HackTheBox — Omni
Summary
Today we have another retired machine, with IP 10.10.10.204.
Enumeration
Nmap
We can see various ports open. If we go to port 8080 with the browser, we come across a login/password prompt for which we do not have credentials.
We can guess that we are on an IoT box.
Let’s take a look at the SirepRAT exploit and download it:
https://github.com/SafeBreach-Labs/SirepRAT
After downloading it, we need to upload nc64.exe to get a reverse shell, so launch a simple Python server.
Let’s get a reverse shell.
We are omni now, but we don’t have the user flag yet.
Let’s do some enumeration
Let’s cat the r.bat file
We found 2 credentials that we can use to log in on port 8080 in the browser, so let’s log in with the first credentials, app:mesh5143.
After logging in, we find a Run command page that we can use to get a reverse shell as app.
We are app now
We can now read user.txt, but the contents look to be encrypted.
Let’s decrypt it
We gain the user flag!
Privilege Escalation
Let’s use the other credentials, administrator:_1nt3rn37ofTh1nGz, to get a reverse shell as administrator.
We gain the root flag!
If you learned anything useful from this write-up, respect me on HackTheBox.