SILO
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Silo, which is a retired machine from the Hack the Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Silo's IP is 10.10.10.82:

- Scanning with Nmap:

- So we have a Windows machine running an Oracle database listening on ports 1521 and 49161, and also IIS on port 80.
- Metasploit's sid_brute module helps to bruteforce the Oracle SIDs needed to connect to the database:

- The ODAT (Oracle Database Attacking Tool) yields a similar result when guessing the SIDs:
https://github.com/quentinhardy/odat
- Throughout this exercise I will be using the standalone version of ODAT.
https://github.com/quentinhardy/odat/releases/

- Also, we know that Oracle's default credentials are scott:tiger, as explained here:
http://www.orafaq.com/wiki/SCOTT
http://www.dba-oracle.com/t_oracle_scott_tiger_user.htm

3 - EXPLOITATION
- Msfvenom helps to create an .aspx backdoor:


- ODAT uploads backdoor.aspx to Silo's web root directory:

- Starting a listening session:

- Running backdoor.aspx from the browser:

- The consequence is a low privileged Meterpreter session:

- Also, we can spawn a shell:

- In the Desktop folder of the user Phineas there are two interesting files: user.txt and Oracle issue.txt:

4 - CAPTURING THE 1st FLAG
- Reading user.txt:

5 - PRIVILEGE ESCALATION
- There are different ways of getting a remote root shell; let's see two of them.
5.1 - Uploading and running a backdoor with Odat
- Let's create now an executable backdoor.exe with Msfvenom:


- Copying backdoor.exe to Odat's working directory:

- Odat's utlfile --putFile option uploads the executable to Silo's C:/ drive:

- Setting a listening session:

- Running backdoor.exe with Odat's option externaltable --exec:

- Once backdoor.exe is executed we get a root Meterpreter session:

5.2 - Pass The Hash (PTH)
- First, we need to get the credential hashes with Volatility.
- Reading the text file Oracle issue.txt, we find a link to Dropbox and an associated password:

- However, the first character of the password still needs to be found:

- Backgrounding the shell and going back to the Meterpreter session, we can download the Oracle issue.txt text file to Kali:

- Opening it with gedit, the 1st character of the password is now clear:


- Using the password we get access to the Dropbox link:


- We find a memory dump for Silo:

- Saving the file:

- Unzipping twice:


- Finally we get a .dmp file:


- The forensics tool Volatility can help to read the dump's content:
https://www.volatilityfoundation.org/
- Some options for Volatility:



- Getting virtual addresses for some files:

- Actually, the addresses of SYSTEM and SAM are of greatest interest to us:


- Hashdumping to a text file:

- Finally, we can read the hashes for 3 of the users: Administrator, Guest and Phineas:

- Pass The Hash (PTH) is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash of a user's password, instead of requiring the associated plaintext password as is normally the case.

- We will use Pass The Hash (PTH) in two ways, first using the Metasploit module psexec, second using pth-winexe:
5.2.1 - Pass the Hash (PTH) with Metasploit psexec
- The psexec module can be used to obtain access to a given system when credentials such as a username and password hash are known:
https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/
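- As an added defensive example (not part of the original writeup), the following Python script shows the trace a psexec-style pass-the-hash session leaves on the target: a remote NTLM logon (Security event 4624, logon type 3) followed within seconds by a service installation (System event 7045). The event records, usernames, IP addresses and service names are constructed sample data, not logs from Silo.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the real Silo box): Security-log 4624
# logons and System-log 7045 service installs, reduced to the fields used here.
EVENTS = [
    {"time": "2018-05-01T10:00:00", "id": 4624, "user": "Phineas",
     "src": "10.10.14.5", "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    {"time": "2018-05-01T10:00:02", "id": 7045, "service": "hUqLkZbN",
     "image": r"%SystemRoot%\hUqLkZbN.exe"},
    {"time": "2018-05-01T11:00:00", "id": 4624, "user": "svc_backup",
     "src": "10.10.10.20", "logon_type": 3, "auth_pkg": "Kerberos", "logon_proc": "Kerberos"},
    {"time": "2018-05-01T11:30:00", "id": 7045, "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]

def is_ntlm_network_logon(ev):
    """4624 with logon type 3 authenticated by NTLM (NtLmSsp): this is how a
    remote logon that presented only a password hash shows up on the target."""
    return (ev["id"] == 4624 and ev["logon_type"] == 3
            and ev["auth_pkg"] == "NTLM" and ev["logon_proc"] == "NtLmSsp")

def find_pth_psexec(events, window_seconds=60):
    """Pair each NTLM network logon with a 7045 service install that follows it
    within the window; psexec-style tools register a service on the target right
    after authenticating. Returns (user, source_ip, service_name) tuples."""
    parse = lambda ev: datetime.fromisoformat(ev["time"])
    events = sorted(events, key=parse)
    hits = []
    for i, ev in enumerate(events):
        if not is_ntlm_network_logon(ev):
            continue
        deadline = parse(ev) + timedelta(seconds=window_seconds)
        for later in events[i + 1:]:
            if parse(later) > deadline:
                break  # events are sorted, nothing later can be in the window
            if later["id"] == 7045:
                hits.append((ev["user"], ev["src"], later["service"]))
    return hits

if __name__ == "__main__":
    for user, src, svc in find_pth_psexec(EVENTS):
        print(f"possible pass-the-hash + psexec: {user} from {src} installed service {svc}")
```

The Kerberos logon in the sample is left alone on purpose: the heuristic only pairs NTLM network logons with a service install, so legitimate domain logons followed by routine service changes do not fire.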

5.2.2 - Pass the Hash (PTH) with pth-winexe
- pth-winexe is a patched version of winexe that can be used to get a remote shell by just providing the username and the hash of the password, so no cleartext password is needed:
https://www.whitelist1.com/2017/10/pass-hash-pth-attack-with-pth-winexe.html

- Also, passing the username and hashed password on the command line:

6 - CAPTURING THE 2nd FLAG
- Reading root.txt:
