Hackthebox — Omni

Summary

Today we have another machine is retired with IP 10.10.10.204

Enumeration

Nmap

We can see various ports open, if we go to the 8080 with the browser, we come across a login / pass request that we do not have
We can guess that we are on an IoT box.
Let’s take a look on SirepRAT exploit and download it
https://github.com/SafeBreach-Labs/SirepRAT

After download, We need to upload nc64.exe to get reverse shell, So launch a Simple python server

Let’s take a reverse shell

We are omni now, But we didn’t have user flag

Let’s do some enumeration

Let’s cat the r.bat file

We found 2 credentials that we can use to login on port 8080 on browser, So Let’s login with the first credentials app:mesh5143

After login found Run command page that we can use to get reverse shell to app

We are app now

We can now read user.txt but the contents inside looks to be encrypted.
Let’s decrypt it

Gain user flag!

Privilege Escalation

Let’s use another credentials administrator:_1nt3rn37ofTh1nGz to a reverse shell as administrator

Gain root flag!

If u learn any thing useful from write up, Respect me on HackTheBox

THX for ur time!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmed Samir

Ahmed Samir

CTFer | Computer Science Student