Run Command screen and test a few outputs.
I already have nc on the machine, so I attempt a new shell. The shell keeps failing until I realize that, for reasons unknown to me, I am unable to access the Temp folder. I copy my nc over to Public and run it again with success.
User.txt locked with PSCredential
user.txt was locked with PSCredential, which I have run across multiple times in my field. For those that need more information, read the article HERE.
Grabbing the encrypted User.txt
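The reason a PSCredential exported with Export-Clixml is not really a lock is that the SecureString inside it is protected by DPAPI, scoped to the user and machine that wrote it: any code running as that same account gets the plaintext back transparently. The PowerShell below is an added example and is not part of the original write-up; it round-trips a constructed credential through Export-Clixml to show that the file holds no plaintext yet the same user recovers it, and finishes with a check a defender can run to find such exports. The file path and the sample password are assumptions made for the demo.

```powershell
# Added example, not from the original write-up. Shows why a credential stored
# with Export-Clixml is only protected by DPAPI for the same user on the same
# machine. The path and the sample password are constructed.

$path = Join-Path $env:TEMP 'demo-cred.xml'   # hypothetical location

# Store: a constructed credential, the way an admin might "protect" a secret.
$secure = ConvertTo-SecureString 'ConstructedPassw0rd!' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('svc-demo', $secure)
$cred | Export-Clixml -Path $path

# Inspect: the file carries the DPAPI-protected blob, not the plaintext.
$leaksPlaintext = Select-String -Path $path -Pattern 'ConstructedPassw0rd' -Quiet
Write-Output "plaintext visible in file: $leaksPlaintext"   # False on Windows

# Recover: same user, same machine, so DPAPI unwraps it without any secret.
$loaded = Import-Clixml -Path $path
$plain  = $loaded.GetNetworkCredential().Password
if ($plain -ne 'ConstructedPassw0rd!') { throw 'round trip failed' }
Write-Output "recovered as $($loaded.UserName): $plain"

# Defender check: find Clixml exports that contain a PSCredential at all, so the
# secret can be moved into a proper store (a credential vault) instead.
Get-ChildItem -Path $env:TEMP -Filter '*.xml' -File |
    Where-Object {
        Select-String -Path $_.FullName -Pattern 'System.Management.Automation.PSCredential' -Quiet
    } |
    ForEach-Object { Write-Output "PSCredential export found: $($_.FullName)" }

Remove-Item $path
```

The DPAPI protection only holds on Windows PowerShell; on non-Windows PowerShell the SecureString is written without encryption, so the same file there would contain the recoverable value outright. Either way, the takeaway for an operator is that an account which can read the file and run as the owning user can read the credential, which is exactly what happened with the flags on this box.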
After getting user.txt, I did some light enumeration before testing the credentials on the HTTP session. Turns out the process for the user is the same for the Administrator…. lame. I followed the steps above for another session and PSCredential decryption for the Administrator flag. Boo.
Grabbing the encrypted Administrator.txt