Hackthebox — Omni Walkthrough
Omni is a retired Windows IoT Core machine on Hack The Box. It covers exploiting the vulnerable Sirep Test Service in the IoT Core OS, achieving remote code execution and receiving a reverse shell on the target host, finding a credential file by enumerating the file system, and eventually getting the user and root flags.
We first run nmap to enumerate open ports and the services running on them; the results show that two ports are open.
-sC: default nmap scripts
-sV: detect service version
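The scan above is read by eye in the post; on a fleet of devices the same question (which hosts expose the Windows Device Portal on TCP/8080, which on IoT Core means developer mode is on) is easier to answer by parsing nmap's grepable output. The following is an added example, not code from the original post or from nmap itself; the scan lines are constructed (192.0.2.10 and 192.0.2.11 are documentation addresses, not the lab host) and the service banners are assumed.

```python
"""Parse nmap grepable (-oG) output and flag hosts exposing Windows Device Portal.

Added example for this walkthrough, not code from the original post or from
nmap. The scan lines below are constructed (192.0.2.x are documentation
addresses, not the lab host) and the banners are assumed.
"""
import re
from typing import Dict, List

# Constructed -oG style output: one Status line and one Ports line per host.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sC -sV -oG scan.gnmap 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 8080/open/tcp//upnp//Microsoft IIS httpd/, "
    "135/open/tcp//msrpc//Microsoft Windows RPC/\tIgnored State: filtered (65533)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/\n"
    "# Nmap done at ...\n"
)

# Each -oG port entry has seven slash-separated fields:
# port/state/protocol/owner/service/rpc_info/version/
PORT_ENTRY = re.compile(
    r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/[^/]*/"
    r"(?P<service>[^/]*)/[^/]*/(?P<version>[^/]*)/"
)


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Return {host: [port records]} from grepable nmap output."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        addr = line.split()[1]
        # The Ports field ends at the next tab-separated field (Ignored State).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_ENTRY.finditer(ports_field):
            hosts.setdefault(addr, []).append({
                "port": int(m["port"]),
                "state": m["state"],
                "proto": m["proto"],
                "service": m["service"],
                "version": m["version"],
            })
    return hosts


DEVICE_PORTAL_PORT = 8080  # Windows Device Portal default port on IoT Core


def device_portal_exposures(hosts: Dict[str, List[dict]]) -> List[str]:
    """Hosts with TCP/8080 open: Device Portal reachable, developer mode enabled."""
    return sorted(
        addr for addr, ports in hosts.items()
        if any(p["port"] == DEVICE_PORTAL_PORT and p["proto"] == "tcp"
               and p["state"] == "open" for p in ports)
    )


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for addr in device_portal_exposures(parsed):
        print(f"{addr}: Windows Device Portal exposed on TCP/{DEVICE_PORTAL_PORT}")
```

Run it against a real `-oG` file by replacing `SAMPLE_GNMAP` with the file contents; any host it reports should either have Device Portal disabled or at least have its default credentials changed, which is exactly the check this walkthrough goes on to perform manually.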
Add the domain to the /etc/hosts file.
We start off by enumerating HTTP.
An authentication pop-up appears. It asks us for credentials to continue.
We do not have any credentials. What is Windows Device Portal? Let’s google it.
The web page gives us some information: we understand that it is related to Windows 10 IoT Core.
The web page also shows that the portal uses port 8080, which means developer mode is enabled by default.
https://docs.microsoft.com/en-us/windows/uwp/debug-test-perf/device-portal
Note the default credentials.
The default credentials do not work.
We search for exploits related to Windows IoT Core.
SirepRAT is a tool that allows us to exploit a Windows IoT Core target. What it simply does is dump the SAM and copy the SYSTEM registry files.
Clone the repository.
We install the required modules so that the exploit works properly.
First, let’s see how it works by typing “-help”.
These are the available commands we can use.
Here is the plan. We will establish a reverse shell using PowerShell. To do so, we first upload netcat to the target machine. Then we run the netcat reverse shell command through SirepRAT and, if everything goes well, it sends us a connection while we are waiting in listening mode.
We use the 64-bit netcat. (The 32-bit netcat did not work on the first attempt.)
Start a simple Python web server in the directory netcat is in.
This command uploads the nc64.exe file to the directory specified below.
Set up a listener to receive the reverse shell.
We run the command to receive the reverse shell.
Perfect! We get a shell.
Who are we on this Windows machine? #whoami
Let’s check the root.txt file.
Here we try to decrypt both root.txt and user.txt, but we fail because the user omni has low privileges.
We enumerate the directories one by one, looking for interesting information.
Well, a bat file might be interesting for us. Let’s check its contents.
Cool! We get the credentials. Let’s use them one by one on the web application (omni.htb:8080).
First, we log in as user app.
And we have a command prompt to run commands. What is the next step? Yes! Let’s try to get a reverse shell.
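The credentials that unlock the rest of this box were sitting in plain text in a batch file on the device. A provisioning script that creates accounts or sets passwords is a common place for this to happen, and it is cheap to detect before the device ships. The following is an added example, not code from the original post: a small scanner for credential-bearing lines in Windows batch scripts that reports findings with the secret redacted. The r.bat content is constructed; the account names and passwords are placeholders, not the values found on the lab machine.

```python
"""Scan Windows batch scripts for hardcoded credentials and report them redacted.

Added example for this walkthrough, not code from the original post. The r.bat
content below is constructed: the account names and passwords are placeholders,
not the values found on the lab machine.
"""
import re
from typing import List, NamedTuple

# Constructed sample resembling a provisioning script left on a device.
SAMPLE_R_BAT = r"""@echo off
rem constructed sample, placeholder values only
net user app Example-Pa55w0rd-1 /add
net localgroup administrators app /add
set PORTAL_PASSWORD=Example-Pa55w0rd-2
powershell -c "$p = ConvertTo-SecureString 'Example-Pa55w0rd-3' -AsPlainText -Force"
echo done
"""


class Finding(NamedTuple):
    line_no: int
    rule: str
    evidence: str  # the offending line with the secret replaced


# Each rule: (name, compiled regex with a named group 'secret').
RULES = [
    # `net user NAME PASSWORD /add` creates an account with a plaintext password
    ("net-user-password", re.compile(
        r"^\s*net\s+user\s+\S+\s+(?P<secret>\S+)", re.IGNORECASE)),
    # `set SOMETHING_PASSWORD=value` style environment assignments
    ("env-password-assignment", re.compile(
        r"^\s*set\s+\w*(pass|pwd|secret|token)\w*\s*=\s*(?P<secret>\S+)",
        re.IGNORECASE)),
    # PowerShell SecureString built from a string literal in the script itself
    ("securestring-plaintext", re.compile(
        r"ConvertTo-SecureString\s+['\"](?P<secret>[^'\"]+)['\"]", re.IGNORECASE)),
]


def redact(line: str, secret: str) -> str:
    """Keep the context of the line but never echo the secret into a report."""
    return line.replace(secret, "<REDACTED>")


def scan_batch(text: str) -> List[Finding]:
    """Return one Finding per credential-bearing line, secrets redacted."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m is None:
                continue
            secret = m.group("secret")
            # `net user NAME /add` with no password captures the switch instead
            if secret.startswith("/"):
                continue
            findings.append(Finding(no, name, redact(line.strip(), secret)))
            break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_batch(SAMPLE_R_BAT):
        print(f"line {f.line_no}: {f.rule}: {f.evidence}")
```

The rules are deliberately narrow (they target the three idioms in the sample) so the report stays readable; in practice you would extend `RULES` with the idioms your own build scripts use and run the scanner over the image before it is flashed.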
We set up a listener on port 6767.
Run the command.
And we have another shell as user app.
We are user app. That means we might be able to decrypt the encrypted content of the user.txt file. To do so, we execute the following commands.
We successfully get the decrypted user.txt flag.
We need to escalate privileges again in order to view the root.txt flag. But wait a second! What if we, as user app, can decrypt the encrypted content of root.txt? Let’s give it a try.
We could not decrypt the root.txt file. We need to be the administrator user. To do so, we use the other credentials that we got from the r.bat file.
We apply the same process as before.
Set up a listener to receive the reverse shell.
Same command in the web application command prompt. Just remember: we are now logged in as the administrator user.
And here we are as administrator.
We apply the same decryption process for the root.txt file.
We successfully view the decrypted root.txt file after executing the following command.
Thank you for your time.
Originally published at https://atalaysblog.wordpress.com on January 9, 2021.