Capture the flag (CTF)

Hack the Box [HTB] machines walkthrough CTF series — Omni

Security Ninja
March 1, 2021 by
Security Ninja

Hack the Box (HTB) is an excellent platform that hosts machines belonging to multiple operating systems. Individuals have to solve the puzzle (simple enumeration plus a pentest) to log in to the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Omni, is retired.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Here are the first steps to take:

  1. Download the VPN pack for the individual user and use the guidelines to log in to the HTB VPN
  2. The Omni machine IP is
  3. We will adopt the usual methodology of performing penetration testing. We will begin with enumeration to gain as much information on the machine as possible
  4. Let's start with the nmap scan to gather more information about the services running on this machine [CLICK IMAGES TO ENLARGE]

    <<nmap -sC -sV -oA Omni>>

  5. Begin the enumeration on the ports found above.
  6. Below is the authentication prompt that pops up when the portal is accessed over 8080.
  7. It says “Windows device portal.” Searching for it found this link, which has an exploit for it.
  8. Using it and executing as shown below shows that the device portal is vulnerable.
  9. Modify the execution this time to first upload the nc utility, and then execute it to spawn a reverse PowerShell.
  10. We get the reverse shell as can be seen below.
  11. Looking at the drives, we can see that there are multiple. Looking at U:, we see user.txt but it is encrypted.

  12. By further enumerating the systems, we find an interesting r.bat file.
  13. Looking into it, we can see an administrator password.
  14. Using it, we can log in to the portal discovered initially.
  15. Here, we can run command to spawn reverse shells.
  16. We get the system shell back and we can check the root.txt flag, which also is encrypted.
  17. Using the admin recovered password and OS creds, we can decrypt the root flag as well.

Enjoy CTFs? Take our challenge!

Enjoy CTFs? Take our challenge!

Test your hands-on skills, earn bragging rights and win your share of $1,000+ in prizes. Do you accept the challenge?

This was an interesting machine simply because I have not worked on a device portal previously. Also, there was a lot of enumeration required to find r.bat.

We will continue this series with more HTB machines.

Security Ninja
Security Ninja

THE PLANETS EARTH: CTF walkthrough, part 1

EMPIRE BREAKOUT: VulnHub CTF walkthrough

JANGOW: 1.0.1: CTF walkthrough