Hack The Box: Omni

Jump Ahead: EnumInitial AccessUserRootResources


To solve this machine, we begin by enumerating exposed services – finding ports 135, 8080, 29817, 29820, 5985, and 29819 open. None of these provided a clear path forward, so we did some research around “windows iot vulnerability” and found an exploit for the Sirep/WPCon communications protocol. Using the exploit script provided, we are able to obtain RCE as the system account. Using the RCE exploit, we are able to extract the files needed to crack the account hashes. Next, we upload netcat to the machine, to obtain a reverse shell. Then, we log into the web application hosted on port 8080 and execute our reverse shell – gaining access to the machine as the app user. We find user.txt, however, it is encrypted. We are able to decrypt it, and grab the flag. In app‘s home directory, we see iot-admin.xml, which is also encrypted. Like before, we decrypt it, and use the credentials to log into the web application and launch a reverse shell. As the reverse shell is owned by Administrator we are able to root.txt.


Like all machines, we begin by enumerating open services – finding ports 135, 8080, 29817, 29820, 5985, and 29819 open.

$ nmap -v -p- --min-rate 3000 $RHOST
$ nmap -Pn -A -oA scans/nmap/tcp-scripts -p 135,8080,29817,29820,5985,29819

# Nmap 7.80 scan initiated Sat Aug 22 14:03:36 2020 as: nmap -Pn -A -oA scans/nmap/tcp-scripts -p 135,8080,29817,29820,5985,29819
Nmap scan report for
Host is up (0.040s latency).

135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 22 14:04:49 2020 -- 1 IP address (1 host up) scanned in 73.17 seconds

Looking at the webservice on port 8080, we see that it requires HTTP authentication – which we do not have credentials for. WinRM, which is running on port 5985, also requires credentials to use, so we decide to take a look at RPC on port 135. Trying to use anonymous authentication, we are denied access. As we do not recognize the other ports as common services, we next search Google for “windows iot vulnerability”.

Initial access

Researching for vulnerabilities in Windows IOT, we find this article. Essentially, it states a researcher found a vulnerability in the Sirep/WPCon protocol, and links to his GitHub with a working exploit. Using the exploit script, we do some basic enumeration to see who we are, and where can can potentially upload a reverse shell.

For a reverse shell, we upload netcat to the DefaultAccount‘s Document directory. To receive the reverse shell, we start a netcat listener on our machine. Once we have the reverse shell, we check who we are running as – in our case, we are the machine.

Getting User

Since we are on the machine as the system, we can dump credentials – using this article as a guide.

U:\Users\System\Documents> reg.exe save hklm\sam U:\Users\DefaultAccount\Documents\SAM
U:\Users\System\Documents> reg.exe save hklm\security U:\Users\DefaultAccount\Documents\SECURITY
U:\Users\System\Documents> reg.exe save hklm\system U:\Users\DefaultAccount\Documents\SYSTEM

Next, we copy them over to our local machine, so we can crack them.

Next, we use Impacket’s secretsdump.py to convert the the registry files to password hashes, and then use hashcat to crack them. After we’ve cracked the hashes, we now have the password for the app account.

We try to use the credentials with WinRM, however, they do not work. Next, we try them on the Windows Device Portal (port 8080). Credentials allow us to log in, and we look around and find a virtual terminal at Processes->Run Command. This should allow us to run commands on the machine as the app user, so we will use it to get a reverse shell. Since we uploaded netcat to a folder app won’t be able to access, we use our system shell to copy it to C:\Windows\Temp. Next, we use icacls to give everyone execution permissions on it. Once copied and given proper permissions, we can now use our web terminal to get a reverse shell as the app user.

Going to U:\Users\app, we are able to see user.txt. When we try to read it, we see that it is a XML file of a PowerShell Credential object for the username “flag”.

After Googling “pscredential file”, we find an article that demonstrates how to decrypt the object. Following the example under “Credentials”, we are able to decrypt the file, and get the flag for user.txt.

Getting Root

Looking in the same directory we found user.txt, we also see iot-admin.xml. Reading it, it appears the be the same format as user.txt, but the credentials for Administrator.

Using the same method as we did for getting the user flag, we decrypt the file and get the credentials for Administrator.

Using them, we log into the the Windows Device Portal, and as we did for app, get a reverse shell as Administrator. Going to Administrator‘s home directory, we see root.txt, but like the previous files, it is encrypted. Decrypting it as we did the others, we get the flag.

Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!