HackTheBox Writeup — Omni

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord. This is the first Windows IoT based machine by HackTheBox

The IP of this box is

Running NMAP full port scan on it , we get

We get a lot of Open Ports , the interesting one looks is the port 8080

Checking it into the web browser, we get a basic authentication prompt

Trying default credentials didn't worked out, also we see that the site says “Windows Device Portal”

Since this was a Windows IoT machine, I searched on google about exploiting Windows Device Portal on Windows IoT , I came across a blog which explained about SirepRAT tool which we can use for our benefits here

Here we get the contents of the hosts file on the machine through SirepRAT

To know more about this tool, check the github repo down in the end of this writeup in the References section

In the above, we created a Temp directory in the remote machine

Now we uploaded netcat for windows and then ran a netcat reverse shell and check back the netcat listener on our machine

We got shell, since this is a windows IoT machine, the pattern here are different, we didnt find user flag on the default location, so I searched for it using

We got the location of the user flag, checking the contents we see that its encrypted in Powershell Secure String

Checking for more contents in the directory, we see that there is an iot-admin.xml file

Checking the contents of it, we can see that it is also Powershell Secure String encrypted

When trying to decrypt it, we get an error like below, this might be because the files are owned by some other user,i.e, user app and if you check the documentation of the SirepRAT tool, it tells us we get shell either as NT System or DefaultAccount

Since we have SYSTEM privileges here, we can get the SAM and SYSTEM files so that we can dump it to get the password hashes for the users

We got the files to our local machine and then use impacket’s secretsdump tool to dump the hashes from the files we got

Now we use john to crack the hashes we have

We cracked only one hash from our wordlist and that too for user app, now we use these credentials on the web part where we were prompted for basic authentication

We got in and now checking on the left side and clicking on the Processes options, there is an option to run a command

Since we already uploaded netcat for windows before, we used that again to get a reverse shell and check back our netcat listener

Now we have shell as user app and now we can decode our user flag

Now we move onto getting the user flag

As we remember there was an iot-admin.xml file which was also encrypted as well, we now move onto decrypting that

We have the username as administrator and the password hash

We got password for administrator and now we do the same process which we did before after getting the password for user app and then get reverse shell again and then decrypt the root flag

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store