Sunday, March 31, 2019

Silo

SILO

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Silo, which is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu

2 - ENUMERATION

- Silo's IP is 10.10.10.82:





- Scanning with Nmap:

- So we have a Windows machine running an Oracle database listening on ports 1521 and 49161, and also IIS on port 80.

- Metasploit's sid_brute module helps brute-force the Oracle SIDs so that we can connect to the database:





- The ODAT (Oracle Database Attacking Tool) yields a similar result when guessing the SIDs:

https://github.com/quentinhardy/odat

- Throughout this exercise I will be using the standalone version of ODAT:

https://github.com/quentinhardy/odat/releases/

- Also, we know that Oracle's default credentials are scott:tiger, as explained here:

http://www.orafaq.com/wiki/SCOTT

http://www.dba-oracle.com/t_oracle_scott_tiger_user.htm

3 - EXPLOITATION

- Msfvenom helps to create an .aspx backdoor:









- ODAT uploads backdoor.aspx to Silo's web root directory:

- Starting a listening session:

- Running backdoor.aspx from the browser:

- The result is a low-privileged Meterpreter session:

- Also, we can spawn a shell:

- On the Desktop of the user Phineas there are two interesting files: user.txt and Oracle issue.txt:







4 - CAPTURING THE 1st FLAG

- Reading user.txt:

5 - PRIVILEGE ESCALATION

- There are different ways of getting a remote root shell; let's see two of them.

5.1 - Uploading and running a backdoor with Odat

- Let's now create an executable backdoor.exe with Msfvenom:







- Copying backdoor.exe to Odat's working directory:

- Odat's utlfile --putFile option uploads the executable to the root of Silo's C: drive:

- Setting up a listening session:

- Running backdoor.exe with Odat's externaltable --exec option:

- Once backdoor.exe is executed we get a root Meterpreter session:







5.2 - Pass The Hash (PTH)

- First, we need to get the credential hashes with Volatility.

- Reading the text file Oracle issue.txt, we find a Dropbox link and an associated password:

- However, the first character of the password still needs to be found:

- Backgrounding the shell and going back to the Meterpreter session, we can download the Oracle issue.txt text file to Kali:

















- Opening the file with gedit, the 1st character of the password is now clear:

- Using the password, we can access the Dropbox link:

- We find a memory dump of Silo:

- Saving the file:

- Unzipping twice:

- Finally we get a .dmp file:

- The memory forensics tool Volatility can help read the dump's contents:

https://www.volatilityfoundation.org/

- Some options for Volatility:











- Getting the virtual addresses of some registry hive files:

- Actually, the addresses of the SYSTEM and SAM hives are of greatest interest:

- Hashdumping to a text file:

- Finally, we can read the hashes for 3 of the users: Administrator, Guest and Phineas:



Pass The Hash (PTH) is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash of a user's password, instead of requiring the associated plaintext password as is normally the case.
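As an added example, not part of the original write-up, here is a small triage script for the pwdump-style lines that Volatility's hashdump writes (user:rid:lm:nt:::). It flags what a defender needs to act on once such a dump has leaked: the built-in Administrator entry, LM hashes still being stored, empty passwords, and one password shared between accounts. The sample lines and their hash values are constructed; only the two Windows constants are real.

```python
import re
from typing import Dict, List

# Well-known Windows constants (not from the write-up): the LM field stored when no
# LM hash is kept, and the NT hash of the empty password.
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One pwdump-style line as written by Volatility's hashdump plugin: user:rid:lm:nt:::
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

# Constructed sample dump: three local accounts, hash values invented for this example.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
this line is not a hash entry and is skipped
"""

def parse_hashdump(text: str) -> List[Dict[str, str]]:
    """Parse pwdump lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["lm"], row["nt"] = row["lm"].lower(), row["nt"].lower()
            rows.append(row)
    return rows

def triage(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each user to the findings a defender should act on for that entry."""
    findings: Dict[str, List[str]] = {}
    first_owner: Dict[str, str] = {}  # NT hash -> first account seen with it
    for r in rows:
        notes = []
        if r["rid"] == "500":
            notes.append("built-in Administrator (RID 500): treat its NT hash as a live credential")
        if r["lm"] != NO_LM_HASH:
            notes.append("LM hash stored: LM storage is enabled and trivially crackable")
        if r["nt"] == EMPTY_NT_HASH:
            notes.append("empty password")
        if r["nt"] in first_owner:  # identical NT hash means identical password
            notes.append(f"same password as {first_owner[r['nt']]}")
        else:
            first_owner[r["nt"]] = r["user"]
        findings[r["user"]] = notes
    return findings

REPORT = triage(parse_hashdump(SAMPLE_DUMP))  # {user: [findings]} for the sample dump
```

In the constructed sample this reports the Administrator entry as a reusable credential, Guest with an empty password, and Phineas both storing an LM hash and sharing the Administrator password.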



- We will use Pass The Hash (PTH) in two ways: first using the Metasploit module psexec, then using pth-winexe:

5.2.1 - Pass the Hash (PTH) with Metasploit psexec

- The psexec module can be used to obtain access to a given system when a username and password hash are known:

https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/

5.2.2 - Pass the Hash (PTH) with pth-winexe

- pth-winexe is a patched version of winexe that can be used to get a remote shell by providing just the username and the password hash, so no cleartext password is needed:

https://www.whitelist1.com/2017/10/pass-hash-pth-attack-with-pth-winexe.html

- Also, passing the username and hashed password on the command line:

6 - CAPTURING THE 2nd FLAG

- Reading root.txt: