Omni An easy box
User
First I start by scanning the IP using nmap.
Two ports are found: port 135 (RPC) and port 8080 (IIS).
IIS
Visiting port 8080, I see a web server, but I am unable to get anything back because it requires a username/password via basic authentication.
I don’t know the password. I search for “Windows Device Portal” and find a tool, SirepRAT, which can exploit a service, thus giving me code execution.
I download it and install the requirements.
I download n64.exe to the target machine and then execute a reverse shell back to my machine.
Searching around, I found some credentials inside C:\Program Files\WindowsPowershell\Modules\PackageManagement. The file was hidden, so I had to use dir -Force, which is a good idea to do when trying to list files.
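The same listing works as a defensive audit for credentials left in hidden files. The PowerShell below is an added example, not part of the original write-up; the function name, the search patterns and the sample file are constructed for illustration, and it assumes a Windows host.

```powershell
# Added example: report hidden files under a directory tree that contain
# credential-like strings. Patterns are constructed; tune them for your estate.
function Find-HiddenCredentialFile {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [string[]] $Pattern = @('password\s*[:=]',
                                'net\s+user\s+\S+\s+\S+',
                                'ConvertTo-SecureString')
    )
    # -Force makes Get-ChildItem return hidden and system items,
    # which a plain listing silently omits.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            $hits = Select-String -LiteralPath $_.FullName -Pattern $Pattern `
                                  -ErrorAction SilentlyContinue
            if ($hits) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    MatchingLines = ($hits.LineNumber | Sort-Object -Unique) -join ','
                    LastWriteTime = $_.LastWriteTime
                }
            }
        }
}

# --- Constructed demo: one hidden file with a planted credential, one clean file ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ("hidden-audit-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null

$planted = Join-Path $demo 'setup.bat'          # constructed file name
Set-Content -LiteralPath $planted -Value 'net user exampleuser ExamplePass123 /add'
$item = Get-Item -LiteralPath $planted -Force
$item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden

Set-Content -LiteralPath (Join-Path $demo 'readme.txt') -Value 'nothing sensitive here'

# Only the hidden file with the planted credential is reported.
Find-HiddenCredentialFile -Root $demo | Format-List

Remove-Item -LiteralPath $demo -Recurse -Force
```

Running the function against application and module directories from each service account's context shows which hidden credential files that account can actually read.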
I use the first set of credentials on port 8080.
Under Processes I can execute commands. I use the previously downloaded nc.exe and get another reverse shell;
this time I am user app.
I couldn’t find my directory under Users, so I listed all the drives on the machine. D: is not accessible because it does not exist. I enter U: and find, under Users, the app user's directory and user.txt.
The flag is encrypted using PowerShell. We execute the following commands and decrypt it.
Root
Root is the same as user: we use the credentials we found earlier inside C:\Program Files\WindowsPowershell\Modules\PackageManagement to log in to the control panel on port 8000. Then, under Processes, I execute a reverse shell to my box, which gives me a shell as the administrator user. The root.txt file is encrypted with the same method as user.txt. Executing the same decryption commands as I did with user.txt, I get the root.txt flag unencrypted.