To solve this machine, we begin by enumerating exposed services and find ports 135, 5985, 8080, 29817, 29819 and 29820 open. None of these provides a clear path forward on its own, so we research "windows iot vulnerability" and find an exploit for the Sirep/WPCon communications protocol, the unauthenticated test service behind the unrecognized high ports. Using the exploit script provided, we obtain RCE as SYSTEM, upload netcat and catch a reverse shell. From that shell we save the SAM, SECURITY and SYSTEM hives and crack the local account hashes offline. The recovered password for the app user does not work over WinRM, but it does log us into the Windows Device Portal on port 8080, whose Run Command feature gives us a reverse shell as app. In app's home directory we find user.txt, which turns out to be an encrypted PSCredential export; we decrypt it on the box as app and grab the flag. Alongside it sits iot-admin.xml, encrypted the same way. We decrypt it as before, use the Administrator credentials it contains to log into the Device Portal again and launch another reverse shell. That shell runs as Administrator, so we can decrypt root.txt and grab the final flag.
Like all machines, we begin by enumerating open services, finding ports 135, 5985, 8080, 29817, 29819 and 29820 open.
$ nmap -v -p- --min-rate 3000 $RHOST
$ nmap -Pn -A -oA scans/nmap/tcp-scripts -p 135,8080,29817,29820,5985,29819 10.129.2.33
# Nmap 7.80 scan initiated Sat Aug 22 14:03:36 2020 as: nmap -Pn -A -oA scans/nmap/tcp-scripts -p 135,8080,29817,29820,5985,29819 10.129.2.33
Nmap scan report for 10.129.2.33
Host is up (0.040s latency).

PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.80%I=7%D=8/22%Time=5F416C0F%P=x86_64-pc-linux-gnu%r(N
SF:ULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"
SF:\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x0
SF:4G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\x
SF:c9}\xc8O\x12");
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 22 14:04:49 2020 -- 1 IP address (1 host up) scanned in 73.17 seconds
Looking at the web service on port 8080, we see that it requires HTTP Basic authentication (realm "Windows Device Portal"), for which we have no credentials. WinRM, running on port 5985, also requires credentials, so we take a look at RPC on port 135; anonymous authentication is denied. We do not recognize the remaining three ports as common services (nmap's "arcserve" label on 29819 is only a fingerprint guess), so we next search Google for "windows iot vulnerability".
Researching vulnerabilities in Windows IoT, we find this article. Essentially, it reports that a researcher found a vulnerability in the Sirep/WPCon protocol, the test-service protocol that listens on the unrecognized high ports, and links to his GitHub with a working exploit. The service accepts commands without any authentication, which is why a single script is enough for RCE. Using the exploit script, we do some basic enumeration to see who we are and where we can potentially upload a reverse shell.
For a reverse shell, we upload netcat to the DefaultAccount's Documents directory and start a netcat listener on our machine to receive it. Once we have the reverse shell, we check who we are running as: in our case the machine account, i.e. the shell runs as SYSTEM.
Since we are on the machine as SYSTEM, we can dump credentials by saving the registry hives that hold the local account hashes, using this article as a guide.
U:\Users\System\Documents> reg.exe save hklm\sam U:\Users\DefaultAccount\Documents\SAM
U:\Users\System\Documents> reg.exe save hklm\security U:\Users\DefaultAccount\Documents\SECURITY
U:\Users\System\Documents> reg.exe save hklm\system U:\Users\DefaultAccount\Documents\SYSTEM
Next, we copy the three hives over to our local machine so we can crack them offline. Impacket's secretsdump.py extracts the NT hashes from the registry files (the SYSTEM hive supplies the boot key needed to decrypt the SAM), and hashcat cracks them. With the hashes cracked, we now have the password for the app user.
We try the credentials with WinRM, but they do not work. Next, we try them on the Windows Device Portal (port 8080). They let us log in, and looking around we find a virtual terminal at Processes -> Run Command. This lets us run commands on the machine as the app user, so we will use it to get a reverse shell. Since we uploaded netcat to a folder app cannot access, we use our SYSTEM shell to copy it to C:\Windows\Temp and then use icacls to grant everyone execute permission on it. Once copied and given the proper permissions, we use the web terminal to get a reverse shell as the app user. In app's home directory, U:\Users\app, we see user.txt. When we try to read it, we find it is an XML file: a PowerShell PSCredential object, serialized with Export-CliXml, for the username "flag".
After searching for "pscredential file", we find an article that demonstrates how to decrypt such an object. Following the example under "Credentials", we decrypt the file and get the user flag. Because the password field is protected with DPAPI for the account that exported it, this has to be done on the box in a shell running as app; the blob is of no use copied to our attacking machine.
Looking in the same directory as user.txt, we also see iot-admin.xml. Reading it, it appears to be the same format as user.txt, but holding the credentials for Administrator. Using the same method as for the user flag, we decrypt the file and recover Administrator's credentials.
Using them, we log into the Windows Device Portal and, as we did for app, get a reverse shell, this time as Administrator. Going to Administrator's home directory, we see root.txt, but like the previous files it is an encrypted PSCredential export. Decrypting it as we did the others, now as Administrator, we get the flag.
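The three protected files (user.txt, iot-admin.xml and root.txt) share one format, a PSCredential written by Export-CliXml. The following is an added example, not code from the write-up or from the article it follows: a Python parser for that CliXml layout that pulls out the UserName and the SecureString blob and checks for the DPAPI header, so you know before wasting time offline that the password can only be recovered on the target, as the exporting user, with the standard `(Import-CliXml <file>).GetNetworkCredential().Password`. The sample document is constructed: its SecureString is the real DPAPI header followed by filler bytes and decrypts nowhere.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional

# Added example for this write-up; not code from the original post.  Inspects
# a PSCredential that PowerShell wrote with Export-CliXml and reports whether
# the password blob is DPAPI-protected (decryptable only on the machine, as
# the user who exported it) or keyed AES (ConvertFrom-SecureString -Key).

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"

# A DPAPI blob starts with dwVersion = 1 followed by the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in its on-disk byte order.  This is
# what ConvertFrom-SecureString emits (hex-encoded) when no -Key is given.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample.  The UserName matches the page's description of
# user.txt; the SecureString is the real DPAPI header plus filler bytes.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb00010203</SS>
    </Props>
  </Obj>
</Objs>
"""


class ExportedCredential(NamedTuple):
    username: str
    blob: Optional[bytes]   # decoded SecureString, None if it was not hex
    dpapi_protected: bool


def parse_pscredential(xml_text: str) -> ExportedCredential:
    """Pull UserName and the protected Password out of a CliXml PSCredential."""
    root = ET.fromstring(xml_text)
    ns = {"ps": PS_NS}
    type_names = [t.text for t in root.findall(".//ps:TN/ps:T", ns)]
    if "System.Management.Automation.PSCredential" not in type_names:
        raise ValueError("CliXml document is not a PSCredential")
    user = root.find(".//ps:Props/ps:S[@N='UserName']", ns)
    secret = root.find(".//ps:Props/ps:SS[@N='Password']", ns)
    if user is None or secret is None or not secret.text:
        raise ValueError("PSCredential is missing UserName or Password")
    try:
        blob = bytes.fromhex(secret.text.strip())
    except ValueError:
        # ConvertFrom-SecureString -Key / -SecureKey writes a non-hex,
        # AES-encrypted form; that one needs the key, DPAPI will not help.
        blob = None
    return ExportedCredential(
        username=user.text or "",
        blob=blob,
        dpapi_protected=blob is not None and blob.startswith(DPAPI_HEADER),
    )


def next_step(cred: ExportedCredential) -> str:
    """Where the password can actually be recovered."""
    if cred.dpapi_protected:
        return ("DPAPI: on the target, as the user who exported it, run "
                "(Import-CliXml <file>).GetNetworkCredential().Password")
    if cred.blob is None:
        return "AES (-Key/-SecureKey): recover the key material, DPAPI will not help"
    return "hex but not a DPAPI blob: inspect manually"


if __name__ == "__main__":
    c = parse_pscredential(SAMPLE_CLIXML)
    print(c.username, next_step(c))
```

The DPAPI check is the practical point: on this box the flag files had to be decrypted in the shell running as app or Administrator respectively, and the hex blob alone is not crackable the way the SAM hashes were.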
Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!