Omni HTB

Updated: November 3, 2021

User

First, I start by scanning the IP using nmap.

nmap

Two ports are found: port 135 (RPC) and port 8080 (IIS).

IIS

Visiting port 8080, I see a web server, but I am unable to get anything back because it requires a username/password via basic authentication.

basicauth

I don’t know the password. I search for “Windows Device Portal” and I find a tool, SirepRAT, which can exploit a service, thus giving me code execution.
I download and install the requirements.

sireraptool

I download n64.exe on the target machine and then I execute a reverse shell on my machine.

shell

Searching around, I found some credentials inside C:\Program Files\WindowsPowershell\Modules\PackageManagement. The file was hidden, so I had to use dir -Force, which is a good idea to do when trying to list files.

credentials
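The same check from the defender's side, as an added example that is not part of the original write-up: a PowerShell audit that lists hidden files under a directory and reports which ones contain credential-like text. The function name, the patterns and the sample file are assumptions made for illustration; the default path is the one named above.

```powershell
# Added example: report hidden files that contain credential-like text.
# Find-HiddenCredentialFile and its patterns are hypothetical, not from the write-up.
function Find-HiddenCredentialFile {
    [CmdletBinding()]
    param(
        [string]$Root = 'C:\Program Files\WindowsPowershell\Modules\PackageManagement',
        [string[]]$Pattern = @(
            'net\s+user\s+\S+\s+\S+',                   # account set up with an inline password
            'password\s*[:=]\s*\S+',                    # key=value style secrets
            'ConvertTo-SecureString\s+.*-AsPlainText'   # plaintext wrapped as a SecureString
        ),
        [long]$MaxBytes = 1MB                           # skip large files
    )

    # -Attributes Hidden returns only hidden files; a plain listing would not show them.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Attributes Hidden -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxBytes } |
        ForEach-Object {
            $file = $_
            $hits = Select-String -LiteralPath $file.FullName -Pattern $Pattern -ErrorAction SilentlyContinue
            foreach ($hit in $hits) {
                # Report where the match is, not the matched text, so the
                # audit output does not become a second copy of the secret.
                [pscustomobject]@{
                    Path      = $file.FullName
                    Line      = $hit.LineNumber
                    Rule      = $hit.Pattern
                    LastWrite = $file.LastWriteTimeUtc
                }
            }
        }
}

# Constructed sample: a hidden batch file holding a made-up account and password.
$demo = Join-Path $env:TEMP 'hidden-cred-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$sample = Join-Path $demo 'setup.bat'
Set-Content -LiteralPath $sample -Value 'net user exampleuser ExamplePassw0rd!'
(Get-Item -LiteralPath $sample).Attributes = 'Hidden'

Find-HiddenCredentialFile -Root $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Run against the constructed sample, it reports one hit on line 1 of setup.bat for the net user rule.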

I use the first set of credentials on port 8080.

successlogin

Under Processes I can execute commands. I use the previously downloaded nc.exe and get another reverse shell.

commandexec

This time I am user app.

userapp

I couldn’t find my directory under Users. I listed all the drives on the machine.

drives

D: is not accessible because it does not exist. I enter U: and, under Users, I find the app user's directory and user.txt.

encrypteduser txt

The flag is encrypted using PowerShell. We execute the following commands and decrypt it.

usertxt

Root

Root is the same as user. We use the credentials we found earlier inside C:\Program Files\WindowsPowershell\Modules\PackageManagement to log in to the control panel on port 8000. Then, under Processes, I execute a reverse shell on my box, which gives me a shell as the administrator user. The root.txt file is encrypted with the same method as user.txt. Executing the same decryption commands as I did with user.txt, I get the root.txt flag unencrypted.