Hack the Box [HTB] machines walkthrough CTF series — Omni

Hack the Box (HTB) is an excellent platform that hosts machines belonging to multiple operating systems. Individuals have to solve the puzzle (simple enumeration plus a pentest) to log in to the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Omni, is retired.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

Here are the first steps to take:

1. Download the VPN pack for the individual user and use the guidelines to log in to the HTB VPN
2. The Omni machine IP is 10.10.10.204
3. We will adopt the usual methodology of performing penetration testing. We will begin with enumeration to gain as much information on the machine as possible
4. Let's start with the nmap scan to gather more information about the services running on this machine [CLICK IMAGES TO ENLARGE]

   <<nmap -sC -sV -oA Omni 10.10.10.204>>

   

5. Begin the enumeration on the ports found above.
6. Below is the authentication prompt that pops up when the portal is accessed over 8080.
7. It says “Windows device portal.” Searching for it found this link, which has an exploit for it.
8. Using it and executing as shown below shows that the device portal is vulnerable.
9. Modify the execution this time to first upload the nc utility, and then execute it to spawn a reverse PowerShell.
10. We get the reverse shell as can be seen below.
11. Looking at the drives, we can see that there are multiple. Looking at U:, we see user.txt but it is encrypted.

    

    

    
12. By further enumerating the systems, we find an interesting r.bat file.
13. Looking into it, we can see an administrator password.
14. Using it, we can log in to the portal discovered initially.
15. Here, we can run command to spawn reverse shells.
16. We get the system shell back and we can check the root.txt flag, which also is encrypted.
17. Using the admin recovered password and OS creds, we can decrypt the root flag as well.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

This was an interesting machine simply because I have not worked on a device portal previously. Also, there was a lot of enumeration required to find r.bat.

We will continue this series with more HTB machines.